4Point GRC was introduced in 2004 by Phoenix Business and Systems Process, evolved through 2007 and 2008 while in use at Altran Control Solutions, and matured further with SOAProjects in 2010.

First branded SamePage Solutions, then Facilitated Compliance Management (FCM), EnterpriseGRC Solutions uses the same foundational 4Point GRC methodology to fix what is broken in the GRC movement. The methodology is wholly owned and trademarked by Phoenix Business and Systems Process, now EnterpriseGRC Solutions, Inc.; companies listed as active partners can provide the facilitating software used to implement a rapid GRC program, resulting in enterprise GRC platform readiness as established by the 4Point GRC method. Facilitated Compliance Management is not intended to replace products such as Allgress, Aruvio, ServiceNow, Archer eGRC, MetricStream, ZenDesk or Cavirin. It is a stepping stone that allows organizations to prepare and mature to a point where such investments will reap the greatest value across all areas of the extended enterprise while requiring little to no business disruption.

GRC is an artifact of good security and enterprise process. It does not replace them; it strategically monitors and reports evidence to support and enforce governance and security risk management, and to prove the technology-enforced areas of compliance.

EnterpriseGRC Solutions partners with your program management office to assure delivery of your most valued and critical GRC investments. The methodology used to support your business remains in your possession, to be evolved and blended into your own home-grown GRC tool.

Governance and Compliance

Compliance is a universe of constraints enforcing business and technology practice aligned to minimally acceptable product, service and financial benchmarks, consumer and citizen safety, and continuous availability of critical resources as mandated by US and world governments. Considerations for HIPAA, the USA PATRIOT Act, Gramm-Leach-Bliley, FISMA/e-Government, OMB Circulars (various, such as A-119 and A-130), Executive Directives and DCIDs cannot be limited to government, federal and financial programs. Businesses work in tandem, weaving regulatory issues together through e-commerce, outsourcing and third-party services, such that any law has implications across multiple industries and business classifications. Laws such as the Clinger-Cohen Act, the Paperwork Reduction Act, Basel I and II, European Union privacy laws and the Safe Harbor Principles, the California Security Breach Notice Law and emerging bills with similar guidelines, SEC Rule 17a-4, NARA regulations for federal records management, SEC CFR 17 Rule no. 16900 affecting clearing corporations, the National Strategy to Secure Cyberspace, and many associated Public Laws and government guidelines (especially those affecting security programs and the implementation of appropriate standards such as the various FIPS) are all part of our audit universe. The EnterpriseGRC Solutions toolbox is a list of applications and industry tools, with special attention to the better companies and materials, as found most successfully implemented among our clients.

Strategy and Techniques - Approach to Mapping Service, IT Regulation and Frameworks

A clear win for any IT service organization can be found in providing mapped COBIT and ISO 27001 programs. Aligning service delivery to regulatory-driven compliance models enables immediate, sustained client value.

The simplest possible view of controls mapping might include:

  • Business Process - Service
  • Business Control Requirement - Regulation
  • Control Process - Control Framework Identifier
  • System Enablers - Technology Policy
  • People Enablers - Business Policy
  • Standard and Frequency of Measure - Compliance Metrics
  • Compliance Reporting - Representation of Compliance

Providing Compliance Mapping as a Service

The common understanding of the goals for providing compliance services should include the following intentions:

  • To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
  • To ensure compliance of systems with organizational security policies and standards
  • To maximize the effectiveness of and to minimize interference to/from the system audit process.

COBIT supports IT governance by providing a framework to ensure that:

  • IT is aligned with the business
  • IT enables the business and maximizes benefits
  • IT resources are used responsibly
  • IT risks are managed appropriately

Among the drivers that justify the use of IT consulting, the risk of non-compliance with ISO 27001 is a compelling one.

Related risks of non-compliance with ISO 27001 include:

  • Risk of information disclosure, including related risks such as loss of confidence and trust
  • Incomplete risk assessment and, thus, an inadequate level of risk management
  • Inadequate business continuity management
  • Lack of security awareness within the organization
  • Inadequate security requirements when interacting with third-party organizations
  • Inadequate level of physical and logical security
  • Flawed procedures due to the lack of incident management
  • Inadequate security controls coverage in outsourcing/contractual arrangements

Mapping client processes, regulatory requirements, risks and commonly adopted standards or frameworks needs to serve a business purpose. While many seek the Holy Grail spreadsheet providing one clean map of the audit universe, they must ultimately face reality. Mapping is an exercise that includes the client, the business context, and a collaborative decision-making process. Just as business demands change, the mapping requires similar levels of adjustment.