Here’s a great video from our partners at RSA Archer about the IT group at St. Luke’s Health System in Idaho, and some of the challenges they were experiencing with GRC reporting.
- IT Security Director Reid Stephan talks about lists — servers, end-point devices, applications, locations — all living in different spreadsheets and shared drives. There was nothing at a high level to tie them all together. He says compliance requests were mostly “gut feeling” responses.
- One of the program goals was to establish formal policies and procedures to put a quantifiable measurement on their compliance. They now attach a percentage number in each compliance area.
- IT Security Analyst Dustin Aldrich talks about the benefits of amalgamating all of their data and reporting. Besides providing better information, he says it reduces the administrative burden so that staff can spend their time more efficiently.
We hear about challenges like this all the time from companies that we work with. They want to evolve from an environment where they’re chasing data to one where they’re using risk information in a proactive and strategic way.
Is your organization still managing IT risk using spreadsheets? How confident are your leaders and executives in the risk information they’re receiving? How accurate and up-to-date is your risk and compliance information? If you’d like to talk about this project or other health care risk management use cases, send us a note at firstname.lastname@example.org