Implementing System Center Process Pack for IT GRC

GRC is an acronym for governance, risk management, and compliance. The IT GRC Process Pack allows you to provide automated compliance management through the System Center suite. The System Center Process Pack for IT GRC allows you to manage IT operations and information management; it does not include other governance, risk management, and compliance functionality for other areas such as organizational accounting and business operations.

A control objective is a desired state result that has been met through risk assessment. For example, a control objective might be that user accounts of contract workers have an expiry date. This objective might have been selected after risk analysis found that some contractors had network access after their contract term finished. Control activities allow control objectives to be accomplished.

The System Center Process Pack for IT GRC uses the following System Center segments:

  • Service Manager This hosts the System Center Process Pack for IT GRC and allows you to run the controls and activities that are necessary to meet control objectives. The System Center Process Pack for IT GRC requires that Service Manager be configured with the Active Directory, Operations Manager, and Configuration Manager connectors.
  • Service Manager data warehouse This allows you to generate compliance and risk reports to audit and review compliance information. It is required for System Center Process Pack for IT GRC reporting.
  • Configuration Manager site server Configuration Manager provides configuration drift reporting. Configuration drift occurs when a computer’s configuration changes from those specified in a desired configuration baseline. It requires the deployment of Configuration Manager agents on monitored computers.
  • Operations Manager This manages alerts generated when computers drift from the desired configuration baseline. It requires the deployment of the Operations Manager agent on to monitored computers.

You install the System Center Process Pack for IT GRC on to the Service Manager server. After you have the Process Pack, run the MpSyncJob to synchronize Service Manager with the data warehouse. Then import the IT Compliance Management Libraries into Service Manager and the desired Configuration Management configuration items and baselines into Configuration Manager.

When implementing a compliance program, it is occasionally necessary to configure program exceptions. You create exceptions for services or servers that cannot be made compliant with control objectives. You can create the following exception types:

  • Control activity scope exceptions This type of exception allows you to exclude specific control activities when checking compliance.
  • IT GRC program exceptions This type of exception allows you to exclude a specific computer from an IT GRC program.
  • IT GRC policy exceptions This type of exception allows you to exclude control activities that are not applicable to your organization.