
Sound IT governance requires breadth & depth: to be effective, IT governance must be constructed on the foundations of law, security practices, risk management, audit standards and regulatory compliance--and on common sense.


Despite major efforts to deter it, identity theft--using the Internet and other information technology (IT) tools--remains among the fastest-growing crimes across the globe, and it is increasing daily. As such, it may be convincingly argued that identity theft represents the single largest threat to sustainable IT governance, since identity theft touches at the very core of what is valued so highly, particularly in the U.S.--the individual's privacy.

Privacy is in the American grain, and is cherished throughout other nations and cultures as well. The loss of privacy, particularly at the hands of third parties, has attracted the attention not only of privacy advocates, but of state and federal legislatures, who have been prodigious in writing laws aimed at stemming the tide of such theft.

While identity theft and other information crimes are difficult to stop, there are ways to reduce them and their impact on a business enterprise. Strong IT governance is a critical piece of the solution framework. However, many companies run the risk of defining IT governance too narrowly, resulting in a false sense of security.

For example, IT governance built only on the foundation of legislative fiat reflects a myopic and narrow perspective, and one that is unlikely to stand the test of time, given the increasing threat facing global e-commerce. Conversely, effective IT governance must be constructed on the foundations of law, accepted security practices, risk management, audit standards, regulatory compliance and on common sense.

Governance over IT is complicated, reflecting the complexity and dimension of the threat. Additionally, IT governance is not something that is simply "nice" to have. Today, the company that elects to forgo the planning, development, implementation and monitoring of a comprehensive IT governance plan is rolling the dice of chance.

Additionally, with current and upcoming state and federal legislation, IT governance is becoming more of a mandate. In fact, it may prove to be the defining dimension between effective information management and integrity and information chaos contributing to security breaches, illicit information disclosure and privacy violation.

Ultimately, IT governance may be the great wall separating enterprise success from enterprise failure, as defined by degradation of the brand, reputational liability and even legal liability with substantial financial consequences.

Jefferson Wells hosted more than 250 financial and IT executives in roundtable discussions last year to assess the challenges inherent in designing and implementing an effective IT governance program. All of the participants agreed that the process is both long and arduous. For many, if not most, IT governance is driven by the Sarbanes-Oxley Act of 2002. This is both a blessing and a curse, since some perceive governance solely as a requirement of the act--a cost, and not a solution.

In a survey of nearly 120 executives conducted prior to the roundtables, 57.5 percent responded that they had not yet implemented a formal IT governance program within their organizations. Clearly, much work remains (see chart on page 55).

Broad Vision Needed in Response to Threat Proliferation

Developing a responsible, meaningful and accountable IT governance plan begins with a vision. This vision must address a wide range of threats, threat mitigation factors and strategies. It is necessary to understand the impact of threats on the enterprise.

A host of questions can be asked: What is the impact of the threat on normal business operations? Has the company conducted a business impact analysis? What is the company's business continuity plan and how can it be impacted by the list of threats? What is the disaster recovery plan and how will it function under various worst-case threat scenarios?

Is information from the enterprise archived outside of the state where corporate headquarters is based? Where are the data centers? Does information move from one state jurisdiction to another, and what are the consequences of that action? Also, consider the international implications. When information is moved internationally, from country to country, is it likely that one or more privacy laws are being violated? What is the extent of liability?

Will a Narrow Approach Contribute to Corporate Liability?

As has become obvious, failures of IT governance carry the burden of liability. Liability comes in several forms, with legal and financial liability the most familiar. But reputational liability may be equally harmful. IT governance is a strategic tool that can help companies navigate more carefully and cautiously through the increasingly perilous landscape of enabling technology infrastructure.

The legal and financial liability associated with IT is joined at the hip with identity theft and the inadequacy of controls over the storage and use of personal, sensitive information. In fact, identity theft and associated crimes represent the greatest threat of legal and financial liability. A quick scan of major newspapers illustrates the need for improved IT governance.

More and more, companies are being challenged in court over security breaches, which could or did result in the inappropriate disclosure of personal information. A number of major U.S. corporations are currently being challenged in class-action suits following the disclosure to the media of serious--and potentially harmful--security breaches. Many of these disclosures were made on the basis of compliance with California's privacy legislation, known as SB-1386.

Following California, a number of other states--including Louisiana, New Jersey, New York, Georgia, Illinois, Indiana, North Dakota and others--have crafted and passed similar legislation.

Any company engaged in IT governance also must consider the impact of reputational liability. Some may view reputational liability as a "soft" issue; it's anything but soft. A decline in reputation may lead to loss of brand value and of market and shareholder value. These conditions ultimately restrict the ability of a company to grow, to reward employees, to acquire more market share and even to acquire other companies.

In effect, reputation is a company's money in the bank. The loss of it may redefine a company's future. Any business that has not decided to move toward comprehensive IT governance may be considered to be negligent with respect to shareholder value and consideration.

Advice for Creating Good IT Governance

Creating good IT governance requires a good team with the knowledge to effectively create, implement and champion the system. Attracting and maintaining a strong team is among the first priorities.

Based on leading practices, the following team members should be considered for integration into IT governance:

* CEO and the Board of Directors: it is critical for top executives to set the tone;

* Chief Information Security Officer or Chief Security Officer: assists in assessing key threats and key defense strategies;

* Chief Risk Officer: assists in evaluating business risks associated with IT governance and the emergence of evolving conditions that may bring risk to the enterprise;

* Chief Legal Officer: brings the perspective of a liability defense strategy, as well as regulatory compliance considerations;

* CFO: has a crucial interest in understanding the financial consequence of IT governance cost, balanced against corporate liability;

* Chief Human Resources Officer: works with other members of the team to produce the policies and procedures that govern the background investigation process in order to mitigate the risks associated with hiring new personnel. Also, cooperates in developing the policies and procedures pertinent to the enterprise's electronic communications policies;

* Chief Audit Officer: makes certain that the threat conditions and mitigation controls are appropriately synchronized;

* Chief Marketing Officer: helps convey the IT governance message internally and to the media, as well as clients or customers, as part of the corporate branding initiative.

Good IT governance begins with good corporate governance. A company can begin by looking at the Committee of Sponsoring Organizations of the Treadway Commission (COSO), since COSO is known as the "gold standard" of corporate governance. The IT Governance Institute's CobiT framework is an accepted framework consisting of 34 high-level control objectives. CobiT provides recommended practices that bridge the gaps between business risks, technical issues, control needs and performance measurement requirements.

In addition, consider the IT Infrastructure Library (ITIL). ITIL is a process-based approach to service support and delivery gaining rapid acceptance in the U.S., after having been well established as a service standard throughout Europe.

Good IT governance means complying with--and even anticipating--change. One example of the change that is constantly occurring is found in a piece of Congressional legislation, H.R. 1263, Section 304. Under this law, the U.S. Department of Commerce would seek to harmonize privacy legislation across a wide range of nations. International uniformity would reduce the current conflict over imbalanced privacy laws from one jurisdiction to the next.

IT governance is the orchestration between management and the IT governance team. It is also the development and enforcement of effective policies and procedures that govern behavior, just as it is the socialization of these policies and procedures throughout the workforce.

Creating an IT governance strategy and then deploying it may not be easy, but the time to bring IT governance to the enterprise is now. Any hesitation to do so may result in an unfavorable outcome in the event of a security breach resulting in the loss of information integrity.

The company that believes that IT governance is excessively costly should trade places with the company that has been victimized by identity theft and is now defending itself against a class-action lawsuit. In the final analysis, prevention will always win out over remediation, just as a solid reputation trumps a variable one.

MacDonnell Ulsch (don.ulsch@jeffersonwells.com) is a Director of Technology Risk Management and the IT Governance Subject Matter Expert, and Jeffrey Bamberger (jeffrey.bamberger@jeffersonwells.com) is a Professional in the Technology Risk Management group. They are both based in Jefferson Wells' Boston office. For more information about the Technology Risk Management Practice, visit www.jeffersonwells.com.

RELATED ARTICLE: Takeaways

* Identity theft--using the Internet and other IT tools--is among the fastest-growing crimes globally; it is also the single largest threat to sustainable IT governance.

* IT governance may be the great wall that separates enterprise success from failure--as defined by degradation of brand, reputational, legal and financial liability.

* Good IT governance begins with good governance. Models are the COSO framework, IT Governance Institute's CobiT framework and IT Infrastructure Library (ITIL).

* Good IT governance requires a good team with knowledge to create, implement and champion the system.

Do you currently have a formal IT Governance Program?

                                     Percentage of Responses

No, but planning to implement one    46%
Yes                                  42.5%
No, with no plans to implement one   11.5%

From the Jefferson Wells 2005 IT Governance Roundtable Report

Note: Table made from bar graph.
COPYRIGHT 2006 Financial Executives International

Article Details

Author: Bamberger, Jeffrey
Publication: Financial Executive
Geographic Code: 1USA
Date: Mar 1, 2006
Words: 1738