Organizations continue to leverage the growing power of IT hardware and software to remain competitive and meet their stakeholders' rising expectations. As the scale and variety of these investments, and the sensitivity of the data captured, grow, so do concerns about the actions taken to protect these assets. The ability to achieve short- and long-term objectives increasingly depends on an organization's ability to implement and sustain effective IT governance practices.
IT governance is a subset of corporate governance, and it focuses on IT performance and related risk management. A key driver of interest in this field is the need for organizations to focus on value creation by aligning strategic objectives with performance management and the expectations of all stakeholders. It consists of the policies, procedures, and processes used to design, manage, and monitor the organization's regulatory, legal, environmental, and operational requirements.
In simple terms, good governance means that decision-making is based on the organization’s structures, processes, and culture. When there is good governance, the organization operates with a clear purpose that delivers long-term value and meets stakeholder expectations. It requires leadership and values, often accompanied by a guiding framework.
While interest in IT governance has existed for decades, the focus has increased due to the passing of several laws, and the adoption of industry standards, in the United States and abroad, including the following.
The Gramm-Leach-Bliley Act (GLBA): It requires financial institutions to explain their information-sharing practices to their customers and to safeguard the sensitive data they collect.
The California Online Privacy Protection Act (CalOPPA), the California Consumer Privacy Act (CCPA), and the proposed New York Privacy Act (NYPA): These measures are designed to protect consumers residing in California and New York. CalOPPA requires operators of commercial websites and online services that collect personal information from California residents to post a privacy policy, while the CCPA gives consumers rights over their personal data, including the right to opt out of its sale. Applicability turns on the residency of the consumer rather than the location of the business (subject to each statute's own thresholds), and similar laws are at various stages of implementation in other US states as well.
The Payment Card Industry Data Security Standard (PCI DSS): Maintained by the PCI Security Standards Council, it is an industry standard enforced through the card brands' contracts rather than a law. Its purpose is to protect the entire payment card ecosystem, so it applies to merchants and service providers that store, process, or transmit cardholder data. Its requirements include deploying network security controls such as firewalls, encrypting cardholder data in storage and in transit, using anti-malware software, restricting access on a need-to-know basis, assigning a unique ID to each user, logging and monitoring all access to cardholder data and network resources, and regularly testing security systems and processes.
The General Data Protection Regulation (GDPR): It is a European Union (EU) privacy law that regulates the processing of personal data of individuals in the EU, including its transfer outside the EU and the European Economic Area. Its primary goal is to improve individuals' control and rights over their personal data.
Key IT Governance Frameworks
While the term and related concepts have been in place for decades, many organizations continue to struggle with their IT governance efforts. Roadblocks include a lack of awareness of key requirements, uncertainty about how best to implement the necessary policies and procedures and how to monitor key activities within and outside the organization, and failure to take corrective action when deviations from expected practices emerge.
Several frameworks have been developed to help organizations in this regard.
COBIT 2019: COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (Information Systems Audit and Control Association), and it was designed to serve as a support tool for managers. It helps to bridge the gap between business risks, control requirements, and technical issues by ensuring quality and reliability of information systems. It has universal appeal as it can be applied to any organization in any industry.
ITIL(R) 4: The Information Technology Infrastructure Library (ITIL) is an IT service management (ITSM) framework that includes governance as part of its Service Value System, along with a set of detailed practices for IT activities. It covers service and asset management, and it focuses on aligning IT services with the needs of the business. It describes processes, procedures, and tasks, and it includes checklists that can be used by all types of organizations. ITIL can be applied to both strategy and delivery to maintain overall competencies. With it, organizations can set a baseline from which they can plan, implement, and measure results.
ISO: The International Organization for Standardization (ISO) publishes ISO 37000:2021, Governance of organizations - Guidance, to help organizations perform effectively and with purpose while behaving responsibly. It applies to organizations of all types, sizes, industries, and locations and emphasizes sustainability and effective oversight of all of their activities, including the handling of data. For IT specifically, ISO/IEC 38500, Governance of IT for the organization, provides principles for governing bodies to evaluate, direct, and monitor the use of IT.
NIST: The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce. Its Cybersecurity Framework (CSF) consists of standards, guidelines, and best practices for managing cybersecurity risk, organized in version 1.1 around five functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0, released in 2024, adds a sixth function, Govern, covering the organizational context, risk management strategy, roles, and policies that the other five depend on. The framework reminds users to balance proactive safeguards with preparation for worst-case scenarios.
These frameworks are not only conceptual, but typically include checklists and best practices that help IT professionals, managers, auditors, and compliance professionals act pragmatically to help their organizations implement and assess the information technology measures in place.
The work of internal auditors, compliance professionals, regulators, and IT professionals should focus appropriately on the risks to which the organization's activities may expose it. For example:
Evolving technological advances create opportunities and risks. The growth of the Internet of Things (IoT), for example, ushers in opportunities to connect millions of devices so they can share data, and their functionality increases the convenience users enjoy. As vacuum cleaners, refrigerators, thermostats, doorbell cameras, fitness equipment, and automobiles interact with each other, they may funnel sensitive information through common pathways. Similarly, customer data gets aggregated at organizations that may share that data with other parties. These interactions raise the specter of data being compromised during its collection, storage, and movement, all areas of concern addressed by IT governance frameworks.
The growing use of artificial intelligence (AI) and machine learning (ML) also carries IT governance implications. Organizations should be careful about the algorithms used when developing these technologies, the manner of their deployment, and the measures put in place to monitor their performance. These technologies rely on large datasets that may include personally identifiable information (PII), and their capture, use, storage, sharing, and transmission may impact individuals' rights.
Other risks of concern include:
A leak of private customer information exposes customers to identity theft, and it exposes the organization to fines and penalties from regulators and to lasting reputational damage.
The inability to promptly block cybersecurity attacks, or to recover from them, would jeopardize an organization’s ability to serve its customers and generate revenues and profits.
Poorly supervised asset acquisition and infrastructure deployment would limit operating speed, putting the organization at a competitive disadvantage.
The inability to identify all data storage locations compromises the organization's ability to maintain version control, retain records as mandated, keep proper backup copies, and dispose of all records at the end of the data and document retention period. Beyond the impact on financial and personal information, it also magnifies the damage from a database breach, since attackers gain access to more records than they otherwise would, including copies the organization has lost track of.
Access controls are often viewed as IT general controls, but in terms of IT governance, the inability to restrict access to information and limit it on a need-to-know basis exposes the organization's assets to data corruption and even fraudulent conduct.
Legacy systems, which were built with fewer security features, may today act as the weak link in the organization's cybersecurity efforts.
Education and Preparation by Professionals
The scope of IT governance is quite broad. It includes the development, security, and operations activities within organizations, and the actions taken to protect assets while creating value for stakeholders. Given the extent of activities encapsulated in IT governance, IT professionals and other stakeholders may want to consider pursuing related certifications, such as ISACA's Certified in the Governance of Enterprise IT (CGEIT).
IT, audit, and compliance professionals should balance their pursuit of technical skills with the acquisition and enhancement of soft skills. The latter are important because inquiring about current practices, exploring the implications of DevSecOps activities and strategic plans, and brainstorming risk-related events all call for an ability to engage in meaningful conversations, explore scenarios, handle conflict and disagreement effectively, and explain the purpose of a given line of questioning. Auditors and other compliance-minded professionals would be well served by enhancing their communication skills, as many people, unfortunately, see the technical aspects of IT governance as a bother and unnecessary. Being able to explain effectively why these topics matter, and what failing to embrace IT governance best practices can cost organizations and their stakeholders, is therefore essential.
There is an abundance of guidance on IT governance principles that can assist governing bodies in discharging their duties and meeting the expectations of their stakeholders effectively, prudently, and efficiently. By embracing these guidelines, the benefits include enhanced accountability, responsiveness, and transparency. Given the focus on privacy and the appropriate use of personal information, fair treatment and trusting relations among stakeholders are also on the list of benefits.
As organizations continue to invest in and embrace new technologies to create value, it behooves them to implement and maintain effective IT governance practices that will strengthen their entire IT ecosystem and the practices that enable it.