Many recent articles about cybersecurity include discussion of Information Technology (IT) Governance. What is IT Governance, and why is it important?
The concept of IT Governance is not new. It gained visibility in the early 2000s along with the enactment of such regulations as the Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act,” which was developed on the heels of a series of financial scandals involving public companies, including Enron, Tyco International and WorldCom. In light of such legislation, and the increasing roles and costs of IT, companies were advised to implement IT frameworks to provide accurate, visible and timely information, and, most relevant to cybersecurity, ensure the protection, privacy and security of information assets.
Gartner, Inc., a global research and advisory firm, defines IT Governance as, “the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.” In its intended function, IT Governance is a subset of Corporate Governance; together they establish the rules by which an organization operates. IT Governance plays key roles in both public and private companies, ensuring investments in IT generate value and mitigating risks associated with IT departments and operations.
IT Governance can be mandated by regulation, established voluntarily to measure IT results, or both. A key component of IT Governance is IT Policies, which translate the behaviors expected of IT team members with respect to information security into a formal, documented plan.
To establish an IT Governance program, an organization should:
- Obtain the commitment of its management
- Identify and record stakeholder requirements
- Align the IT security strategy with the business strategy
- Determine the IT Security Principles that will guide the IT Security Function
- Establish metrics to demonstrate the value of the IT Security Function
HBK Risk Advisory Services can help you design and develop your own IT Governance program to protect your business. Call us at 330.758.8613; or email me at email@example.com. As always, we’re happy to answer your questions and discuss your concerns.