IT Governance: Generating Value & Mitigating Risk

Many recent articles about cybersecurity include discussion of Information Technology (IT) Governance. What is IT Governance is and why is it important?

The concept of IT Governance is not new. It gained visibility in the early 2000s along with the enactment of such regulations as the Sarbanes-Oxley Act of 2002, also known as the “Public Company Accounting Reform and Investor Protection Act,” which was developed on the heels of a series of financial scandals involving public companies, including Enron, Tyco International and WorldCom. In light of such legislation, and the increasing roles and costs of IT, companies were advised to implement IT frameworks to provide accurate, visible and timely information, and, most relevant to cybersecurity, ensure the protection, privacy and security of information assets.

Gartner, Inc., a global research and advisory firm, defines IT Governance as, “the process that ensures the effective and efficient use of IT in enabling an organization to achieve its goals.” In its intended function, IT Governance is a subset of Corporate Governance; together they establish the rules by which an organization operates. IT Governance plays key roles in both public and private companies, ensuring investments in IT generate value and mitigating risks associated with IT departments and operations.

IT Governance can be mandated by regulation or voluntarily established to measure IT results or both. A key component of IT Governance is IT Policies, which convert the desired behaviors of IT team members relative to information security into a formal plan.

To establish an IT Governance program, an organization should:

  • Obtain the commitment of its management
  • Identify and record stakeholder requirements
  • Align the IT security strategy with the business strategy
  • Determine the IT Security Principles that will guide the IT Security Function
  • Establish metrics to demonstrate the value of the IT Security Function

HBK Risk Advisory Services can help you design and develop your own IT Governance program to protect your business. Call us at 330.758.8613; or email me at As always, we’re happy to answer your questions and discuss your concerns.

About the Author(s)
Bill is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software Development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce and has worked for a wide range of industries, including the Public Accounting field. Bill is a certified public accountant, a certified information system auditor, and a certified supply chain professional.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.