Tuesday, July 7, 2009

Governance and Control

Stephanie Quick

Much of what I do is analysis of an organization’s intelligence, with a real focus on how performance is associated with IT. At a number of client sites I have noticed a lack of controls for information security, data integrity and IT purchases aligned with goals and objectives, putting my client at risk. There have been client sites where best practices have been in use and were evident from the start of our work. A framework of best practices for managing and protecting information, assets and subsequent acquisitions is the basis for effective management of risk and control of costs.

One such framework is Control Objectives for Information and related Technology, also known as COBIT or COBiT, a framework of best practices for IT management that has been around since 1996. COBIT provides a set of generally accepted measures, indicators, processes and best practices to assist management in maximizing the benefits derived from the use of information technology while developing appropriate IT governance and controls.

COBIT was developed 13 years ago, and its framework for the control and protection of information remains critical to managing IT in 2009. Year 2000, also known as Y2K, raised the red flag on data integrity, while HIPAA and the Sarbanes-Oxley Act of 2002 alerted us to the protection of information. Such regulations mandate strong internal controls and protection of information and assets worldwide. As the sharing of information has become, and will continue to be, global, and as the use of IT becomes more sophisticated, so the problem of information security grows.

As we continue to move forward in the development and use of IT in business, organizations need to reach into the past and implement established best practices for understanding their IT systems and deciding the level of security and control necessary to protect their assets, by developing an IT governance model. COBIT control objectives are categorized in four domains:

• Planning and Organization,
• Acquisition and Implementation,
• Delivery and Support, and
• Monitoring and Evaluation.

Organizations benefit from utilizing COBIT because it offers a foundation on which IT-related decisions and investments can be based. Decisions are more aligned with the organization’s goals and objectives because there is a framework of best practices for defining a strategic IT plan, defining the information architecture, and acquiring the hardware and software needed to implement the strategy, along with processes for ensuring uninterrupted services and the ability to monitor system performance.