IT governance. You've heard of it, but you hate to admit that you're not real sure how it works. You can break down the term easy enough: IT is Information Technology. Check. Governance is a method or system of control and management. Check. Put them together and you get...what? How can IT be controlled and governed when IT itself is so mercurial? Isn't IT governance like herding cats?
If you'd prefer herding cats to tackling IT governance, you're not alone. As a matter of fact, you were in such good company in April 2008 that Mom and Dad had to set down some house rules to establish a sense of order in the IT household. Mom, as everyone knows, is the ISO (International Organization of Standardization), and Dad is the IEC (the International Electrotechnical Commission). The rules they set were outlined in a document called the ISO/IEC 38500. Great. Another number to remember.
The ISO/IEC 38500 provides a framework for effective governance of IT to assist directors at the highest level of organizations in understanding and fulfilling their legal, regulatory, and ethical obligations in respect to their organizations' use of IT. The ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities and not-for-profit organizations.
Let's pause to repeat that: "The ISO/IEC 38500 provides a framework...to assist directors at the highest level of organizations in understanding and fulfilling their legal, regulatory, and ethical obligations." Translation: Those who concern themselves with IT governance need to understand IT while also being well versed in business principles. They must be able to navigate those pesky legal loopholes while sleeping well at night about the decisions they made that day (ethical). Oh, so that's why these guys make the Big Bucks!
To more easily remember these variables, Doug Shuptar from SAP suggests the use of the mnemonic RACE (Responsibility, Accountability, Communication, Empowerment). Governance also means establishing measurement and control mechanisms to enable people to carry out their roles and responsibilities.
Why is IT governance important? The goal of governance is to ensure that the results of an organization's business processes meet the strategic requirements of the organization. Does business drive IT through governance? Doug Shuptar gives a resounding "YES" for an answer, with a cynical "Duh!" at the end for good measure. However, in many situations, this is not the case. Effective governance requires the goals of the IT organization and the goals of the business to be closely linked. Too often, a weak relationship exists between the two if any exists at all. When this occurs, IT initiatives crop up that have no bearing on the strategic business goals. Both the business and IT resource begin to wonder why a specific project is being deployed. The question, "What is this expected to accomplish?" is often never asked. Worse yet, no one would be able to provide a clear answer even if the question had been posed.
In the end, IT governance seeks to avoid blurred lines, creating clarity between business goals and IT projects. This is why it is so important. IT governance is a key element of a well-performing IT organization.ISO/IEC 38500 is organized into three primary sections: Scope, Framework, and Guidance.
Scope is characterized by: Clearly understanding the business strategy and aligning the technology strategy with the business strategy. Providing clarity between the business strategy and the IT initiatives, drawing links between business objectives and project objectives. Providing clarity through the preparation of a business case for each initiative. It's not enough just to create the links; we need to ask the question, "How will the project improve the business?" Establishing effective priorities on resources both human and financial. Understanding those resources is vital. Approving capital funds is not enough; approving the people is usually more difficult.
- Attaining agreement on priorities. As a group looking at the entire enterprise, make a determination as to what initiatives will move forward.
- Attaining agreement on which priorities should finish first.
The framework portion of ISO/IEC 38500 comprises definitions, principles, and a model. It sets out six principles for good corporate governance of IT:
- Human behavior
Various organizations have tried to achieve IT governance by monitoring and measuring in terms of (1) Infrastructure and asset protection and (2) Infrastructure and personnel performances. However, these two approaches mean that other challenges will arise, such as:
- Creation of Information Technology policies, processes, and strategies
- Management of Information Technology risks
- Business process mapping and harmonization
- Continuous management of Information Technology resources
- Monitoring results and Information Technology effectiveness
The IT Governance Framework is a straightforward tool to help organizations implement the ISO/IEC 38500 standard for IT governance in the real world. Since IT governance is a broad subject, many disciplines are involved, including:
- Information technology
- Risk management
- Intellectual property
- Business design
- Project management
Most of these disciplines offer IT governance solutions and tools within their scopes. While some of these tools are very detailed and have narrow scopes, no single standard discipline or tool provides a full picture of IT governance. Collectively they can provide a confusing picture that hinders the purpose of IT governance, which is to equip boards with information and levers for directing, evaluating, and monitoring IT support for their core businesses.
ISO 38500 is the first international standard that provides guidelines for corporate governance of Information Technology. It provides a set of six principles for good corporate governance of Information Technology.1) Ensure that IT responsibilities are clearly established.2) Corporate and IT strategy should be aligned.3) IT acquisitions and investments should be made properly.4) IT should deliver required performance.5) IT should conform to all compliance requirements.6) IT policies and practices should take human behavior into account.
Certifications in IT Governance
If all of this is fascinating to you, consider getting certified in the subject. The top five certifications for IT governance, as determined by Tom's IT Pro, are listed below. Keep in mind that these certs are limited to the United States only. Most of the certs come with hefty work experience requirements, so these are geared toward experts who are also leaders within their organizations.
Information Technology Infrastructure Library (ITIL) is a well-defined set of best practices that organizations can use to design, implement, manage, and maintain IT service projects. The primary focus of ITIL is service management, which aligns IT projects and services with the business goals of an organization. ITIL also meets quality standards set by ISO/IEC 20000, so an organization that consistently and closely follows ITIL practices is highly likely to offer high-quality products and/or services.
ISACA (Information Systems Audit and Control Association) is a highly respected, global nonprofit association that provides education, conferences, publications, and certification for IT governance professionals. Four certifications are available from ISACA, which address information systems auditing, information security management, enterprise IT governance, and risk and information systems control.The credential entitled Certified in the Governance of Enterprise IT (CGEIT) is geared toward professionals who play a significant role in managing, advising, and/or assuring IT governance. Typical job roles include senior security analyst and chief information security officer -- the upper echelon of the organization chart.
Professionals at this level align IT with business strategies and goals, manage IT investments to maximize return on investment, strive for excellence in IT operations and governance, and promote greater efficiency and effectiveness in IT while minimizing risk.
Another certification from ISACA, the credential entitled Certified in Risk and Information Systems Control (CRISC), recognizes IT professionals who are responsible for an organization's risk management program.
CRISC certified professionals manage risk, design and oversee response measures, monitor systems for risk, and ensure that the organization's risk management strategies are met. Organizations look for employees with the CRISC credential for jobs such as IT security analyst, security engineer architect, information assurance program manager, and senior IT auditor.
GRC Certify is a nonprofit organization that provides education for governance and IT control professionals and administers several governance-related certifications. Governance, Risk Management, and Compliance Professional (GRCP) certification is the foundational level cert in the GRC Certify program.
The GRCP is required for the higher level GRC Auditor certification. It will also be a prerequisite for the GRC Enterprise Architect, which is under development as of this writing. Another cert in the works is the GRC Master, which will build on all of these other certs when it is delivered.
The GRCP requires candidates to pass a single exam, and there are currently no prerequisites or work experience requirements that could be ascertained from the organization's website. But don't let the "foundational" nature of the GRCP fool you.
Aside from being well versed in basic GRC terms and definitions, candidates must also know how to analyze organizational culture and business contexts, define objectives, design and implement actions and controls in the face of adverse events, perform response and recovery, monitor performance, and so on. All of these skills indicate a person with at least three years of experience in managing security and risk for an organization.
Those who have acquired GRCP certification often have an MBA and/or perhaps the CRISC credential, some type of CISO (Chief Information Security Officer) cert, and plenty of IT expertise. Their job roles run the gamut from senior audit advisor and fraud and security analyst, to solutions and management consultant, to CIO.
BCS IT Governance & InfoSec Foundation
BCS, the Chartered Institute for IT, hails from the United Kingdom. The organization was incorporated by the Royal Charter and was even run by HRH the Duke of Kent in the early 1980s. As a nonprofit professional body, BCS aims to promote "social and economic progress" through the advancement of IT. Part of its purpose is to accredit professional competence through a highly structured certification program which is aligned to the ISO/IEC 27000 series and BS 25999 standards.
The BCS membership tier begins with the Associate level and moves up to Professional. After that comes the Chartered Professional level, topped off by the Fellow level.
Within the Professional certification track is a foundation-level certificate for information security management (a second track in data protection is also available), from which candidates can progress to practitioner certificates (specializations) in business continuity management, data protection, freedom of information, information risk management, and information assurance architecture.
Yes, IT governance can be like herding cats, but the ISO/IEC 38500 has created an indispensable roadmap for high-level executives so that those furry resources can be set on paths that lead to effective decisions that link business goals to IT projects.