The 5 Steps to Good IT Governance

1. Clarify Your Needs.



Clarify where you are and where you want to be.  The first step in establishing good governance is to figure out exactly where you are now and to define where you want to be.  The usual way to do this is to perform a Governance Review that identifies gaps in processes and controls.


To get started, identify the exact regulations and rules your business is subject to.  To find out, look to your business’ industry and to that of your customers and vendors.  For example, banking and financial institutions are subject to Gramm Leach Bliley, Basel II and The Patriot Act, among others, as well as to state and federal banking and finance regulatory agencies.  Health care providers, facilities, their vendors and service providers are subject to HIPAA.  Other industries may have to adhere to EPA, FDA, FCC and other federal, state and local laws.


There are requirements that transcend industry.  Labor laws, EEOC rules, and state and federal privacy laws are examples that nearly all companies must adhere to.




Beyond governmental bodies, there are self-regulating bodies, such as the Payment Card Industry, which enforces the PCI Data Security Standard.  The PCI DSS is intended to protect cardholder information.


Financial auditors play a significant role in enforcing regulations.  In doing so, they follow guidelines from agencies that oversee and certify the auditors.  Their interpretations of those guidelines tend to become rules that apply to companies they audit.


The Governance Review matches each business to its regulations and compares current policies and practices to mandates.  This is done by mapping business processes to the standards.


The resulting gap analysis serves as a basis for a roadmap for the business to meet or exceed compliance goals and requirements. Untangling conflicting regulations and knowing which regulations apply is a great help towards understanding how to apply the confusing array of controls and requirements to a unique situation.







2. Understand Your Choices.




Once the gap analysis is complete, define the solutions that fill the gaps.  Learn which solutions apply and how they differ with respect to your unique needs.  One way to do this is to list the gaps and research the thousands of products and services available in the market.  Then, slog your way through the millions of web pages, read everything you can on the subject and wait for call backs from sales reps. 


Remember to examine your choices for automating cumbersome manual processes.  Automation is key to developing a buttoned-down, iron-clad Governance initiative.




By automating IT Governance, you can avoid many audit deficiencies because the tools only need to be evaluated one time.  After that, auditors simply test changes to systems.  Automation also promotes consistency of application, eliminates human error and eliminates individual interpretation of business rules.  This ensures a compliant environment.


Map the business process to the solutions available.  This forms the basis for a Roadmap to Compliance.







3. Make Decisions.




The Roadmap forms the base planning document: it lets you see what you need to do on one ‘surface’ (the roadmap) and determine which order to do it in.


Once you have the solutions that fill the gaps, look at each solution to determine the order in which you believe they should be adopted.


Consider the criticality of the requirements to your business, along with the amount of time needed to implement, budget, resource availability – both human and infrastructure – staffing patterns, timing (coming up to the holidays when staff is out?), and other factors important to your organization.


Perform a risk/benefit analysis and make a determination whether the business’ tolerance for risk is satisfied.  Document justifications and obtain sign-off by executive staff.


Plot the remedies along a horizontal line representing a timeline.  The timeline becomes a visual representation of the roadmap.  This gives you a picture of where you are on the path to compliance.






4. Take Action.




After you decide the priorities of the items, trigger the roadmap.  Beef up the policies, procedures, processes and controls.  Compare existing written policies to standards and requirements to make certain they are accurate and complete.


Standards change over time and your policies need to keep pace.  Using the standard as a guideline or template, adopt policies that are totally missing. Automate cumbersome manual processes.  Streamline business processes. Implement the software and hardware that make up the plan. 




Define service level requirements.  If your company requires more than one vendor for you to choose from, compile a short list of candidate suppliers.

If you have an RFP requirement, follow the RFP procedure and select the products and vendors that best meet your unique requirements.  Negotiate pricing and work out the SLA with the vendor.


Then launch the projects and monitor installation, testing and deployment to make certain the vendor performs to expectations.






5. Monitor and Measure Results.




The deployed automated solutions produce continuous visibility into governance and compliance. Reviews at regular intervals surface new problems and assure ongoing integrity of good governance.  Remediate audit deficiencies and respond to audit findings. Perform a Capability Analysis to identify steps to take to proceed to the next level of your chosen Maturity Model.


Compliance issues are in a continuous state of flux.  Legislation is pending to tweak each of the major laws.  Agencies introduce revisions to rules and regulations daily.  Lawsuits change the interpretation of how regulations are applied.



Each year auditors write new plans to refine the audit.  In the process, they alter the application and interpretation of standards and principles. 


It is important that businesses stay attuned and alert to new or amended requirements and how the changes impact their operations.  It is incumbent upon businesses to periodically review their processes and controls to make certain they stay compliant.




Monitor the regulatory, audit and litigation landscapes to keep abreast of changes in rules and requirements.  Perform regular IT Governance Reviews of the total environment or of particular pieces that have been the subject of recent attention.


Perform reviews every quarter and in advance of the financial or IT audit to prepare the business for the formal evaluation.  That way, the business can take action to avoid deficiencies or at least be prepared for audit findings.  When auditors leave, craft responses to audit findings and remediate deficiencies.


A Capability Analysis is a review that enables a business to progress along the maturity model continuum.  The Capability Analysis consists of a review of the business’ current status, from the initial stage through more formalized processes up to the continuous improvement stage.

Perform a Capability Analysis at least annually to determine which steps you will take to move up the scale toward continuous improvement.  Plan these steps and incorporate them in your annual goals and objectives, annual plan and budget.













ITGS is a trademark of IT Governance Services, all other trademarks are property of their respective trademark holders

all material ©2002-2014 IT Governance Services, a SMS, Inc. company | Redmond, WA