The 5 Steps to Good IT Governance
1. Clarify Your Needs.
Clarify where you are and where you want to be. The first step in establishing good governance is to figure out exactly where you are today and to define where you want to be. The usual way to do this is to perform a Governance Review that identifies gaps in processes and controls.

To get started, identify the exact regulations and rules your business is subject to. Look to your own industry and to that of your customers and vendors. For example, banking and financial institutions are subject to Gramm-Leach-Bliley, Basel II and the Patriot Act, among others, as well as to state and federal banking and finance regulators. Health care providers, facilities, and their vendors and service providers are subject to HIPAA. Other industries may have to adhere to EPA, FDA, FCC and other federal, state and local rules. Some requirements transcend industry: labor laws, EEOC rules, and state and federal privacy laws are examples that nearly all companies must adhere to.
Beyond governmental bodies, there are self-regulatory bodies such as the Payment Card Industry, whose Security Standards Council maintains the PCI Data Security Standard (PCI DSS) and whose card brands enforce it on merchants and service providers through the acquiring banks. The PCI DSS is intended to protect cardholder data.

Financial auditors also play a significant role in enforcing regulations. In doing so, they follow guidelines from the agencies that oversee and certify them, and their interpretations of those guidelines tend to become de facto rules for the companies they audit.

The Governance Review matches the business to its regulations and compares current policies and practices to the mandates. This is done by mapping business processes to the applicable standards. The resulting gap analysis serves as the basis for a roadmap for the business to meet or exceed its compliance requirements. Untangling conflicting regulations and knowing which ones actually apply goes a long way toward understanding how to apply the confusing array of controls and requirements to your particular situation.
2. Understand Your Choices.
Once the gap analysis is complete, define the solutions that fill the gaps. Learn which solutions apply and how they differ with respect to your particular needs. One way to do this is to list the gaps and research the thousands of products and services available in the market, then slog through millions of web pages, read everything you can on the subject and wait for call-backs from sales reps. Remember to examine your choices for automating cumbersome manual processes: automation is key to developing a buttoned-down, ironclad governance initiative.
Automating IT Governance avoids many audit deficiencies: once an automated control has been evaluated, auditors can rely on that evaluation and need only test subsequent changes to the system, provided the change-management controls over the tool are themselves effective. Automation also promotes consistency of application, reduces human error and removes individual interpretation of business rules, which makes a compliant environment much easier to sustain. Map each business process to the solutions available; this mapping forms the basis of a Roadmap to Compliance.
3. Make Decisions.
The Roadmap is the base planning document: it lays out everything you need to do on one surface and lets you determine the order in which to do it.

Once you have identified the solutions that fill the gaps, examine each one to decide the order in which they should be adopted. Consider how critical each requirement is to your business, along with the time needed to implement it, the availability of budget and resources (both people and infrastructure), staffing patterns, timing (is the work coming up to the holidays, when staff are out?) and other factors important to your organization.

Perform a risk/benefit analysis for each item and determine whether the remaining risk falls within the business's risk tolerance. Document the justifications and obtain sign-off from executive staff.

Plot the remedies along a horizontal time line. The time line becomes the visual representation of the roadmap and gives you a picture of where you are on the path to compliance.
4. Take Action.
Once the priorities are set, execute the roadmap. Strengthen the policies, procedures, processes and controls. Compare existing written policies against the standards and requirements to make certain they are accurate and complete. Standards change over time and your policies need to keep pace; using the standard as a guideline or template, adopt policies that are missing altogether. Automate cumbersome manual processes, streamline business processes, and implement the software and hardware that make up the plan.

Define service level requirements. If your procurement rules require more than one vendor to choose from, compile a short list of candidate suppliers. If you have an RFP requirement, follow the RFP procedure and select the products and vendors that best meet your requirements. Negotiate pricing and work out an SLA with the vendor. Then launch the projects and monitor installation, testing and deployment to make certain the vendor performs to expectations.
5. Monitor and Measure Results.
The deployed automated solutions provide continuous visibility into governance and compliance. Reviews at regular intervals surface new problems and assure the ongoing integrity of good governance. Remediate audit deficiencies and respond to audit findings. Perform a Capability Analysis to identify the steps needed to reach the next level of your chosen maturity model.

Compliance requirements are in a continual state of flux. Legislation to amend each of the major laws is regularly pending, agencies introduce revisions to rules and regulations constantly, and lawsuits change the interpretation of how regulations are applied. Each year auditors write new plans to refine the audit, and in the process they alter how standards and principles are applied and interpreted.

It is important that businesses stay attuned and alert to new or amended requirements and how the changes affect their operations. It is incumbent upon businesses to review their processes and controls periodically to make certain they stay compliant.
Monitor the regulatory, audit and litigation landscapes to keep abreast of changes in rules and requirements. Perform regular IT Governance Reviews of the whole environment, or of particular pieces that have been the subject of recent attention. Perform reviews every quarter and in advance of the financial or IT audit to prepare the business for the formal evaluation; that way the business can act to avoid deficiencies, or at least be prepared for the findings. When the auditors leave, craft responses to the audit findings and remediate the deficiencies.

A Capability Analysis is a review that lets a business progress along the maturity model continuum. It assesses the business's current status, from the initial stage, through more formalized processes, up to the continuous improvement stage. Perform a Capability Analysis at least annually to determine which steps you will take to move up the scale toward continuous improvement. Plan those steps and incorporate them into your annual goals and objectives, annual plan and budget.