CXO Bytes

Reports, Compliance, and Security: The Three Pillars of Effective IT Governance

By Kevin Elias Thomas

IT governance is the process of ensuring that IT supports the strategic objectives and goals of the organisation, while managing the risks and costs associated with IT. IT governance is an essential component of corporate governance, as IT plays a vital role in the performance, innovation, and competitiveness of modern businesses. However, IT governance also involves many challenges and complexities, such as aligning IT with business strategy, complying with various laws and regulations, and protecting IT assets from cyber threats. Therefore, it is important to have a robust IT governance framework that is based on three pillars: reports, compliance, and security.

Reports: Measuring and Communicating IT Value

Reports are the means by which IT governance demonstrates the value and performance of IT to the organisation and its stakeholders. Reports provide information on the alignment, effectiveness, efficiency, and maturity of IT processes, projects, services, and resources. Reports also enable IT governance to monitor and evaluate the achievement of IT goals and objectives, identify gaps and issues, and implement corrective actions and improvements.

Reports can be classified into two types: internal and external. Internal reports are intended for the internal use of the organisation, such as management, board, audit committee, or IT staff. Internal reports can include:

  • IT strategy and roadmap
  • IT budget and expenditure
  • IT portfolio and project status
  • IT service level agreements (SLAs) and key performance indicators (KPIs)
  • IT risk assessment and mitigation plan
  • IT audit findings and recommendations
  • IT maturity assessment and benchmarking

External reports are intended for the external use of the organisation, such as customers, suppliers, regulators, investors, or auditors. External reports can include:

  • Annual report and financial statements
  • Corporate social responsibility report
  • Customer satisfaction survey
  • Supplier evaluation report
  • Regulatory compliance report
  • Audit report and opinion

Compliance: Meeting Legal and Regulatory Obligations

Compliance is the process of ensuring that IT conforms to the laws, regulations, standards, policies, and contracts that apply to the organisation and its activities. Compliance is a critical aspect of IT governance, as non-compliance can result in legal sanctions, financial penalties, reputational damage, or loss of trust.

Compliance can be classified into two types: internal and external. Internal compliance refers to the adherence to the internal rules and requirements of the organisation, such as policies, procedures, guidelines, or codes of conduct. Internal compliance can be achieved by:

  • Establishing a clear governance structure and roles
  • Defining a compliance policy and framework
  • Implementing a compliance management system (CMS)
  • Conducting regular compliance audits and reviews
  • Providing compliance training and awareness

External compliance refers to the adherence to laws, regulations, standards, and contracts imposed by parties outside the organisation, such as regulators, customers, or industry bodies. Some of the common external compliance areas for IT are:

  • Data protection and privacy, such as GDPR, CCPA, or HIPAA
  • Cybersecurity and information security, such as NIST, ISO/IEC 27001, or PCI DSS
  • Intellectual property and digital rights, such as DMCA, WIPO, or Creative Commons
  • Quality and service management, such as ISO 9001, ISO/IEC 20000, or CMMI
  • Environmental and social responsibility, such as ISO 14001, ISO 26000, or GRI

Security: Protecting IT Assets from Cyber Threats

Security is the process of ensuring that IT assets are safeguarded from unauthorised access, use, modification, disclosure, or destruction. Security is a crucial aspect of IT governance, as cyber threats can compromise the confidentiality, integrity, availability, and accountability of IT assets. Cyber threats can also cause financial losses, operational disruptions, legal liabilities, or reputational harm.

Security can be classified into two types: preventive and reactive. Preventive security refers to the measures that are taken to prevent or deter cyber attacks from occurring, such as:

  • Implementing a security policy and framework
  • Applying security standards and best practices
  • Installing security software and hardware
  • Encrypting data and communications
  • Educating and training users and staff

Reactive security refers to the measures that are taken to respond to or recover from cyber attacks that have occurred, such as:

  • Detecting and analysing security incidents
  • Containing and eradicating security threats
  • Restoring and recovering IT assets
  • Reporting and communicating security breaches
  • Learning and improving security processes

Conclusion

IT governance is a key factor for the success and sustainability of any organisation that relies on IT. IT governance should be based on three pillars: reports, compliance, and security. Reports enable IT governance to measure and communicate IT value to the organisation and its stakeholders. Compliance enables IT governance to meet the legal and regulatory obligations that apply to IT. Security enables IT governance to protect IT assets from the cyber threats that can jeopardise them. By implementing these three pillars, IT governance can ensure that IT supports the strategic objectives and goals of the organisation, while managing the risks and costs associated with IT.


(The author is Kevin Elias Thomas, Chief Information Security Officer, Ezeelogin, and the views expressed in this article are his own)
