Explain the role of information technology governance institute (itgi) on infosec governance.
IT Governance (ITG)

IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG—what IT should work on) is the process by which organizations ensure the effective evaluation, selection, prioritization, and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and it is a business management responsibility. IT supply-side governance (ITSG—how IT should do what it does) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it is primarily a CIO responsibility.

The COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.

Author: Steven De Haes, Ph.D., Anant Joshi, Ph.D., Tim Huygh and Salvi Jansen

IT governance, also referred to as governance of enterprise IT (GEIT) or corporate governance of IT, is a subset of corporate governance that is concerned with enterprise IT assets. In an analogy to corporate governance, IT governance is concerned with the oversight of IT assets, their contribution to business value and the mitigation of IT-related risk.1 A commonly referenced definition states:
Prior studies identify five domains that warrant oversight of the board of directors (BoD) and executive management in governing IT assets:3, 4, 5, 6
Emerging research calls for more board-level engagement in IT governance and identifies serious consequences for enterprises if the board is not involved. For example, high levels of board engagement in IT governance, regardless of existing IT needs, increase enterprise performance.7 From the board perspective, there is also a growing need to comply with an increasing amount of regulatory and legal requirements (e.g., privacy), many of which also impact IT. These regulatory requirements redefine the responsibilities of the BoD for IT governance.8 Despite the agreement between researchers and practitioners on the need for board-level involvement in IT governance, it appears that this is more the exception than the rule in practice.9, 10, 11 This article builds on the assumption that the behavior of the board toward IT governance and digital leadership can be influenced by external factors, such as corporate governance codes,12 and describes the study that answers the questions:
Research Design

The research began with a literature review to underpin the study and to define the main concepts that were used in the research project. Next, a sample of international corporate governance codes was analyzed. The selection of national corporate governance codes was based on two dimensions—geography (i.e., continent) and economy (i.e., income groups). Using an index of all of the corporate governance codes around the world,13 a national corporate governance code was selected to populate as many cells as possible (figure 1). When a country had multiple corporate governance codes, the most recent code for listed companies was selected. An additional requirement was that the corporate governance code should be available in English. The final sample of national corporate governance codes (N=15) is presented in figure 1.

To analyze each corporate governance code for IT-governance-related content, an IT governance transparency framework was used.14 This IT governance disclosure framework contains 39 disclosure items that are distributed over the following domains (focus areas): IT strategic alignment, IT value delivery, IT risk management and IT performance measurement (figure 2). Because the IT resource management domain overlays all other focus areas,15 the framework incorporates IT resource items across all of the four remaining IT governance focus areas.16 Using the IT governance transparency framework as a coding frame, a binary classification approach was used to analyze the national corporate governance codes, i.e., an item is scored 1 if the item is present as a guideline or practice in the corporate governance code and scored 0 otherwise.

Corporate Governance Codes Make Little Reference to IT Governance or Digital Leadership

Figure 2 presents the item-level analysis of the 15 corporate governance codes for IT-governance-related content.
A first general observation is that, aside from the South African code, the corporate governance codes score very low overall for including IT-governance-related practices or guidelines. A reasonable explanation is that many national corporate governance codes are based on the Organization for Economic Cooperation and Development (OECD) principles of corporate governance.17 Eight of the 15 national corporate governance codes explicitly state that they are based on the OECD principles. The remaining seven corporate governance codes show a lot of similarities with the OECD principles, but do not explicitly refer to OECD. Because the G20/OECD principles do not include specific directives regarding IT governance or IT-governance disclosure (aside from using the company website as a disclosure channel for material company information), it is not an unreasonable assumption that this might lead to a low attention to IT-governance-related matters in the national corporate governance codes that use these principles as a blueprint.

An interesting observation at the item level is that the "use of IT for regulation and compliance" item in the IT risk management domain is found in 11 of the 15 selected corporate governance codes. Again, a reasonable explanation can be found in the G20/OECD principles on corporate governance. As part of disclosure and transparency, it states that the organization website provides an excellent means to disclose material company information.18 This is, indeed, a way of using IT for regulation and compliance. Finally, the "IT is part of audit committee" item, belonging to the IT strategic alignment domain, is also found in the Macedonia corporate governance code. These are the only two disclosure items that were found in corporate governance codes other than South Africa. Indeed, the South Africa corporate governance code, King III,19 contains a significant amount of IT-governance-related guidance.
King III came into effect for South African entities beginning 1 March 2010 and is applicable to all entities (regardless of their size and whether or not they are listed). King III contains an IT-governance chapter consisting of seven IT-governance principles and some additional and more detailed recommended practices for each of these principles (figure 3).20

Conclusions and Implications

In this research project, a selection of national corporate governance codes was analyzed for IT-governance-related content. The findings showed that only the contemporary South African corporate governance code, King III, contains a significant amount of IT-governance-related guidance. As IT becomes more pervasive in firms all over the world, it makes sense for boards to take on accountability for IT-related matters. This view is shared by researchers and practitioners alike. In transitioning from COBIT 4.1 to COBIT 5, ISACA clearly emphasized the need for board involvement in enterprise governance and management of IT. It did so by explicitly including board-level accountabilities and responsibilities in the EDM domain, thereby further emphasizing the separation between the governance and management of IT. Because boards around the world are directly influenced by corporate governance codes, it makes sense for the committees that are drafting national corporate governance codes to include guidance for board members, to enable them for their accountabilities and responsibilities in the realm of IT governance.

Acknowledgment

This research is part of a co-created research project by KPMG Belgium, CEGEKA Belgium, Samsung Belgium, the Antwerp Management School and the University of Antwerp (Belgium). The leadership role of the industry partners in supporting this research is focused on better understanding the crucial accountability of the BoD in governing digital assets and providing solutions and tools for these board members to assume their accountability.

Endnotes

1 Weill, P.; J. Ross; IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, USA, 2004, www.abebooks.com/book-search/isbn/1591392535/

What are the 5 types of IT governance?
The IT Governance Institute (a division of ISACA) breaks down IT governance into five domains:
- Value delivery
- Strategic alignment
- Performance management
- Resource management
- Risk management

What is governance in information technology?
IT governance (ITG) is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.

What are the four (4) focus areas of IT governance?
IT governance should focus on four key areas:
- strategic alignment with business;
- value delivery;
- risk management; and
- resource management.

What is the role of IT governance?
IT governance frameworks enable organisations to manage their IT risks effectively and ensure that the activities associated with information and technology are aligned with their overall business objectives.