When we talk about IT governance, we’re basically talking about three things: Data Management, Asset Management and People Management. Data are the building blocks from which information can be derived. Because of this, it’s important to have a framework that determines who has access to what data. It is of supreme importance to a company that it should be able to control the flow of information: to determine where it comes from, where it goes, and who it goes to. According to Weill and Ross, IT governance is “Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”
It’s important to note that “desirable behavior” is mentioned here. Data management concerns itself with “encouraging desirable behavior”; in the case of data management, this means “desirable behavior of data”. What happens when data leaves a server? How do we track and monitor the flow of the data, where it goes, and where it stops? These questions need to be answered, and answering them is what makes for proper data management. The people and processes that are put into place to analyze the flow of data, and to alert the correct people should anything seem out of the ordinary, are what make data management invaluable to the average business.
Good data management also means proper measures to secure the data as it is stored, and as it flows. Encryption algorithms should be reviewed periodically, and updated if necessary. New, more efficient or cost-effective ways to store data should also be considered. New technology, while being more efficient and convenient, also exposes a company to new challenges that need to be met. The transition from a wired to a wireless network, for instance, will greatly increase efficiency and convenience, but will also expose the data to anyone capable of intercepting the transmission.
When we talk about data management, we should also talk about asset management. IT asset management concerns itself with the hardware and software assets of a company. It ensures that software is up to date and properly configured, and that all licenses are verified. It also deals with the procurement, installation and upgrading of said software. As far as hardware is concerned, the phasing out, upgrading and proper disposal of hardware assets come under its purview.
As far as proper asset management is concerned, there should be processes for tracking, changing and properly disposing of hardware and software assets. Old and obsolete hardware should be cleaned of all business information before being disposed of. A tracking process (who deals with the disposal? how do we ensure that the data is scrubbed clean before the hardware is disposed of?) should also be put into place and monitored regularly. Data on some magnetic storage media (such as hard disk drives) can be recovered even if all the files have been “deleted”.
Because of this, simply deleting the files before disposal leaves potentially sensitive company information vulnerable to anyone (or any company) skilled enough to recover the data. And that’s not the only possible vulnerability. Anyone with a small USB flash drive (“thumb drive”) could easily copy out the data before deleting it, and the flash drive is small enough to be hidden in a pocket. All this makes the case for a proper IT asset management policy where control.
Monitoring and feedback systems are implemented to ensure the proper functioning of a company’s data management policies. When people talk about data management or security, very often they only talk about the security of the data. Rarely do they consider the fact that the data is only as secure as the weakest link, and the weakest link could be the person handling the data. While it’s a good idea (security-wise) to require a person to change his (or her) password periodically, it also increases the risk that said person might be so worried about not remembering the latest password (since it changes so often) that he (or she) writes it down somewhere. The same goes for “strong” passwords: these passwords may be more secure, but they are also harder to remember, which increases the risk that the user will write them down somewhere. For environments that are highly secure, other authentication methods might be considered, such as retina, palm or thumb scanners.
Even if the passwords are properly managed, the recipient of the data might store it on a flash drive or portable hard disk drive, and then leave the drive on a table or misplace it. He might give it away to a caller pretending to be, for instance, the CEO of the company. He might simply steal it and sell it to a rival company. All these risks need to be mitigated.
As can be seen from the above-mentioned examples, it’s not enough to manage just the data, hardware and software; one must also manage the people that handle the data, hardware and software. Another aspect of people management is the management of change. When hardware, systems and software change, management must be capable of handling employee resistance to change. This can be overcome by implementing a proper training program, with key performance initiatives and a strong management presence and support.
IT governance is all about the proper management of risk, and the proper oversight, control and management of data, IT assets and the people that receive or handle them.