On the surface of it, it seems like IT Governance is a lot of trouble for no tangible return. Yet, if we really take the time to think about it, a business runs on information. The decision-makers in the company rely on the data collected, and the information generated by the information systems to make their decisions. An information system that delivers timely and accurate information is an invaluable asset to any company.
And yet, how many companies really have a proper IT policy? Many companies think an information system is a sort of “fire and forget” system — that it can be installed and then left alone to work. Like all systems, however, it will suffer from decay over time. Software becomes obsolete, hardware ages and suffers from wear and tear, and even processes become old and inefficient as new (and more efficient) ways of doing things are discovered. Proper processes need to be in place to ensure that obsolete software is properly disposed of, and hardware stripped and securely disposed.
Staff also need to be trained and re-trained in the latest processes to ensure that the business retains its competitive edge in the industry. There are few things more dangerous to the health of a company than an improperly managed information systems network. An improperly managed information systems network could leave any and all data vulnerable. If your data is vulnerable, so is your company.
The case of Heartland Payment Systems is an interesting one to study. Heartland Payment Systems is one of the largest credit card processors in the world. The credibility of the company, and the security of millions of credit card numbers in its database, was called into question when a keylogger was found in its internal network.
T. J. Maxx, a fashion and apparel retailer, was compromised for more than a year. From the middle of 2005 to December 2006, millions of debit and credit card numbers, as well as other personal information such as driver’s license numbers, were stolen from two of its stores. This breach cost the company one hundred and eighteen million dollars ($118 million). A properly monitored (and secured) transaction process would likely have cost them a lot less.
HealthNet, a medical insurer, lost a hard drive containing the medical records of 1.5 million patients.
The University of California, Berkeley left the personal information of 160,000 students and alumni vulnerable when their information systems network was broken into.
Even governments are not spared. The British NHS’ Medical Training Application Service website was wide open for eight hours, allowing anyone on the net to access the personal information of anyone in the database.
All this could have been avoided with a properly implemented IT governance policy.
How Can IT Governance Be Implemented?
There are several sets of best practices (frameworks) that can be used as a guide for implementing a sound IT governance policy.
The most popular ones, as reported by PricewaterhouseCoopers in their report “IT Governance in Practice: Insight from leading CIOs”, are COBIT and ITIL.
The same report lists CMMI, PRINCE2, COSO and ISO 17799 as less widely used frameworks. These frameworks provide a set of key performance indicators and initiatives and act as a guide for implementing a sound IT governance policy.