IT governance

IT governance can be thought of as the level above IT management.

Governance is concerned with providing control and oversight to IT systems, which involves aligning IT management and operations with business needs and requirements, and ensuring that compliance with internal and external policies and regulations is met. Governance is also responsible for providing the IT vision for the IT unit and the rest of the organisation. Because of this, governance is traditionally a board-level responsibility, though increasingly parts of this responsibility are now delegated down to lower levels.

That is not to say that IT governance is separate from IT management, they are in fact complementary – the management provides the ‘how’ to do things, and the governance provides the ‘what’ to do.

Why IT governance?

The recognition of the need for corporate governance in organisations has been around for several centuries. However, it is only at the end of the last century that people began to put it on a more formal footing. The early 1990s saw the dismissal of several CEOs by their boards in the US, while in the UK Robert Maxwell used £400 million from his employees’ pension fund to prop up the failing Mirror Group. These and other examples of corporate irregularities and fraud forced governments to place corporate governance on a more formal and structured footing. In the UK, this was achieved by the Companies (Audit, Investigations and Community Enterprise) Act 2004, and in the US by the Sarbanes-Oxley Act of 2002.

With the increasing influence of IT on the functions of an organisation and the need for appropriate financial controls becoming more apparent, it was realised that IT governance was necessary to achieve appropriate corporate governance. This, in turn, prompted the creation of IT governance standards such as COBIT or AS 8015-2005 (which became the ISO/IEC 38500 standard) which we still use today.

ISO 38500 Standard

The ISO 38500 standard is one of the simpler IT governance standards that try to give a high-level overview of key IT governance ideas. Developed from the Australian AS 8015-2005 standard, it was first published in January 2008 having been fast-tracked through the ISO standards processes as it was realised to be a key standard. In 2015 it was revised to the current version, with the key change being a shift in focus from ‘corporate governance of IT’ focusing at the top of the organisation ‘to governance of IT for the organisation’, which focuses on applying IT governance across the organisation with units of the organisation taking ownership of their own governance.

The standard is designed to be applicable across all organisations that use IT in any manner and is designed to help ensure that IT systems in the organisation are effective, efficient, and used in an appropriate manner. It does this by

  • Providing stakeholders* with confidence in the IT governance of the organisation (provided the standard is being followed)
    * The ISO 38500:2015 standard defines a stakeholder as ‘any individual, group, or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity’
  • Informing and guiding governing bodies in organisational IT use
  • Establishing an IT governance vocabulary

To achieve this, the standard focuses on a model and six principles to help guide the governance process, with the model being applied to each of the six principles to generate practices that are appropriate to the organisation. The model used is the Evaluate-Direct-Monitor model often used in governance. In it, governing bodies:

  • Evaluate the current state of IT in the organisation to judge if it is fit for the current and future needs of the organisation. This will involve internal drivers (such as business needs and stakeholder requirements) and external drivers (such as regulatory requirements, technological changes, changes in the market, etc). This is an ongoing process and needs to be applied to both specific development plans as well as the more general organisational objectives.
  • Direct organisational IT usage by the creation of strategies (which set the tone and direction for IT objectives and investment) and policies (which establish the norms for IT behaviour). These strategies and policies can be created by the board or, more commonly, the board will assign responsibilities for their creation to a particular person or organisational unit.
  • Monitor the performance of the IT, both with respect to system performance and with respect to strategies, policies and external regulations.

Model of governance of IT from ISO 38500:2015 illustrating the *Evaluate-Direct-Monitor* processes described above.

Each of the above three parts of the model need to be applied to the six principles stated in the standard. The principles are designed to say the ‘what’ of the IT governance in the organisation, but not the ‘how’, which will be dependent on the structure of the organisation. These principles are:

Responsibility

People and groups, both those using and those providing IT resources, should understand and accept their responsibilities for the provision and use of the IT systems. People and groups who have to undertake management or governance tasks should have the authority to carry out those tasks.

Strategy

The organisational business strategy takes account of the current and future needs and capabilities of the IT system and the plans for the IT system are capable of meeting the current and future needs of the organisation.

Acquisition

Any and all IT acquisitions are made in a clear and transparent manner. Each acquisition is scrutinised in terms of benefits, opportunities, costs, and risks and the reasoning explained and justified.

Performance

IT services, IT service levels and IT service quality are fit for current and future business requirements.

Conformance

Policies and practices are clearly defined, implemented and enforced. IT usage needs to comply with all mandatory legislation and regulation.

Human behaviour

IT systems need to take account of and respect the users of the system. Anybody who interacts with the system in any way should be able to use the parts of the system that they need to in as easy a manner as possible. This will include such things as accessibility for people with a disability, AUPs, physical workstation setup, etc.

For each of the above principles, the standard gives guidance and best practice practices on how the principle can be evaluated, directed and monitored.

In practice, the ISO 38500 is an excellent starting point and introduction to the key issues in IT governance. However, the whole standard is only 12 pages long, and as such does not provide as much detail or guidance as many of the other IT governance standards.

COBIT

COBIT (Control Objectives for Information and Related Technologies) is perhaps one of the best known IT governance frameworks. Developed by ISACA in 1996 as a set of controls to help the financial audit community handle IT systems, it was subsequently expanded to become a full-blown IT governance framework.

The current version of COBIT is COBIT 2019, which was released in November and December 2018. The differences between the two versions are small (considering the breadth of COBIT) and focus on updating the standard to better integrate with other related standards, integrating performance management into the main model, and facilitating more openness through the use of new COBIT focus areas.

COBIT 2019 was designed around two different sets of principles – six principles that describe the core requirements for a governance system for enterprise IT and three principles for a governance framework that can be used to help build an organisation’s governance system. The six principles for a governance system given in the COBIT framework are:

  • Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realise this value.
  • A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.
  • A governance system should be dynamic. This means that each time one or more of the design factors are changed (eg a change in strategy or technology), the impact of these changes on the Enterprise Governance of Information and Technology (EGIT) system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
  • A governance system should clearly distinguish between governance and management activities and structures.
  • A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customise and prioritise the governance system components.
  • A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless where the processing is located in the enterprise.

The three principles for a governance framework given in the COBIT framework are:

  • A governance framework should be based on a conceptual model, identifying the key components and relationships among components, to maximise consistency and allow automation.
  • A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way while maintaining integrity and consistency.
  • A governance framework should align to relevant major related standards, frameworks and regulations.

Together, these two sets of principles are used to derive a set of 40 key governance and management objectives which are described in the COBIT standard. These objectives each relate to one process which is also described in the standard and are split into five groups – one governance group and four management groups.

The objectives in the governance group focus on the area of evaluate, direct and monitor as used in the ISO 38500 standard. The management objectives are grouped into:

  • Align, plan and organize (APO) – these objectives focus on the overall organisation and strategy, as well as supporting activities for IT.
  • Build, acquire and implement (BAI) – these objectives look at the delivery of new IT services and solutions through either through creation or acquisition. A key part of this group is the need for clear definitions and integration into business processes.
  • Delivery, service and support (DSS) – objectives in this group look at the operational side of IT and are particularly relevant to us as this is where security is primarily considered.
  • Monitor, evaluate and assess (MEA) – objectives in this group are concerned with performance monitoring and ensuring that systems conform to internal and external requirements. Again this area is particularly relevant to us, as it is here where a SOC will undertake most of its activities.

COBIT 2019 Framework listing the objectives contained in the groups above: Evaluate, Direct, and Monitor governance: EDM01 - Ensured Governance Framework Setting and Maintenance, EDM02 - Ensured Benefit Delivery, EDM03 - Ensured Risk Optimisation, EDM04 - Ensured Resource Optimisation, EDM 05 - Ensured Stakeholder Engagement; Align, Plan, and Organize objectives: APO01 - Managed I and T Management Framework, APO02 - Managed Strategy, APO03 - Managed Enterprise Architecture, APO04 - Managed Innovation, APO05 - Manage Portfolio, APO06 - Managed Building Budget and Cost, APO07 - Managed Human Resources, APO08 - Managed Relationships, APO09 - Managed Service Agreements, APO10 - Managed Vendors, APO11 - Managed Quality, APO12 - Managed Risk, APO13 - Managed Security, APO14 - Managed Data; Build, Acquire, and Implement objectives: BAI01 - Managed Programs, BAI02 - Managed Requirements Definition, BAI03 - Managed Solutions Identification and Build, BAI04 - Managed Availability and Capcity, BAI05 - Managed Organisational Change, BAI06 - Managed IT Changes, BAI07 - Managed IT Change Acceptance and Transitioning, BAI08 - Managed Knowledge, BAI09 - Managed Assets, BAI10 - Managed Configuration, BAI11 - Managed Projects; Delivery, Service, and Support objectives: DSS01 - Managed Operations, DSS02 - Managed
Service Requests and Incidents, DSS03 - Managed Problems, DSS04 - Managed Continuity, DSS05 - Managed Security Services DSS06 - Managed Business Process Control; Monitor, Evaluate, and Assess objectives: MEA01 - Managed Performance Conformance Monitoring, MEA02 - Managed System of Internal Control, MEA03 - Managed Compliance with External Requirements, MEA04 - Managed Assurance

Adapted from Figure 4.2 in COBIT 2019 Framework, 2019 © ISACA. All rights reserved. Used with permission.

These objectives are achieved by the creation of an IT governance system that is appropriate to the organisation where it is used. This governance system is built using a number of key components which must be considered both collectively and individually to ensure that a holistic governance system is produced. In COBIT, the key components used to build an IT governance system are:

  • Processes – an organised set of descriptions of practices and activities that achieve specified objectives
  • Organisational structure – key decision-making entities in an organisation
  • Principles, policies and frameworks – the mechanisms for translating desired behaviour into guidance for operational activities
  • Information – any information needed for the effective and efficient functioning of the governance system
  • Culture, ethics and behaviour – both of individuals and the organisation as a whole need to be considered when deciding how best to design and implement an IT governance system
  • People, skills and competencies – these are needed to make sure that good decisions are being made, activities are completed successfully, and when things do go wrong, appropriate corrective action is taken promptly
  • Services, infrastructure and applications – the IT side of things

Of course, how you put together the key components described above is influenced by many different factors and it is here where the final three parts of the COBIT methodology come in, those of Focus areas, Design factors and Goals cascade.

Focus areas describe how components and objectives come together to address a given IT governance topic (eg cyber security, cloud, autonomics, etc). Focus areas are not initially defined or designed in the COBIT standard as they are too many to define as part of the standard. The aim is that as the standard is used, experts and practitioners will develop these focus areas into groupings that can be used by other organisations.

Design factors are an acknowledgement that many factors can influence how an IT governance system is designed and implemented. COBIT identifies 11 key influences (enterprise strategy, enterprise goals, risk profile, I&T-related issues, threat landscape, compliance requirements, role of IT, sourcing model for IT, IT implementation methods, technology adoption strategy, and enterprise size) which will have a greater or lesser degree of influence on the organisation. COBIT provides a useful categorisation for each of these influences which can be used to help design the IT governance system.

The final part of the COBIT standard methodology is the notion of a cascade of goals. This shows how stakeholder drivers and needs can be transformed into enterprise goals which are further transformed into alignment goals (that is, goals which align with business objectives), and finally into governance and management objectives.

In contrast to the ISO 38500 standard, COBIT is much more complex and comprehensive (and also free for the key parts) which means that in practice COBIT is normally applied in medium to large organisations where the resources to implement a proper IT governance system are more readily available.

IT governance and the SOC

It should go without saying that the SOC will play a key role in the IT governance of the organisation. This will primarily be in the area of cyber security, but will not be restricted to this. The SOC should be key in helping design any security, privacy and related areas of the IT governance framework. However, the SOC is itself subject to the organisation’s IT governance system. This is particularly important to ensure when you consider both the skill set and the tool set of the SOC.

Further reading

ISACA (2018) COBIT 2019 Framework: Introduction and Methodology. [online] available from http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Introduction-and-Methodology.aspx [31 July 2019]


References

BSI (2018) BS ISO/IEC 38500:2015 Information Technology. Governance of IT for the Organization. [online] available from https://bsol.bsigroup.com/Bibliographic/BibliographicInfoData/000000000030372032 [30 July 2019]

Companies (Audit, Investigations and Community Enterprise) Act (2004) [online] London: The Stationery Office. available from https://www.legislation.gov.uk/ukpga/2004/27/contents [31 July 2019]

ISACA (2018) COBIT 2019 Framework: Governance and Management Objectives. [online] available from http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Governance-and-Management-Objectives.aspx [31 July 2019]

Sarbanes-Oxley Act of 2002 15 § 7201. available from https://www.congress.gov/107/plaws/publ204/PLAW-107publ204.pdf [31 July 2019]

Share this article:

This article is from the free online course:

Security Operations

Coventry University