BCS MEMBERSHIP

navigation-membership-member.png

Join the global and diverse home for digital, technical and IT professionals.

CHARTERED IT PROFESSIONAL

navigation-membership-citp.png

CITP is the independent standard of competence and professionalism in the technology industry.

STARTING YOUR IT CAREER

Young Careers

Kick-start a career in IT, whether you're starting out or looking for a career change.

SOFTWARE TESTING CERTIFICATION

navigation-qualifications-swt.png

Over 100,000 professionals worldwide are certified with BCS.

ESSENTIAL DIGITAL SKILLS

navigation-qualifications-skills.png

Improve your digital skills so you can get on in today's workplace.

EVENTS CALENDAR

navigation-events-calendar.png

View all of our upcoming events.

ARTICLES, OPINION AND RESEARCH

navigation-articles-people.png

The latest insights, ideas and perspectives.

IN FOCUS

BCS MEMBERSHIP

CHARTERED IT PROFESSIONAL

STARTING YOUR IT CAREER

SOFTWARE TESTING CERTIFICATION

ESSENTIAL DIGITAL SKILLS

EVENTS CALENDAR

ARTICLES, OPINION AND RESEARCH

IN FOCUS

Governance is key

The key to the problem of data leakage can be laid squarely at the door of poor information security governance. As information security governance is a sub-set of IT governance, then the starting and finishing position rests with the CIO, says John Mitchell.

I am constantly amazed at CIOs who have no clear governance programme in place to ensure that their function can not only support current business objectives, but also help to extend the enterprise into the future. After all, IT departments only do two things: facilitate the development of new business solutions and deliver existing solutions to its clients.

In order to do these it must have a suitable organisational structure, excellent staff who are managed by appropriate policies, standards and procedures and a relevant way of measuring performance. So IT governance is all about putting a framework in place which enables the management of IT to meet business objectives with suitable success metrics.

Rather than reinvent the wheel each time it makes sense to pick up best practice from throughout the world and this is where the International Standards Organisation (ISO) comes in. As IT only do two things and as the way they deliver these things is pretty much the same regardless of language, culture, or technological maturity it seems an ideal candidate for a number of ISO standards.

There are now national and international standards for IT governance, software development, service delivery, information security and business continuity. Indeed the whole of IT is now covered by just five standards. The standards themselves have a standard format: part 1 is the code of practice and part 2 provides guidance on the implementation of part 1.

All the standards require some sort of policy statement and as a policy is simply a statement of intent these should be concise and to the point. For example, there are only two possible security policies and as they are mutually exclusive your company can only adopt one of them.

The first states that everything is open to everyone unless specifically restricted, while the second states that everything is locked down unless specifically derestricted. The implementation of either of these policies then requires the adoption of appropriate standards and procedures requiring the identification of assets which are either to be restricted, or opened up and the allocation of appropriate privileges to the people.

Apart from the official standards there are a host of good practice out there which have been identified by ISACA and the IT Governance Institute (ITGI).

These two organisations use a common umbrella open standard titled Control Objectives for IT (CobiT) which sits above the international and national standards and provides examples of good practice and measurement frameworks to enable organisations to implement good IT governance in an economical way. 

As an assurance professional (auditor) I tend to use a fairly simple process to gauge the governance maturity of any IT function. This is based around the maturity model concept which was initially developed by the Software engineering Institute of Carnegie Mellon university and extended by ISACA to cover the major IT processes. Basically you can take any process and measure it on a scale of 0 through 5.

  • 0 Nothing in place to manage the process
  • 1 Initial consideration is given to process management
  • 2 The process is repeatable, but depends on individuals for its success
  • 3 The process is defined and documented
  • 4 The process is managed and measurable
  • 5 The IT process is integrated with the business process.

You will notice that full compliance with any of the standards forces the IT function to level 4 as, not only is the process defined, but it is also measurable because all the standards require the collection and analysis of metrics to prove compliance.

Some standards, ISO 27000 (information security) and ISO 20000 (service delivery) move the IT function to level 5 by integrating the IT processes with the business processes. ISACA has defined 34 common processes used by IT departments and provides a maturity scale definition for each one. This enables me, with IT and the business, to assess the function's maturity in the key areas.

It's then up to the business to decide whether they are satisfied with their current level, or would like to improve on it. ISACA also provides an anonymous benchmarking service. I was a bit shocked to find that the average for Information security was 2.8, which is below defined process. Worrying, isn't it?

Tags
Security / data / privacy
Article
07 May 2011
07 May 2011
read
A A A
Share
Share linkedin social media

Similar from BCS

Article

Fighting Financial Crime with GPT

4 days ago
Article

What is penetration testing?

19 days ago
Article

Navigating the new UK IoT legislation

20 days ago
Article

Building greenfield IT infrastructure

One month ago
Most recent