IT governance is a formal framework that gives an organization a structure for ensuring that its IT investments support business objectives. The need for formal corporate and IT governance practices across U.S. organizations was driven by laws and regulations enacted in the 1990s and early 2000s, including the Gramm–Leach–Bliley Act (GLBA) and the Sarbanes-Oxley Act, which followed the fallout from several high-profile corporate fraud and deception cases.
I reached out to Paul Calatayud, chief technology officer at security management provider FireMon, for his input on IT governance and what's required for a successful implementation. Calatayud leads FireMon's corporate development program and provides thought leadership on product strategy, product management, and research and development. He's also a SANS Institute instructor and sits on the advisory boards of several security-related companies.
Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, an organization can produce measurable results toward its strategies and goals. A formal program also takes stakeholders' interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is an integral part of overall enterprise governance.
According to Calatayud, IT governance and GRC are practically the same thing. "While GRC is the parent program, what determines which framework is used is often the placement of the CISO and the scope of the security program. For example, when a CISO reports to the CIO, the scope of GRC is often IT focused. When security reports outside of IT, GRC can cover more business risks beyond IT."
Organizations today are subject to many regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among other areas. They're also under pressure from shareholders, stakeholders and customers.
To ensure they meet both internal and external requirements, many organizations implement a formal IT governance program that provides a framework of best practices and controls.
Both public- and private-sector organizations need a way to ensure that their IT functions support business strategies and objectives. A formal IT governance program should be on the radar of any organization, in any industry, that must comply with regulations related to financial and technological accountability. However, implementing a comprehensive IT governance program takes considerable time and effort. Very small entities might practice only the essential IT governance methods, but larger and more heavily regulated organizations should aim for a full-fledged program.
The easiest way to get started is with a framework that has been created by industry experts and is already used by thousands of organizations. Many frameworks include implementation guides to help organizations phase in an IT governance program with fewer speed bumps.
The most commonly used frameworks are COBIT, COSO, ITIL, CMMI and FAIR.
Most IT governance frameworks are designed to help you determine how your IT department is functioning overall, which key metrics management needs, and what return the business is getting from its IT investments.
COBIT and COSO are used mainly for governance and risk: COSO covers internal control and enterprise risk management, while COBIT covers the governance and management of enterprise IT. ITIL helps streamline IT service management and operations. Although CMMI was originally intended for software engineering, it now covers processes in hardware and product development, service delivery and acquisition. FAIR is squarely a model for quantifying operational and cyber security risk.
When reviewing frameworks, consider your corporate culture. Does a particular framework or model seem like a natural fit for your organization? Does it resonate with your stakeholders? If so, that framework is probably the best choice.
You don't have to choose only one framework, either. COBIT and ITIL, for example, complement one another: COBIT often explains why something is done or needed, while ITIL provides the "how." Some organizations have used COBIT and COSO together with the ISO 27001 standard for managing information security.
One of the most important paths to success is with executive buy-in. Calatayud recommends forming a risk management committee with top-level sponsorships and business representation. "To ensure it's an effective program, it needs to be supported by a broad set of line of business leaders." He also recommends sharing results with the board or audit committee to "develop real attention when items begin to get ignored."
As with any significant project, keep communication lines open between the various parties, measure and monitor the progress of the implementation, and seek outside help if needed.