
“A little learning is a dangerous thing”
In today’s corporate world, where knowledge is power, information technology, by providing the tools for managing knowledge, is the basis of that power. The use and abuse of information technology has thus become an important part of corporate governance, and several laws now exist to regulate it. IT managers in all organizations must therefore implement IT governance that meets the standards expected of them. Not just IT managers but company CEOs and boards are also responsible for how information flows and is stored within the organization.
The critical components of IT governance include:

1. Establishment of IT policies within the organization, in compliance with both organizational goals and regulatory requirements
2. Ensuring the policies are followed without transgressions
3. Monitoring to ensure that the policies are achieving their objectives

The reasons for implementing IT governance in your organization are many. For one, the entire knowledge base of an organization – salaries, accounts, invoices, inventory lists, details of personnel, customer feedback, decisions – is now stored in personal computers or servers, and compromise of such information can be disastrous.

Secondly, in the wake of the accounting scandals of the early 2000s, strict rules such as the Sarbanes-Oxley Act (and, for banks, the Basel II framework) have been enacted to make senior executives responsible for the accuracy and completeness of financial reports and for managing operational risk. This implies that the information technology used to maintain these reports must be auditable, with its records open to authorized review, and yet be protected against tampering.

Thirdly, implementing IT governance brings the Corporate Board and the IT department onto the same page, so that both policy makers and policy executors are fully aware of each other’s responsibilities and capabilities. While policy makers are sensitive to compliance and business requirements, they may be ignorant of the actual capability to implement those policies on the ground. The reverse holds true of those required to execute the policies once framed.

In the post-Sarbanes-Oxley period, IT decisions may no longer be treated as a black box and delegated to the organization’s IT professionals. The decision-making now requires inputs from all stakeholders in the organization – the board, internal customers, and especially departments like finance. This leads to collective responsibility – decisions, good or bad, become the responsibility of all stakeholders and not just the IT department. It also helps set realistic expectations among all parties involved.

Crucial policies where IT governance is required are:

1. Application Development Policy
2. Data Security Policy
3. Email Security Policy
4. Internet Usage Policy
5. Network Security Policy
6. Password Management Policy
7. Physical Access Policy
8. Roles and Responsibilities Policy
9. Acceptable Encryption Policy
10. Remote System Access Policy
11. Malware Security Policy
12. IT Computer Equipment Security Policy
13. Wireless Devices Security Policy

The IT Governance and Compliance Toolkit is designed to help you prepare the appropriate policies on each of these counts, and also helps you take the right inputs from all stakeholders. More on that in the next blog.


When you start out implementing IT governance, you have to begin by knowing where you stand. Some policies may be in place; some you will have to create. The existing policies may themselves need review, amendment, or complete replacement with more up-to-date ones. You must determine whether everything you are doing is in line with the law of the land. There’s a lot to do.
Begin by asking yourself a few questions:

1. Is establishing effective IT governance a performance goal for your organization? If not, get your managers to work out a goal, and the schedule and budget to achieve that goal.

2. Has the steering committee to implement governance been set up? IT governance requires that frequent monitoring be done by the right people, including both external and internal members.

3. Have all the governance policy documents been inventoried? This is important, because many of the policies you need may already be in place, given that Sarbanes-Oxley has been around eight years now. Nevertheless, bringing them all together will help you find and plug the gaps.

4. Do you understand thoroughly all the existing policies? This is because you will be making future policies, and may have to amend existing older policies to bring them in line with regulations enacted later.

5. What are the major IT governance and compliance issues to be sorted out between you and legal/audit departments? The answer to this will help you set priorities.

Once you have got the answers to these questions, you will know how much and what you need to be doing.
It is important to understand what is meant here by ‘effective’. Simply put, you need to know

1. Which regulation or regulatory body defines what compliance means for your IT organization.
2. Whether the company has appropriate governance in place to document the IT organization’s compliance.

Effectiveness is about achieving the most with the least effort, hence the operating principle in IT governance is “create only as much IT governance as you need to manage corporate users, protect corporate data, instruct vendors and partners, and meet the requirements of the Compliance, Legal and Audit departments”. Any less may fall foul of the law; any more may hamper decision-making freedom within your organization.

To help you define and achieve an effective governance framework, the toolkit provides you with a very detailed Instructions and Overview module, including several templates you can use to obtain data to answer the questions above.

Once you have established the background and charted the way forward, it is time to set up the Steering Committee. This is the core group of people who, under a mandate from the board, are responsible for implementing IT governance on the ground. The people who sit on it must not only be knowledgeable, but also have great personal integrity and no conflicts of interest.

The Steering Committee, as the name suggests, cannot be rudderless. You must define a firm charter of what its responsibilities and powers are, what goals it is expected to deliver on, and what corrective and/or punitive actions it is empowered to take towards implementing IT governance. A template for preparing such a charter is included in the IT Governance and Compliance Toolkit, along with pro formas for maintaining agendas and minutes of the committee meetings.


If Information Technology is not your organization’s core line of business, your organization may be unaware of what impact IT has on its costs, revenues and profitability. Your audit and finance departments might treat IT purely as a cost, and their budgeting decisions will be based on that premise. It is therefore important that you carry out a Business Impact Analysis (BIA), which brings you two benefits:

1. It will tell your internal and external auditors how your department is performing financially; and,
2. It will help you determine the level to which IT governance is critical to your organization.

BIA helps an organization know which units, operations and processes it has in place are really critical to the business’ survival. In times of difficulty, the BIA will help the organization chart the way forward, and the IT department’s participation, as custodian of the organization’s knowledge, will be critical.

A good BIA will tell you how much each unit and process costs to maintain, and how much revenue depends on it, directly or indirectly. It will also help you identify essential business units and/or processes that must return to full operation following a disruption. The BIA delineates the business impact of disaster scenarios on your company’s ability to deliver products and services to its customers.

Some of the areas that you will have to cover in your analysis include:

1. The regulatory agencies you have to report to
2. The critical records you must maintain
3. The processes under your charge
4. The risk to the business caused by a potential disruption (increased costs, reduced revenues)
5. The cost of recovery
6. The manpower and time required to recover

The IT Governance and Compliance Toolkit includes a specimen questionnaire that you can use to carry out the analysis. It will help you define each IT process and assign a priority score to it.

Once done, you can use the BIA to align each critical process with the IT governance policies, bringing everything into compliance with the regulations.


In any organization, auditing is too important a task to be left to auditors alone. Auditing is a two-step process: first, your organization’s internal auditors must approve the financial transactions, which are then scrutinized by external auditors. Before internal auditors look into your finance sheets, it is advisable to do a self-audit. The benefits of a self-audit include:

1. Monitoring cost overruns on any project and avoiding (or at least minimizing) them
2. Keeping within the budget
3. Accounting for every cent spent and earned, especially petty expenses, which are often hard to document
4. Being prepared for contingencies by knowing your department’s financial health

How do you go about an audit?

First of all, collect and file together all the relevant documentation pertaining to the finances of your organization. Much of this documentation will be available from your internal auditors.

Secondly, determine the areas of concern in your department. Some of these might be:

1. Are your IT operations areas (such as the network operations center and data center) restricted to relevant staff only, and are their comings and goings recorded?
2. Is access to your data protected by authentication and access controls, and are measures against intrusion in place?
3. Is there a process for regular back-up of data?
4. Do you have a disaster recovery plan in place?

A self-audit is a good way of knowing how much governance is already in place. If you have a lot of “no” answers to the self-audit, your organization probably has too little IT governance in place. You may wish to schedule a meeting with your auditors and find out what are the major pending issues that need to be addressed, so that your governance is in full force.

The IT Governance and Compliance Toolkit includes a detailed questionnaire to help you carry out the self-audit.

Many people find it difficult to deal with auditors. An auditor’s job is not to get you into trouble, but to establish a vigilance system that ensures your organization remains viable. The auditor’s relationship with the IT department revolves around ensuring that it does everything it reasonably can to prevent tampering with or destruction of business data, to prevent unauthorized access to business data, and to prevent, or react in a timely manner to, business disruptions.

The toolkit includes a number of tips on how to deal with auditors.

The next few blogs will address how you go about establishing individual policies.


Application Development Policy: Your organization uses many software applications, some that you purchased and some that you may have developed yourself. Your IT governance policy for these applications must ensure that only authorized personnel have access to them, that they are not copied or redistributed illegitimately, and so on. For applications developed in-house, the policy should also state how changes are reviewed, tested and approved before they reach production. As much of this depends on how accounts and passwords are issued and used, your policy on passwords must be detailed and take all factors into account. The Application Development Policy Template is a compilation of several factors which may be important for you while setting or amending policy.

Data Security Policy: The policies that you set in place to secure your organization’s data will stand as a benchmark of your ability to decide policy. Hence this is one policy document you need to pay very careful attention to.

Some points you may wish to keep in mind:

1. Restrict special system privileges, such as the ability to examine the files of other users, to those directly responsible for system management and security.

2. Define user privileges such that ordinary users cannot gain access to the private data of other users.

3. Assign user-IDs to specific individuals; grant shared (group) user-IDs only for specific shared resources, and only where adequate security mechanisms are in place to attribute their use to a named owner.

4. Ensure that all activities of system administrators, such as user-ID creation and privilege changes, are securely logged and reflected in periodic management reports.

5. Have a mechanism to monitor the access privileges associated with a user account (ID), such that those privileges are revoked when the user is no longer eligible for them (for example on leaving the organization or changing role).

The Data Security Policy Template can be used by you to draw up your organization’s comprehensive policy statement.

Email Security Policy: As much corporate communication now happens over email, how you allocate privileges to employees who have official email accounts matters a great deal. Your policy must aim to prevent abuse of email privileges, and also prevent leakage of critical corporate data through adequate monitoring.

Some points to consider:

1. As all official email is company property, assert the right to monitor its contents.
2. Ensure all mail is scanned for viruses and other malware.
3. Prevent abuse of email privileges for unethical or offensive purposes.

You can refer to the Email Security Policy Template as a reference for drawing up your own comprehensive policy.


Internet Usage Policy: While the internet may be a major source of information for employees, as well as a means of communication with clients, vendors etc., it is also open to abuse and a major threat (in the form of malware) to your organization’s data. Hence an internet access policy is critical.

Some things to keep in mind:

Reserve access to those who have a demonstrable business need.

Prohibit transmission of company information over the Internet unless such transmission is approved and secured.

Screen all software and files downloaded with virus detection software.

You can use the Internet Access Policy Template to draw up your policy statement.

Network Security Policy: While your organization’s intranet is necessary for employees to communicate with each other, securing it from external attack is critical. Your policy must see to it that your organization’s data is not compromised in any way.

Pointers:

Restrict access to authorized people.

User-IDs must each uniquely identify a single user.

Users must not leave their computer, workstation, or terminal unattended without first logging-out, locking the workstation, or invoking a password-protected screen saver.

Internal network addresses must not be publicly released.

All Internet-facing web servers must be firewall-protected.

Any external network connections must be secured in line with approved standards.

Prior approval is required for all changes.

A larger and more comprehensive policy template can be found in the Network Security Policy Template. A policy with this broad a scope requires input from pretty much every team within the IT department—telecommunications, network operations, development, and security.

Password Management Policy: A single weak, reused or cracked password can undo every other control, so your policy on passwords will be a key determinant of the robustness of your IT governance.

Some simple pointers include requiring passwords that are long and not easily cracked, screening them against lists of common and previously breached passwords, and never storing them in an accessible place (store only a salted, iterated hash, never the password itself). Forcing users to change passwords frequently was long standard advice, but current guidance (NIST SP 800-63B) recommends requiring a change only when there is evidence of compromise, because mandatory rotation tends to produce predictable variations of the old password. What really matters in your policy is the teeth you give it, i.e. the powers you give your team to effectively implement the password management policy. You can use the Password Management Policy Template to set yours.
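To make the “never store passwords in an accessible place” point concrete, here is an added Python example (not code from the toolkit) showing how an application should store and verify passwords, and how a policy check can reject weak candidates before they are accepted. The storage format, iteration count, minimum length and the small blocklist are assumptions; a real blocklist would be drawn from published breach corpora and company-specific terms.

```python
"""Password policy check plus salted, iterated password storage.

Added example for this page, not toolkit code. The record format
(algorithm$iterations$salt$hash), the iteration count, the minimum length
and the blocklist contents are assumptions."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
MIN_LENGTH = 12        # assumed policy minimum
# Constructed blocklist; real deployments use breach corpora and company terms.
BLOCKLIST = {"password", "welcome1", "changeme", "acmecorp2010"}


def check_policy(password, user_id):
    """Return the policy rules a candidate password violates ([] means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("on the blocklist")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if len(set(password)) < 4:
        problems.append("too repetitive")
    return problems


def hash_password(password, salt=b""):
    """Produce the record to store: a per-user random salt and an iterated
    hash. The password itself is never written anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False  # unknown or downgraded scheme is never accepted
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    candidate = "correct horse battery"
    print("policy problems:", check_policy(candidate, "bob") or "none")
    record = hash_password(candidate)
    print("stored record:", record)
    print("verify correct:", verify_password(candidate, record))
    print("verify wrong:  ", verify_password(candidate + "x", record))
```

The iteration count is stored with each record so it can be raised over time without invalidating old records: verification reads the count from the record, and a successful login is the natural moment to re-hash at the current setting.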

Physical Access Policy: Some of the company’s IT assets, such as servers and other central systems, are placed in special rooms to which access is restricted to authorized personnel only. The policy that governs this is thus very important.

Some suggestions:

Restrict entry to authorized personnel only, who must produce the correct ID card or badge.

Ensure that all computer room doors can be opened only by authorized personnel with the right keys or credentials.

Individuals needing temporary access to computer rooms must have IT Department permission, granted after adequate justification.

Security staff will regularly monitor all computer room doors.

All entry and exit must be logged.

For sensitive areas, security cameras with recordings of all activity are recommended.

This is a sensitive policy. Excessive security measures might hamper normal work, while a lax policy may potentially do a lot of damage. A comprehensive set of recommendations can be found in the Physical Access Policy Template, which you can use to devise your policy.


Roles and Responsibilities Policy: It is incumbent on you to establish a high standard of “due care” for the ownership, use, and transmittal of information resources, i.e. your team must understand their responsibility towards IT governance, and know what behavior is expected of them.

Some points you need to consider:

There must be an owner for all information, who must determine its security level.

Information security controls must be implemented at the appropriate level to satisfy the most stringent requirements of any party on the system.

Employees must access only the information they need to do their jobs, and use access (login, password etc) provided to them securely and for company purposes only.

Employees must use only authorized connections to company networks and computers.

Responsibilities executed professionally will ensure a high level of governance. You can use the Roles and Responsibilities Policy Template to draw up a comprehensive policy.

Acceptable Encryption Policy: Encryption is a double-edged tool: while it can effectively secure information, it can also hamper ease of access for organizational staff, and data encrypted under a key that has been lost is as good as destroyed. Hence you need a clear policy on when to encrypt data and who is authorized to do it. You also need to establish a standard for encryption and key management that staff must follow.

Some pointers:

Encrypt all data classified as Confidential or Restricted when you have to transmit it across channels you do not control, e.g. the internet, VoIP etc.

Encrypt all restricted data on systems deemed at high risk of loss or theft, such as laptops.

Prohibit anyone from disabling encryption without prior approval.

While you establish encryption standards, you may want to keep the following in mind:

Use only technology that is proven and based on industry standards, such as S/MIME for email, rather than proprietary or home-grown schemes.

Encryption should cover email, folders, file transfer (e.g. SFTP or FTPS in place of plain FTP) etc., such that it comprehensively covers all critical data.

Select encryption that is scalable and appropriately cost-effective.

To draw up a comprehensive Acceptable Encryption policy, you can draw on the Acceptable Encryption Policy Template.

Remote System Access Policy: Some staff may need to access organizational IT resources (such as email) from external locations, over third-party providers. In such a case, it is necessary to have a policy that ensures adequate security of your systems to prevent leakage, without hampering data flow.

Some points to consider:

All inbound dial-up or other remote connections to your internal computer data network must employ extended user authentication, i.e. something beyond a password alone, such as a one-time code or hardware token.

Dial-up connections to internal systems and networks may be established as long as they are fully consistent with published internal standards.

After a fixed number of unsuccessful attempts, the connection must be terminated.

The Remote Access Policy Template gives you a more comprehensive set of recommendations for drawing up your policy.
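As an added example for the two points above (extended authentication, and terminating the connection after a fixed number of failures), not code from the toolkit, the Python below gates a remote login on a password plus a time-based one-time code (RFC 6238 TOTP over RFC 4226 HOTP, which is what a hardware or phone token typically generates) and locks the account once MAX_FAILURES consecutive attempts have failed. The account records, the threshold of 3, the salt and the PBKDF2 iteration count are constructed for illustration; TEST_SECRET is the published RFC test secret, not a real key.

```python
"""Remote login gate: password plus time-based one-time code, and a hard
stop after a fixed number of failures.

Added example for this page, not toolkit code. TOTP follows RFC 6238 over
RFC 4226 HOTP; MAX_FAILURES, the account records and the salt are assumptions."""
import hashlib
import hmac
import struct
import time

MAX_FAILURES = 3       # assumed policy value
TOTP_STEP = 30         # seconds per code (RFC 6238 default)
PBKDF2_ITERS = 100_000 # assumed work factor for the stored password hash


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=TOTP_STEP):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def make_account(password, otp_secret, salt=b"constructed-salt"):
    """Build an account record (constructed data, not a real user)."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS),
        "otp_secret": otp_secret,
    }


class RemoteGate:
    """Checks both factors on every attempt and counts failures per account;
    an account reaching MAX_FAILURES is locked until IT unlocks it."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = {uid: 0 for uid in accounts}
        self.locked = set()

    def _password_ok(self, rec, password):
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERS)
        return hmac.compare_digest(digest, rec["pw_hash"])

    def login(self, user_id, password, otp_code, now=None):
        """Return 'ok', 'denied' or 'locked'. Both factors are always evaluated,
        so a wrong password and a wrong code are indistinguishable to the caller."""
        now = int(time.time()) if now is None else now
        if user_id in self.locked:
            return "locked"
        rec = self.accounts.get(user_id)
        if rec is None:
            return "denied"
        pw_ok = self._password_ok(rec, password)
        # Accept the previous step as well, tolerating one step of clock skew.
        otp_ok = any(
            hmac.compare_digest(otp_code, totp(rec["otp_secret"], now - d))
            for d in (0, TOTP_STEP)
        )
        if pw_ok and otp_ok:
            self.failures[user_id] = 0
            return "ok"
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_FAILURES:
            self.locked.add(user_id)  # connection terminated; IT must unlock
            return "locked"
        return "denied"


# RFC 4226 / RFC 6238 test-vector secret; real deployments generate one per user.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    gate = RemoteGate({"erin": make_account("long passphrase here", TEST_SECRET)})
    code = totp(TEST_SECRET, int(time.time()))
    print("good attempt:", gate.login("erin", "long passphrase here", code))
    for _ in range(MAX_FAILURES):
        print("bad attempt: ", gate.login("erin", "wrong", "000000"))
```

A real gateway keeps the failure counter and lock state in shared storage so that an attacker cannot reset it by reconnecting to a different server, and the lock event itself belongs in the admin audit log.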


Malware Security Policy: Lax monitoring can result in viruses infiltrating and destroying critical data. Hence a thorough and effective policy must be in place to ensure that viruses and other malware are regularly scanned for and eliminated.

Some points you may wish to consider:

Allow only authorized workers in the IT Department to install or use any externally-provided software. This will help prevent inadvertent damage to data by the use of unvetted software.

Layer virus scanning where feasible (for example at the mail gateway and on each workstation), so that a miss at one layer is caught at another. The frequency of virus scans must conform to standards.

Users must not attempt to eradicate computer viruses themselves, but must immediately call the IT Department.

You can use the Malware Security Policy Template to draw up your policy.

IT Computer Equipment Security Policy: As your organization’s data ultimately rests on physical devices such as laptops and servers, the physical security of the equipment is a necessary part of overall IT governance. You can include the following pointers while drawing up your own organization’s policy:

Ensure that computers, telephones and other office equipment provided to employees are used for legitimate business purposes.

Reserve the right to monitor use of such equipment to ensure appropriate use.

Do not allow employees to access another co-worker’s computer without authorization.

See to it that company equipment is disposed of by authorized personnel only.

For further details, you may refer to the IT Computer Equipment Security Policy Template provided in the toolkit.

Wireless Devices Security Policy: As organizations move towards wireless networking to facilitate movement within the premises (for meetings, presentations etc.), new security challenges emerge. For this you will have to draw up a Wireless Security Policy. You can make use of the following suggestions:

Assert that the IT Department has the sole authority to manage wireless devices that connect to the corporate network. Any employee who wishes to utilize wireless technology must follow the IT Department’s published policies, standard protocols, practices and procedures.

Wireless devices must be purchased and configured by the IT Department.

Final responsibility for the security and proper use of any wireless client rests with the employee.

Reserve the right to deny access to wireless devices as needed.

You can make use of further details in the Wireless Devices Security Policy Template included in the toolkit.

You must ensure while drawing up every policy that it has teeth, and that you have the right to administer appropriate punitive action to anyone found violating the IT governance policies.
