In the wake of 9/11 and corporate debacles such as Enron, organizations are taking a serious look at their information technology (IT) groups and questioning the governance models necessary to minimize risks and maximize returns.
At a very broad level, organizations can approach governance on an ad hoc basis and create their own frameworks, or they can adopt standards that have been developed and perfected through the combined experience of hundreds of organizations and people. By adopting a standard IT governance framework, enterprises realize a number of benefits.
What is ‘IT Governance’?
Essentially, governance addresses the proper management of organizations. IT governance takes these concepts one step lower and applies them to the IT group.
Perhaps the best definition can be found in the executive summary of COBIT, which identifies IT governance as “a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”
Three Primary IT Standards
To be clear, “ad hoc” refers to frameworks developed within an organization based solely on the best-practice experience found inside that organization. In contrast, there are evolving international standards, maintained by governing bodies, that reflect the experience of hundreds of organizations. If we focus on IT standards, three are at the forefront today. They are:
- COBIT — The Control Objectives for Information and related Technology (COBIT) standard is published by the Information Systems Audit and Control Association (ISACA). It was originally released in 1996 and is now in its third revision. The COBIT framework comprises 34 high-level control objectives and 318 detailed control objectives that have been designed to help businesses maintain effective control over IT. The standard is very well done, and the entire COBIT documentation set is available online, including the executive summary, framework, control objectives, audit guidelines, management guidelines and an implementation guide.
Currently, ISACA is finalizing a special version of COBIT called “QuickStart” for small and medium-sized businesses. It will contain a subset of the COBIT standard and focus on the elements viewed as most critical for organizations that lack the resources to pursue the full standard.
- ISO 17799 — The International Organization for Standardization’s ISO 17799, titled “Information Technology – Code of Practice for Information Security Management,” was first released by the ISO in December 2000. However, it is based on British Standard 7799, which has quite a lineage: it solidified under the BS 7799 identifier beginning in 1995 and was finalized in 1999. The intent of the standard is to focus on security and aid an organization in the creation of an effective IT security plan.
The standard has the following high-level groupings: security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management and compliance. The standard is very well done and covers a great deal of material in a concise manner.
- ITIL — The Information Technology Infrastructure Library (ITIL) is maintained by the United Kingdom’s Office of Government Commerce (OGC) and was developed with the input of many organizations beginning in the late 1980s. Interestingly, it is not well known in all countries, but it definitely has a growing number of subscribers.
The “library” currently consists of seven books: service support, service delivery, security management, application management, ICT infrastructure management, the business perspective and planning to implement service management. ITIL is very much aimed at identifying best practices for managing IT service levels, and a number of organizations, including the U.S. Navy and Procter and Gamble, have adopted ITIL and enjoyed substantial benefits.
The Benefits of Standards
There are a number of compelling reasons to adopt a defined standard:
1. The Wheel Exists — In today’s world, time is a precious commodity. Why spend all of the time and effort to develop a framework based on limited experience when internationally developed standards already exist?
2. Structured — The framework of the models provides an excellent structure that organizations can follow. Furthermore, the structure helps everyone stay on the same page because they can see what is expected.
3. Best Practices — The standards have been developed over time and assessed by hundreds of people and organizations all over the world. The cumulative years of experience reflected in the models cannot be matched by a single organization’s efforts.
4. Knowledge Sharing — By following standards, people can share ideas between organizations and profit from user groups, Web sites, magazines, books and so on. Proponents of company-specific ad hoc approaches do not have this luxury.
5. Auditable — Without standards, it becomes far more difficult for auditors, especially third-party auditors, to effectively assess control. By this, I mean that the auditors themselves should be following standards, as opposed to ad hoc auditing practices. The goal must be to certify the organization against at least one base standard and then make recommendations over and above the standard(s), where appropriate.
Which standard is best?
Interestingly, there isn’t a great deal of overlap between the three. COBIT is strong in IT controls and metrics. ISO 17799 covers IT security quite well, and ITIL emphasizes processes, notably those surrounding the IT help desk.
Rather than select one, organizations would be wise to get an overview of the three and then plan an approach that blends the best practices of each along with the needs of the organization.
For example, customers or a regulatory body may be pressuring an organization to adopt ISO 17799; as a result, that should be at least the initial focus. However, rather than stopping with ISO 17799, the same organization should extend its vision to include other standards as well.
Adopt and Adapt
Getting started is the hard part! This is a recurring theme in many articles written about IT governance. The question really is not “do we or don’t we implement?” but rather “how do we implement?” At this point there are a substantial number of resources available to help organizations research and implement. Take the area that is of greatest concern to you and/or your stakeholders and start with an incremental approach. All of the standards are huge undertakings, and you are far better off phasing in various elements over time than trying to implement everything at once.
COBIT, ISO 17799 and ITIL all serve as excellent frameworks by which to improve IT governance. The key is to research the standards, review your needs and then move forward with the standard that is the best initial fit. In the end, all three provide best practices for IT organizations to review and eclectically adopt. Firms moving ahead with the adoption of a standard will be well served by a phased implementation project approach, starting with the elements of the standard that will yield their organization the most benefit.