take control of your it systems
by rick telberg
as a financial services professional, you know the horror stories… fidelity national, wells fargo, choicepoint, h&r block, ameritrade. each has suffered data breaches in the past two years that ranks among the worst in history.
privacy and security are already common watch-words in the financial services industry, but now independent bankers, brokers, traders and lenders are taking the next step by building protections into their corporate structures and processes. it’s called “governance.â€
by itself, it’s not immediately intuitive exactly how governance is applied to information technology. one definition—offered by an auditors group–is a bit more focused: “a structure of relationships and processes that direct and control an organization and help it achieve its goals by adding value while balancing risk and return over it and its processes.â€
whew! that’s a pretty typical long-winded way of saying that because it is the underlying structure of most businesses these days, there needs to be a set of formal processes and procedures in place. these are necessary because it is inherently vulnerable, without procedures and controls it’s just too easy to change essential data.
some of the formal processes and procedures, most notably those which pertain to “balancing risk and returnâ€, are often targeted at internal control and, if the business is subject to it, meeting the provisions of the applicable sections of sarbanes-oxley and gramm-leach-blilely.
but it governance is not restricted to internal control and sarbanes-oxley compliance. there are numerous other governance areas that may impose compliance issues.
for example, privacy issues are very sensitive these days, and one of the more stringent constraints on the distribution of information is hipa—the health information protection act. if any of your clients are in the healthcare industry, you are no doubt aware of the lengths that this act requires healthcare providers to go to assure confidential information remains confidential. restricting access to data to authorized users is an important component of it governance.
another important component of it governance is process management—understanding the flow of information through a business entity, where the data is created, where it is captured, who handles this data, and what is done with the data.
that sounds pretty cut-and-dry, but lots of money and hours have been spent on studying this area, and while progress has been made, there’s no single framework for business process management that everyone agrees is universally applicable. one popular approach is the cobit (control objectives for information and related technology) model which is promulgated by isaca (which was previously known as the information systems audit and control association) and the it governance institute. cobit, now in its 4.0 release, provides the materials and procedures for implementing a formal set of business process procedures and controls. the isaca offers training and certification in cobit.
one problem with cobit is that it is a rather complex model, which means that it is often time-consuming and expensive to implement, and might not be a realistic framework for smaller enterprises.
if it sounds like it governance has no easy answers, then perhaps you can see why it has jumped onto the list of concerns. the surprising thing is that these concerns haven’t appeared before.
secure your infrastructure
a great resource is the “board briefing on it governance, 2nd edition†document. this publication is available as a free download from the www.itgi.org website, and contains explanations of the various components of it governance as well as extensive checklists and flow charts to help in implementing it governance policies and procedures.
[copyright 2007 bay street group llc. all rights reserved. used by permission. first published in hp technology at work.]