{"id":756,"date":"2007-10-05t03:11:00","date_gmt":"2007-10-05t08:11:00","guid":{"rendered":""},"modified":"-0001-11-30t00:00:00","modified_gmt":"-0001-11-30t05:00:00","slug":"dont-be-a-data-breach-victim","status":"publish","type":"post","link":"\/\/www.g005e.com\/2007\/10\/05\/dont-be-a-data-breach-victim\/","title":{"rendered":"don\u2019t be a data-breach victim"},"content":{"rendered":"
take control of your it systems<\/i><\/p>\n
by rick telberg<\/b><\/p>\n
as a financial services professional, you know the horror stories\u2026 fidelity national, wells fargo, choicepoint, h&r block, ameritrade. each has suffered data breaches in the past two years that rank among the worst in history.<\/p>\n
privacy and security are already common watch-words in the financial services industry, but now independent bankers, brokers, traders and lenders are taking the next step by building protections into their corporate structures and processes. it\u2019s called \u201cgovernance.\u201d<\/p>\n
by itself, it\u2019s not immediately intuitive exactly how governance is applied to information technology. one definition\u2014offered by an auditors group\u2014is a bit more focused: \u201ca structure of relationships and processes that direct and control an organization and help it achieve its goals by adding value while balancing risk and return over it and its processes.\u201d<\/p>\n
whew! that\u2019s a pretty typical long-winded way of saying that because it is the underlying structure of most businesses these days, there needs to be a set of formal processes and procedures in place. these are necessary because it is inherently vulnerable: without procedures and controls, it\u2019s just too easy to change essential data.<\/p>\n
some of the formal processes and procedures, most notably those which pertain to \u201cbalancing risk and return\u201d, are often targeted at internal control and, if the business is subject to it, meeting the provisions of the applicable sections of sarbanes-oxley and gramm-leach-bliley. <\/p>\n
but it governance is not restricted to internal control and sarbanes-oxley compliance. there are numerous other governance areas that may impose compliance issues. <\/p>\n
for example, privacy issues are very sensitive these days, and one of the more stringent constraints on the distribution of information is hipa\u2014the health information protection act. if any of your clients are in the healthcare industry, you are no doubt aware of the lengths to which this act requires healthcare providers to go to assure that confidential information remains confidential. restricting access to data to authorized users is an important component of it governance.<\/p>\n
another important component of it governance is process management\u2014understanding the flow of information through a business entity, where the data is created, where it is captured, who handles this data, and what is done with the data. <\/p>\n
that sounds pretty cut-and-dry, but lots of money and hours have been spent on studying this area, and while progress has been made, there\u2019s no single framework for business process management that everyone agrees is universally applicable. one popular approach is the cobit (control objectives for information and related technology) model, which is promulgated by isaca (which was previously known as the information systems audit and control association) and the it governance institute. cobit, now in its 4.0 release, provides the materials and procedures for implementing a formal set of business process procedures and controls. isaca offers training and certification in cobit.<\/p>\n
one problem with cobit is that it is a rather complex model, which means that it is often time-consuming and expensive to implement, and might not be a realistic framework for smaller enterprises.<\/p>\n
if it sounds like it governance has no easy answers, then perhaps you can see why it has jumped onto the list of concerns. the surprising thing is that these concerns haven\u2019t appeared before. <\/p>\n
secure your infrastructure<\/b><\/p>\n
a great resource is the \u201cboard briefing on it governance, 2nd edition\u201d document. this publication is available as a free download from the www.itgi.org website, and contains explanations of the various components of it governance as well as extensive checklists and flow charts to help in implementing it governance policies and procedures.<\/p>\n
[copyright 2007 bay street group llc. all rights reserved. used by permission. first published in hp technology at work.]<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"
take control of your it systems by rick telberg as a financial services professional, you know the horror stories\u2026 fidelity national, wells fargo, choicepoint, h&r block, ameritrade. each has suffered data breaches in the past two years that rank among … continued<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","footnotes":""},"categories":[2254],"tags":[6],"class_list":["post-756","post","type-post","status-publish","format-standard","hentry","category-growth","tag-bsg-business-builder"],"acf":[],"yoast_head":"\n