IT Governance Standards

Governance Standards. The Control Objectives for Information and Related Technology (COBIT) is a comprehensive guidance document developed by the IT Governance Institute, the research arm of the Information Systems Audit and Control Association (ISACA) and an affiliate of the Council Of Sponsoring Organizations (COSO). Today COBIT is recognized as the leading instrument for IT governance by the leading audit organizations, including the Institute of Internal Auditors, the world’s leading association of risk management and internal auditing professionals.

In the framework, COBIT frames the need for IT governance around appropriately managing enterprise risks, exploiting the benefits of IT to assure alignment between IT and business strategy, and meeting the competitive challenges of the services environment as well as the various compliance regimes. The framework also addresses who should participate in governance, including internal and external stakeholders who provide IT services, have control and risk responsibilities, or have a stake in overall decision-making. It further recommends compliance with standard business and industry best practices for IT, including those specified by disparate sources such as COSO, the various ISO standards for information technology security and management, ITIL, PMBOK, PRINCE, NIST and many other industry vehicles.

COBIT recognizes several levels of organizational governance maturity, from non-existent (level 0) to fully optimized (level 5), and provides a sanity check for determining an organization’s current level, along with processes and procedures to maintain and improve on it. The COBIT, like most best practices standards including the recently released ISO/IEC 38500 (Corporate Governance of Information Technology).

ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements) provides a comprehensive framework for managing information security and privacy, including the operationalization of risk management for IT security management. ITIL (Information Technology Infrastructure Library) is a comprehensive service delivery governance framework, and the Project Management Body of Knowledge (PMBOK) provides guidance, as does PRINCE 2 (Projects IN Controlled Environments).

Together these tools form a comprehensive body of knowledge. If properly deployed, with consideration for organizational cultural identity, taking advantage of organizational strengths and addressing limitations, they will help any organization (in our case, the University) take advantage of the full power of technology while avoiding costly side effects such as delayed adoption, lack of buy-in, delayed project implementation, lack of alignment, waste, and the various other risks, particularly those involving obsolete technology, security and privacy.

Evident in the ECAR survey results is the use of multiple governance frameworks by the responding institutions. It is imperative to realize that governance does not and should not translate into radical change of structure; rather, it should be seen as a vehicle for enhancing decision-making and alignment, fostering holistic input into technology choices, and guaranteeing stakeholder buy-in. IT governance is not an excuse for abrogating IT responsibilities; it is a vehicle for enhancing them.


2 Responses to “IT Governance Standards”

  1. thanks !! very helpful post!

  2. Blogs says:

    Hello webmaster I like your post ….


  • © 2010 LAGBAJA (sombody) - akowe