
Wednesday, September 29, 2010

Guest Post: IT governance as an integral part of good corporate governance

With the recent PCI Community Meeting hosted in the United States and the European meeting on the horizon, we thought it would be interesting to see how our counterparts in Africa deal with corporate governance and regulatory compliance issues.

By Nilesh Makan, Information Risk & Security, Sasol Group Services

The King III Report outlines good corporate governance practices for all companies listed on the Johannesburg Stock Exchange (JSE).  Although the report relies on self-regulation rather than legislation, compliance may be enforced in courts.  Additionally, non-compliance may mean that companies are required to de-list from the JSE.

The essence of the King III report is to provide a list of best practice principles to the Board of Directors of a company, to assist and steer them in making the right decisions for the company.

The requirements of the King III report apply primarily in South Africa; however, the principles of good governance apply irrespective of where in the world you reside.

Although predominantly a corporate governance framework, the King III Report deals specifically with IT governance for the first time.  According to the report, information systems were previously used as an enabler for the business, but have now become pervasive in the sense that they are built into the strategy of the business.  The risks involved in information technology (IT) governance have become more significant over the past few years.

In South Africa as well as globally, little focus has been directed at the governance of Information and Communication Technology (ICT).

The latest iteration of the King report includes specific principles for IT governance.  These include:

  • The board should be responsible for information technology (IT) governance – In summary, this principle suggests that an organization’s board should ensure that an IT internal control framework is adopted and implemented.  This includes receiving independent assurance on the effectiveness of the IT internal controls.
  • IT should be aligned with the performance and sustainability objectives of the company – The board should ensure that the IT strategy is integrated with the company’s strategic and business processes.
  • The board should delegate to management the responsibility for the implementation of an IT governance framework – The CEO should appoint a Chief Information Officer to be responsible for the management of IT.  IT should report to the board on the performance of the IT function.
  • The board should monitor and evaluate significant IT investments and expenditure – The board should oversee the value delivered by IT and monitor the return on investment from significant IT projects.  The report also states that intellectual property contained in information systems must be protected.
  • IT should form an integral part of the company’s risk management – Management should regularly demonstrate to the board that the company has adequate business resilience arrangements in place for disaster recovery.  Additionally, the board must ensure that the company complies with IT laws and that IT related rules, codes and standards are considered.
  • The board should ensure that information assets are managed effectively – The board should ensure that systems are put in place for the management of information, including information security, information management and information privacy.  The board should approve the information security strategy and delegate to and empower management to implement it.
  • A risk committee and audit committee should assist the board in carrying out its IT responsibilities – These committees should be in place to ensure that IT risks are adequately addressed and that controls are in place and effective in addressing them.  The implementation of IT governance is an ongoing process, and putting in place a solid governance framework based on best practices is one of the first steps in that process.

When implementing IT governance in your organization, try to ensure that it is an integral part of the corporate governance structures.  It should emphasize and ensure that the company’s IT sustains and extends its overall strategic objectives.

One Response to “Guest Post: IT governance as an integral part of good corporate governance”

  1. Anand Naidoo says:

    Excellent... well documented.
