@ISACA Volume 22  2 November 2016

Tips for Understanding When Your Organization Might Need a Governance Initiative

Lisa Young, CISA, CISM

Almost all major organizations today say that good corporate governance is on their agenda. Because corporate governance is concerned with effective use of resources and management of risk to achieve business goals and balance the needs of stakeholders, and IT is critical to achieving those ends, it makes sense that a good corporate governance program should feature a special focus on IT. Governance of enterprise IT (GEIT) is a discipline concerned primarily with organizing the resources of an enterprise for the purpose of satisfying stakeholders. GEIT is meant to bring alignment between high-level strategic objectives with operational level activities and work outcomes. GEIT focus areas are strategic alignment, risk management, value delivery, resource management and performance measurement. These key elements make up the activities of GEIT and are what enterprise leaders look for in successful governance initiatives.

There is a difference between governance and management, which COBIT 5 explains:

Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance and progress against agreed-upon direction and objectives.
Management plans, builds, runs, and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

All frameworks for IT governance, including COBIT 5, emphasize the importance of applying business strategy in choosing how an organization should operate to optimize IT investment for business value generation and mitigate IT-related risk. Governance will not transform a bad strategy into a good one, but it will enable a good strategy to be realized by alignment of day-to-day operations and work streams with the vision, mission, strategy and values of the organization. Establishing and maintaining that alignment over time can be aided with a framework such as COBIT 5.

The improvement of IT governance is increasingly recognized by top management as an essential part of enterprise governance. Instant benefits, such as reduced cost, and longer-term benefits, such as enhanced management of IT-related risk, have improved relationships between business and IT and increased competitive advantage in the marketplace. Here are some tips to recognize if your organization could benefit from a GEIT project:

  1. There are overly complicated IT assurance, audit or compliance efforts due to a primary focus on the need to comply with multiple internal and external frameworks, standards, regulatory mandates and legislation. GEIT can assist with the transformation of strategy into goals, control objectives and performance metrics designed to streamline the operational tasks and activities into value-added ones that support strategic achievement.
  2. Complex IT operating models exist or there is no solid enterprise architecture in place. How IT creates value for the organization is tied to its strategic use and the relationship between the business and IT. Nowhere is this more evident than in organizations that buy technology for technology’s sake and do not have a clear IT strategy that supports the services needed to deliver business objectives.
  3. There is autonomy in various business or geographical units of the enterprise that makes sharing of standard work templates, processes and procedures difficult. While autonomy in business units may be necessary because of the nature and type of products and services delivered or the culture and language needed to operate in a certain area, there are certain business functions that can be streamlined and standardized no matter the product produced, the service delivered or the geographical location of the work. Some of these are in the areas of project management, human resources on-boarding, documenting standard work, and payments to and selection criteria of vendors.

Governance is not unique or limited to IT; there must be good governance for the business to achieve its objectives in an efficient and effective manner. The deliberate decision to move from a compliance-based approach to a risk-based approach requires a shift in thinking. So too does the decision to align the strategy of the organization with the operational activities that are used to implement that strategy. This shift in thinking requires a closer look at how operational work, including the work of partners, vendors, contractors and employees, is aligned with strategy and a recognition that controls are not the only way to manage identified risk. This takes management commitment, a disciplined approach, clear communication, good planning, metrics tied to business objectives and a roadmap to guide the journey. If your organization is ready to take on GEIT, there are several good ISACA publications to help get you started.

For more in-depth information on GEIT, refer to the ISACA publication Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT.

There are also several COBIT Focus articles that are good to reference for this topic, including:

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.


Earn CPE at Data Protection Benchmark Webinar


Data loss has become a major concern for many enterprises around the world. To provide tips on how to better protect data, ISACA and Intel Security have partnered to present the “2016 Data Protection Benchmark Study: Are you at Risk?” webinar. This webinar will take place on 10 November at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Rob Gresham, senior consultant of the Foundstone detection and response team at Intel Security, will lead this webinar. In it, he will analyze the latest data breach incident benchmark research. Webinar attendees will learn about average risk levels for various industries and best practices for implementing a data protection solution.

To learn more about this webinar or to register for it, visit the 2016 Data Protection Benchmark Study: Are you at Risk? page of the ISACA web site.


Reduced ISACA Membership Rates for Recent Graduates



Recent college graduates are now able to join ISACA at a reduced rate for up to 2 years after their graduation date. The Recent Graduate category of membership is available for US $68 (plus any applicable chapter dues). Those who are eligible for Recent Graduate membership will receive all of the benefits that professional members enjoy.

Individuals who are currently student members and have graduated within the last year will automatically be offered this new designation for their 2017 membership renewal. Recent graduates who were not previously ISACA student members, but would like to join at this rate must complete an online application and meet certain eligibility requirements (provide appropriate verification) to take advantage of this new membership offering.

For more information, visit the Recent Graduate Membership page of the ISACA web site. Questions? Contact recentgraduates@isaca.org.


Fulfill Your CPE Requirements to Retain Your Certification


The end of the year is approaching. Certified individuals have until 31 December 2016 to earn any needed continuing professional education (CPE) hours to reach their 2016 annual or 3-year cycle requirements. CPE can be reported in a single total or individually as earned. Renewing your certification requires reporting your 2016 CPE and paying the annual maintenance fee. ISACA membership can provide ways to earn CPE, many of which are free to members.

To add CPE hours, log in at www.isaca.org/reportcpe. Click the “Manage My CPE” button. Then click on “Add CPE.” Enter your CPE information and save it.

To learn more about membership and CPE, visit the How to Report and Earn CPE page of the ISACA web site.