There are several different IT governance frameworks, each with its own pros and cons, supporters and critics. In this article, we will look at some of the more commonly used IT governance frameworks and how they can be applied to the governance of IT.
COBIT IT governance framework
COBIT is one of the most widely used IT governance frameworks in the world today. The COBIT IT governance framework (Control Objectives for Information and Related Technologies) was first created in 1996 by ISACA as a framework for IT governance and management. Several versions have been released since then. COBIT 5, a major upgrade to COBIT IT governance, was published in 2012. The following version, COBIT 2019, was released in 2018.
The COBIT IT governance framework contains several components, including:
- Framework: Organizes governance objectives and good practices by IT domains and processes and links them to business requirements.
- Process descriptions: Provide a reference process model and a common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run, and monitor.
- Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: Help to assign responsibilities, agree on objectives, measure performance, and illustrate relationships with other processes.
- Maturity models: Assess maturity and capability per process and help to address gaps.
The COBIT 2019 governance framework addresses the latest IT trends, technologies, and security concerns for organizations by providing an emphasis on security, risk management, and information governance. It introduces the COBIT Core Model, which includes 40 governance and management objectives for establishing a governance program. This is intended to provide organizations with greater flexibility for adapting IT governance frameworks to their specific requirements and situations. Unlike other static IT governance frameworks, COBIT 2019 has been designed to evolve continually. According to ISACA, COBIT 2019 provides:
- Focus areas and design factors to provide more clarity on creating a governance system for business needs.
- Improved alignment with global standards, other IT governance frameworks, and best practices such as the Val IT framework and the IT GRC framework.
- Regular updates released on a rolling basis.
- More tools to support businesses when developing a best-fit governance system.
- An ‘open-source’ model that allows for feedback from the worldwide governance community to encourage faster updates and enhancements.
- Additional support for decision making, including online collaborative features.
- A better tool to measure the performance of IT, and alignment with Capability Maturity Model Integration (CMMI).
COBIT 2019 also includes “focus area” concepts that define specific IT governance topics and issues which can be addressed by management or governance objectives. These include small and medium enterprises (SMEs), cybersecurity, digital transformation, and cloud computing.
COBIT 2019 introduces eleven design factors that can influence any of the IT governance frameworks. These design factors also influence the priority of the different COBIT components and of any specific variants. The design factors are:
- Enterprise strategy
- Enterprise goals
- Risk profile
- I&T-related issues
- Threat landscape
- Compliance requirements
- Role of IT
- Sourcing model for IT
- IT implementation methods
- Technology adoption strategy
- Enterprise size
COBIT 2019 Core Publications
There are four core publications that define the COBIT IT governance approach:
- COBIT 2019 Framework: Introduction and Methodology. This explains the principles behind COBIT IT governance plus key concepts, examples, and the overall framework structure.
- COBIT 2019 Framework: Governance and Management Objectives. Provides a detailed description of the COBIT Core Model and its 40 governance/management objectives.
- COBIT 2019 Design Guide: Designing an information and technology governance solution. This offers advice on how to tailor a COBIT IT governance system for an organization’s unique circumstances and context.
- COBIT 2019 Implementation Guide: Implementing and optimizing an information and technology governance solution. This provides a roadmap for implementation and continuous improvement.
IT security governance frameworks
IT security governance is just as essential as IT governance for just about every organization today. The prevalence of cyber threats and an ever-increasing risk profile require organizations to have robust governance over how they provide security for their IT systems. IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). IT security governance should not be confused with IT security management: IT security management is concerned with making decisions to mitigate risks, whereas governance determines who is authorized to make those decisions.
While any of the IT governance frameworks can help provide some of the necessary controls over IT security, adopting a specialist IT security governance framework can be more successful in reducing the risks to your organization. A framework for IT security governance can:
- Provide a blueprint for how IT security is managed and controlled.
- Define relevant policies.
- Identify any legal and regulatory requirements.
- Set data classification standards.
- Define roles and responsibilities.
Here are some useful frameworks for IT security governance:
ISO/IEC 27002: This international standards document, first created in 2000 and subsequently updated in 2005, 2007, and 2013, has been a significant influence on frameworks for IT security governance since its inception. ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing, or maintaining information security management systems (ISMS). ISO/IEC 27002 is part of a full series of standards for IT security. These include ISO/IEC 27017 published in 2015, which defines additional security controls for the cloud which were not completely defined in ISO/IEC 27002.
Federal Financial Institutions Examination Council (FFIEC) guidelines: The FFIEC is a formal U.S. government interagency body composed of five banking regulators that are “empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions.” In June 2013, the FFIEC set up the Cybersecurity and Critical Infrastructure Working Group. This group has created some very useful resources that can be applied as a framework for IT security governance. Both the information found in the IT Examination Handbook under ‘Information Security’ and the interagency guidelines are the best available in terms of an overall “program” design and should be the main reference document for every financial institution.
PCI DSS: The Payment Card Industry Data Security Standard, known as PCI DSS, is a set of requirements that explains to a financial organization how it can protect itself and its customers when taking payments. Created specifically for the payment card industry, the PCI Data Security Standard, like the ISO standard, is heavily focused on technology. It also provides information on security procedures, such as defining who has access to data and why, and a detailed checklist that can be useful when designing a self-assessment IT security governance approach.
Val IT Framework
Val IT was developed by ISACA, which also publishes COBIT. Val IT is emerging as one of the popular IT governance frameworks, although it has a narrow focus and cannot be substituted for the more generic governance frameworks. The Val IT framework is intended to help boards, executive management teams, and other enterprise leaders optimize the realization of value from IT investments. Val IT provides direct support to executives at all management levels across both business and IT organizations, covering the selection, procurement, development, implementation, deployment, and benefits realization processes.
The approaches set out in the Val IT framework have been successfully used by organizations for many years. The framework contains proven processes and practices that form a single integrated governance framework that provides business and IT decision-makers with a comprehensive, consistent, and coherent approach to creating concrete and measurable business value.
Val IT extends and complements COBIT-based IT governance frameworks. Val IT focuses on investment decisions and benefits realization, whilst COBIT focuses on execution. COBIT 5 incorporated Val IT into a single framework and process reference model, and this has continued into COBIT 2019.
The objective of the Val IT framework is to maximize the business value created from IT investments in an enterprise using governance best practices. To assist, it defines three major domains, seven guiding principles, a set of processes, and management practices to support and help executive management and boards at an enterprise level in making better decisions about IT investments. These domains are:
- Value Governance (VG prefix).
- Portfolio Management (PM prefix).
- Investment Management (IM prefix).
The Seven Principles of the Val IT framework are:
- IT-enabled investments will be managed as a portfolio of investments.
- IT-enabled investments will include the full scope of activities that are required to achieve business value.
- IT-enabled investments will be managed through their full economic life cycle.
- Value delivery practices will recognize that there are different categories of investments that will be evaluated and managed differently.
- Value delivery practices will define and monitor key metrics and will respond quickly to any changes or deviations.
- Value delivery practices will engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
- Value delivery practices will be continually monitored, evaluated, and improved.
IT GRC Framework
GRC stands for Governance, Risk, and Compliance. A GRC framework is a generic term for IT governance frameworks that include these three aspects. A GRC framework provides the strategy and structure to keep an organization and its operations secure and on track. Governance defines the principles, agreements, controls, and support required to achieve the organization’s goals. Risk management identifies threats while introducing processes to protect against them. Compliance management ensures that the organization abides by regulations, follows proper accounting practices, and operates ethically. An IT GRC framework approach specifically applies these to IT systems and IT governance frameworks.
Governance, risk management, and compliance act together to keep an organization in balance:
- Governance: Governance helps to align IT activities with the strategic goals of the organization. The G part of an IT GRC framework helps IT staff to understand how their contributions and interests fit in with those of others. Governance is also a mechanism for reducing IT risk and ensuring compliance by validating and managing information sources, storage, and processing.
- Risk management and risk mitigation: The R in GRC stands for risk. Risks include any part of IT where an issue or a loss could adversely affect business activities. Some risks are outside the direct control of IT, such as a pandemic that leads to staff shortages. Others are more controllable, such as the design of IT to maintain availability. Cyberattacks continue to form the greatest threats to IT.
- Compliance management: The C in GRC stands for compliance. Regulatory compliance failures in IT-related areas can lead to significant financial loss and severe reputational damage. In 2019, fines for breaches of data security were at an all-time high, with EU-based businesses having spent up to 4% of their annual global revenue on GDPR fines. Intelligent technologies and GRC software solutions can assist with maintaining a robust and up-to-date compliance strategy.
An IT GRC framework integrates organization-wide systems and processes for all aspects of governance, enterprise risk management, and compliance, providing a structured approach that aligns an organization’s IT strategy and business strategy. The outcome is the effective management of risk and the meeting of compliance requirements. Based on the IT GRC framework model, IT governance frameworks can control how the organization operates, conducting its operations ethically, prudently, and responsibly.
IT Governance Frameworks – Conclusion
Adopting any of the IT governance frameworks can be beneficial for any organization. Implementing one of the pre-existing IT governance frameworks can shorten implementation time and give a faster return on investment. Any of the frameworks can integrate organization-wide systems and processes to oversee all aspects of governance, risk management, and compliance. They provide the structured approach necessary to align an organization’s business strategy with its IT strategy and technology, effectively managing risk and meeting compliance requirements. As businesses face unprecedented complexities and threats, implementing IT governance frameworks has never been as important as it is today.