Information Technology Governance, IT Governance or ICT (Information & Communications Technology) Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance management and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.
A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box system. The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and in particular departments such as finance, have the necessary input into the decision making process. This prevents IT from independently making and later being held solely responsible for poor decisions.
There are narrower and broader definitions of IT governance such as the focus on "specifying the decision rights and accountability framework to encourage desirable behavior in the use of information technology."
In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives."
While AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization."
The discipline of information technology governance, a derivative of corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of information technology related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
The primary goals for information technology governance are to:
- Assure that the investments in IT generate business value, and
- Mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, application software, infrastructure, etc.
Decision rights are a key concern of IT governance, depending on the size, business scope, and IT maturity of an organization, either centralized, decentralized or federated models of responsibility for dealing with strategic IT matters are suggested. In this view, the well defined control of IT is the key to success.
After the widely reported collapse of Enron in 2000, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors for public and privately held corporations were questioned. As a response to this, and to attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel-II in Europe have been catalysts for the development of the discipline of information technology governance since the early 2000s. However, the concerns of Sarbanes Oxley (in particular Section 404) have less to do with IT decision rights and more to do with operational control processes such as IT Change management.
Problems with IT governance
Is IT governance different from IT management and IT controls? The problem with IT governance is that often it is confused with good management practices and IT control frameworks. ISO 38500 has helped clarify IT governance by describing it as the management system used by directors. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large scale IT management. The difficulties in achieving a balance between financial transparency and cost-effective data capture in IT financial management (e.g., to enable charge back) is a continual topic of discussion in professional literature and can be seen as a practical limitation to IT governance.
There are quite a few supporting mechanisms developed to guide the implementation of information technology governance. Some of them are:
- The HORSE Project (HORSE) - Holistic Operational Readiness Security Evaluation is a comprehensive information security framework designed to be accessible, extensible, comprehensive, and collaborative. It is a resource for lawyers to layman alike. The HORSE Project is the brainchild of Michael D. Peters.
- The IT Infrastructure Library (ITIL) is a detailed framework with hands-on information on how to achieve a successful operational Service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum.
- Control Objectives for Information and related Technology ( COBIT) is another approach to standardize good information technology security and control practices. This is done by providing tools to assess and measure the performance of 34 IT processes of an organization. The ITGI (IT Governance Institute) is responsible for COBIT
- The ISO/IEC 27001 (ISO 27001) is a set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 ([BS7799]), which was published in the United Kingdom and became a well known standard in the industry that was used to provide guidance to organizations in the practice of information security.
- The IT Baseline Protection Catalogs, or IT-Grundschutz Catalogs, ("IT Baseline Protection Manual" before 2005) are a collection of documents from the German Federal Office for Security in Information Technology (FSI), useful for detecting and combating security-relevant weak points in the IT environment. The collection encompasses over 3000 pages with the introduction and catalogs.
- The Information Security Management Maturity Model ISM3 is a process based ISM maturity model for security.
- AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008
- ISO/IEC 38500:2008 Corporate governance of information technology, (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations from all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA). It is designed for experienced professionals, who can demonstrate 5 or more years experience, serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a 4-hour test, designed to evaluate an applicant's understanding of enterprise IT management. The first examination will be held in December 2008.
- Information Technology Infrastructure Library
- ISO/IEC 38500
- ISO 27002
- FIPS 199
- FIPS 200
- SP 800-37
- SP 800-53
- SP 800-53A
- SP 800-59
- SP 800-60
- Family Educational Rights and Privacy Act (FERPA)
- Lutchen, M. (2004). Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley., ISBN 0-471-47104-6
- March J., Simon H., Organizations, Blackwell Publishers, 1993 (First ed. Wiley, 1958), ISBN 0-631-18631-X
- Van Grembergen W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
- Georgel F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004(Ed1) 2006(Ed2), ISBN 2-10-050241-7
- Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
- The IT Governance Institute
- Informations Systems Audit and Control Association
- International Association of Information Technology Asset Managers, Inc. - IAITAM
- IT Infrastructure Library
- Australian Computer Society Governance of ICT Committee
- IT Governance Network
- Ramin Communications ICT Governance papers
- Overview of IT Governance publications
- Center of IT Economics Research