Information technology governance
Information Technology Governance, IT Governance or ICT (Information & Communications Technology) Governance, is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives, for instance Sarbanes-Oxley in the USA and Basel II in Europe, as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.
A characteristic theme of IT governance discussions is that the IT capability can no longer be a black box. Traditionally, board-level executives deferred all key IT decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers, and in particular departments such as finance, have the necessary input into the decision-making process. This prevents IT from independently making, and later being held solely responsible for, poor decisions. It also prevents critical users from later complaining that the system does not behave or perform as expected, as explained in the Harvard Business Review article by R. Nolan:
"A board needs to understand the overall architecture of its company's IT applications portfolio … The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue… " [Nolan, R. and F. W. McFarlan (2005). "Information Technology and the Board of Directors." "Harvard Business Review" (October 2005).]
There are narrower and broader definitions of IT governance. Weill and Ross focus on "Specifying the decision rights and accountability framework to encourage desirable behaviour in the use of IT." [Weill, P. & Ross, J. W., 2004, "IT Governance: How Top Performers Manage IT Decision Rights for Superior Results", Harvard Business School Press, Boston.]
In contrast, the IT Governance Institute expands the definition to include foundational mechanisms: "… the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives." [IT Governance Institute 2003, "Board Briefing on IT Governance, 2nd Edition". Retrieved January 18, 2006 from http://www.isaca.org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_Governance/26904_Board_Briefing_final.pdf]
AS8015, the Australian Standard for Corporate Governance of ICT, defines Corporate Governance of ICT as "The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."
The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT-related matters in contemporary organizations and states that strategic IT decisions should be owned by the corporate board, rather than by the chief information officer or other IT managers.
The primary goals of information technology governance are to (1) assure that investments in IT generate business value, and (2) mitigate the risks that are associated with IT. This can be done by implementing an organizational structure with well-defined roles for the responsibility of information, business processes, applications, infrastructure, etc.
Decision rights are a key concern of IT governance, being the primary topic of the book by that name by Weill and Ross. [Weill P., Ross J., "IT Governance: How Top Performers Manage IT for Superior Results", Harvard Business School Press, 2004, ISBN 1-59139-253-5] According to Weill and Ross, depending on the size, business scope, and IT maturity of an organization, either centralized, decentralized or federated models of responsibility for dealing with strategic IT matters are suggested. In this view, well-defined control of IT is the key to success.
After the widely reported collapse of Enron in 2001, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors for public and privately held corporations were questioned. In response, and in an attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel II in Europe have been catalysts for the development of the discipline of information technology governance since the early 2000s. However, the concerns of Sarbanes-Oxley (in particular Section 404) have less to do with IT decision rights as discussed by Weill and Ross, and more to do with operational control processes such as change management.
Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. A series of Australian Standards for Corporate Governance was published in 2003:
* Good Governance Principles (AS8000)
* Fraud and Corruption Control (AS8001)
* Organisational Codes of Conduct (AS8002)
* Corporate Social Responsibility (AS8003)
* Whistle Blower protection programs (AS8004)
AS8015 Corporate Governance of ICT was published in January 2005. It was fast-track adopted as ISO/IEC 38500 in May 2008.
Problems with IT governance
Is IT governance different from IT management and IT controls? The problem with IT governance is that it is often confused with good management practices and IT control frameworks. ISO/IEC 38500 has helped clarify IT governance by describing it as the system used by directors to direct and control the use of IT. In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment. The directors responsible for this stewardship look to management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
Nicholas Carr has emerged as a prominent critic of the idea that information technology confers strategic advantage. [Carr, N. G. (2004). "Does IT matter? : information technology and the corrosion of competitive advantage." Boston, Harvard Business School Press. ISBN 1-59139-444-9] This line of criticism might imply that significant attention to IT governance is not a worthwhile pursuit for senior corporate leadership. However, Carr also indicates counterbalancing concern for effective IT risk management.
The manifestation of IT governance objectives through detailed process controls (e.g. in the context of project management) is a frequently controversial matter in large-scale IT management; see Agile methods. The difficulty of achieving a balance between financial transparency and cost-effective data capture in IT financial management (e.g., to enable chargeback) is a continual topic of discussion in the professional literature [Office of Government Commerce (2001). "Service Delivery: Capacity Management, Availability Management, Service Level Management, IT Service Continuity, Financial Management for IT Services and Customer Relationship Management." OGC, ITIL Managing IT Services (IT Infrastructure Library). London, The Stationery Office. ISBN 0-11-330017-4], [Remenyi, D., A. H. Money, et al. (2000). "The effective measurement and management of IT costs and benefits." Computer Weekly professional series. Oxford; Boston, Butterworth-Heinemann. ISBN 0-7506-4420-6] and can be seen as a practical limitation of IT governance.
Relationship to other IT disciplines
IT governance is supported by disciplines such as:
* Business Service Management
* Business Technology Optimization
* IT asset management
* IT portfolio management
* IT security assessment
* IT service management
* Project management and Program management in the enterprise IT context (including software engineering where appropriate)
There are quite a few supporting mechanisms developed to guide the implementation of information technology governance. Some of them are:
* The [http://www.itil.co.uk/ IT Infrastructure Library] (ITIL) is a detailed framework with hands-on information on how to achieve successful operational service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce, in partnership with the IT Service Management Forum.
* Control Objectives for Information and related Technology (COBIT) is another approach to standardizing good information technology security and control practices. This is done by providing tools to assess and measure the performance of 34 IT processes of an organization. The [http://www.itgi.org ITGI] (IT Governance Institute) is responsible for COBIT.
* ISO/IEC 27001 (ISO 27001) specifies the requirements for establishing, implementing and maintaining an information security management system (ISMS), i.e. an organization's security program. It started out as British Standard 7799 (BS7799), which was published in the United Kingdom and became a well-known standard in the industry that was used to provide guidance to organizations in the practice of information security.
* The Information Security Management Maturity Model ([http://www.ism3.com ISM3]) is a process-based maturity model for information security management.
* AS8015-2005, the Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.
* [http://www.iso.org/iso/pressrelease.htm?refid=Ref1135 ISO/IEC 38500:2008 Corporate governance of information technology] (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations' use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.
* BS7799 - focus on IT security
* CMM - The Capability Maturity Model - focus on software engineering
Non-IT specific frameworks of use include:
* Balanced Scorecard (BSC) - method to assess an organization's performance in many different areas.
* Six Sigma - focus on quality assurance
Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA). It is designed for experienced professionals who can demonstrate five or more years' experience serving in a managing or advisory role focused on the governance and control of IT at an enterprise level. It also requires passing a four-hour examination designed to evaluate an applicant's understanding of enterprise IT governance. The first examination was scheduled for December 2008.
See also
* Information Technology Infrastructure Library
* Information technology management
* IT portfolio management
* IT service management
Further reading
* Lutchen, M. (2004). "Managing IT as a business: a survival guide for CEOs." Hoboken, N.J., J. Wiley. ISBN 0-471-47104-6
* March J., Simon H., "Organizations", Blackwell Publishers, 1993 (First ed. Wiley, 1958), ISBN 0-631-18631-X
* Van Grembergen W., "Strategies for Information technology Governance", IDEA Group Publishing, 2004, ISBN 1-59140-284-0
* Georgel F., "IT Gouvernance : Maitrise d'un systeme d'information", Dunod, 2004 (1st ed.), 2006 (2nd ed.), ISBN 2-10-050241-7
See also the bibliography sections of IT Portfolio Management and IT Service Management.
* Renz, Patrick S. (2007). "Project Governance." Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
External links
* [http://www.itgi.org The IT Governance Institute]
* [http://www.isaca.org Information Systems Audit and Control Association]
* [http://www.iaitam.org/Corp_Bios.htm International Association of Information Technology Asset Managers, Inc. - IAITAM]
* [http://www.itil.co.uk IT Infrastructure Library]
* [http://www.acs.org.au/governance Australian Computer Society Governance of ICT Committee]
* [http://www.itgovernance.com IT Governance Network]
* [http://www.ramin.com.au/itgovernance Ramin Communications ICT Governance papers]
* [http://www.qap.eu/index.php?cont=137&lgn=3 Overview of IT Governance publications]
* [http://www.iteva.rug.nl Center of IT Economics Research]
Wikimedia Foundation. 2010.