Before looking at the steps to implement an IT governance system in an organization, it is important to understand what IT governance is.
What is IT Governance?
Many of us hear the word governance in daily life and use the term frequently, but most of us do not understand its core meaning.
IT governance is simply the system by which an organization is directed and controlled. It comprises the set of processes used to address problems and to innovate through interaction and decision making by top-level management.
IT governance is a set of rules, policies, and standards that an organization follows to achieve its business vision through strategic planning, teamwork, decision making, and processes.
An organization should consider the following to put a good governance system in place:
Define organizational goals and objectives
Identify the resources and evaluate them
Plan the progression considering the key factors
Select the governance lead
Document the processes as policies, standards, procedures, and guidelines accordingly
Train staff on the system
Why do we need Governance?
To meet business goals
To optimize resources
To optimize risks
Now that we understand governance and the factors that affect good governance, it is time to discuss implementing effective IT governance in an organization. The general steps given here are based on COBIT 5.
To know more about the COBIT framework, click here.
We can categorize the steps to implement IT governance according to the ADDIE model (Analysis, Design, Development, Implementation, Evaluation).
STEP 1: Analysis
Initially, we identify the needs of the business by understanding its vision, mission, and objectives.
Then, we identify the assets, infrastructure, and IT services that the organization has. Organizational assets include human resources, technologies, hardware, software, and, most importantly, data and information.
Similarly, we identify the external threats and opportunities facing the business.
Then, we analyze the business goals, assets, and opportunities and map them to the COBIT 5 principles: meeting stakeholder needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
STEP 2: Design
In this phase, the organizational structure is designed and categorized into three levels of governance structure: strategic, management, and operational. The Board of Directors, the steering committee, and the Chairman form the governing body; they are responsible for strategic planning and for designing the policies, standards, procedures, and guidelines that align IT goals with business goals. Management includes the CEO, senior employees, and heads of department, who execute the implementation of the policies designed by the governing body. Lastly, operational-level employees carry out the processes set by management.
In this stage, the model is designed considering the following:
Defining business goals and objectives
Identifying available resources
Planning the required resources
Choosing leadership
Documenting processes as a draft
Training and empowering team members and stakeholders
In this stage we also use a RACI matrix (Responsible, Accountable, Consulted, and Informed) to segregate duties and authorities and to maintain need-to-know and least privilege.
Here is a sample RACI chart.
STEP 3: Development
Once the organizational structure is designed, the chosen leader works with the team to identify security risks. Risks are categorized as strategic, compliance, operational, financial, and reputational risk.
The risks are then assessed and prioritized, which helps in understanding the current state of the business; this can also be done with the COBIT Process Assessment Model. The team lead then analyzes the need for security policies, standards, and procedures.
Things to consider before developing a policy:
The policy should address the needs of the business
Ensure that all policies are interconnected, and that there is a policy for handling policies
Identify overlapping policies
The policy should be complete and take all stakeholders into consideration
Define the policy-handling authority and maintenance responsibility
Establish documentation of policies
Circulate the policies and inform the concerned stakeholders
Besides that, we can consider various standard policies and customize them to the needs of the organization. Here are links to the most popular security policy resources:
Besides these, organizations can also consider other standards such as ISO/IEC and government standards.
This stage can also be called strategic planning.
Before implementing the strategic plan, it is critical to consider the What, Why, When, How, Who, and Where (accountability) of the strategy.
We proceed once we have answered the questions below:
What needs to be done?
Why does this need to be done?
When does this need to be done?
Who must do this?
Where must this be done?
STEP 4: Implementation
Once the policies have been developed by the Board of Directors in consultation with the steering committee, as per the needs of the business, they are implemented by senior management through procedures.
Here we consider some of the assessment techniques that can assist in identifying the state of progress:
Confidentiality, Integrity, and Availability (CIA)
COBIT Process Assessment Model (PAM)
Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis
Gap Analysis
Details of these assessment techniques will be covered in my next blog post.
STEP 5: Evaluation
This is the final step in implementing a governance system in any organization. Here, progress is actually measured by comparing the present state of business processes with the desired state. Various monitoring techniques are used to compare signs of progress against business goals. In business, thresholds are set by the standards and controls that determine the pace of business progression.
Metrics such as Key Performance Indicators (KPIs) and key measurement metrics evaluate how well the achievements of IT processes align with business values.
This process can also be called the review process.
Finally, we have successfully implemented the IT governance model.
Here are some links that will help clarify the IT governance model and its implementation: