Thursday, April 14, 2016
Significant benefits can be achieved by establishing a sound IT Governance program at an organization, including stronger security. Below are examples and lessons learned from organizations that have implemented or improved their IT Governance programs. The

This post is the fourth in a series on how strong IT Governance can help drive effective security across Federal enterprises.  See the first installment.

In the first example, a federal agency needed to transform the way it governed and managed IT within the Department.  It created three boards: an IT Leadership Board, a Budgeting and Near Term Issues Board, and a Programming and Long Term Issues Board. Key accomplishments included:

  • Approached IT Governance in the “right way,” enabling delivery of better results to its constituents
  • Increased enterprise-wide governance understanding and adopted a new approach to IT Governance, positioning for maximum business effectiveness and improved success over the long term
  • Institutionalized IT Governance committees with charters, policies, standards and procedures for critical IT decision-making across the organization
  • Transformed business frameworks and moved to a more effective and efficient IT environment
  • Developed a more effective regulatory and governance framework for overall business operations
  • Developed a framework for enhanced participation, transparency, and accountability in the alignment of IT to the business and the management of IT itself
  • Developed a plan to implement and sustain IT Governance for the benefit of all - employees, constituents and other stakeholders
  • Developed a framework for organizing its IT workforce under a centralized model
  • Assigned roles and responsibilities for IT management to effectively deal with oversight organizations on IT matters
  • Enabled the IT organization to define the target environment for transformation
  • Institutionalized management practices based on industry best practices described in COBIT®, Val IT™ and ITIL®
  • Established metrics to track implementation progress and performance improvements
  • Compared the department’s strategic plan to the activities required by law, and modified the strategic plan to bring it into complete alignment with law and policy
  • Produced a gap report assessing departmental policy, procedures and tools for data security, identifying gaps and recommending remediation in the key areas identified
  • Developed a Performance Management Plan, detailing the tasks, milestones, resources and completion dates for remediating data security weaknesses
  • Produced a privacy business plan and maturity roadmap that provided strategic and tactical components to assist in decision making, planning and resource allocation for privacy services
  • Diagnosed and solved a major business and IT challenge for the C-Suite by implementing Business, Applications and Processes, and IT General Controls, which met both internal and external audit requirements
  • Integrated the Network Operations Center (NOC) and Security Operations Center (SOC) to form a Network Operation Security Center to improve the efficiency and effectiveness of network and security operations and thereby greatly improve security of the network
  • Developed an Operational Risk Management Plan to enable the agency to better accomplish its mission through improved data security, and to allow the agency to make better-informed risk management decisions related to security priorities, correcting the most severe security risks first and thereby improving the agency's enterprise security posture

A few non-federal examples are also applicable.  The first, a federally regulated financial institution, established four IT Governance committees:  an Enterprise Architecture Committee, a Change Authorization Board, an IT Controls Committee, and an IT Governance Leadership Committee. Some key accomplishments achieved include:

  • The Enterprise Architecture Committee eliminated half of the 950 software packages being maintained, resulting in more efficient and effective use of staff, eliminating the maintenance costs of those packages and saving millions of dollars for the organization. This was just the first round of reviews; more software was eliminated as the process continued
  • Some 40 Change Control Committees were replaced by one Change Authorization Board. Rather than allowing software and data changes to be implemented in a haphazard manner, all changes went through one Board, which resulted in controlled implementations of changes and, for the first time, supported a decision not to implement a major new software platform until the entire system could be thoroughly tested and accredited by the CIO.
  • The IT Controls Committee implemented COBIT’s control objectives and practices for all of its IT general and application controls.  This resulted in the institution getting a clean audit and SOX 404 opinion that had eluded them for 3 years, and allowed them to register common stock with the SEC to increase investor confidence.
  • The IT Governance Leadership Committee developed a dashboard that allowed the CIO, COO and CEO to visualize on one “pane of glass” their IT general and applications controls posture for the entire institution
  • The institution’s overall information security governance was assessed, including reviewing all security processes, identifying gaps and writing additional security policies, standards and procedures to successfully remediate security weaknesses relating to financial reporting in the areas of information security, data integrity, change management and operations

In addition, a health insurance company, faced with a multitude of process audits each year, needed to make audit response consistent in order to reduce the overall impact on the business, and to also establish compliance with new insurance industry regulatory requirements. Because of the central role IT played in running the business, leadership knew it needed to implement an appropriate IT Governance program.  Some key accomplishments were:

  • Implemented IT Governance company-wide
  • Collaboratively instituted industry-standard IT Governance controls that spanned all operations, which ensured high internal standards and uniform procedures and helped to achieve regulatory compliance
  • Assessed and implemented key IT processes based on COBIT®
  • Implemented a continuous process for monitoring compliance with industry regulations and standards (e.g., HIPAA, NAIC Model Audit Rule)
  • Reduced the amount of effort needed for audit response by approximately half
  • Created more effective, uniform responses to audits
  • Better supported regulatory compliance
  • Established new security controls to help the company monitor compliance with industry regulations and standards, better aligned business and IT operations, helped manage risk and helped increase security, company-wide

These accomplishments and benefits provide a model for all departments, agencies and organizations. Government organizations can learn from these examples and adapt IT Governance to strengthen their security and privacy posture, applying sound risk management concepts, and thereby meet their own individual and unique needs.