Chapter 2: Governance – Governance and Internal Controls for Cutting Edge IT

CHAPTER 2: GOVERNANCE

“There is nothing so useless as doing efficiently that which should not be done at all.” Peter F. Drucker

IT Governance Concepts and Principles

Governance is the means by which IT and the business establish present and future goals for IT, to ensure IT is a strategic enabler of the business, delivering quantifiable business value on its investments. The moves to outsource and Cloud Computing makes governance even more critical than in a traditional environment.

In general terms, corporate governance of IT involves evaluating, directing, and monitoring the usage of IT. This spans the planning, design, development, deployment, operation, management, and application of IT to meet the needs of the business. It involves ensuring that the capability being delivered aligns with the needs of the business, and that the controls are in place to be able to prove that the proper events took place, and sometimes even to prove that an improper event did not take place.

IT governance is well-documented in multiple sources and does not need to be completely revisited in this text. However, in the interest of those who are reading this book because it has to do with Cloud Computing, but have not yet thoroughly ingested similar books focused on IT governance, the topic is included. Without good governance, the investment in IT cannot realize its potential. Without good governance, outsourcing and Cloud Computing are likely to be less than anticipated in terms of cost savings and improved capability.

The role of governance in Cloud Computing is amplified, according to NIST. One root cause for this is the transformation of capital investment into operational expense line items: while this has an advantage of allocating costs according to actual usage, the oversight of these computational resources is concomitantly reduced leading to an increased risk that security and privacy issues will go unaddressed. When Cloud Computing/outsourcing of IT is enabled as an expense line item, “Cloud creep,” the uncontrolled expansion of departmental IT, is accompanied by increased risk for the company making the outsourcing decision.

Principles

In the interest of expanding upon existing guidance for governance, a set of principles based upon internationally recognized standards establish a sound foundation for a defensible model of governance. The following high-level principles and the discussion of each are derived from ISO/IEC 38500, Corporate Governance of Information Technology.

Principle 1: Responsibility

In an outsourced or Cloud-based environment, it is essential that a clear definition of roles and responsibilities is identified, to both ensure a clear mutual understanding of who is doing what, and to identify interfaces between the groups where handoffs should occur smoothly. One of the most overlooked roles in this principle is the role of the business owner. Let us look at this critical role further.

Business owners must understand their role in defining how information systems carry out business logic, both directly and in supporting roles, in order to enable business processes to meet existing business need, and to be nimble enough to respond to market and business change. Business owners need to be able to define their business in ways that skilled IT business partners can translate into use cases, for example, and to not view IT as a “black box.”

Business owners may not have clear visibility of the supporting requirements that are implied through their use-case definitions. For example, a business owner may have an interest in data mining information captured through websessions of the business customers during their interaction with the application’s web-based interface.

Every development team, whether departmental or centralized, is responsible for translating business use cases into information systems logic, and this is true regardless of whether the target system is a third-party provider’s SaaS (software as a service) framework, they are applets distributed through an App store, or as an enterprise application hosted on a Cloud provider’s PaaS (platform as a service) or IaaS (infrastructure as a service). Rapid development cycles lead to rapid prototypes and effectively can become “prototype in production” without any vetting of the potential of violation of security or privacy principles. In this scenario, the business unit deploying the business logic now becomes the primary arbiter and enforcer of security and privacy principles, rather than a central enterprise organization. It can be a conflict of interest. Some sort of centralized governance process is needed to ensure that roles and responsibilities are clearly understood, as well as executed.

Principle 2: Strategy

The organization’s business strategy should take into account IT’s current capabilities as well as future capabilities. The implications of this are that the existing computing capability is defined and measured against a baseline of capability, process, and control. Implications for the evolution or revolution of computing capability for the enterprise should be described and compared against the business longer term goals and objectives: will the existing IT infrastructure be an asset or an impediment to the future business strategy of the organization? Can IT deliver on change that may require business products and services to be cycled on a six month basis?

As described in the cost model for Cloud Computing, decisions for moving to a third-party provider should consider the capability “uplift” associated with IT transformation. Part of the justification for the move to outsourced/Cloud-based IT will very likely be on the capability that the IT transformation can enable for the business. This anticipated value must be described and measured post-migration to the Cloud in order to see if the value was truly realized. This is another role for governance.

IT strategy is a cross organizational exercise and necessarily requires active involvement of both IT and business unit leadership to direct investment in both IT services and assets (including people, software, and infrastructure). Business and IT alignment on the IT capabilities needed to support the business strategy is critical to success. A formally chartered IT governance committee with both IT and business unit leadership should adopt alignment practices that will ensure that:

  1. IT informs key stakeholders on the current technology environment.
  2. Business unit management and stakeholders share with IT future business direction and organizational goals.
  3. IT management effectively identifies technology opportunities that can enable the business.
  4. Planning is inclusive of all business units.
  5. Criteria for prioritization of initiatives is transparent and communicated across the organization.

In addition, the projected value of proposed IT projects should be evaluated post-implementation by a cross organizational team to determine if projected value was realized, and if not why not. The results of this analysis should be reviewed with the governance committee. The cost model in Chapter 4 may be useful in identifying areas of hidden cost that will affect the cost-benefit and net value of the IT project to the company.

The governance process does little to evaluate for security and privacy risk, but these are emerging as primary topics in Cloud Computing and offshoring. This will be covered in more depth in Chapter 5 on Risk Management, but some of the following examples of security risk illustrate how risk needs to be incorporated into the early considerations for any Cloud-based projects:

  • Terms in provider dictated, non-negotiable service agreements may leave the status of data left in the Cloud at the termination of service very unclear as to its secure disposition.
  • Cloud architecture is still a client-server architecture, and while the provider may provide security, the end-user device or connected system may be the insecure point of entry into the Cloud by an interloper.
  • The outsourcing company retains all accountability for the location and security of its data. This can be harder to monitor in the Cloud environment, because the nature of Cloud architecture is more complex. Cloud providers may utilize nested secondary and tertiary outsourced services from around the globe. This complexity results in a greater, not smaller, attack surface.
  • As with any outsourcing agreement, the burden is on the outsourcing organization to ensure they define processes together with the provider to maintain visibility of the health of the computing environment, and to have clear roles, responsibilities, and procedures ready to respond to any anomalous activity in the system.

Principle 3: Acquisition

IT acquisitions should be made for reasons that are based on business need and documented with sufficient analysis. The balance of opportunity, benefit, cost, and risk must be judiciously evaluated.

Principle 4: Performance

The current and anticipated business usage of IT must align with the design of IT infrastructure and applications. Levels of service, quality of service, and end-user experience will drive business confidence in IT as a business partner, that IT is capable of supporting the necessary performance to enable the kind of rapid rollout of new business capability for global competitiveness.

Principle 5: Conformance

Policies, standards, and practices that define the “what” and “how” of conformance to mandatory regulations, statutes, legal requirements, and contractual obligations in all jurisdictions enable the business to meet its requirement for compliance.

In addition, we need to inspect what we expect. Establishing the standards of conformance must be backed with independent reviews to ensure that the standards are enforced consistently and reliably across the organization.

Legislative and regulatory considerations for Cloud Computing are described in more detail in Chapter 3.

Principle 6: Human Behavior

IT policies, practices, and decisions demonstrate respect for human behavior, including the current and evolving needs of all the “people in the process.” I have often referred to this as needing to consider the “organic matter at the keyboard.” Human behavior is wired to overcome every obstacle in its way to accomplish its objective. We are nothing if not consummate problem solvers and what are security and privacy controls if not problems to be overcome?

In the governance process for Cloud Computing, it is essential to understand the nature of the organization from a human perspective: What is the impact that outsourcing will have on the organization? Do people have the information and the skills they require to be successful in the new environment? Have all necessary parties been informed of management plans and direction for IT? Are there risks to the IT environment from associates that perceive their roles as potentially redundant on account of outsourcing? How much remote access will be required and how is that controlled?

Of all the areas of governance, this is the most challenging and, from a management perspective, perhaps deserves the greatest attention. People are always the greatest resource and the greatest challenge from a risk and security point of view.

Evaluating, Directing, and Monitoring

Governance involves evaluating, directing, and monitoring IT.

According to ISO/IEC 38500, evaluation involves “examining and making judgement on the current and future use of IT, including strategies, proposals and supply arrangements (whether internal, external or both).” This needs to identify and evaluate factors affecting the business, whether geopolitical, economic, technological change, or social trends. We live in a time of great change in all these areas – those accountable for governance need to have a strong point of view for these perspectives that is appropriate for the business.

Directing involves establishing roles, responsibility, and accountability for plans that will support the future of IT investment and policies that will direct sound behavior for both associates of the organization and providers of services to the organization. The behavior of the organization should track to both the plans as well as the principles of governance described further in this chapter.

The third element of governance involves monitoring. IT needs effective measurement systems that track the performance of IT to plan, and track the performance of IT to business objectives. There also needs to be effective tracking and reporting of compliance to statutory, legal, contractual, and regulatory requirements, along with a corrective and preventative action tracking system that will monitor all actionable improvement items to closure. The set of drivers for monitoring shown in the table below are based upon control objectives for IT:

  • Provide transparent view of IT’s performance based on reliable information;
  • Opportunities for improvement are identified;
  • Facilitate achievement of business and compliance objectives;
  • Cost-effectiveness;
  • Well informed IT investment decisions, tracking, and improving value delivery;
  • Consistent use and integrity of performance indicators.

Monitoring occurs at multiple levels in IT. For example, we have various IT metrics monitoring the health and hygiene of the network, servers, desktops, and laptops. We monitor information flow for data loss prevention, firewalls for connectivity, and IDS (intruder detection systems) and IPS (intrusion prevention systems). At another level, internal audit does periodic reviews of portions of the organization to check for adherence to company policy and best practice, and reports on findings and observations. There are management reports of management’s assertions of business status, project status reports and external audits and regulatory exams. It seems as if plenty of monitoring is going on. The key is to ensure that monitoring reflects reality across the organization, that it is based on current and relevant facts and data, and that it is correlated into a meaningful representation of IT’s capabilities to enable the business and ensure compliance.

Monitoring

Monitoring is effectively management and execution of measurement activities. Remember that it is possible to measure an infinite number of things and the key is to limit measurements to those items that matter to the organization.

A couple of questions to ask in order to evaluate if a measurement matters are: (1) could this measurement go away and no one would notice? and (2) does the measurement of this item somehow provide information that could drive change into the organization? COBIT®“monitor and evaluate” provides a number of control objectives to establish monitoring at a level that supports good governance and is relevant to Cloud Computing:

Monitoring Approach: Establish a general monitoring framework and approach to define the scope, methodology, and process to be followed for measuring IT’s solution and service delivery, and monitor IT’s contribution to the business. Integrate the framework with the corporate performance management system.

Definition and Collection of Monitoring Data: Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.

Monitoring Method: Deploy a performance monitoring method (e.g. balanced scorecard) that records targets, captures measurements, provides a succinct all-around view of IT performance, and fits within the enterprise monitoring system.

Performance Assessment: Periodically review performance against targets, analyze the cause of any deviations, and initiate remedial action to address the underlying causes. At appropriate times, perform root cause analysis across deviations.

The overall role of monitoring at the governance level is to set in place management expectations for processes and controls. These processes and controls should establish practice that matches the risk appetite of the business and ensures the implementation of measurement and assessment informs management on the overall suitability for technology to meet business needs.