1 / 37

IT governance

IT governance. ISACA SA Awards Ceremony 20 April 2007 Presented by: Mervyn E. King S.C. Introduction. Information age Members of global village Willingly or unwillingly Real time Transparency – cornerstone Sunlight/disinfectant Electric light/policeman

deepak
Télécharger la présentation

IT governance

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT governance ISACA SA Awards Ceremony 20 April 2007 Presented by: Mervyn E. King S.C.

  2. Introduction • Information age • Members of global village • Willingly or unwillingly • Real time • Transparency – cornerstone • Sunlight/disinfectant • Electric light/policeman • Ultimate light – Telecommunications and IT Mervyn King SC

  3. Changed corporate world (1) • Integral to society • Shareowner profile changed • Conformance and performance • UN Human Rights declaration • Environmentalists • Information communication technology • Activism • Triple bottom line Mervyn King SC

  4. Changed corporate world (2) • Capital a scarce resource • Borderless world • Click of a mouse • Make or destroy markets • Rely on reports from companies • Capital flows affected by electronic communication • Flows towards good governance Mervyn King SC

  5. Changed corporate world (3) • Shareowner revolution • Global institutional investor • Conduit for person in street • Where were the directors? • Where were the institutional shareowners? • Strategic importance of IT systems – not only enabler Mervyn King SC

  6. Changed corporate world (4) • ICT • Important strategic role – pervasive • Flatter structures – online • Industries converge • Governance role? Mervyn King SC

  7. Governance a process • Governance about process • Enterprise – strategic • Risk for reward – failure • Good governance and failure • Acceptable • Bad governance – failure – scandal • Not acceptable Mervyn King SC

  8. Compliance • Mindless whether voluntary or compulsory • Compliance officer • Apply mind • Not suitable for business • Explain • Market ultimate compliance officer Mervyn King SC

  9. Enron • Had the trappings of good governance • Quantitatively compiled • Non-executives • Good board attendance • Committees of board • Yet dysfunctional Mervyn King SC

  10. Enron – why? • Self-interest • Greed • Dishonest – SPE’s and off balance sheet • Apparently to prop up share price • Codes will not help • Intellectual dishonesty Mervyn King SC

  11. A director’s duties - responsibilities • Good faith • Care • Skill • Diligence Mervyn King SC

  12. Incapacitated person • Human being • Best interests, care, skill, diligence • Decent citizen thing to do • Company an artificial citizen • Incapacitated • Director, heart, mind and soul Mervyn King SC

  13. Quantitative governance compliance • Voluntary or compulsory • Not the answer • Quality governance • Based on intellectual honesty • Incapacity awareness • Corporate sins – awareness • Intellectually naïve questions • IT governance the same Mervyn King SC

  14. IP and IT • Manual processes to systems processes • Processes and risks locked into IT • IP locked into IT • Staff told “how” to use systems • The understanding of the IT? • In the IT department and CIO • “Black box” scenario Mervyn King SC

  15. Two levels of IT governance • Technical and IT process level – first • Business process level strategic – second • CIO and colleagues need to understand the business • Aids company to realise strategies • IT governance specific to each business Mervyn King SC

  16. IT governance • Legislate • Cobit or ITL • Legal framework needed • Due care • Due diligence • These are the essence of information security Mervyn King SC

  17. Regulate IT governance? • Not for level two • Management of processes to realise business strategies • No generic rule • To regulate all businesses • Even adapt methodologies to suit local environment for level one Mervyn King SC

  18. Risk in the use of IT (1) • Strategic importance of information technology • Technology issues • Board members need greater understanding • Duty of care and skill • How else carry out duties? Mervyn King SC

  19. Risk in the use of IT (2) • Unaware of operational risks • Because processes not understood • Risk management • Solution? • Representation or outside advice Mervyn King SC

  20. Risk in the use of IT (3) • Confidential info outside company • Different codes of conduct • Different values • Different risks • Accountability issues Mervyn King SC

  21. Risk in the use of IT (4) • Increasing dependence on outsiders • Outside direct control of company • Process outside, e.g. call centre • Financial and reputational risks • Outside access to confidential information • Information security as part of governance Mervyn King SC

  22. Internet Encyclopedia Information security • Napoleon, The Three Musketeers • The wax seal • Information to enemy • Disastrous for battle or the war Mervyn King SC

  23. Unauthorised • Use • Access • Disclosure • Disruption or elimination • Changes • Prudent and reasonable steps or legislation • Care and diligence Mervyn King SC

  24. Internet Encyclopedia The wax seal • Confidentiality – job application • Integrity – no change without authorisation • Availability – system functioning correctly • Possession – stolen laptop • Authenticity – information genuine • Utility – usable and useful Mervyn King SC

  25. The ISO code for information security (1) • The security policy • Asset management • Human resource security • Physical and environmental security • Communications management • Operations management Mervyn King SC

  26. ISO code (2) • Access control • Information systems acquisition • Development and maintenance • IS incident management • Business continuity • Regulatory compliance Mervyn King SC

  27. Cryptography • Codes • Renders it unusable • Other than authorised user • Encrypted information • Usable again by decryption Mervyn King SC

  28. Methods of protection • Legislation? • UK Data Protection Act • The Family Education Rights and Privacy Act • The Health Insurance Accountability Act • The Electronic Communications and Transactions Act Mervyn King SC

  29. Sarbanes-Oxley and King • Comply or explain • Comply or else • Legislate against negligence or dishonesty? • Intellectual honesty • Market cap of company • Due care and diligence Mervyn King SC

  30. Information security • Steps taken to practice due care • Verified • Measured against reasonable man • Continual processes in due diligence • Activities to monitor protection mechanisms • Maintaining the mechanisms Mervyn King SC

  31. Electronic communication • Board pack • AFS online • No more printed AFS • No more published in newspapers • Cautionaries • Faster dissemination of information • Insider trading – more or less? • Security against sensitive market leaks Mervyn King SC

  32. IT board representation • IT was an enabler to support the business • Now both supports the business and drives strategy • Strategic decisions on IT improvements and on information availability • CIO on board? Mervyn King SC

  33. Laws and regulations • Duty of board to ensure compliance • Bulk of companies SMME • Cannot afford IT expertise inhouse • Have to use service providers • Remember can delegate but cannot abdicate Mervyn King SC

  34. Director’s liability • Director is a director • Collective authority • Individual liability • Statutory and common law • Expertise important Mervyn King SC

  35. Good practitioners • Aware of four duties • Aware quality above quantity • Aware human frailty • Aware individual liability • Aware not understanding – IT • Intellectual honesty foundation • How legislate about all this or only one aspect? Mervyn King SC

  36. Conclusion • Comply or explain • Comply or else • In either regime, quality is the factor not quantity • The market is the ultimate compliance officer • Ultimate responsibility is business success • Balance conformance and performance • Legislation is not the recipe for good governance, corporate or IT • Moses, Congress, Parliament Mervyn King SC

  37. “The Corporate Citizen” Mervyn King SC

More Related