Governance

(OBJ 5.1)

Governance

• Part of the GRC triad (Governance, Risk, and Compliance)
• Governance refers to the overall management of the organization's IT infrastructure, policies, procedures, and operations.
• Strategic leadership, structures, and processes ensuring IT infrastructure aligns with business objectives
• Involves risk management, resource allocation, and performance measurement

Purpose of Governance

• Establishes a strategic framework aligning with objectives and regulations
• Defines rules, responsibilities, and practices for achieving goals and managing IT resources

Influence on IT Components

• Shapes guidelines for recommended approaches in handling situations
• Drives policy development, outlining organizational commitments (e.g., data protection, ethical conduct)
  • "Shaping the path an organization should follow"
• Impacts creation of standards, defining mandatory rules for policy adherence
• Ensures procedures align with objectives, providing task-specific guidance
  • The detailed steps to be followed to accomplish specific tasks, with the organization's strategic objectives
  • Ensures consistency and compliance with both policies and standards

Adaptation and Revision

• Governance must adapt to technological advancements, regulatory changes, and industry culture shifts
• Monitoring evaluates governance effectiveness and identifies gaps or weaknesses that might have arisen due to changes in technology, regulations, or industry culture.
• Revision updates governance framework to address these gaps or weaknesses
  • Could involve updating the policies, standards and procedures, or making changes, to the organization's IT infrastructure or operations.

Example

• TechFirm: A hypothetical software development company with a governance framework.
• In 2015 it started using cloud-based services for some of its operations, which required a review of their governance framework
  • They had to update their policies and procedures to include secure use of cloud services.
• In 2018: New data protection regulations were introduced, requiring more stringent protection of customer data
  • TechFirm had to monitor these regulatory changes and revise their governance framework accordingly.
  • They updated their data protection policies and adopted new security standards
• TechFirm monitored changes in technology, regulations, and industry culture, and revised their governance framework to address these changes.
  • This ensured that their governance framework remained effective, and that they continued to maintain secure operations.