Introduction
Despite its staid reputation, IT governance is making headlines. Driven by data privacy regulations and cyber security concerns, companies are coming to recognize – and act on – the need for tighter controls and greater accountability around the performance, security, and risk of IT systems and stakeholders.
But despite such awareness, the daily flurry of system updates, application patches, and security notes makes it far too easy to focus on the transactional side of IT – and put off the need for a proactive, long-term governance strategy. These are the questions that keep CIOs up at night: Which applications and systems are exposing us to serious security risks? How should I protect my systems, data, and users?
Truly answering such questions requires a holistic approach that systematically improves IT governance, reduces risk, and limits exposure. One solution – harnessing process control and risk management applications, traditionally used to manage financial risk and compliance, to improve IT governance – allows organizations to better govern IT, reduce risk, and increase application and data security.
Four Steps to Improving IT Governance
To work across the organization, IT governance must be driven by a top-down policy. Proactive governance looks at the entire IT landscape, from single sign-on to mobility access to Internet security and laptops. A simplified yet systematic approach consists of four steps: creating IT policy, defining controls, testing controls, and monitoring control performance.
Figure 1: A Simplified Yet Systematic Approach to IT Governance
Create policy. A complete review of all IT systems, applications, and users is needed to determine an optimal governance policy based on risk, threats, and exposure. The CIO needs to understand which systems have the greatest impact on daily operations. Which systems help maintain a competitive advantage? Harbor trade secrets? Hold sensitive information? Once these systems are identified, IT can establish the appropriate policy to govern, protect, and secure systems and data.
Define controls. IT must then define the controls required to enforce the chosen policy. Controls can be manual (e.g., surveying line managers about security threats) or automated (e.g., a daily McAfee log check).
Test controls. This requires setting up routine tests to check control performance. For example, an automated test to ensure that all vendor edits are made by authorized users; a periodic review and attestation of accounts with access to sensitive data; or the use of archival log records to support ongoing and forensic review of activities.
Monitor performance. The final step is to monitor performance of the control tests against predetermined parameters based on frequency, level of risk, and other criteria. If any risk exceeds a defined threshold – for example, more than five incidents of unauthorized access to a particular system in a week – automated alerts notify management to take appropriate action. Some high-risk transactions, of course, require ongoing monitoring. For example, when an employee is terminated, controls should ensure that laptops are returned and user access removed to block unauthorized usage.
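As an added illustration of the monitoring step (example code written for this page, not part of the original paper or any SAP product), the following applies the text's threshold of more than five unauthorized accesses to one system in a week over a constructed access log, and checks that terminated employees no longer hold active accounts. All records and names are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log records: (timestamp, system, user, outcome).
ACCESS_LOG = [
    ("2024-03-04T08:02:00", "vendor-master", "alice", "authorized"),
    ("2024-03-04T09:15:00", "vendor-master", "mallory", "unauthorized"),
    ("2024-03-05T10:20:00", "vendor-master", "mallory", "unauthorized"),
    ("2024-03-05T11:00:00", "vendor-master", "eve", "unauthorized"),
    ("2024-03-06T14:30:00", "vendor-master", "mallory", "unauthorized"),
    ("2024-03-07T16:45:00", "vendor-master", "eve", "unauthorized"),
    ("2024-03-08T09:00:00", "vendor-master", "mallory", "unauthorized"),
    ("2024-03-08T09:30:00", "hr-payroll", "bob", "unauthorized"),
    ("2024-03-12T08:00:00", "vendor-master", "eve", "unauthorized"),
]

# Constructed HR and identity data for the termination control.
TERMINATED_USERS = {"mallory", "carol"}
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "eve"}


def weekly_unauthorized_counts(log):
    """Count unauthorized events per (system, ISO week) bucket."""
    counts = defaultdict(int)
    for ts, system, _user, outcome in log:
        if outcome != "unauthorized":
            continue
        year, week, _ = datetime.fromisoformat(ts).isocalendar()
        counts[(system, f"{year}-W{week:02d}")] += 1
    return dict(counts)


def breached_thresholds(log, max_per_week=5):
    """(system, week, count) for every bucket exceeding the weekly threshold."""
    return sorted(
        (system, week, count)
        for (system, week), count in weekly_unauthorized_counts(log).items()
        if count > max_per_week
    )


def stale_accounts(active_accounts, terminated_users):
    """Accounts still active for users whose employment has ended."""
    return sorted(set(active_accounts) & set(terminated_users))


if __name__ == "__main__":
    for system, week, count in breached_thresholds(ACCESS_LOG):
        print(f"ALERT: {count} unauthorized accesses to {system} in {week}")
    for user in stale_accounts(ACTIVE_ACCOUNTS, TERMINATED_USERS):
        print(f"ALERT: terminated user {user} still has an active account")
```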
Business Analytics Services from SAP can help customers plan and execute IT governance across the entire IT landscape. Our service professionals can provide the expertise to leverage investments in SAP software to manage IT governance securely and effectively. For example, in the second and third steps of the process shown in Figure 1, the SAP BusinessObjects™ Process Control application can be used to set up automated control tests, reducing manual testing and oversight and saving time and money. Once a governance policy is established, the solution can monitor both SAP and non-SAP applications and systems for compliance – for example, checking McAfee logs to analyze update penetration on employee laptops. By centrally monitoring key controls, the SAP solution creates greater visibility into overall IT governance.
Business Analytics Services from SAP can also help identify ways to better monitor performance, such as using the SAP BusinessObjects™ Risk Management application to monitor test performance, alert executives, and suggest mitigation measures for immediate decision making and remediation. For example, a control test might identify repeated unsuccessful login attempts or unauthorized logins, then automatically alert management to the issue. IT managers can analyze risks in terms of severity and likelihood of impact, then monitor performance through executive-level dashboards and reports that deliver visibility into key risk metrics and policy compliance.
Using a best-practice framework for risk analysis, predefined risk responses, and continuous risk monitoring and reporting, the software empowers companies to effectively monitor risky business behavior and provide mitigation to minimize risk.
Conclusion
No organization can afford a security breach or scandal, and CIOs must keep IT governance in mind at all times. By managing risk and compliance across the entire IT landscape, CIOs can evaluate and align processes and strategies to provide effective governance.
Business Analytics Services from SAP can help companies plan, execute, and improve IT governance across multiple IT systems. Using solutions – such as SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management applications – companies can automate IT governance and better organize staff, speed reporting, and reduce costs. A centralized monitoring system further helps IT managers consistently and proactively enforce IT policies and ensure compliance.
For more information on how Business Analytics Services from SAP can help unlock the value of IT governance, and lower risk and exposure, visit us online.