
Why is DR not getting attention?

Saturday, November 7th, 2009

It is because,

a. Senior management of companies do not believe they need to invest in something that *may* happen.

b. DR is expensive. If you are not a storage company, your DR costs can skyrocket to the extent of listing them on your 10-K!

But think about it: what is not expensive? Automation is expensive, regulation is expensive, business process transformation is expensive. At least DR lets you do the best at something you are already good at: do it once, do it the best!

Bare minimal risks that your ITGC SOX controls should cover!

Monday, September 21st, 2009

What are the bare minimum risks that your ITGC SOX controls should cover? Although there are ITGI/COBIT documents to guide you through, one can easily get lost in the maze, so I thought I would put together this checklist for anybody to apply and get comfort.

a. New accounts or modifications to account privileges are approved - OS, DB, application, network, logical security (VPN, Active Directory, NIS, LDAP and other authentication sources), physical security.

b. Terminations are performed timely - applicable to the same areas as a.

c. Transfers are handled as a combination of b. and a. above - applicable to the same areas as a.

d. Controls around change management specifically address database object level changes, data fixes and data migrations, and UATs are recorded for all application level changes.

e. Shared privileged account management - passwords are changed when team members having access to shared privileged accounts leave the company - applicable to all areas listed in a.

f. Storage backups are tested for recovery (especially for databases).

g. Password configuration complies with enterprise standards for the areas listed in a.

Optional:

h. Account reviews in each area listed in a.
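Controls b. and e. above are the ones auditors most often find failing, and both reduce to reconciling an HR termination list against what the directory and the shared-account register actually show. The following is an added example (not from the original post) that does that reconciliation over constructed sample data; the record layouts, the one-day termination SLA and the account names are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data; none of this comes from a real environment.
HR_TERMINATIONS = {            # user -> last working day reported by HR
    "alice": date(2009, 9, 1),
    "bob":   date(2009, 9, 10),
    "carol": date(2009, 9, 18),
}

DIRECTORY = {                  # user -> enabled flag from the AD/LDAP/OS export
    "alice": {"enabled": False},
    "bob":   {"enabled": True},
    "carol": {"enabled": True},
    "dave":  {"enabled": True},
}

SHARED_ACCOUNTS = {            # shared privileged account -> members, last rotation
    "oracle-sys": {"members": {"alice", "dave"}, "last_rotation": date(2009, 8, 15)},
    "root-db01":  {"members": {"bob", "dave"},   "last_rotation": date(2009, 9, 12)},
}

AS_OF = date(2009, 9, 21)      # review date for the walkthrough below


def overdue_terminations(hr, directory, as_of, sla_days=1):
    """Control b: terminated users whose account is still enabled past the SLA.
    Returns (user, days_overdue) pairs; users absent from the directory are ignored."""
    findings = []
    for user, last_day in hr.items():
        acct = directory.get(user)
        if acct is None or not acct["enabled"]:
            continue
        deadline = last_day + timedelta(days=sla_days)
        if as_of > deadline:
            findings.append((user, (as_of - deadline).days))
    return sorted(findings)


def stale_shared_accounts(shared, hr):
    """Control e: shared accounts whose password was not rotated after a member left.
    A termination on the rotation day itself is flagged too (conservative)."""
    findings = []
    for name, info in shared.items():
        left = {u for u in info["members"] if u in hr and hr[u] >= info["last_rotation"]}
        if left:
            findings.append((name, sorted(left)))
    return sorted(findings)


if __name__ == "__main__":
    print("overdue terminations:", overdue_terminations(HR_TERMINATIONS, DIRECTORY, AS_OF))
    print("stale shared accounts:", stale_shared_accounts(SHARED_ACCOUNTS, HR_TERMINATIONS))
```

In practice the three inputs are exports from HR, the authentication sources in a., and the privileged-account register, and the two result lists are the evidence an auditor asks for.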

Governance without Program Management

Wednesday, April 15th, 2009

I remember somebody asking me why there is such a big fuss about program management - why is it so important?

Here is my response: let's say I have diabetes and I would like to lead a structured and sustainable life - exercise every day, eat small portions and more often, take medications, avoid bruises etc. The keywords ‘sustainable’ and ‘structured’ are what make a set of tasks a ‘program’.

The program should have objectives, plans and timelines, and should be measurable. Example programs would be a SOX program, DR program, outsource management program, IT service delivery program etc.

What makes these a program? They all require a methodology to ‘sustain’ the tasks and processes involved.

Recent IT Outsourcing at Symantec

Tuesday, December 2nd, 2008

For those who have not been following Symantec in the past 6 months, you may be in for a surprise that EDS was the appointed outsource vendor for taking over most portions of IT. Although the details are a bit sketchy, it is our belief that a minimal IT is being owned by Symantec and the rest of IT services, including client services, help desk services, infrastructure management and core business applications management, is handed out to EDS.

The following are the lessons we have gathered:

a. There are 3 schools of outsourcing:

1. Outsource business secondary services (helpdesk, client services etc.)

2. Outsource a portion of your growth services (Internal QA, Internal Development for IT)

3. Full-outsource: Outsource everything except Governance (including IT Security), Compliance and Vendor Management

We believe what has happened at Symantec is #3 above. It is a fairly large responsibility; however, it is very common in hospital environments.

b. Symantec & EDS are now in a wedlock - it is hard to even imagine looking back

c. We strongly believe that if the company is in either Run or Grow mode (not Transform mode), then ‘full-outsource’ may work.

d. EDS does not come cheap; however, if Symantec strongly believes in ‘Grow’ mode, maybe IT was a distraction (I know, I can’t believe I am saying it).

e. Company employees would have to be transitioned in various packages; however, it may be hard to ever build a team again to build out IT - so a skeletal team within the above areas and ‘hard to find’ liaison people would have to be retained.