All about IT Governance

Yes - if handled right.

What values does it add? It will definitely stabilize the environment and avoid outages.

If SOX is embedded into day-to-day operations, SOX does add value. For that matter, any mature and proven process does add value.

However, SOX ‘values’ starts becoming visible when you formalize the changes - Systems, People, Day-to-day processes and Auditors.  For example, if there is a clear ‘training’ checklist to follow when a new hire is welcomed into the operations team or an employee is terminated, it avoids a lot of unwanted surprises due to changes performed by a new hire.

In our experience, SOX has specifically avoided surprises - people tend to ask questions, figure the rational behind the ‘urgent needs’ and tend to move towards a repeatable task.

When can SOX not add value? When SOX is not embedded within the day-to-day operations or when SOX is handled as a separate process from the day-to-day operational tasks.

We are a team of experienced IT executives serving 3+ billion dollar companies to keep the IT lights ON. Although, the ‘dial-tone’ service delivery is talked about in the past 5 years, this set of blogs is to present the challenges we are experiencing to offer ‘dial-tone’ level of services and how we are trying to solve them.

MSP - new glorified keyword for ‘outsource vendors’ - Managed Service Providers.

MSP is glorified because, gone are those days where your project/program managers, Business Analysts, DBAs help run the Oracle ERP implementation while the rest of the team are all outsourced engineers.

Today, MSP is about giving an outsource vendor full responsibility of delivery - Design, Develop, Test. You build the requirements & delivery program while your production team will simply inherit the applications built to the your standards and to match the business requirements.

However there are inherent risks with this - Resource risks. People granted access to privileged accounts as part of MSP task needs to be terminated as soon the MSP employees leaves the company - the risk is, your confidential or sensitive data could be put in somebody’s hands who cannot be directly controlled by you. If you add culture difference between the companies and the country where the development is being performed, it is hard to not consider the risk.

However, by developing trust while meeting as frequent as once per week to understand who accesses have to be disabled would help reduce the MSP risk to a minimal.