How Is the Board Responsible for IT Governance?

Graciela Braga
Author: Graciela Braga, CGEIT, COBIT Fundamentals, CP, GDPR Foundation
Date Published: 26 October 2022

In today's constantly changing world, an organization's stakeholders, such as customers, suppliers, employees, shareholders, regulators and society as a whole, require the board of directors (BoD) to lead the creation of value or, at least, its preservation.

Because people, information and technology are critical resources for meeting this expectation, it is more necessary than ever to implement and audit effective technology governance.

There are two basic questions: What is IT governance? Why is the board ultimately responsible for it?

IT governance is “the responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise's strategies and objectives.”1

Leaving aside all legal questions, if the board “...has broad responsibilities for the exercise of the functions of strategic guidance, supervision and control of ordinary management”2 and technological resources guide the creation of value through improvements in products or services to the client, improvement of internal processes, training of staff and implementation of the concepts learned, and the digital transformation of organizations, how can the board not be ultimately responsible for IT governance as part of organizational governance?

This is reinforced by The Institute of Internal Auditors (IIA) in its guide Global Technology Audit Guides (GTAG): Auditing IT Governance, which states:

IT governance represents a subdiscipline of organizational governance, which consists of the leadership, processes, policies and structures that ensure that information technology supports the organization's strategies and objectives. IT governance is the foundation for the organization's regulatory, legal, environmental and operational requirements so that aspirations and strategic plans can be achieved.3

Based on COBIT®, ISACA’s framework for governance and management of enterprise IT, some important points for the board, management and the IT function include:

  • The business objectives of an organization are defined from the needs and expectations of stakeholders. They are the basis for defining IT goals and objectives and, therefore, for achieving business-IT alignment and vice versa, and for creating value through IT investments. For example, an organization's strategic plan should include what is required from the IT function, and the IT strategic plan should align its projects, initiatives and investments in a way that supports the organization's strategic business plan.
  • If business operations require IT services, then the business is IT's customer, and the customer defines the value of the service provided by IT. For that reason, it is helpful for the IT function to stop using advanced technological language to communicate and instead use business language.

The BoD is not only responsible for overseeing management; it also plays an important role as a strategic advisor on the services that the IT function provides to the organization and all its stakeholders.

In terms of implementation, COBIT establishes a set of components for an IT governance system, many of which are reflected in the multidisciplinary approach to governance proclaimed by the Institute of Corporate and Public Governance (IGEP), a member of the Global Network of Director Institutes (figure 1).

Figure 1: COBIT + IGEP

COBIT components of a governance system, with the corresponding questions from IGEP's multidisciplinary approach to governance:

Culture, ethics and behavior
  • What are the moral and social restrictions that impact the conduct of officers, directors and managers?
Organizational structures
  • What is the internal design of the organizational structure?
  • How does the incentive system that regulates relations between its members operate?
Principles, policies and procedures
  • How do legal rules affect action?

To generate value through the combination of profitable IT investments in the broad sense, organizations need to implement the efficient use of resources and the management of IT risk. One of the most frequent concerns stakeholders have is the growing risk associated with cybersecurity, especially ransomware. To address this, most believe that organizations should start with risk analysis. However, this is not always the necessary first step.

Why? Because the probability of an attack is nearly 100%—as evidenced by just reading the news. The impact is already known: inaccessible resources and unavailable information. The BoD should ensure that incident response includes prior informed decision-making, communication regarding non-payment, awareness training for staff on issues related to cybersecurity, and teleworking, incident management and backup policies that are tested.

These analyses are what allow board members to identify what to ask in order to obtain information, and to be able to answer the questions related to cybersecurity risk that, without doubt, the BoD will receive from interested parties in the face of an incident that affects the organization's reputation or the value of its shares.

With a fresh look at the importance of the role of the BoD and other stakeholders in IT governance, it is time for boards to take advantage of the opportunity offered by IT governance to create value in their organizations.

Endnotes

1 ISACA®, “Glossary”
2 Development Bank of Latin America, Corporate Governance Guidelines for Latin America, Venezuela, 2013
3 The Institute of Internal Auditors (IIA), Global Technology Audit Guides (GTAG): Auditing IT Governance, USA, 10 September 2021

Graciela Braga, CGEIT, COBIT Fundamentals, CP, GDPR Foundation

Is a certified professional in enterprise governance of information and technology (EGIT) oriented to the achievement of enterprise and alignment goals. She has worked on audits and reviews for public and private entities using international frameworks such as COBIT® and International Organization for Standardization (ISO) standards. She is an author and researcher on governance and management of information and technology in various media, including ISACA® publications. Braga is a former leader of the ISACA COBIT and Frameworks Community and a global guidance contributor to the second edition of The Institute of Internal Auditors (IIA) publication Global Technology Audit Guides (GTAG): Auditing IT Governance. She can be reached at www.linkedin.com/in/graciela-braga-cgeit.