The objective of all Governance Frameworks is to implement operating best practice that results in lower financial losses from compliance failures, and little, if any, visible publicity that can harm an organisation. These best practices also make it relatively easy for an organisation to sail through regulatory audits.
By its very nature, best practice is both an unachievable goal, and at the same time, a total and continuous organisational commitment. This is due to constant change in the external regulatory and legislative environment and also the challenges associated with human behaviour in the workplace.
That being said, the alternative to adopting an approach to Governance and Information Technology that does not attempt to induce a culture of best practice from employees, sub contractors and suppliers into today’s difficult environment is dangerously naive.
The area of best practice and I.T Governance has been a “slow burn” for most organisations for a number of reasons. The biggest would be the wishful hope of management that the issues of compliance and regulation would in some way “die down or go away” and secondly, the organisational paralysis resulting from the considerable ambiguity in the interpretation of some regulations. The reality is that the current state of compliance requirements will continue to grow and a great deal of thanks is due to the individuals and companies who had the foresight to construct these governance frameworks that others might adopt.
Clearly the three main international best practice methodologies for technology are ISO 27001, COBIT and the IT Infrastructure Library (ITIL). There are others in this category such as FISMA, NIST and the common criteria which are mainly used by North American organisations.
The three methodologies in question provide an organisation with the means to address different angles of the Information Technology arena. ITIL focuses on service delivery and support. COBIT is for IT Governance and Control. ISO 27001 is for organisations implementing information security for compliance purposes.
Whether dealing with regulatory compliance or looking to obtain operational improvements, an extensive amount of planning and implementation is required. Without the adoption of a structured framework such as those described, success cannot be guaranteed.
The only credible method of implementing a best practice approach to Governance demands, through Quality of Service initiatives, to Information Security is to implement the following: