IT Governance is the process of aligning your organisation’s IT practices with your business strategy. It involves creating and implementing a robust framework of policies, reporting, compliance and security controls. Having the relevant policies in place helps with important issues such as complying with legal obligations and minimising business risk. Such policies are also important for cyber and corporate insurance and, increasingly, for meeting clients’ due diligence requirements.
Here are six key areas of IT Governance that every organisation, of any size, should consider:
1. Business Continuity & Disaster Recovery (BC/DR)
The organisation should own a comprehensive BC/DR plan. It starts by identifying critical business functions (not technology) and setting the required recovery windows (how quickly each process must be restored, and how much data loss is tolerable) for each critical business process.
Only once the business requirements are known can technical solutions be implemented to support them. BC/DR planning is not just the responsibility of IT. Each business area should maintain its own part of the overall business continuity plan.
Key-person risk is a crucial part of BC: the plan must be clear about who is authorised to invoke each plan component, and who takes that decision if they are unavailable. Another frequently neglected, but equally critical, part is the recovery (failback) from the Disaster Recovery environment back to the normal ‘business-as-usual’ environment.
2. Incident Response
Businesses must plan their response to cyber incidents in advance, so that the actions taken are recorded transparently and the communications required with impacted parties are clear. Four key stages are involved:
3. Data Assessments
Under GDPR, every business should understand what information it holds, where it resides and what, if any, sensitivity it has. When working with a new client, you should conduct a review of the data to be shared with them and the implications involved. Should a data breach occur, this review informs your reporting obligations. Clients may also impose their own security requirements on how their data is handled on your systems; these need to be considered as part of the same review.
4. Continual Cyber Awareness Training
“As an essential part of cyber security, user awareness training goes hand in hand with technical controls and systems you implement,” says Eric Hughes of EMH Technology. “A burglar alarm is useless if someone forgets to lock the front door and switch it on. Similarly, employees need to be aware of their role and responsibility regarding cyber security.”
Routine training should be updated to cover the latest threats. This should be coupled with phishing simulations and with monitoring of third-party data breach notifications for your current user accounts, so that exposed credentials can be reset promptly. Together these measures are essential in reducing your organisation’s cyber security risk profile.
5. Cyber Security Accreditations
There are numerous cyber security standards, such as ISO 27001 or Cyber Essentials (Plus), which mandate a variety of organisational and technical controls around IT systems. The government-backed Cyber Essentials accreditation is achievable for businesses of any size (the Plus level adds independent technical testing of the controls). It is now a requirement for some UK Government contracts.
6. Due Diligence
Supply chain management is a hot topic, and it brings increasingly onerous due diligence questionnaires. Unfortunately, no single standard questionnaire exists, so answering broadly similar but subtly different questions from each client can consume a lot of time. If this is typical of your environment, producing a pack of common questions and responses saves time on future requests. Even when working with an outsourced provider, someone within the business needs to broadly understand the technical landscape and ensure it is fit for purpose.
A thorough understanding of how IT impacts your organisation enables robust plans to be created and implemented. For an initial discussion about your IT Governance without obligation (or jargon), talk to the friendly team at EMH Technology.