Understanding Governance

April 22, 2013

What is Governance?

Governance is the system by which an organization is directed and controlled. It consists of a set of responsibilities that give strategic guidance to management to run the organization smoothly. Its core principles are driven by maintaining the organization's vision, shareholder and stakeholder confidence, business values, adherence to compliance, proper risk mitigation and resource utilization. The Board of Directors is the legal representative of governance for an organization. All decisions are made by the members of the “Board”, typically comprising Directors, a management representative (the CEO), major shareholders and other stakeholders. This extends accountability to the people who are directly involved in the “business”. Governance ensures that the goals set forward by the “Board” are achievable with proper risk mitigation and optimum resource utilization.

What is IT Governance?

IT Governance is a subset of corporate governance which specifically addresses how IT is applied across the organization. Since IT is now an integral part of the organization, there is a need to govern IT assets and resources. In that way, a better understanding of the Total Cost of Ownership (TCO) of IT assets is achieved. IT Governance helps to align IT objectives with business objectives, producing significant business value which is measurable and quantifiable.

This greatly helps to monitor and present a truer picture of business growth. IT Governance is used directly by Directors on behalf of stakeholders who expect a return on their investment. It should not be confused with IT Management, which directly manages IT assets. Associated frameworks for IT Governance are Control Objectives for Information and Related Technology (COBIT) and ISO/IEC 38500, the IT Governance standard.

What is Information Security Governance?

Information Security Governance (ISG) is the subset of corporate governance which addresses the strategic direction for protecting the information assets of the organization. It is very closely associated with IT Governance, as business has become increasingly dependent on IT systems. ISG focuses its attention on preserving the confidentiality, integrity and availability of information. It also provides protection for the intellectual property of the organization. ISG has recently started gaining importance due to the passage of many legal mandates like Sarbanes-Oxley, HIPAA, and PCI-DSS. Once again, Directors directly use ISG on behalf of stakeholders/shareholders to provide assurance that organisational information assets are in a “secured” state.

Can we use IT Governance and IT Management interchangeably?

No. There is much confusion among IT folks who view Management and Governance as the same entity because they both have the ability to “direct”. Hence, most of the time, IT folks use these terms interchangeably. But we need to understand that Governance of any kind relates to the activity which is directly used by the board members or directors, who function on behalf of the stakeholders/shareholders who have invested their money in the organization. Management always acts as an execution body which functions as per the directions and goals set forward by the board.

IT Governance makes sure that IT objectives are aligned with the business objectives, which in turn produces measurable business value essential for the growth of the organization. IT Governance also brings accountability into the enterprise due to the shared responsibility of both the directors and the shareholders. IT Management, on the other hand, focuses on managing IT assets in accordance with business needs and priorities.

IT Management is involved in budgeting, staffing, organizing and controlling IT operations and assets. It is also involved in other aspects such as change management, software design, network planning, tech support, etc.

Can we have a comparison of roles for Governance and Management?

The table below compares the two roles, responsibility by responsibility.

Responsibility: Policies and Procedures
Governance: Sets policy in areas of financial management and conflicts of interest; reviews procedures, recommends updates and changes as needed; monitors the organization's compliance.
Management: Develops procedures that match board policy; implements the board's policies on a daily basis.

Responsibility: Planning
Governance: Develops and implements a board planning process; defines the organization's vision; develops the mission statement; sets goals; reviews and approves objectives.
Management: Arranges logistics for planning processes; writes objectives; develops work plans and timelines; implements work plans; makes progress reports and submits them to the Board.

Responsibility: Finance
Governance: Ensures efficient financial policies and procedures, in accordance with the law and meeting the requirements of funders; revises and approves budgets; reviews financial reports; selects the auditor and reviews the audit.
Management: Develops and implements financial management procedures as decided by the Board; develops budgets; performs financial management tasks; submits regular financial reports to the Board; provides information to the auditor; submits required reports to funders.

Responsibility: Board Operations
Governance: Prepares the agenda for meetings of the directors; decides what committees are needed to accomplish its work; monitors and evaluates the work of committees.
Management: Assists with the development of agendas for meetings of the directors; suggests committees or committee members to the Board; sets up meetings; prepares meeting minutes.

Responsibility: Personnel
Governance: Hires, fires and evaluates the chief executives; determines salaries of senior-level management; prepares the succession plan.
Management: Hires, fires and evaluates the employees; determines salaries of lower management and employees.

Responsibility: Resource Development
Governance: Develops strategies to acquire the resources needed to pursue the organization's mission and objectives.
Management: Assists with the development of strategies; implements resource strategies assigned by the Board.

Responsibility: Evaluation
Governance: Evaluates the chief executive and the match between the organization's vision and mission and its activities and accomplishments.
Management: Evaluates staff; provides directors with the information they need to evaluate the match between the organization's vision and mission and its accomplishments; conducts project evaluation.

Why is IT Governance necessary? How does it provide value to the organization?

Shared responsibilities among the directors, shareholders and other stakeholders prevent abuse of power by senior IT management to procure expensive IT inventory and assets which provide very little value and return to the business. Various models, such as chargeback models, can be adopted to see which IT investments give the most business value and return on investment. IT Governance makes it easy to determine the Total Cost of Ownership (TCO) of IT assets. Hence, efficient management of IT inventory can take place.

Why is Information Security Governance (ISG) necessary? How does it provide value to the organization?

ISG is becoming increasingly important due to the increased dependence of business processes on IT systems. This means that the information residing on IT systems needs to be properly protected from unauthorized access. ISG works in close tandem with IT Governance as well as the organizational Risk Management function, and provides effective controls against any leakage of confidential information from the organization.

ISG also routinely engages in audit checks on IT systems and ensures service continuity, and its regular risk assessments provide information about the risk appetite of the organization. This helps the board to take informed decisions before venturing into investments in new business areas.

Compliance mandates are also met by good IS governance. Above all, ISG provides peace of mind to stakeholders and shareholders that their investments are in a “safe” state.

ISG, in tandem with IT Governance, works wonders to keep businesses engaged in rapidly evolving technological areas while providing assurance that the information assets are well protected from external and internal threats.

Are you implementing IS Governance properly?

The following questions must be evaluated to ensure you are implementing IS Governance properly in your organization:

Is your IS Governance delivering value?

You need to optimize security investments such that they are in line with your business objectives. Evaluate whether sufficient and prioritized care is taken of the areas that have the greatest business impact. Check whether minimum security requirements follow practices that are proportional to risk.

Is your IS Governance well planned?

Check whether the IS budget is well planned and portfolios are well defined, both for the procurement of IS tools (GRC automation, log analysis, security utilities, etc.) and for hiring IS staff such as pen-testers, analysts and consultants. Evaluate whether your investments are aligned with the corporate strategy and the risk profile.

Is your IS Governance well managed and measurable?

Performance measurement processes must be well defined and approved by the board or senior management. These processes must be able to identify weaknesses and also provide feedback during the resolution process. This should be followed by independent external assessments and audits for assurance purposes.

For proper resource utilization, you need to capture knowledge by documenting security processes and procedures. Proper security architecture design will help in the optimal usage of IT security infrastructure.

Is your IS Governance able to properly manage and mitigate risk?

Organizations often focus only on qualitative risk assessment exercises, which tend to become opinionated and discretionary. It is advisable to complement these with a quantitative risk assessment of information assets through a measurable and quantifiable process. This can help to gauge the true impact on business processes if they get compromised.

There should be a clear understanding of the organization's risk profile, its risk exposure and the consequences of non-compliance with state-level and national-level legal requirements. Residual risks must be mitigated to an accepted level through a formally defined risk management process. They may be avoided, transferred or accepted depending on their impact on the business.

Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting Security Audits, Vulnerability Assessments and Penetration Testing for NII's premier clients. He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog “Experiencing Computing…” at http://manasdeeps.blogspot.in. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar / conference proceedings.