Archive for May, 2010

King III

Monday, May 31st, 2010

THE KING CODE OF GOVERNANCE PRINCIPLES (known as KING 3 or KING III) is still (in my opinion) the most advanced and useful of the world’s corporate governance codes. I’m a particular admirer of the fact that the King Committee included coverage of IT Governance in the Code, identified frameworks such as CObIT and the international standard ISO/IEC 38500 as providing useful starting points, and set out seven specific IT governance principles for company directors to follow.

I obviously agree with the King Committee that there is no ‘one size suits all’ approach to IT governance, and that every organisation has to develop its own approach to the subject, extracting those elements that will be useful to it from the existing frameworks and standards. That, after all, is one of the driving thoughts behind the Calder-Moir framework - that, and the belief that one should be able to intelligently draw simultaneously on more than one framework. I’ve been particularly encouraged by the number of South African companies that have turned to our IT Governance Framework Toolkit to help them implement IT governance in their organisations.

Protect Your Company from Cybercrime

Tuesday, May 25th, 2010

This interesting article explains why old-fashioned crime – robbing a bank, say – has now gone online. It’s quicker, easier, and safer for the criminal. That does mean that organisations have to take care to protect themselves against cyber-criminals – and the steps that can be taken range from the simple (see 10 Rules of Information Security for the Smaller Business) to the sophisticated (implementing a best-practice Information Security Management System based on ISO27001, for instance).

At the very least, anyone with corporate responsibilities should have a reasonable understanding of cybercrime – as well as of cyberterrorism and its close cousin, cyberwar. There is a wide range of issues that today fall under the heading of White Collar Crime, and which need attention. Your business is at risk – finding out about the risks is a good first step to taking appropriate action!

SharePoint Governance

Wednesday, May 5th, 2010

The idea of applying the governance concept to the deployment and use of SharePoint within organisations does, at one level, seem odd - it seems a very detailed level for the application of a concept which is fundamentally about how the board governs the use of ICT within the organisation.

Microsoft Office SharePoint Server (MOSS) is an immensely useful collaboration and information sharing tool for organisations, teams and workgroups. However, poorly governed SharePoint deployments can create significant holes in organisational information structures as well as exposing the organisation and its information to a wide range of risks.

Maximising value from your SharePoint deployment requires a joined-up approach that is aligned with the communication objectives and risk controls of the business - a governance approach. Microsoft introduced the idea of SharePoint governance with MOSS 2007 and has applied it to MOSS 2010 as well. The ITGP SharePoint Governance kit starts with the excellent Microsoft work and then goes substantially further, in terms of providing a practical and useful set of templates and tools that can integrate into any information security management system or IT Governance Framework.