|
In today’s increasingly competitive environment, enterprises must simultane-ously be flexible enough to exploit new opportunities, ensure that their organizations are functioning as effectively and efficiently as possible, and minimize risks. One of the biggest challenges IT organizations face in achieving their business goals is managing compliance activities. These challenges can drive up the demand for IT projects, straining resources that are needed to satisfy service level agreements while still managing the complexity of business processes. Furthermore, since IT operations are supporting these business processes, they are often responsible for providing the business with a view of its risk and regularly monitoring and documenting compliance status. The rising costs of managing IT processes and addressing these challenges have made it more important than ever to align IT with business objectives.
As a result, enterprises are becoming more systematic about the strategies and frameworks they have in place to optimize resources, reduce risk and gain more business value from compliance spending. Governance is that systematic process. While not a new concept, governance provides the oversight that can help ensure that the appropriate people are involved, that they are involved at the right time and that they can make informed decisions to achieve optimal outcomes. Because effective governance can help organizations weigh perfor-mance against objectives — whether they’re prescribed by external factors or internal control — compliance management efforts are integral to governance.
As enterprises drive toward effective governance, they are looking for process models and frameworks to lead them on this journey. There are many gover-nance frameworks available, but in most cases these frameworks recommend a continual process consisting of the following common steps, such as:
- Collecting information.
- Analyzing this information and associated risks.
- Making policy decisions.
- Creating procedures and controls, including security, based on policy.
- Testing those controls to determine outcomes against policy, including business performance, value and compliance measures.
The IBM Service Management initiative provides an infrastructure on which IT processes can perform consistently, reliably and predictably to support the delivery of services to the business. IBM Service Management relies on best practices — such as those outlined in the IT Infrastructure Library® (ITIL®) and Control Objectives for Information and related Technology (CobiT) — in order to build a management infrastructure that delivers business-critical IT services. When organizations treat compliance as a set of formally managed IT processes, it can ultimately become a business enabler, helping organizations streamline operations, minimize total cost of ownership and obtain the agility needed to proactively stay ahead of new initiatives.
This paper describes how IBM Service Management can help an organization address compliance issues by providing an integrated, sustainable strategy for IT governance and compliance management. It also offers details on the wide-ranging approach that IBM delivers — including hardware, software and business consulting — to help tackle service management.
Rely on best practices
Proactively measuring IT governance and compliance depends on effectively managing relevant IT process controls. An organization must define, assess and monitor the status of IT processes to maintain desired levels of IT service, security, availability and performance. A process controls framework — based on best practices — can help effectively implement policies while providing a link to business controls, including controls over financial reporting. An IT process controls framework should help address elements such as:
- Confidentiality. Protect sensitive information from unauthorized disclosure or intelligible interception.
- Integrity. Safeguard the accuracy and completeness of information and software.
- Availability. Make information and vital IT services available when required.
- Performance. Provide information and services with a high level of efficiency.
There are many different process controls frameworks and guidelines regard-ing which controls are important and measurable in an organization. Some of the best-known controls frameworks include:
- Committee of Sponsoring Organizations of the Treadway Commission (COSO) — key financial controls framework.
- International Standards Organization (ISO) 9001 — quality controls framework.
- CobiT — IT controls framework.
- ITIL — IT service support framework.
- ISO 17799/ISO 27001 — IT security framework.
Each of these frameworks plays a particular role in the overall governance objectives, helps maximize business integrity in the execution of IT services and corporate governance and provides IT services to help protect against unauthorized access and unforeseen risks.
|
