
Ten Principles of IT Governance - the Burton Report - Case Study Example

Summary
From the paper "Ten Principles of IT Governance - the Burton Report" it is clear that the report recommends instigating an articulated Joint Service and Civil Service awareness campaign which should emphasize the importance of data as one of the most valuable assets…

Information Assurance and Governance

Abstract: The paper observes and analyses the Burton Report presented to the MOD against the ten principles of IT governance. The principles provide leaders with a succinct summary to use as a primer, refresher, or checklist as they refine their IT governance. As Burton supported refreshing the IT governance system at the MOD, many of the rules described have been followed by Burton in proposing recommendations. The only ones not followed are those concerning the initial set-up of an IT governance system. The second part of the paper examines how applying the suggestions in the Burton Report adheres to Government regulations on data handling and IT governance.

1. Actively design governance: It has been argued that the IT governance system established in many organisations is incongruent because it has been designed as several separate patches of problem-solving mechanisms. Designing the governance system in this way reduces the level of synergy and limits the opportunities for strategic impact from IT. To deal with the issue, it is important for the management of the organisation to design the IT governance procedure according to the goals and objectives of the organisation. This requires the management of the organisation to play an active part in the procedure. Without the proper support of the management, the successful design and implementation of IT governance cannot be undertaken. Although it is not possible to actively redesign the overall governance mechanism, it is important to undertake mechanism reviews on a regular basis. The Burton report recommends assessing the IT governance system on a regular basis in order to implement security improvement processes at the MOD.

2. Know when to redesign: The report is full of recommendations for change in the governance structure at the MOD regarding the security of the IT infrastructure.
It is also important to change the behaviour of the employees of the organisation in line with the change in governance. Although the redesign of the governance system will take some time, its effective implementation will lead to the final objective of making the security of data foolproof. The report has recommended a change in the organisation's perspective in line with the direction in which the IT governance system is redesigned. Failure to do so will stultify the whole change process. The Burton report also suggests training and education across the whole organisation. Burton suggested reviewing all the current training on Data Protection and Information Management, and identifying the uptake by the relevant post-holders, in order to determine future training needs.

3. Involve senior managers: The involvement of the senior management of the organisation is an important factor in the effective governance of IT in an organisation. The report also contains recommendations on this aspect. It has been suggested that the MOD should properly define the responsibilities for the Departmental Chief Information Officer functions. It has been noted that although many managers want to contribute to the IT governance process, they fail because they do not know the area in which they have to play their part. The report goes further by recommending the formulation of a network of TLB CIOs and SIROs to augment the process of security and assurance of information as a critical business asset. The report also provided a solution for the absence of the Defence Operating Board. It recommended enforcing the authority of the MOD SIRO in order to address information risk.

4. Make choices: Successful governance practices require strategic choices. In the case of the MOD, security of data is an important task. Among all the other IT governance issues, the security of data, as suggested by Burton, is a non-negotiable issue.
As mentioned in one of Old Mutual South Africa's (OMSA) six IT principles, "The interest and needs of the Group/OMSA come first when exploiting technology or when contracting with suppliers." The foremost interest of the MOD is the encryption and security of data. Most governance processes become ineffective when organisations pursue conflicting goals. In Government organisations like the MOD, directives come from many agencies, which can result in confusion and contradiction. The report suggests that the MOD and TLBs should co-ordinate with each other in order to provide coherent advice on the exploitation.

5. Clarify the exception-handling process: Every organisation experiences exceptions, which add to the process of learning in the organisation. The challenges posed to the IT architecture and infrastructure of the organisation help in undertaking the improvement process in the organisation. The exceptions proposed by a significant unit can increase the efficiency of the IT structure. In the case of the MOD, the security challenges posed to the IT structure helped in improving its effectiveness. This has been done by proposing recommendations regarding the safety of removable media devices. It is also imperative for the MOD to ensure compliance with individual and corporate responsibilities under the DPA 1998. All the departments across the organisation should have information regarding the accountability procedure. It is also recommended that the full scope of responsibility of the Chief Information Officer of the MOD be clearly defined.

6. Provide the right incentives: According to Weill and Ross, the incentive and reward system in an organisation should be aligned with the aims and objectives of designing the IT system.
Although the main aim of the Burton report is to provide recommendations for improving the IT security system, it does not provide any recommendation on aligning the incentive and reward systems with the organisational goals.

7. Assign ownership and accountability for IT governance: As mentioned by Weill and Ross (2004), like any major organizational initiative, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.

8. Design governance at multiple organizational levels: The separate governance processes in different departments of the organisation need to be connected with each other through different layers of IT governance. The formulation of the governance procedure at the higher level aids the design of the governance procedure at the lower levels of the organisation. Designing the governance arrangements at multiple levels will make the connections and pressure points overt.

9. Provide transparency and education: The management of the organisation should provide all the stakeholders with a carefully devised manifesto explaining the governance processes undertaken in the organisation. As mentioned by Weill and Ross (2004), "Transparency and education often go together—the more education, the more transparency, and vice versa". The report follows suit in recommending the introduction of policy and procedure for both data cleansing and data governance at the MOD.
The implementation of proper policies will result in true knowledge of the data holdings and the initiation of appropriate audit and compliance measures. The report goes further by recommending the identification and facilitation of good process sharing. The report also emphasises the importance of effective communication, as its 39th recommendation calls for designing a brief guidance manual with the end user in mind. Feedback from the end users is also emphasised in order to suitably plan future developments. The authoritative policy documents should be supported by a description of the latest technological developments. Immediate arrangements should be made to spread knowledge regarding the risks and mitigation procedures. The RN 'road show' approach is also proposed by the Burton Report.

10. Implement common mechanisms across the six key assets: Organisations with mechanisms that can govern more than one of the six key assets have better governance procedures. As well as governing each asset expertly, it is important to create synergy between all the processes. In this regard the report suggests, "A coherent, Joint Service and Civil Service, awareness campaign to be launched to highlight the importance of information and data as a key operational and business asset, with appropriate attention devoted to exploitation and protection, within the law."

The governance principles mentioned above, as followed in the report, can improve the value of the IT governance procedure for the organisation. Among all the other aspects, these principles emphasise the importance of leadership participation in IT value creation.

PART 2: Current regulations require organisations to properly document their information security policies. These security policies become the foundation for the data security program.
It is important for an organisation to design a coherent system of data protection and governance that is aligned with Government regulations. The nature of an organisation like the MOD makes it all the more important to take effective measures on data protection and governance while keeping in view the regulations prescribed by the Government. Most of the recommendations presented in the Burton report are aimed at ensuring compliance with data protection and governance requirements. The report has recommended that the data supervising officers need to be more meticulous when enforcing the data security laws. The MOD needs to review the DPA retention policy in order to eliminate vagueness and improve the clarity of the regulations. It is also suggested that all the stakeholders related to data management services should enter into an agreement that provides a complete description of the responsibilities of all the relevant parties for retaining and protecting the personal data types. The report also recommends strict adherence to JSP541 when reporting data theft. It is also imperative to carry out an audit of the data holdings at the MOD. The board is also recommended to design policies for the cleansing and governance of data to ensure a proper audit procedure and implement compliance measures. The report also recommends that the MOD carry out a risk-benefit analysis on the requirement to hold large amounts of personal data to meet Centre tasking. The report recommends that information exploitation and protection principles be developed in accordance with British Defence Doctrine. The report also recommends instigating an articulated Joint Service and Civil Service awareness campaign which should emphasise the importance of data as one of the most valuable assets.
This will not only describe the true value of data but will also lead to the proper design and implementation of the rules regarding the exploitation and protection of data according to the law. The MOD is also recommended to seek guidelines from the Information Commissioner on the status of the TAFMIS database(s) as regards the Data Protection Act. There should be clear guidelines regarding the possession of personal data, access to the data, and its downloading to removable media devices. The requirement for the MOD to give urgent consideration to an easy and cheap way to facilitate the secure use of personal computers for limited Government tasks, on an individually licensed basis, will further align the security measures with the prescribed government guidelines. Implementing the recommendation on an awareness enhancement program across the MOD regarding risk and mitigation techniques will multiply the effectiveness of the IT governance procedure at the MOD. The recommendations in the report on increasing the involvement of leaders and seniors in the governance implementation process will also help the organisation in understanding the training needs.

Glossary:
IT Governance: The subset of the organisational governance system aimed at governing IT system performance and risk management.
Risk mitigation: Efforts to reduce either the probability or consequences of a threat.
Exception handling: Error handling overhead.
Transparency: A sense of openness, communication, and accountability.
Stakeholders: A party who affects, or can be affected by, the actions taken in the organisation.
Audit: An examination of records or data to check their accuracy.

References
Peter Weill & Jeanne W. Ross (2004). Ten Principles of IT Governance. Excerpt from IT Governance, a new book published by HBS Press.