Stages of Information Technology Governance - Coursework Example

Governance in Information Technology Name: Course Professor’s name University name City, State Date of submission Table of Contents Introduction 3 ITG Issues at iPremier 4 Stages of ITG 5 Risk Considerations in a Disaster Recovery Plan 6 Effectiveness of Risk Measures at iPremier 7 Recent Major Data Breaches 9 Managing Business Re-Engineering At iPremier 11 Conclusion 13 References 15 Introduction Information technology governance (ITG) is one of the most important strategic decisions a modern company has to make. ITG is defined as “IT governance is the responsibility of the Board of Directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.”[deH04] As the world becomes more and more reliant on the operations of information technology, so has the need to have a proper and functional ITG increased. Moreover, focus on how companies utilize information technology has come into sharp focus over the last few years due to the numerous data breaches that have affected firms leading to massive loss of confidential data relating to both the company and its companies. Indeed, since the collapse of Enron, ITG has become more intertwined with overall corporate governance than ever before [Nat05]. Many of these breaches could be directly attributed to the utter lack of defence mechanisms and governance strategies. It has led some to question whether the lack of governance is an ailment affecting one department alone or it is cancer within the entire company. Given the importance ITG has in achievement of corporate goals and objectives, this paper will analyse various issues related to the development of a proper ITG strategy. Using a case study approach the paper will be a report on the stages of IT governance and the risk factors pertinent to ITG. Moreover, the report will report on recent data breaches that have affected major companies and the steps necessary in business process re-engineering as a major step in developing an effective ITG. ITG Issues at iPremier iPremier is a fictional company that is similar to many fast growing companies specializing in electronic commerce[Aus09]. However, after a number of years of rapid growth and success, it has hit a dry patch in the recent years. With a drop in its share price during the 2000 “dot.com” bubble burst, iPremier has found it difficult to survive, only managing to make thin profits out of its operations[Aus09]. One ailment hindering growth at the company relates to the company’s ITG policy, or the lack of such a policy. One of the ITG issues hindering iPremier from achieving its full potential is the lack of a common understanding between what the business and the IT department on what the company needs to fulfil its objectives. In this case, the top management constitute the business side of iPremier. At the beginning, Bob Turley is introduced to the IT department at iPremier and it is evident that he expects much more than what he finds in the office employees call “the dungeon.”[Aus09]. For an ecommerce company, it is apparent that the IT department does not do much. Apart from the lack of training for its employees, iPremier has adopted an ineffective outsourcing policy[Aus09]. According to experts, IT governance should only be outsourced when it is more cost-effective to do so and when there is a lack of such expertise within the company [Nat05]. From the case study it would appear that while the IT department has some major reservations about Qdata, the top management does not seem eager to look for alternatives thus exemplifying the discord in understanding between the business side at iPremier and the company’s IT department. The second governance issue affecting iPremier is the lack of a disaster recovery plan and strategies. This plan is meant to ensure that the company’s operations continue in the event of a disaster such as a serious data breach and denial of service attack[Mar02]. Such a document is important in outlining what procedures should be followed in the event of a disaster, and it can be important in preventing panic that only serves to aggravate to situation. In the case of iPremier, such a document exists but its whereabouts and content is not known to the employees. This is exemplified by the panic responses given by Leon and Warren concerning what the next step should be as the denial of service attack escalates. Stages of ITG In developing an effective ITG, a number of steps have been identified as the standard procedure [ITG07]. The first step involves planning how information technology can contribute to the realization of corporate goals and objectives. At iPremier, the management should have pondered on the role IT plays in the success of the firm. The first realization would have been that IT is at the heart of its operations. Seeing that it is a high-end ecommerce site, iPremier relies on IT more than most companies[AlQ03]. Therefore, while it may have been cost effective outsourcing the entire IT department, the company should have foreseen the challenges that come with such a strategic move and their possible effects on overall company performance. The second step is the acquisition of IT infrastructure. At this stage there are several decisions that could have been made by iPremier, the top most being whether the information system to be installed will deliver business needs. During this stage, the company would have thought of the budget necessary in the purchase of the new information system. This would have included a clear comparison between the cost of developing in-house system and the cost of outsourcing. These does not only include financial costs, but also costs that arise as a result of increased risk and uncertainty. The third step in developing an effective ITG involves determining whether services are being delivered as expected[ITG07]. One of the key determinants of quality delivery is security, especially for a company holding confidential data. Failure to honour contractual terms such as showing up in case of emergencies aggravates the costs for iPremier as it takes longer to solve simple problems, thus giving customers ample time to lose confidence in the company’s ability to solve problems. The last step in developing an ITG policy is to run regular checks and measures on whether the system is working as required. If this step had been implemented by iPremier, the company would have realized that there were several problems related to outsourcing ITG to Qdata. If iPremier conducted regular monitoring, support and evaluation procedures, it would have realized that the architecture at Qdata was not as good as it looked on paper. During the support phase, iPremier would have considered the speed at which Qdata responds to emergencies. This would have been instrumental in handling the crisis described in the case study in a proper manner. Support and monitoring also help the company ensure that its ITG goals are well aligned to the overall business goals even as time passes and circumstances change. Risk Considerations in a Disaster Recovery Plan Risk analysis and management is at the core of an ITG policy [Nat05]. In the current highly competitive and disruptive world, risk analysis is at the heart of any company that seeks to survive in the long term. As companies continue scanning the environment, it is also important that they have a recovery plan from disasters as this can save them from collapse and increase profitability through a risk awareness culture [Wei04]. In developing a disaster recovery plan, iPremier should consider a number of risks pertinent to its operations. As a company that serves the very high-end market, iPremier is susceptible to cyber-attacks that target it database of customer information. Given that customers buy goods online, the database is bound to contain vital information that includes credit card information, passwords and personal identification. It logically follows that the database is highly valued in the black market. Therefore, one of the risks peculiar to iPremier is access or security risk. The risk involves the denial of access to the system and it is almost impossible to fathom what happened once service resumes. The occurrence of this risk is what seems to be driving Bob Turley into wanting to establish the full extent of the damage done by the denial of service attack. In developing its disaster recovery plan, iPremier should consider its exposure to data integrity risk. This risk is defined to mean that the operations of the company might not work as planned owing to accidental or purposeful manipulation of data or the entire system [EdG11]. In creating the recovery plan, it is important to denote the cause of this risk. As such, data integrity can be damaged through alterations to access privileges, incorrect patches and other mechanisms that alter the workings of the system[EdG11]. For iPremier, lack of data integrity can lead to malfunctions costly to the company’s bottom line. For instance, lack of data integrity can lead to a customer being under or over charged for the purchase. It can also lead to money being routed to another bank account. If the company performs an analysis of data, iPremier might end up with the wrong statistical information about their customer, leading to the making of wrong strategic decisions. From the case, it is not evident that iPremier performs any analysis of its exposure to these risks, leading to the notion that its profitability is thin because its system is not working as intended. Effectiveness of Risk Measures at iPremier The effectiveness of risk measures in a company has to be measured on a continuous basis[Nat05]. A company can adopt three approaches to risk reduction as a way of managing risk. These methods are mitigating the risk where the company implements controls meant to reduce the risk to an acceptable level, transfer the risk to another party through insurance and outsourcing, and accept the risk by acknowledging its existence and monitoring it [Nat05]. From the case, it would appear that iPremier has adopted a risk transfer approach to risk reduction. This is denoted by the fact that it has outsourced its entire IT department to Qdata, opting to maintain a skeleton that monitors the systems for any issues. For this outsourcing and transfer of risk strategy to work, iPremier had to put in place a number of considerations and checks. One, the company had to ensure that Qdata is committed to attaining the terms the contract[Fee05]. From the case, one of the terms is that Qdata had to provide 24/7 support meaning that Qdata had to be available anytime there was an emergency or a routine procedure to be performed. This did not happen as Joan Ripley had problems accessing their office. Moreover, it took a call from the chief executive at iPremier to his counterpart at Qdata to make them open up their offices to Joan. While it had outsourced its IT department as a way of reducing risk, it was expected that iPremier maintained a functional recovery document. This would enable the firm wade through precarious times and reduce panic that leads to making hasty decisions, such as calling the police. This is a risk reduction measure as prevents a case where disaster events are escalated by unreasonable actions. However, iPremier’s recovery plan is non-existent even when it has been written down. This is because very few people in the company know of its existence or contents. Moreover, handing over the entire IT function to Qdata created the risk of total dependence where iPremier found it difficult to exit[Wri04]. This might have been the source of the company’s inability to draw a proper recovery plan as it did not fully understand the risks it was exposed to as a result of its association with Qdata. The implication is that the company’s risk reduction measures are not working as they are expected to. Recent Major Data Breaches Companies and governments face attacks to their security systems from people who owe their motives to various reasons. Leading reasons of launching an attack are to obtain data that is later sold a profit, a show of supremacy in the art of hacking, pure malicious intent and other reasons. However, activism has become among the top reasons why systems, especially those belonging to governments and their institutions are hacked. Between October 2012 and February 2013, Anonymous was accused of hacking into the Federal Reserve database and stealing information relating to thousands of citizens[LOR13]. Anonymous is a hacking group that well regarded as a leader in using cyber-attacks to make political statements[Bri121]. It later emerged that the attackers used sequel injection into the database and they were able to access the information they needed [Jon14]. The group later posted the information onto a website it controlled and this had several uses. One of them is that it made it possible for anyone with the motive and means to conduct a social engineering attacks on the people whose information was stolen. Sony’s PlayStation is one of the most popular gaming consoles in the world[The04]. The console allows its users to play with others through an online model accessible through Sony PlayStation’s Network. The database contains the names, credit card details and other bits of information that make it an ideal target for hackers. In 2011 and 2014, the network was successfully hacked first by Anonymous then by an unidentified group[Bri121]. In 2011, Sony was forced to shut down the network for a month as users suffered from a denial of service attack[Bri121]. The result was that Sony suffered a loss amounting to over $170 million [Bri121]. Additionally, Sony’s reputation as a company that guarded customer information using top-notch security measures suffered a heavy blow. This is because the company remained tight lipped about the cause of the network’s slow activity for a week before admitting that the network had been hacked and information relating to 70 million customers stolen [Bri121]. It was alleged that the hack was response towards Sony’s action to sue an activist who had broken into a gaming console allowing it to play pirated games. As companies come to depend on the availability of online services to run their operations, hackers realize that a simple denial of service can hurt a company’s bottom, even when done for a few hours. It is for this reason that the denial of service attacks are rampant in recent security breaches to company databases and systems irrespective of the reason behind the attack. One of these denial of service attacks targeted PayPal, a global payment company. Launched in December 2010, the attack was perpetrated by Anonymous as a reaction to the company’s refusal to process payments made towards WikiLeaks, another activist movement [Bri121]. Anonymous is a well-organized yet headless group. As such, its members were able to gather through online chat groups and organize the attack, without needing a leader. The denial of service resulted from an elaborate flooding of PayPal’s database with online requests. This resulted in the databases collapsing and directing users to malicious websites. The attack lasted four days, and the damage was extensive to the company and other companies that rely of its services to receive payments for online merchandise purchases. It is estimated that the attack cost PayPal over £3.5 million [Bri121]. In 2011, Anonymous was on the headlines for leading an attack that led to the closure of Bay Area Rapid Transport (BART) system. Unlike other attacks, the attack on BART was also carried offline and led to the closure of the transit system during the rush-hour period. Anonymous targeted the website used by BART for marketing purposes, realizing the names and details of about two thousand users[Bri121]. In a similar attack, the group broke into San Francisco police website and leaked the information of a hundred police officers, including their residential addresses and contact information[Bri121]. Using social media the group organized a protest that was held online and offline. Offline protests led to the closure of the railway system in the city for more than hour[Bri121]. This shows the ability of hackers taking denial of service to another level where service provision does not require internet platforms. Careful coordination of the attack also illustrates the need for companies to shield their systems online and offline as attacks are not limited to any platform. Managing Business Re-Engineering At iPremier Business process re-engineering (BPR) is described as the radical redesign of business systems to achieve improvements in productivity, cycle times and quality [Dar131]. The aims of BPR include the reduction of costs, improvement in quality of services and products and streamlining of company functions to meet overall business goals and objectives. From the case, it is clear that iPremier needs to have a BPR project. This is exposed from the scenario described in the case where there is a clear lack of operational processes, and much is left to human judgment at the time of a crisis. For a company to implement a BPR project, it requires taking a number of steps. The first step in developing a BPR is establishing a project plan[Off12]. This step involves establishing the overall goals that are to be achieved by the BPR project. For iPremier, these goals could include the streamlining of the hiring process that ensures that the technical side of the business does not get mixed up with the commercial side. Another goal for the company could be to develop an efficient supplier sourcing mechanism that ensures that suppliers are well vetted before the supply contract is signed. The first step in the BPR project also involves setting a picture of what the organization should look like after the project is done. This is replete with measures that could include higher profits, lower employee turnover and other efficiency measures. An important aspect of this step is the underlying goal to ensure that the business can meet the needs of its customers in the most efficient way[Dar131]. The second step is to redesign core processes [Dar131]. At iPremier, there is a need for the company to rethink how it goes about providing services to its customers as evidenced by the denial of service attack. The company needs to ensure that it does not suffer such attacks too often as total elimination is often impossible. It is important that when such attacks occur they do not last for long. However, while attacks might occur it is crucial that the company does not hand over data to the attackers. There is a need for the company to develop a policy of what should be done to prevent attackers from obtaining customer information. As part of this step, iPremier might use another company’s operational model as the measure of performance. Industry experts also recommend that a company considers organizing its processes into cross-functional teams that feed into each other [Dar131]. While it is important that employees do not work on both the technical and commercial sides of the company, iPremier might find it useful to ensure that these sides meet and discuss matters that affect the entire company. Such a meeting would reduce instances where the commercial side does not understand the importance of having a functional IT department. As the company lays out an in-house data centre, cross-functional teams are instrumental in making every employee understand the role the centre will play in the company and how they contribute to its success. At the heart of a BPR project is the need to change corporate culture[Dar131]. Therefore, the fourth step involves reconsidering administrative and people issues [Dar131]. At iPremier, the executives do not seem too concerned that there has been a data breach that could affect the integrity of customer information. Moreover, it is evident that there is the lack of a proper communication channel that allows confidential information to be scattered all around the company. A culture change would involve making every officer and employee of the company understand the important role played by the customer in the organization. Such an understanding from the top would create a sense of urgency to solving customer related problems before other aspects of the business come in. it would also create support for the BPR project. As the BPR project is implemented in the second to third steps discussed above, it is beneficial for the company to measure the effectiveness of the entire project[Off12]. Having been established in the first step, performance measures give an indication of whether the project is going on as planned. It also gives indications of performance gaps that have to be filled if the entire project is to become a success. For iPremier, measurement of performance would include the occurrence of fewer data breaches to its data centre. It would also include increased profitability and happier customers. In managing the entire process, it is imperative that the project gains the support of the top management. As research has concluded, the positive attitudes of leaders elicits a matching positive behaviour from their followers [Joa13]. Commitment from the top not only elicits positive behaviour in all ranks within the company, but it also leads to the provision of necessary funds required to make the venture a success. Research has shown that management’s commitment and support for a BPR project is crucial for its success [Hal93]. Conclusion The goal of this report was to explore the importance of ITG in the success of a company. The case of iPremier brings to the fore the importance of ITG in modern company. Using a case study method that was linked to examples from research and industry findings, it has been established that outsourcing ITG in company that solely relies on information technology to deliver services to its customers is not a plausible idea. This is because outsourcing such a core function exposes the company to more risks, which is a core area of ITG. It is also concluded that in the development of an ITG policy, there are four steps to be followed, these being analysing the role played by Information technology in the company’s success, acquiring necessary infrastructure, checking the performance of acquired infrastructure, and taking collective action where performance does not meet expectations. A disaster recovery plan is also found to be of benefit, besides playing a pivotal role in an ITG policy. The nonexistence of such a policy can be detrimental to a company, often leading to its collapse. Recent data breaches illustrate that hacking can be done to any database and that companies and governments must be wary of the intentions of hackers. To develop a proper ITG policy, it is concluded that a company can follow a BPR process that would radically alter its operations to the delight of customers. References deH04: , (de Haes & van Grembergen, 2004, p.1), Nat05: , (National Computing Centre, 2005, p.6), Aus09: , (Austin & Short, 2009), Nat05: , (National Computing Centre, 2005, p.35), Mar02: , (Martin, 2002, p.2), ITG07: , (IT Governance Institute, 2007, p.15), AlQ03: , (Nabeel, 2003, p.32), ITG07: , (IT Governance Institute, 2007), Nat05: , (National Computing Centre, 2005, p.30), Wei04: , (Weill & Ross, 2004, p.9), EdG11: , (Gelbstein, 2011), EdG11: , (Gelbstein, 2011), Nat05: , (National Computing Centre, 2005, p.9), Nat05: , (National Computing Centre, 2005, p.33), Fee05: , (Feeny et al., 2005), Wri04: , (Wright, 2004), LOR13: , (FRANCESCHI-BICCHIERAI, 2013), Bri121: , (Kelly, 2012, p.1667), Jon14: , (Stempel, 2014), The04: , (The New York Times Company, 2004), Bri121: , (Kelly, 2012, p.1665; Burnett, 2014), Bri121: , (Kelly, 2012, p.1664), Bri121: , (Kelly, 2012, p.1665), Bri121: , (Kelly, 2012, p.1664), Bri121: , (Kelly, 2012, p.1666), Bri121: , (Kelly, 2012, p.1665), Dar131: , (Rigby, 2013, p.18), Off12: , (Office of Commercial Services Management, 2012, p.8), Dar131: , (Rigby, 2013, p.18), Off12: , (Office of Commercial Services Management, 2012, p.15), Joa13: , (Marques, 2013, p.164), Hal93: , (Hall et al., 1993, p.123), Read More