Are the appropriate IT Governance controls in place to protect your business value?

In most organisations, IT has grown organically, meeting business needs as they arise. Those demands have come through thick and fast from almost all areas of the organisation’s operations. IT has become integral to almost all aspects of operations in most workplaces, putting immense pressure on those that are responsible for delivering these systems.

Under that pressure, it’s not uncommon for normal governance approaches to lag behind, but given the importance of IT, these clearly need attention.

There’s a wide range of topics that need thought.  Examples include :

Access Rights

From protecting systems with passwords, having a strong password policy, multi-factor authentication or PIN policies for mobile devices – with no PIN, a stolen mobile device can yield up significant amounts of data, personal information and website access details.

Policies

Are policies in place for appropriate use of devices, internet, email etc? A common response for small NZ businesses is that they have never needed these, but these have to be in place before you need them. Once an employee takes advantage, the horse has bolted. Are they up to date? Do they cover consumer cloud services such as Dropbox? Do they cover BYOD?

Antivirus and EDR (xDR)

Security patches are the fence at the top of the cliff and anti-virus can be the ambulance at the bottom. We have seen organisations suffer significant downtime because of a virus infection that would have been prevented by patching.

Security

Data security process – With data privacy concerns emerging, and legislation like GDPR becoming relevant, how well placed is your organisation to ensure it follows best practice? Do your systems allow you to track compliance, do you know what personal data your organisation holds?  This can often be informally held by well-meaning colleagues as well as your official systems, meaning that training and awareness matter as much as software – and that’s something that extends beyond the IT department.

Reporting

Do you have regular IT reporting in place, and does it cover the topics you really need to know about? These will span infrastructure (are the backups working and tested?) do you have any pending capacity considerations?  What’s the reliability of core systems like?