Getting Back to I&T Basics: I began my auditing career in the financial services industry. Getting an understanding of any given bank’s information & technology (I&T) environment and processes was relatively easy. There would be an Information Security Policy, a formal IT risk assessment, a business continuity plan and incident response plan, a standardized patching process, and so on and so forth. The highly regulated nature of the industry made it easy to have a standardized set of expectations. The real shock was when I took my first foray outside of the FS industry. The client I was working with had little to no formal…well…anything. It’s natural to point to cost as the biggest barrier to a strong I&T control environment. We could also easily look to time and manpower as equally likely obstacles; but even with all these, understanding where to focus your limited time, energy and funds is critical. It is with that thought in mind that I am happy to introduce a new series for 2025: ‘Getting Back to I&T Basics’. Over the next six articles, we will examine five critical areas essential for establishing a solid foundation to develop a robust Information and Technology environment. The series will conclude with an article that provides advanced considerations for progressing beyond the foundational elements we have established.
Organizations must actively manage their Information and Technology (I&T) resources strategically to remain competitive and secure; however, many organizations, especially small and medium-sized enterprises, often lack structured approaches to effectively govern their I&T environment. Establishing solid IT governance with a robust policy framework is not just beneficial; it is crucial for the long-term success, security, and efficiency of an organization.
IT Governance provides a structured framework that ensures IT investments and activities align directly with organizational goals and strategies. It involves leadership, organizational structures, and processes to make sure IT supports and enables the organization’s overarching strategic objectives.
Organizations frequently face challenges around unclear roles and responsibilities, ineffective decision-making processes, and misalignment between IT initiatives and business objectives. Without clear governance, IT projects can drift, become costly, or fail entirely.
Robust IT governance provides:
This sounds like a lot, and it is. All the above combine to create a mature governance system. The burning question, though, is where do we start?
Assuming the organization’s overall strategic goals have been clearly defined, the first step in establishing effective IT governance starts with creating an IT strategic plan. Executive leadership should collaborate with I&T leaders to ensure that IT resources are appropriately positioned to help see those goals to fruition. This level of effective alignment can provide organizational clarity.
A strong IT strategic plan articulates how technology will aid in achieving organizational objectives. A comprehensive IT strategic plan should include:
Effective strategic alignment is a continuous process. Regular communication channels between IT and executive leadership must exist, supported by routine meetings and reporting mechanisms. Such transparency fosters trust, enables consistent alignment, and allows the organization to rapidly adjust to changing conditions. Given the importance of information and technology in today’s market, poor alignment will result in significant consequences, up to and including the failure to reach strategic objectives. This makes the need for alignment between the two strategic plans paramount.
The second pillar of solid IT governance is developing and maintaining a strong IT policy framework. Policies form the bedrock of an effective IT governance structure by setting clear expectations, behaviors, and operational standards.
An IT policy framework consists of clear, comprehensive, enforceable policies covering various aspects of information and technology management. The overall structure of the policy framework is flexible. Organizations may create a series of policies that combine to provide a strong framework, or use a single, overarching Information Security Policy (or similarly named) that contains multiple sub-policies. Regardless of method, the underlying fundamental is to address key topics, including:
A robust IT policy framework is essential for providing clarity and direction within an organization. Policies offer guidelines and set explicit expectations, reducing ambiguity and confusion. They help prevent risky behavior, breaches, and compliance violations, thereby reducing risk. Further, consistent application of IT standards across departments facilitates compliance with external regulations and internal controls. Additionally, policies empower IT leadership to enforce standards effectively, protecting organizational assets.
Whether you start from scratch or build through a purchased template, the key is customization and detail.
The most terrifying moment of developing a policy is sitting down with a blank piece of paper, or more likely an empty Microsoft Word document; however, there is good news for those of us who don’t have an inner J.R.R. Tolkien. There are plenty of paid and free online resources available that provide template-based policies. Alternatively, our good friend ChatGPT is a great starting point as well.
Building the basic structure of your policy framework is only the first step. No matter how amazing the template or first draft from AI is, detailed customization is critical. To repeat an earlier statement, ‘Policies offer guidelines and set explicit expectations…’ These guidelines and expectations will be unique from company to company, so take the time to do it right the first time. Below are several components that should be taken into consideration when adding detail and depth to your policies:
Implementing robust IT governance and a comprehensive policy framework significantly strengthens an organization’s ability to leverage IT effectively. By aligning IT strategy closely with organizational goals and providing clear, actionable policy guidance, organizations lay the groundwork for enhanced performance, security, and long-term success.
Earlier in the article, I mentioned six critical components to creating a robust I&T governance system. We have primarily focused on Strategic Planning & Alignment and Compliance & Accountability (via policies) thus far; however, we’ve also lightly touched on Reporting Lines, Resource Optimization, and Performance Measurement. That leaves us with Risk Management, which is no small task. We will save that for Article II – Strengthening the Pillars of Governance: IT and Third-Party Risk Management.