The IT governance process helps you align IT to achieve your business goals, protect assets, comply with legal and regulatory requirements and manage risks. Sound IT governance is the need of the hour for all organisations that are going digital. This is even more critical in highly regulated industries such as financial services. Most organisations in India are waking up to this reality. The question is how to get started. Here is a high-level approach for you:
Step 1
Start mapping the key risks across applications, infrastructure and people, and designing controls in a risk register. A few examples are below:
Information security risk
Antivirus should be installed on all devices.
USB lock should be enabled on all devices. Exception approvals should be in place for users for whom the USB lock can be disabled.
All servers should be patched with the latest updates.
All Personally Identifiable Information (PII) should be encrypted at rest.
An Aadhaar Vault should be in place for Aadhaar number storage. Images containing Aadhaar numbers should be masked.
Firewall logs need to be reviewed every month and suitable action needs to be taken.
People risk
Background verification checks should be performed on all candidates for employment.
Employee access should be revoked across all systems on the employee's last working day.
Physical security risk
CCTV should be installed at all entry and exit points, and CCTV logs should be reviewed.
Only approved users should be able to access the CCTV cameras.
Visitor and third-party employee registers should be maintained.
Operational risk
Maker-checker should be implemented in applications, document review, system administration, database administration and transaction processing.
Backups should be checked and validated regularly.
Step 2
Roll up all the controls into an IT policy document. Get the policy reviewed and approved by your board.
Step 3
All controls defined in the IT policy need to be implemented and tested. Define an audit calendar and ensure that all controls are tested over a period of time.
Step 4
Review the audit observations that do not comply with your IT controls. Tag them as high, medium or low severity. Ensure that the observations are fixed within a reasonable period of time.
Once you follow the above process for a few months you will get the hang of the IT governance ritual. Then start exploring popular frameworks such as COBIT and ITIL to improve your IT governance process.
Satish Ayyaswami is GramPro Business Services' special advisor. The article originally appeared on TechAdvisory for Indian Businesses.
