Please note that this pertains to South African Legislation, the King Requirements, and Best Practice.
This time we look specifically at the issues around the Governance of Information Technology.
If we are to look at the PoPI Act (Protection of Personal Information) here in South Africa, we will notice just how important it is to ensure that our IT governance and issues around compliance are measured, monitored, and met.
Let’s have a look at some of the questions that Directors should be asking.
1. Who is accountable for the IT decisions that are taken, and do you understand how they are taken? What generally happens is that the infamous “somebody” needs a very important “something” and, without any discussion to see where and how the “something” would fit into what you’ve already got, the decision is made and the “something” is purchased. It soon becomes evident, however, that the “something” that you’ve purchased, usually at great cost, is not compatible with anything that you already have.
2. In view of the above example it is clearly a very good idea to have an IT governance framework in place. This should define and support all of the decision models and ensure that there is proper and clear accountability. All of the processes around the issue of governance should also be documented and signed off in accordance with the company Authority Matrix.
3. Is there a budget for IT investment and do you understand how and where that investment is to be utilized? As with any other purchase in the company, budgets need to be set for all IT requirements. Again, these budgets should be signed off and approved in compliance with the company Authority Matrix.
4. Are you in compliance with the PoPI Act in terms of your client information? It is of the utmost importance to have a documented PoPIA Policy, which all your employees MUST be trained on and be familiar with. Don’t forget that your own IP (Intellectual Property) also needs to be protected.
5. Aside from PoPIA, are all the other rules, standards, codes and compliance regulations adhered to as well? It is a good idea to have staff, including senior and middle management, sign off that they have been trained on and understand the requirements.
6. Is your IT value measured and if so how?
7. Are the current IT risks and concerns regularly communicated to the Board? This item should, in fact, be on the Board Meeting agenda for every meeting, especially at this time when corporations and even middle to small businesses are being targeted by cyber-crime.
8. Is there regular feedback on progress on all major IT projects or current challenges? Again, this should be an item on the agenda at Board Meetings.
Feedback and communication are key if the board members are to fully understand and therefore make decisions around the IT requirements and challenges that the company may be facing.
Again, as you can see, there are a huge number of issues that need to be managed, measured, and resolved, and it is of the utmost importance that compliance and the best practice methodology around your IT requirements are taken seriously and implemented.
Next time we will have a look at some of the compliance requirements around laws, rules, codes, and standards.