IT governance
ISACA SA Awards Ceremony, 20 April 2007
Presented by: Mervyn E. King SC

Introduction
• Information age
• Members of a global village, willingly or unwillingly
• Real time
• Transparency is the cornerstone
• Sunlight as disinfectant; electric light as policeman
• The ultimate light: telecommunications and IT
Mervyn King SC

Changed corporate world (1)
• Integral to society
• Shareowner profile changed
• Conformance and performance
• UN Human Rights declaration
• Environmentalists
• Information communication technology
• Activism
• Triple bottom line

Changed corporate world (2)
• Capital a scarce resource
• Borderless world: the click of a mouse can make or destroy markets
• Rely on reports from companies
• Capital flows affected by electronic communication
• Flows towards good governance

Changed corporate world (3)
• Shareowner revolution
• Global institutional investor: conduit for the person in the street
• Where were the directors? Where were the institutional shareowners?
• Strategic importance of IT systems, not only an enabler

Changed corporate world (4)
• ICT: important strategic role, pervasive
• Flatter structures, online
• Industries converge
• Governance role?

Governance a process
• Governance is about process
• Enterprise is strategic: risk for reward, and failure
• Good governance and failure: acceptable
• Bad governance, failure, scandal: not acceptable

Compliance
• Mindless compliance, whether voluntary or compulsory
• Compliance officer
• Apply the mind: where a provision is not suitable for the business, explain
• The market is the ultimate compliance officer

Enron
• Had the trappings of good governance, quantitatively compiled
• Non-executives
• Good board attendance
• Committees of the board
• Yet dysfunctional

Enron – why?
• Self-interest
• Greed
• Dishonesty: SPEs and off balance sheet, apparently to prop up the share price
• Codes will not help
• Intellectual dishonesty

A director's duties and responsibilities
• Good faith
• Care
• Skill
• Diligence

Incapacitated person
• Human being: best interests, care, skill, diligence; the decent citizen thing to do
• Company an artificial citizen, incapacitated
• Director: its heart, mind and soul

Quantitative governance compliance
• Voluntary or compulsory: not the answer
• Quality governance, based on intellectual honesty
• Incapacity awareness
• Corporate sins: awareness
• Intellectually naïve questions
• IT governance the same

IP and IT
• Manual processes to systems processes
• Processes and risks locked into IT
• IP locked into IT
• Staff told "how" to use systems
• The understanding of the IT? In the IT department and the CIO
• "Black box" scenario

Two levels of IT governance
• Technical and IT process level: first
• Business process level, strategic: second
• CIO and colleagues need to understand the business
• Aids the company to realise its strategies
• IT governance specific to each business

IT governance
• Legislate COBIT or ITIL
• Legal framework needed
• Due care
• Due diligence
• These are the essence of information security

Regulate IT governance?
• Not for level two: management of processes to realise business strategies
• No generic rule to regulate all businesses
• Even for level one, adapt methodologies to suit the local environment

Risk in the use of IT (1)
• Strategic importance of information technology
• Technology issues
• Board members need greater understanding
• Duty of care and skill: how else carry out duties?

Risk in the use of IT (2)
• Unaware of operational risks because processes not understood
• Risk management
• Solution? Representation or outside advice

Risk in the use of IT (3)
• Confidential info outside the company
• Different codes of conduct
• Different values
• Different risks
• Accountability issues

Risk in the use of IT (4)
• Increasing dependence on outsiders, outside the direct control of the company
• Process outside, e.g. call centre
• Financial and reputational risks
• Outside access to confidential information
• Information security as part of governance

Information security
• Napoleon, The Three Musketeers: the wax seal
• Information to the enemy: disastrous for the battle or the war
(Internet Encyclopedia)

Unauthorised
• Use
• Access
• Disclosure
• Disruption or elimination
• Changes
• Prudent and reasonable steps, or legislation
• Care and diligence

The wax seal
• Confidentiality: job application
• Integrity: no change without authorisation
• Availability: system functioning correctly
• Possession: stolen laptop
• Authenticity: information genuine
• Utility: usable and useful
(Internet Encyclopedia)

The ISO code for information security (1)
• The security policy
• Asset management
• Human resource security
• Physical and environmental security
• Communications management
• Operations management

ISO code (2)
• Access control
• Information systems acquisition, development and maintenance
• IS incident management
• Business continuity
• Regulatory compliance

Cryptography
• Codes render information unusable by anyone other than the authorised user
• Encrypted information is made usable again by decryption
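The wax seal slide and the Cryptography slide together describe the two jobs a sealed dispatch does: the cipher keeps the contents from the enemy (confidentiality), and the seal shows the recipient that the message is genuine and unaltered (authenticity, integrity). The block below is an added example, not part of King's presentation, that builds both from the Python standard library only. It assumes a teaching construction: the keystream comes from HMAC-SHA256 used as a PRF in counter mode, and the seal is an HMAC over nonce and ciphertext (encrypt-then-MAC). The keys, nonce length and sample dispatch are constructed for the example; a production system should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this hand-built cipher.

```python
"""Added example, not from the presentation: the "wax seal" in code.

Assumption: keystream = HMAC-SHA256(enc_key, nonce || counter) as a PRF in
counter mode, and seal = HMAC-SHA256(mac_key, nonce || ciphertext).  This is a
teaching construction chosen so the example runs with no third-party packages;
use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) in real systems.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16   # per-message nonce; must never repeat under the same key
TAG_LEN = 32     # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (enc_key, nonce) into `length` bytes of keystream, HMAC-SHA256 as PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes,
         nonce: Optional[bytes] = None) -> bytes:
    """Encrypt, then apply the seal.  Returns nonce || ciphertext || tag."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The seal covers nonce and ciphertext, so neither can be altered unnoticed.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bytes:
    """Check the seal first; decrypt only if it is intact.  Raises ValueError otherwise."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison: an early-exit byte compare would leak the tag.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("seal broken: message altered or not from the key holder")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def seal_intact(enc_key: bytes, mac_key: bytes, envelope: bytes) -> bool:
    """True if the envelope verifies and decrypts, False if the seal is broken."""
    try:
        open_sealed(enc_key, mac_key, envelope)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed scenario: a dispatch is sealed, then an interceptor flips one bit."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    dispatch = b"Hold the bridge until the main force arrives."  # constructed sample
    envelope = seal(enc_key, mac_key, dispatch)
    tampered = bytearray(envelope)
    tampered[NONCE_LEN] ^= 0x01  # alter the first ciphertext byte
    return {
        "ciphertext_differs": envelope[NONCE_LEN:-TAG_LEN] != dispatch,   # unusable to the enemy
        "round_trip": open_sealed(enc_key, mac_key, envelope) == dispatch,  # usable again
        "tampered_rejected": not seal_intact(enc_key, mac_key, bytes(tampered)),
        "wrong_key_rejected": not seal_intact(enc_key, secrets.token_bytes(32), envelope),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment: the seal is verified before anything is decrypted, so a forged or altered envelope is rejected without ever touching the plaintext, and the comparison is constant-time so the check itself does not leak the tag byte by byte.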

Methods of protection
• Legislation?
• UK Data Protection Act
• The Family Educational Rights and Privacy Act
• The Health Insurance Portability and Accountability Act
• The Electronic Communications and Transactions Act

Sarbanes-Oxley and King
• Comply or explain
• Comply or else
• Legislate against negligence or dishonesty?
• Intellectual honesty
• Market cap of the company
• Due care and diligence

Information security
• Due care: steps taken to practise it, verified, measured against the reasonable man
• Due diligence: continual processes, activities to monitor the protection mechanisms, and maintaining those mechanisms

Electronic communication
• Board pack
• AFS online: no more printed AFS, no more publication in newspapers
• Cautionaries
• Faster dissemination of information
• Insider trading: more or less?
• Security against sensitive market leaks

IT board representation
• IT was an enabler to support the business
• Now it both supports the business and drives strategy
• Strategic decisions on IT improvements and on information availability
• CIO on the board?

Laws and regulations
• Duty of the board to ensure compliance
• The bulk of companies are SMMEs: cannot afford IT expertise in-house, have to use service providers
• Remember: the board can delegate but cannot abdicate

Director's liability
• A director is a director
• Collective authority, individual liability
• Statutory and common law
• Expertise important

Good practitioners
• Aware of the four duties
• Aware quality is above quantity
• Aware of human frailty
• Aware of individual liability
• Aware of not understanding IT
• Intellectual honesty the foundation
• How legislate about all this, or only one aspect?

Conclusion
• Comply or explain; comply or else
• In either regime, quality is the factor, not quantity
• The market is the ultimate compliance officer
• Ultimate responsibility is business success
• Balance conformance and performance
• Legislation is not the recipe for good governance, corporate or IT
• Moses, Congress, Parliament

"The Corporate Citizen", Mervyn King SC