IT governance/control and auditing is still nascent, but emerging, while the
IT security market in India is already on its way to maturity. Driven by the
spurt in regulatory mandates as well as a growing realization of the need to put
internal controls and processes in place, the market is beginning to understand and move
towards a holistic, umbrella approach in terms of overall IT governance adoption
instead of a stand-alone approach towards security.
The recent HP pretexting issue that has rocked the corporate world
reiterates the need for building internal controls and processes leading to
strong governance practices. This need is becoming increasingly applicable
to the establishment of strong IT governance as well.
The 22nd Annual Asia-Pacific Computer Audit, Control and Security (CACS)
conference conducted by the Information Systems Audit and Control Association (ISACA)
bore testimony to the growing awareness. There were around 175 participants
(including IS audit, control and security professionals) from across APAC.
Delving into the IT governance space, H Raghavendra Rao, senior consultant, i-flex
and president of the Bangalore Chapter of ISACA, explained that IT governance is
essentially building a framework within the organization to see that the
investment in IT is aligned with the business. Audit, control and security are
the three key components of integral IT governance. In line with this, the
discussions were aligned along three streams: IT Audit Issues, Information
Security Management, and IT Risk Management and Compliance.
NRK Raman, chief operating officer, i-flex, emphasized the importance of
effective risk management through better internal control. Hugh Penri-Williams,
chief information security officer, Alcatel, in his keynote address provided an
overview of the various standards and frameworks and their adoption by
organizations.
Regulatory compliance requirements like Sarbanes Oxley and HIPAA are
mandating the growing movement towards adoption of the IT governance framework.
The need for establishing internal controls is also providing the necessary
push. A recent study from the IT Governance Institute reveals that more than 84%
of the respondents in India considered IT very important for overall strategy
delivery, a figure well above the global average of 57%.
Globally, the study also shows the share of organizations not considering implementing
any IT governance solutions coming down from 17% in 2003 to the present 9%.
Meanwhile, the IT governance framework is also evolving to cater to the changing
market dynamics. In December 2005, a major update of COBIT, an internationally
accepted IT governance framework, was launched. The new edition, COBIT 4.0,
provides a stronger business focus to address the evolving responsibilities of
boards and employees. It includes guidance for boards of directors and all
levels of management. It also links business goals, IT goals and IT processes.
The Indian market is increasingly facing the need for adopting a framework
for internal controls. According to Rao, a lot of IT governance opportunities
are emerging in the banking, telecom and BPO space. As of August 2006, ISACA
lists 253 Certified Information Systems Auditors (CISA) and 29 Certified
Information Security Managers (CISM) in India. The number of CISA and CISM
professionals is likely to grow at a rapid pace with the spurt in demand. The
availability of an adequate pool of quality certified professionals will be a
key to the successful adoption of an IT governance framework by organizations.
Shipra Arora
shipraa@cybermedia.co.in