Further, IT governance is aligned with the overall enterprise governance
strategy so that every employee and every process complies with prescribed
IT policies. Examples could be password policies and rules around how passwords
are used, mandatory IT training, rules for e-mail usage, IT governance
related documentation, and so on.
In terms of risk
When it comes to risk, IT GRC is fairly straightforward. It essentially deals
with how to set policies and procedures that minimize risks to the network,
applications, and data.
Information security involves ensuring the integrity and privacy of corporate
data. So naturally IT GRC must ensure that adequate security measures are in
place to protect information both from internal and external attack (as well
as snafus resulting from plain old human error). But there are other
considerations as well.
Suppose that the company is going to do an upgrade to the system that
generates financial reports. In this instance, what are the documented policies
and procedures for backing up the existing system? Who is in charge of
checking the various components of the system? And who is testing — and
what pieces are they testing — to make sure the components are actually
going to support the business needs the system is designed to address?
Then there is the area of disaster recovery. Katrina is the oft- and overused
example of this kind of thing, but when the hurricane struck it put every
worst-case IT risk scenario to the test. Those companies that were prepared
managed to recover because they understood the need to have disaster
recovery systems in place that could mitigate the impact of a hurricane
hitting the Gulf Coast.
The threat doesn’t necessarily have to be a large-scale catastrophe, such as
Katrina. A heavy snowfall, rain causing a roof to collapse, or a mouse chewing
on some wires causing a fire are all examples of possible disasters. In any
event, the company that has considered its IT risks and established the
means to respond to them will survive both the immense hurricane and
the tiny mouse.
Your disaster recovery plan needs to include not only your company’s
physical location, but also that of your backup site. For example, say that your
company is located in an area that is geologically secure, far enough north
to avoid hurricanes, and far enough south to never have more than a gentle
sprinkling of rain or dusting of snow. However, if it is using an offsite vendor
to back up data or has located its data recovery center in another geographic
region, what are the policies for managing a storm or fire or some other event
268 Part IV: Managing the Flow of Information