ESCROW: COBIT® 5 a Shot in the Arm for IT Governance and Control
COBIT® 5, the eagerly awaited best practices framework providing the next generation of ISACA guidance on the management of enterprise information and technology assets, will be a shot in the arm for IT governance and control in South Africa, says Escrow Europe director, Andrew Stekhoven.
As an independent, non-profit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Building on more than 15 years of practical application, COBIT® 5 is designed to align with current thinking on enterprise governance and management techniques as they relate to IT.
How COBIT Affects IT Governance
"COBIT (Control Objectives for Information and related Technology) is there to protect and enforce the organisation's interests in all acquisition contractual agreements and helps to manage third-party services by identifying and mitigating risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis," said Stekhoven.
It provides best practices across a domain and process framework from a consensus of experts and presents activities in a manageable and logical structure. It is strongly focused more on control, less on execution and helps optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong by developing appropriate IT governance and control in a company.
Extracts from the COBIT® 5 process reference guide show that the company or its officer charged with mitigating ITC risk must effectively manage supplier risk. This includes identifying, monitoring and, where appropriate, managing risks relating to the supplier's ability to deliver service efficiently, effectively, securely, reliably and continually (APO10.04).
Further, it states that suppliers should be selected according to a fair and formal practice to ensure a viable best fit based on specified requirements (APO10.02) and that the officer must manage all backup arrangements, that is, ensure availability of business critical information (DSS06.08).
Importantly, said Stekhoven, COBIT® 5 also provides guidelines that the officer can follow, or steps that he or she can take, to streamline the process of mitigating the risk. Specifically, it says: "Consider escrow or deposit arrangements."
Being Well Versed in IT Governance Rules Is Imperative
South African law currently does not provide for the protection of, and access to, software source code in the event of software supplier insolvency. However, software escrow bridges this divide to facilitate compliance with corporate governance imperatives.
This advice is in line with King III and Gartner, which has written: "Technology escrow is a smart and effective component of a business continuity strategy that software licensees can use to protect their mission critical applications in an ever-changing environment."
"Escrow management has evolved to meet the challenges presented by compliance regulations," said Stekhoven. "Technology escrow has long been an established best practice for vendor management and business continuity. Now, technology escrow can become a valuable component of a corporate compliance strategy as well."
According to ISACA's website, COBIT® 5 will include improved coverage of these sustainability issues and also address the use of IT beyond the traditional IT function, within the business and throughout enterprise activities. It will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from BMIS and ITAF.
"I'm certain that COBIT® 5 will help elevate the importance of IT governance and management even further, so that South African companies and their directors and officers take effective steps to mitigate their exposure to risk.
"In addition, its proposed stance on active software escrow will raise its profile even further and ensure that South African companies, and directors and officers, are not exposed to IT governance risks which can so easily be mitigated through the use of escrow."