IT governance ISACA SA Awards Ceremony 20 April 2007 Presented by: Mervyn E. King S.C.


Page 1: IT governance ISACA SA Awards Ceremony 20 April 2007 Presented by: Mervyn E. King S.C

IT governance

ISACA SA Awards Ceremony, 20 April 2007

Presented by:

Mervyn E. King S.C.

Page 2

Mervyn King SC

Introduction

Information age
Members of global village
Willingly or unwillingly
Real time
Transparency – cornerstone
Sunlight/disinfectant
Electric light/policeman
Ultimate light – Telecommunications and IT

Page 3

Changed corporate world (1)

Integral to society
Shareowner profile changed
Conformance and performance
UN Human Rights declaration
Environmentalists
Information communication technology
Activism
Triple bottom line

Page 4

Changed corporate world (2)

Capital a scarce resource
Borderless world
Click of a mouse
Make or destroy markets
Rely on reports from companies
Capital flows affected by electronic communication
Flows towards good governance

Page 5

Changed corporate world (3)

Shareowner revolution
Global institutional investor
Conduit for person in street
Where were the directors?
Where were the institutional shareowners?
Strategic importance of IT systems – not only enabler

Page 6

Changed corporate world (4)

ICT
Important strategic role – pervasive
Flatter structures – online
Industries converge
Governance role?

Page 7

Governance a process

Governance about process
Enterprise – strategic
Risk for reward – failure
Good governance and failure
  Acceptable
Bad governance – failure – scandal
  Not acceptable

Page 8

Compliance

Mindless whether voluntary or compulsory
Compliance officer
Apply mind
Not suitable for business
Explain
Market ultimate compliance officer

Page 9

Enron

Had the trappings of good governance
Quantitatively compiled
Non-executives
Good board attendance
Committees of board
Yet dysfunctional

Page 10

Enron – why?

Self-interest
Greed
Dishonest – SPEs and off balance sheet
Apparently to prop up share price
Codes will not help
Intellectual dishonesty

Page 11

A director’s duties – responsibilities

Good faith
Care
Skill
Diligence

Page 12

Incapacitated person

Human being
Best interests, care, skill, diligence
Decent citizen thing to do
Company an artificial citizen
Incapacitated
Director, heart, mind and soul

Page 13

Quantitative governance compliance

Voluntary or compulsory
Not the answer
Quality governance
Based on intellectual honesty
Incapacity awareness
Corporate sins – awareness
Intellectually naïve questions
IT governance the same

Page 14

IP and IT

Manual processes to systems processes
Processes and risks locked into IT
IP locked into IT
Staff told “how” to use systems
The understanding of the IT?
In the IT department and CIO
“Black box” scenario

Page 15

Two levels of IT governance

Technical and IT process level – first
Business process level strategic – second
CIO and colleagues need to understand the business
Aids company to realise strategies
IT governance specific to each business

Page 16

IT governance

Legislate COBIT or ITIL
Legal framework needed
Due care
Due diligence
These are the essence of information security

Page 17

Regulate IT governance?

Not for level two
Management of processes to realise business strategies
No generic rule
To regulate all businesses
Even adapt methodologies to suit local environment for level one

Page 18

Risk in the use of IT (1)

Strategic importance of information technology
Technology issues
Board members need greater understanding
Duty of care and skill
How else carry out duties?

Page 19

Risk in the use of IT (2)

Unaware of operational risks
Because processes not understood
Risk management
Solution?
Representation or outside advice

Page 20

Risk in the use of IT (3)

Confidential info outside company
Different codes of conduct
Different values
Different risks
Accountability issues

Page 21

Risk in the use of IT (4)

Increasing dependence on outsiders
Outside direct control of company
Process outside, e.g. call centre
Financial and reputational risks
Outside access to confidential information
Information security as part of governance

Page 22

Information security

Napoleon, The Three Musketeers
The wax seal
Information to enemy
Disastrous for battle or the war

Internet Encyclopedia

Page 23

Unauthorised

Use
Access
Disclosure
Disruption or elimination
Changes
Prudent and reasonable steps or legislation
Care and diligence

Page 24

The wax seal

Confidentiality – job application
Integrity – no change without authorisation
Availability – system functioning correctly
Possession – stolen laptop
Authenticity – information genuine
Utility – usable and useful

Internet Encyclopedia

Page 25

The ISO code for information security (1)

The security policy
Asset management
Human resource security
Physical and environmental security
Communications management
Operations management

Page 26

ISO code (2)

Access control
Information systems acquisition, development and maintenance
IS incident management
Business continuity
Regulatory compliance

Page 27

Cryptography

Codes
Renders it unusable
Other than authorised user
Encrypted information
Usable again by decryption

Page 28

Methods of protection

Legislation?
UK Data Protection Act
The Family Educational Rights and Privacy Act
The Health Insurance Accountability Act
The Electronic Communications and Transactions Act

Page 29

Sarbanes-Oxley and King

Comply or explain
Comply or else
Legislate against negligence or dishonesty?
Intellectual honesty
Market cap of company
Due care and diligence

Page 30

Information security

Steps taken to practise due care
Verified
Measured against reasonable man
Continual processes in due diligence
Activities to monitor protection mechanisms
Maintaining the mechanisms

Page 31

Electronic communication

Board pack
AFS online
No more printed AFS
No more published in newspapers
Cautionaries
Faster dissemination of information
Insider trading – more or less?
Security against sensitive market leaks

Page 32

IT board representation

IT was an enabler to support the business
Now both supports the business and drives strategy
Strategic decisions on IT improvements and on information availability
CIO on board?

Page 33

Laws and regulations

Duty of board to ensure compliance
Bulk of companies SMME
Cannot afford IT expertise in-house
Have to use service providers
Remember can delegate but cannot abdicate

Page 34

Director’s liability

Director is a director
Collective authority
Individual liability
Statutory and common law
Expertise important

Page 35

Good practitioners

Aware of four duties
Aware quality above quantity
Aware human frailty
Aware individual liability
Aware not understanding – IT
Intellectual honesty foundation
How legislate about all this or only one aspect?

Page 36

Conclusion

Comply or explain
Comply or else
In either regime, quality is the factor not quantity
The market is the ultimate compliance officer
Ultimate responsibility is business success
Balance conformance and performance
Legislation is not the recipe for good governance, corporate or IT
Moses, Congress, Parliament

Page 37

“The Corporate Citizen”