GLOBAL STANDARD FOR INFORMATION MANAGEMENT

Manohar Ganshani

Businesses have today expanded beyond local geographies. Global presence demands uniformity within the processes across the disparate locations of the organisation's business in order to provide a consistent response to business needs. Information technology remains the central element of information management because most of the information resides in, and is processed by, IT. To bring about uniformity within the processes, organisations need to adopt a standard that meets the business objectives. This leads to the question: which standard to choose and adopt? The challenge is compounded not only by the choice of standard but by the fact that organisations have to comply with multiple regulations and legal requirements while transacting business across boundaries. So the question turns into a puzzle: do we need a global standard for information management? This article attempts to solve the puzzle and offers an approach based on how complex organisations treat it, though it need not be the only possible approach or alternative.
Best practices, standards and frameworks

For the sake of clarity, and to avoid a situation where these terms are used interchangeably, here is a simple definition of each.

Best practices: Result/output-oriented, cost-beneficial, informally accepted methods followed by homogeneous industries across the world. Organisations generally tweak them depending upon individual requirements. For example, the unified customer experience offered by some of the global banks, quality initiatives (Six Sigma, CMMI etc), the balanced scorecard for performance measurement and so on.

Standards: Mainly address the WHAT part of best practices. Provide uniformity for the processes to be followed and offer the opportunity of certification. In case of certification, compliance is mandatory. For example, the various standards by the International Standards Organisation (ISO), British Standards Institute (BSI), American National Standards Institute (ANSI), Australia-New Zealand Standards (ANZ) and so on.

Framework: Addresses the HOW part of implementing standards/best practices. Provides a set of key ingredients and processes to build maturity models. For example, Committee of Sponsoring Organisations (COSO), Control Objectives for Information and related Technology (COBIT) and Risk IT (IT risk maturity assessment) by the IT Governance Institute, ITIL (Information Technology Infrastructure Library) and so on.

Various facets of compliance

Legal: Laws enacted by sovereign governments, applicable to organisations registered/operating in the government's territory. Examples: Sarbanes-Oxley, Gramm-Leach-Bliley Act (GLBA), IT Act (Amendment) 2008, North American Electric Reliability Corporation (NERC), Health Insurance Portability and Accountability Act (HIPAA), privacy acts, data protection acts.

Regulatory: Requirements specified by authorised agencies for specific industries. Examples: BASEL II (through central banks), Securities and Exchange Commission (SEC), Securities and Exchange Board of India (SEBI), Payment Card Industry Data Security Standard (PCI DSS) etc.

External: Industry mandates, eg SAS 70.

Internal: Business strategy and company policies.

Legal and regulatory compliance is necessary to protect stakeholders' interests.

Essence of information management

It is important to understand the essence of information management before deliberating on the need for a global standard. COBIT defines information management as the IT resources and processes that provide information to the business processes to achieve business objectives. Although information management does not necessarily cover only IT resources and processes, the dependency of organisations on IT for information management makes this definition relevant. Thus reliable information needs to be made available, without compromising security, through an optimum (efficient) use of resources whenever needed, and it should be relevant (effective) to the business, so that management can take decisions. The mechanism of provisioning the information in an effective and efficient manner is the governance aspect of it. So essentially, information management is like a coin with two sides, ie information governance and information security. Since most of the information is held in IT systems, IT governance would meet the objective of information governance to a large extent. This may be debatable; however, the idea is that the approach applied to information within IT systems can be extended to the manual processes within information management.

The solution

The solution to the puzzle lies in understanding the essence of information management. We now need to deal with two aspects, ie IT governance and information security. Most mature organisations have adopted one standard for dealing with these two aspects and then looked at the incremental requirements of the various other compliances.
Taking a close look at the umbrella of available standards: COSO, for example, provides a high-level framework to deal with internal controls, while COBIT provides guidelines to implement controls for the interface between business management and IT-related activities (and is at a lower level, dealing with maturity assessment). ITIL (for IT service management) and ISO 27001 (for information security) are more granular still, reaching down to the operational level. It is ideal to have a common set of requirements from the standards on which to build information management, which demands compliance with more than one standard to meet the business needs. The fact is that smart and complex organisations leverage the existing standards and frameworks and benefit from the intersection of these frameworks and standards, in conjunction with best practices.

Challenges

1. Identification. Identifying the base standard/framework is key to the success of information management, since this is going to be the foundation. One approach is to create a business case in which the business impact would help determine the base standard. The business impact would consider various parameters such as fulfilment of security and privacy requirements, alignment with the business objectives, skill and resource requirements, regulatory and legal compliance requirements etc.

2. Interpretation and scope coverage. The interpretation should provide the required coverage of scope in terms of scalability and expansion to other boundaries.

3. Implementation and sustenance. While satisfying the two-fold requirements of information management, it is ideal to have the processes of the chosen standard/framework automated, to maintain consistency and transparency in the subsequent reporting process. Automation also results in an easier change management process. The key challenge here is the selection of an IT GRC tool. Look for an IT GRC tool that provides benefit in terms of customisation and scalability without calling for extraordinary skills. Sustenance is more imperative from the assurance perspective than merely from the certification perspective.

To conclude, it is imperative to use a unified compliance framework and to adopt a risk-based approach while choosing and adopting standard, framework and compliance (regulatory, legal or industry mandate) requirements. A risk-based approach would help determine the impacting regulation and the standard to be used from the umbrella of existing standards, frameworks, best practices etc. A unified compliance framework will help build the common requirements and then evolve a process to deal with the delta change due to new regulations as the business crosses its existing boundaries. It serves the purpose of governance and security, and therefore meets the essence of information management that aligns with the business objectives. In a nutshell, there is no need for yet another global standard.
References

1. COBIT - The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).
2. COSO - The Committee of Sponsoring Organisations (COSO) is a voluntary private-sector organisation. The COSO framework provides guidance on organisational governance, internal control, fraud, enterprise risk management and financial reporting.
3. ISO27001:2005 - An ISO/IEC 27001 family standard for Information Security Management Systems. There are further standards in the ISO27001 family for meeting other requirements, such as ISO27004, which is the designated number for a new standard covering information security management system measurement and metrics.
4. ITIL - The IT Infrastructure Library, originally created by the UK government, is the framework for building and implementing IT service management in an organisation.

About the author: Manohar Ganshani is practice partner for the governance, risk and compliance practice at Wipro Consulting Services. The article also has inputs and review comments from Sunil Bakshi, who is a senior manager in the same team.