1 Management Summary

IT Governance as the sum of all policies, the organisational structure and the enterprise process framework must ensure that IT is implemented adequat ...

2 Highlights

• IT Compliance and Risk Management must be understood as not an additional burden.
• Embedding IT Compliance and Risk Management into all relevant bu ...

3 Introduction

This document suggests a paradigm change by understanding IT Compliance as a central corporate goal, thus enabling new synergies and fostering busines ...

3.1 Building blocks of IT Governance

IT Risk management is often considered to be a part of IT Governance. This discipline looks at threats and risks to information and the systems proces ...

3.2 Regulations and requirements

Many requirements are imposed on organizations based on national or regional legislation but also on the basis of their industry or the type of busine ...

3.3 Best practice frameworks

Identifying the applicable requirements is an important task. Once those have been determined, it is of course of importance to get to an adequate pro ...

4 Business values as the basis for a strategic IT compliance approach

Forward-thinking organisations build their corporate actions on a solid basis by defining corporate goals and pursuing them constantly. Extending typi ...

4.1 Identifying business values beyond mere regulatory compliance

An essential, strategic challenge for every organisation is the definition of adequate corporate goals. These goals ideally determine the bottom line ...

The important step that should be taken up-front is to understand that a change in focus is required. Taking additional or modified enterprise objecti ...

4.2 Building on a mature GRC program

Companies in the financial services sector were among the first that had to get used to various national, international and sector-specific standards ...

4.3 Understanding external and legal requirements as success factors

Being compliant to legal requirements has typically not been considered as a main objective for organisations. But once it is understood that the fail ...

An adequate definition of corporate objectives between traditional market oriented goals and secondary goals as described above needs to be accepted a ...

4.4 Changes in business models and IT

Many factors influence the changes that can be currently seen and that will have an impact on the way we do business today and even more tomorrow. Now ...

4.5 From external requirements and corporate objectives to a policy framework

An essential part for defining the necessary requirements is the set of external laws and regulations to be met. Understanding which legal and regulat ...

The high level of abstraction for these documents implies that not all internal or external requirements need to be codified within corporate policies ...

5 IT Compliance and IT Security by design

With the increasing number of legal requirements as well as the growth in of individual requirements, many organisations must identify the right contr ...

5.1 Determining and documenting business benefits

Embedding the demands resulting from IT Compliance into robust and secure IT processes and technologies is both a challenge and an opportunity for man ...

The following two sections illustrate potential benefits as examples for the advantages that can be gained from the suggested approach.

5.2 Potential benefits for breach and incident management

Breach and incident management systems are designed to achieve a controlled and proactive approach to handling security threats and incidents. They im ...

5.3 Potential benefit for infrastructure management and sustainability

A strong level of control over corporate IT systems, no matter whether they are in the cloud, on premises, or a hybrid, helps in achieving a much bett ...

6 Recommendations

One main conclusion is that implementing IT Compliance as a corporate objective needs to be understood and facilitated not only within IT but also fro ...