 A Thorogood Special Briefing

2nd edition

IT GOVERNANCE
Managing Information Technology
for Business

David Norfolk
 

Thorogood Publishing Ltd
10-12 Rivington Street
London EC2A 3DU
t: 020 7749 4748
f: 020 7729 6110
e: info@thorogoodpublishing.co.uk
w: www.thorogoodpublishing.co.uk

© David Norfolk 2011

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, photocopying, recording or otherwise, without the prior permission of the publisher.

This Special Briefing is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, re-sold, hired out or otherwise circulated without the publisher’s prior consent in any form of binding or cover other than in which it is published and without a similar condition including this condition being imposed upon the subsequent purchaser.

No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher.

A CIP catalogue record for this Special Briefing is available from the British Library.

ISBN: 1-854187-45-7
978-185418745-1

Printed in Great Britain by Marston Digital

Other Titles from Thorogood Publishing
IT Contracts: Effective Negotiating and Drafting (Rachel Burnett)
Managing In-house Legal Services (Mark Prebble)
Retention of Title (Susan Singleton)
Strategy Implementation Through Project Management (Tony Grundy)
Legal Protection of Databases (Simon Chalton)
Software Contract Agreements (Robert Bond)
Implementing E-procurement (Eric Evans and Maureen Reason)
Email – Legal Issues (Susan Singleton)

Special discounts for bulk quantities of Thorogood books are available to corporations, institutions, associations and other organisations. For more information contact Thorogood by telephone on 020 7749 4748, by fax on 020 7729 6110, or email us: info@thorogoodpublishing.co.uk

The author

David Norfolk BSc, MBCS, CITP, CEng, LRPS, joined Bloor Research as a Senior
Analyst for Development in 2007 and is now Practice Leader for Development
and Governance.

He has published research papers on Compuware Uniface, data integration, the Artisan Studio software engineering tool, Capability and Maturity, Enterprise Architecture and so on; and has spoken at many events (e.g. for the Intel software community).

David is co-author, with Shirley Lacy, of a practitioner-focussed book on Configuration Management, Configuration Management: Expert Guidance for IT Service Managers and Practitioners, published by the BCS.

He first got interested in computers and programming quality in the 1970s, working in the Research School of Chemistry at the Australian National University. There he discovered that computers could deliver misleading answers, even when programmed by very clever people, and was taught to program in FORTRAN.

He then worked in DBA and Operations Research for the Australian Public Service
in Canberra. Returning to the UK in 1982, David worked for Bank of America
and Swiss Bank Corporation, where he occupied positions in DBA, Systems
Development Method and Standards, Internal Control, Network Management,
Technology Risk and even Desktop Support. He was instrumental in introducing
a formal Systems Development Process for the Bank of America Global Banking
product in Croydon.

In 1992, David became disillusioned with the way people issues were being
handled in City IT and decided to start a new career as a professional writer
and analyst. Since then he has written for many of the major computer magazines
and various specialist titles around the world. He helped plan, document and
photograph the CMMI Made Practical conference at the IoD, London, in 2005
and has written many industry white papers and research reports.

He is past co-editor (and co-owner) of Application Development Advisor; is currently Executive Editor for Croner’s “IT Policies and Procedures” product; and was Associate Editor for the launch of Register Developer.

David has an honours degree in Chemistry and is a Chartered IT Professional, has a somewhat rusty NetWare 5 CNE certification and is a full Member of the British Computer Society (he is on the committee of the Configuration Management Specialist Group). He has his own company, David Rhys Enterprises Ltd, which he runs from his home in Chippenham, where his spare moments (if any) are spent on semi-professional photography (he holds the Licentiate distinction from the Royal Photographic Society (LRPS) and is working on the Associateship), sailing and listening to music – from classical through jazz to folk.

Read David’s blog, The Norfolk Punt, at http://www.it-analysis.com/blogs/The_Norfolk_Punt/

accurately know how many PCs they have and what programs run on them?
How many organisations don’t have an overall picture of exactly what is stored
on their servers?

When the directors of such companies accept responsibility for what their
organisation does and how it does it, how can they do so with any confidence
at all? Such a state of affairs cannot be allowed to continue.

Management issues in IT governance

• Providing an organisational structure that allows Board-level management to set strategic goals and cascade these through the organisation down to the IT technicians implementing automated systems.

• Aligning IT strategy with business strategy; perhaps, even, making IT an integral part of the business.

• Providing an effective communications infrastructure that enables two-way communication (feedback) between all the stakeholders in the governance process, both internal and external.

• Providing effective low-level enforcement of business-focused governance policies in the IT sphere.

• Enabling the effective identification of IT-related risk in the context of business service provision, and the translation of IT risk mitigation measures into a business terminology.

• Providing metrics for the effectiveness of IT governance.

• Identifying a return on the investment in IT Governance in terms of ‘better, faster, cheaper’ business systems.

Definition of IT governance
IT Governance is that part of corporate governance in general which ensures
that automated systems contribute effectively to the business goals of an
organisation; that IT-related risk is adequately identified and managed (mitigated,
transferred or accepted); and that automated information systems (including
financial reporting and audit systems) provide a ‘true picture’ of the operation
of the business.

 

MANAGEMENT OVERVIEW: DRIVERS FOR IT GOVERNANCE

References
References in square brackets, e.g. [8th DirCons, web], refer to entries in the
Resources appendix, at the end of this Report.


find them sufficiently challenging. They call for Audit Committees to adopt a
broader role in corporate governance and reiterate that the Board should maintain
an effective internal control regime. This implies accuracy and transparency in
the IT reporting systems that must be a foundation of any such effort.

The Financial Reporting Council set up a review of Turnbull in July 2004; the revised guidance applies to accounting periods starting on or after 1 January 2006. This review found that the Turnbull guidance still generally achieves its intended effect, in the light of UK and international experience since 1999, although there are questions as to how far it has succeeded in promoting the actual embedding of governance in business processes. The Turnbull Review Group made only a small number of changes to the Turnbull Guidance, one being that the board’s statement on internal control should confirm that necessary actions have been, or are being, taken to remedy any significant failings or weaknesses in internal control. Turnbull at present is concerned with the spirit of corporate governance and isn’t very prescriptive; it remains to be seen whether it becomes more prescriptive over time, along the lines of Sarbanes-Oxley (which is more prescriptive and longer than Turnbull, although less purely prescriptive than is usual with US regulations). The UK Auditing Practices Board revises its bulletins on The Combined Code on corporate governance: Requirements of Auditors under the Listing Rules of the Financial Services Authority [APB, web] in the light of any changes to Turnbull; Bulletin 2004/3 was replaced with Bulletin 2006/5 in September 2006, and part of this is superseded by Bulletin 2009/4, Developments in Corporate Governance Affecting the Responsibilities of Auditors of UK Companies, issued in December 2009 (see the list of Bulletins at [APB, web], for example).

IT Governance Institute, Control Objectives for Information and Related Technology

The Control Objectives for Information and related Technology (COBIT) is an important framework developed by the IT Governance Institute in the context of COSO and is built on the premise that the role of IT is to deliver the information that an organisation needs in order to meet its objectives. IT Governance is then the process that ensures that it satisfies this role adequately. A useful introduction and overview of COBIT is contained in the Board Briefing on IT Governance, from the IT Governance Institute [BoardBrief, web].

2 EXTERNAL PRESSURES: WHAT REGULATIONS?

The Higgs review

Derek Higgs was commissioned by the DTI to review the role and effectiveness of non-executive directors in the implementation of good corporate governance. He reported in 2003 with a set of suggested changes to the Combined Code, which was republished accordingly in that year.

The Combined Code is now under the auspices of the Financial Reporting Council
(FRC) and further changes can be expected as and when needed to ensure that
it remains relevant in the face of changing business conditions and technologies.

Legislation affecting IT governance

Legislation affects IT governance and it is important to actually read the legislation,
as well as any guidance notes or press releases. Many vendors seek to generate
sales from high profile legislation, and only by referring to the legislation itself 
will you discover that there may be, for example, exceptions for smaller companies
or wider issues that make a vendor’s ‘silver bullet’ solution unlikely to be effective.
For example, ‘SOX kits’ are available which promise to deliver Sarbanes-Oxley 
compliance – but in the absence of an active and well-understood process
framework it is unlikely that these will deliver more than compliance with the
‘letter’ of the law on the day that they are delivered. Since directors are supposed
to revisit internal controls whenever anything which might affect them changes,
it is likely that any ‘silver bullet’ will prove to be expensive in the longer term,
may well prove not to deliver the compliance with the spirit of the law that
regulators expect – and won’t deliver the organisational benefits possible from
a holistic approach.

Of course if you put in place the frameworks, processes and organisational maturity necessary to comply with the spirit of Sarbanes-Oxley, say, you may find a ‘silver bullet’ technology that meets your needs – but it is then hardly just a silver bullet.

The main act affecting companies in the United Kingdom is the Companies Act
2006. This is the longest Act of Parliament ever enacted in the United Kingdom
(305,397 words) and it is supported by numerous regulations having the force
of law. In effect, it establishes an equivalent to the US Sarbanes-Oxley Act (see
below) in the UK. It is less prescriptive and detailed than SOX (UK companies
(unless registered on the US stock exchange or subsidiaries of US companies
etc) should concern themselves with the Companies Act before getting paranoid
about SOX), although the devil is in the detail of how the regulators and law courts
interpret the Act. The Companies Act 2006 affects (or is capable of affecting) IT
governance in many ways, but the following should perhaps be particularly noted:


Statutory registers
Each company is required to maintain and update as necessary a register of 
members and certain other statutory registers.

 Accounting records
A company must keep adequate accounting records sufficient to show and explain
the company’s transactions, to disclose with reasonable adequacy the financial
position of the company at any time and to enable the directors to prepare accounts
in accordance with the Act (s. 386).

Statutory accounts
Directors are required to use the accounting records to produce statutory accounts
that fulfil the legal requirements, and to prepare a directors’ report (and in some
cases other reports) that give prescribed information. These must be signed to
indicate that the directors accept responsibility. If an audit is compulsory or if 
an audit has been commissioned even though it is not compulsory, the accounts
are then audited and the auditor will sign the audit report. In all cases, signed
accounts must be sent to every company member and to Companies House.
Obviously, IT systems must provide accurate information for these purposes.

 Auditors’ rights
Auditors have a right of access at all times to the books, accounts and vouchers
of the company. They also have the right to require from directors, other officers,
employees and certain other persons such information and explanation as they 
think necessary for the performance of their duties. Any person who, in making
any statement (orally or in writing) that purports to convey information or
explanations to the auditors in the course of their audit, knowingly or recklessly 
makes such a statement that is misleading, false or deceptive in a material particular,
commits an offence punishable by a fine or imprisonment for up to two years
(or both). Failure to provide requisite information or explanations is also
punishable, unless the person concerned can prove that it was not reasonably 
practicable to provide them (s. 501).

Company management, and its directors in particular, should think in advance about the sort of information the auditors might need and ensure that systems are designed to provide it (or can be easily modified to provide it) as and when required. This policy then forms a ‘non-functional requirement’ for systems development in general – which developers must be made aware of. Similarly, the provision of robust audit trails for financial information becomes a general non-functional requirement.

Further, the only practical way you can be sure that your policies concerning
the provision of audited financial information have actually been adopted in the
automated systems that you use, is to implement recognised ‘industry best
practice’ processes for the development of automated systems and the
operational management of the infrastructure that they run on – such as the
Dynamic Systems Development Method [DSDM, web] and the IT Infrastructure
Library [ITIL®, web] procedures. Beyond even this, a company might find that
process improvement (the ability to say what you are going to do, measure what
 you actually do and apply changes to the process that reduce any gap between
aspiration and achievement) helps it to address regulatory criticisms in a cost-
effective way and to cope with changing circumstances. One recognised
process improvement regime for IT organisations is CMMI (Capability Maturity
Model Integration) from the Software Engineering Institute [CMMI, web].

Statement in the directors’ report

The directors’ report must contain a statement from each of the company directors
at the relevant time, to the effect that there is no relevant audit information of 
which the auditors are unaware (as far as the director knows), and that he or
she has taken all appropriate steps to make him or herself aware of such
information and to bring it to the attention of the auditors.

Directors’ duty to exercise reasonable care, skill and diligence

The Companies Act lists a number of directors’ general duties, including a duty to exercise reasonable care, skill and diligence. The remedy for a claimed failure in this regard is a civil action by the company against directors believed to be at fault.

A director must exercise the degree of care, skill and diligence that would be exercised by a reasonably diligent person with:

• the general knowledge, skill and experience that may reasonably be expected of a person carrying out the same functions as the director in relation to the company and

• the general knowledge, skill and experience that the director actually has.


The director must meet the higher of the two requirements and it is interesting
to note that this duty follows the duty set out in Section 214 of the Insolvency 
Act 1986.

As a practical example, it means that a non-executive director who is a well-qualified and experienced solicitor must bring the care, skill and diligence expected of such a person to a very small private company that operates a fish and chip shop. On the other hand an unqualified and inexperienced director of a major public company must meet the standard expected of a director of that type in a company of that type.

It is relatively easy to set out the required standard, but it must of course be
translated into a myriad of individual circumstances, which may not be easy in
practice. Judges have in the past (especially in the distant past) taken a very relaxed
 view about the standards expected, but the requirements have grown more
demanding over the years, and especially in recent years.

Directors are not expected to be experts in everything, which is an obvious impossibility. They are expected to use common sense, give a reasonable amount of time and effort to the company and to make suitable enquiries when necessary.
They are expected to do what may reasonably be expected of a director of that
type in a company of that type, and if they have particular skill, knowledge or
training, they are expected to use it. This means, for example, that if a director
is the Chief Technical Officer and a skilled programmer, he or she would have
some responsibility for poor IT systems that do not implement company policy 
or which permit fraudulent practices.

Sarbanes-Oxley Act (USA)

Sarbanes-Oxley (SOX, [SOX, web]) is US legislation but it is very high profile.
Mark Mitchell of Informatica has met UK companies that are not subsidiaries
of US companies or listed on US stock exchanges, that claim to have a strategy 
involving Sarbanes-Oxley compliance. This is usually revisited when he points
out the likely cost of this (although there are reasons for pre-emptive compliance:
the prospect of takeover by a US company, perhaps). Effective IT governance
is a worthwhile goal but compliance with any regulations that don’t specifically 
apply to you, without a clear business reason, is very unlikely to be cost effective.

Nevertheless, SOX does affect many UK companies. In the Netegrity Security and Compliance Survey [op. cit.], however, only 15% of respondents thought that it was important. It seems rather unlikely that 85% of UK companies are neither listed on the NY Stock Exchange nor NASDAQ; nor are offshoots of US companies; nor doing significant business with US companies (in which case they’ll need to supply the information their partner needs to satisfy SOX); nor likely to be taken over by, nor merge with, a US company.

Generally, SOX involves implementing an internal control framework such as COSO (see above) – and only a recognised control framework that is established by a body or group that has followed due process procedures, including the broad distribution of the framework for public comment, will be accepted.

The essence of SOX compliance seems to be that you build a rod for your own
back. You must develop a defensible approach to internal control for your business
(and this can be criticised), and then you devise a defensible approach to internal
control for your systems and then you must demonstrate that you are adhering
to your own rules. In other words, it’s not simply a case of adhering to the rules,
there’s an effectiveness measure too (and this is more along the lines of European
regulatory practice).

The impact on IT is that it must facilitate this process, by building into its systems
and processes facilities that provide the information needed by SOX, the audit
trails needed to assure the integrity of this information, and so on. The IT Group
must also be aware of ‘Silver Bullet’ solutions: cosmetic ‘quick fixes’ for
compliance, that are a constant maintenance overhead when the business changes
[Faegre, web].
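The paragraph above asks IT to build in audit trails that assure the integrity of the information behind financial reports. The following Python example is added here by the editor; it is not code from the briefing or from any product it mentions. It shows one standard way to make an audit trail tamper-evident: every record carries an HMAC over its own content and the tag of the record before it, so an in-place edit of a stored record breaks the chain, and a checkpoint of the latest tag held outside the system (for example, handed to the auditors at period end) exposes deletion of the newest records, which chain verification on its own cannot see. The key, the journal events and the checkpoint handling are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

# Assumed for the example: a key held by the audit service, separate from the
# application and database credentials, so someone who can edit stored records
# cannot recompute the tags. Constructed value, not a real secret.
AUDIT_KEY = b"example-only-audit-key-rotate-in-production"
GENESIS_TAG = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int        # position in the trail, starting at 0
    event: dict     # what happened (who, what, which account, how much)
    prev_tag: str   # tag of the preceding entry (GENESIS_TAG for the first)
    tag: str        # HMAC-SHA256 over (seq, event, prev_tag)


def _compute_tag(key: bytes, seq: int, event: dict, prev_tag: str) -> str:
    # Canonical JSON so the same event always serialises to the same bytes.
    payload = json.dumps(
        {"seq": seq, "event": event, "prev": prev_tag},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.entries = []   # list of AuditEntry, append-only in normal use

    def append(self, event: dict) -> str:
        prev = self.entries[-1].tag if self.entries else GENESIS_TAG
        seq = len(self.entries)
        tag = _compute_tag(self._key, seq, event, prev)
        self.entries.append(AuditEntry(seq, event, prev, tag))
        return tag

    def head(self) -> str:
        """Tag of the latest entry; publish it out of band (e.g. to the auditors)."""
        return self.entries[-1].tag if self.entries else GENESIS_TAG

    def verify(self, expected_head: Optional[str] = None):
        """Return (ok, first_bad_seq). Recomputes every tag and checks the chain.
        With expected_head given, also detects truncation of the trail."""
        prev = GENESIS_TAG
        for i, e in enumerate(self.entries):
            expected = _compute_tag(self._key, e.seq, e.event, e.prev_tag)
            if e.seq != i or e.prev_tag != prev or not hmac.compare_digest(e.tag, expected):
                return False, i
            prev = e.tag
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def demo() -> dict:
    trail = AuditTrail()
    # Constructed journal postings for the example (amounts kept as strings).
    trail.append({"user": "alice", "action": "post_journal", "account": "4000", "amount": "1250.00"})
    trail.append({"user": "bob", "action": "approve_journal", "ref_seq": 0})
    trail.append({"user": "alice", "action": "post_journal", "account": "4000", "amount": "90.00"})
    checkpoint = trail.head()          # assumed to be handed to auditors at period end
    ok_clean, _ = trail.verify(checkpoint)

    # Tampering 1: an insider edits the stored amount of entry 0 in place.
    edited = AuditTrail()
    e0 = trail.entries[0]
    edited.entries = [replace(e0, event={**e0.event, "amount": "12.50"})] + trail.entries[1:]
    ok_edit, first_bad = edited.verify()

    # Tampering 2: the newest entry is deleted. The remaining chain is still
    # internally consistent, so only the out-of-band checkpoint reveals it.
    truncated = AuditTrail()
    truncated.entries = trail.entries[:-1]
    ok_trunc_chain_only, _ = truncated.verify()
    ok_trunc_with_head, _ = truncated.verify(checkpoint)

    return {
        "clean": ok_clean,
        "edit_detected": not ok_edit,
        "first_bad_seq": first_bad,
        "truncation_detected_without_checkpoint": not ok_trunc_chain_only,
        "truncation_detected_with_checkpoint": not ok_trunc_with_head,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the chain protects against modification but not against removing the tail, which is why the current head tag has to leave the system periodically (to auditors, a write-once store or a separate log service); keeping the HMAC key with the audit service rather than the application is what stops a privileged application or database user from simply recomputing the tags after an edit.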

The two sections with most impact on IT are 302 and 404(a), which deal with
the internal controls that should be in place to ensure the integrity of a company’s
financial reporting and this will impact directly on the software that controls,
transmits and calculates the data used to build the company’s financial reports.

SOX SECTION 302

Since August 29, 2002, Section 302 has made CEOs and CFOs commit to the accuracy of their company’s quarterly and annual reports. They must state:

1. That they have reviewed the report.

2. That to the best of their knowledge, the report contains no untrue statement of a material fact and does not omit any material fact that would cause any statements to be misleading.

3. That to the best of their knowledge, the financial statements and other financial information in the report fairly present, in all material respects, the company’s financial position, results of operations and cash flows.


some legitimate products. However, it is illegal and the activities of organisations such as the Business Software Alliance [BSA, web] or FAST (the Federation Against Software Theft) [FAST, web] make even unintentional use of unlicensed software unacceptably risky. In January 2004, the Federation reinforced its use of criminal proceedings to crack down on the misuse of software under s.109 of the Copyright, Designs and Patents Act 1988. Companies have been prosecuted even while in the process of addressing their licensing issues, and the interruption to business (from confiscated computers etc.) and loss of reputation may be a bigger problem than the fine.

• Health services and pharmaceutical regulations such as, for example, the US Health Insurance Portability and Accountability Act of 1996 [HIPAA, web], and various pharmaceutical industry regulations worldwide. The pharmaceutical industry is particularly highly regulated.

• Telecommunications regulations such as the Regulation of Investigatory Powers Act (RIPA) [RIPA, web]. This impacts the interception of electronic communications and the use of encryption technology.

• The Health and Safety at Work Act in the UK [HAS, web]. This applies to workers in IT just as much as anywhere else. It isn’t perhaps an IT governance issue, exactly, but it is important to remember that IT workers are not exempt from Health and Safety issues – and some of these (the impact of computer monitors on eyesight and Repetitive Strain Injury (RSI) from keyboard use, for example) are particularly related to computer use.

• The WEEE Recycling Directive [WEEE, web]. This probably won’t impact end-users of IT much, but it may impact Operations, as most electronic equipment must now be recycled when it is disposed of (luckily, the vendor probably has to arrange this).

• The Disability Discrimination Act 1995 [Disability, web]. Again, like Health and Safety, IT organisations are not exempt. In particular, web sites must be designed to facilitate access by the differently abled. The key standard in this area is the Web Content Accessibility Guidelines (WCAG) from the Web Accessibility Initiative of the W3C [WCAG, web]: WCAG 1.0 (1999) and its successor WCAG 2.0, which became a W3C Recommendation in December 2008.

• Anti-Money Laundering legislation, which (in the UK) is embodied in several pieces of primary legislation: the Criminal Justice Act 1988 (as amended), the Drug Trafficking Act 1994 and the Terrorism Act 2000 (as amended). This largely, although not exclusively, affects banking and financial organisations, which must make Suspicious Transaction Reports (STRs), if money laundering is suspected, to either the law enforcement authorities or to the relevant Money Laundering Reporting Officer (MLRO).

Obviously, automated financial processing systems may have to recognise suspicious transactions and this may impact IT systems design; there is also a possibility that STR processing may appear to conflict with the requirements of the Data Protection Act (since ‘tipping off’ the subject of an STR is illegal) and this may also have an impact on IT systems design or operation [STR-DPA, web]. Anti-Money Laundering legislation introduces its own risks too – what should a bank do if it finds that its best and most profitable customers are probably money launderers but it can’t really afford to lose their business?

Publications such as Gee’s IT Policies and Procedures [ITPP, 2004] attempt to guide subscribers on the current state of such legislation and are regularly updated, but you should always take professional advice as to the exact implications of legislation, if it affects you specifically. It is perhaps not directly a part of ‘IT Governance’ per se but it is sometimes worth remembering that it’s a very good idea to avoid expensive court cases wherever possible (investigate ‘alternative dispute resolution’) and, in particular, to avoid becoming a test case for new regulations. It is indeed possible that regulatory compliance may be implemented in the software driving the business but be very careful about this. Ultimately, the effect of regulatory law and its associated enabling legislation is what a court decides it is, not what seems reasonable to technically competent lay-readers of legal material. Even an expert legal opinion is not binding on a future court.

In the next chapter we look at the impact of IT governance on the organisation in general.


3 ORGANISATIONAL IMPACT

to serious CMMI practitioners for taking a rather superficial view of the subject.
 You should also remember that although CMMI deals with more than just
software development, it doesn’t cover every aspect of an organisation, even if 
its levels could provide a convenient shorthand for describing maturity in areas
where CMMI proper doesn’t apply. For those seeking more information, refer
to the CMMI, web address in Resources Appendix [CMMI, web].

CMMI is commonly seen as a five-stage process, with organisations progressing through the stages in turn, although there is also a continuous representation, which allows an organisation to be at a different capability level in different process areas at the same time (and CMMI experts often find this a more productive way to look at real organisations). The staged representation is easier to follow as a basis for discussion of maturity. The stages (with their CMMI names) are:

5 (Optimizing) The institutionalisation of continuous process improvement through proactive process measurement.

4 (Quantitatively Managed) The use of quantitative process metrics, at the organisational level, to manage and improve the process.

3 (Defined) The availability of managed process at an organisational level.

2 (Managed) The availability of managed process, at a project level.

1 (Initial) The ad hoc application of process.

Level 1 doesn’t mean that you have no process or that projects always fail or that nothing good happens – a common misconception. However, at Level 1 any successes can’t be guaranteed – they may depend on particular people or circumstances and a way of working in one project that delivers success may be abandoned or, at least, not used somewhere else, simply because management doesn’t recognise what it has. It is hard to see how you can claim any great degree of IT Governance at the equivalent of CMMI Level 1.

Going from Level 1 to Level 2 can be quite onerous, because it involves recognising
and documenting what you have – and that often brings you up against the usual
people issues as your IT ‘mavens’ may feel that documenting what they do and
sharing it with others diminishes their value in the organisation. At Level 2, you
are starting to have a degree of IT Governance – and, remember, that we are
only using the CMMI Levels as a framework for describing maturity levels. You
may effectively be at something corresponding to CMMI Level 2 as far as IT
Governance is concerned, even if you aren’t formally implementing a CMMI
initiative and haven’t undergone CMMI assessment (just don’t claim to be at
CMMI Level 2 unless you do undergo proper appraisal, undergo regular re-
appraisals and publish the appraisal class – A, B or C – and its scope).


CMMI Level 3 is probably as far as you absolutely need to go for IT Governance – which is not to say that going further doesn’t bring advantages and even better governance. However, at Level 3, you not only know what you have and know what you are doing with it, you are managing your IT resource at an organisational level and making basic measurements of the effectiveness of your management, which you can use to improve it.

At what corresponds to Capability/Maturity Level 3, which includes Level 2, you should have, at least:

• Asset management in place, including management of information, infrastructure and application assets.

• An organisation-wide security policy, based on risk management and effective identity management.

• Implemented a business continuity policy; complemented with service level management; incident, service impact and problem management; and effective capacity planning and provisioning.

• Effective configuration management in place.

• Information lifecycle management in place, ensuring that electronic business records are kept safely for as long as necessary and then disposed of reliably and securely.

• Managed processes for application lifecycle and operational management.

It should be noted that CMMI is itself developing, partly to address “gaming” of appraisals by company marketing departments (which is why the scope of an appraisal should be available and why appraisals have a limited period of validity). Interesting developments are new CMMI “constellations”, CMMI-SVC for developing services rather than software and CMMI-ACQ for companies acquiring automation rather than developing it. There is also the issue that maturity and good process isn’t an end in itself but a means for delivering business outcomes – and an organisation which is generally of high maturity may fail to deliver because just one key part of the organisation is at a low maturity level and fails to control risk.

Process-driven development and operations are fundamental to what we think of as IT governance and will be treated in more detail in the next chapter. A typical but vendor-independent development process is the Dynamic Systems Development Method [DSDM, web] and a widely accepted infrastructure/operations management process is documented in ITIL®, originally sponsored by a UK Government computing organisation [ITIL®, web].