Monday, December 31, 2007

IT Governance is becoming more of a buzzword nowadays, and for a good reason. More and more of a company's financial transactions are fully automated, and with that come ample opportunities for theft from a company. IT systems also hold most of the intellectual property a company has, and theft of IP has been listed as one of the top issues for US companies in Asia: http://www.mytelus.com/money/news/article.do?pageID=ex_business/home&articleID=2844426.

IT Governance should be part of the company's overall Governance, Risk, and Compliance (GRC) efforts. GRC should drive the investments, divestments and strategy for IT to ensure the competitiveness of the company. This includes protecting the company's valuable assets. IP protection will become more and more important as IP moves away from paper-based IP towards digitized IP. The question is, how do you identify and protect your IP?

The only way to identify IP is to evaluate the business processes that create, use and store it. In most instances, IP "floats" around in an organization in email and documents, even when there are safeguards in place for who can access the IP initially.

When these business processes are understood, a process redesign might be necessary, and if so, it should be risk driven. If you have IP, and you are concerned about losing it, the first step should be to go over your current policies. Are they adequate? If they are adequate, have you put in place security controls that enable you to measure compliance against the policies? If you are missing controls, or have less than optimal controls, it is well worth spending the time to quantify the risk of non-adherence to the policy, and to address the areas with the highest risk first.
