FASTtalk January 2008
There are many best practice frameworks available for IT.
Here FAST looks at how to get the most out of them.
Today there is increasing pressure on organisations to embrace
and demonstrate good corporate governance. However, organisations
adopting (or talking about adopting) IT best practice often take
the same piecemeal approach: they pick out the specific sections of
a standard or methodology that address a particular issue and
implement only those.
While companies may be daunted by the initial cost and time needed
to implement the necessary tools and processes, by being selective
they potentially miss out on the cost savings and other business
efficiencies to be gained from fully integrated and documented
controls.
Many best practice frameworks are available for IT, including the
FAST Standard, ITIL, the Software Asset Management Standard
(ISO/IEC 19770-1), the IT Service Management Standard (ISO/IEC
20000) and the Information Security Management Standard (ISO/IEC
27001). Whether and to what extent an organisation adopts these
methodologies should be driven by its specific business
requirements, but there are clear benefits to be gained:
- Improve control over the IT infrastructure
- Address legal requirements and limit liability (for example,
FAST identifies 21 key pieces of legislation that affect the IT
environment, which are addressed through the FAST Compliance
Programme)
- Minimise business risk
- Improve financial planning, with the potential to reduce costs
In order to maintain a controlled IT environment, organisations
must first understand what they have in their IT estate. Software
compliance cannot be achieved without having a full picture of all
hardware and software assets within the organisation. From a
security perspective, organisations also cannot implement the
proper security controls if they don’t know what they are trying to
protect.
In the area of software compliance, without a methodology that is
easy to follow and understand - such as the FAST Standard for
Software Compliance (FSSC-1:2007) - many organisations will execute
only part of what is required to achieve compliance. For example,
they may buy an audit tool but never complete a full audit, looking
only for the software they expect to find. An audit run that way
will miss any other unlicensed software on the estate, exposing the
organisation to licensing and security risk it is not even aware of.
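To make the audit point concrete, the following is an added example (not FAST's tooling, nor a method FAST prescribes) that reconciles a discovery-style software inventory against a licence entitlement register. It contrasts an "expected-only" audit, which counts just the products on the register, with a full audit that enumerates everything found and reports both over-deployed and entirely unlicensed products. The inventory lines, product names, hostnames and licence counts are constructed sample data; a real estate would feed in an inventory tool's export.

```python
"""Reconcile a full software inventory against a licence register.

Added example, not code from FAST or from any FAST standard. All data
below is constructed for illustration.
"""
from collections import Counter

# Constructed sample inventory: one "host,product,version" line per install,
# as a discovery agent might export it. Note the inconsistent capitalisation
# on ws-004, which is typical of real inventory data.
INVENTORY = """\
ws-001,Microsoft Office,2007
ws-001,Adobe Acrobat,8.1
ws-002,Microsoft Office,2007
ws-002,WinZip,11.0
ws-003,Microsoft Office,2007
ws-003,Adobe Photoshop,CS3
ws-004,microsoft office,2007
ws-004,uTorrent,1.7
"""

# Constructed entitlement register: normalised product name -> licensed installs.
ENTITLEMENTS = {
    "microsoft office": 3,
    "adobe acrobat": 1,
}


def normalise(name: str) -> str:
    """Fold case and whitespace so 'Microsoft  OFFICE' matches 'microsoft office'."""
    return " ".join(name.strip().lower().split())


def parse_inventory(text: str) -> list[tuple[str, str, str]]:
    """Parse 'host,product,version' lines into (host, product, version) tuples."""
    installs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected host,product,version")
        host, product, version = parts
        installs.append((host, normalise(product), version))
    return installs


def expected_only_audit(installs, entitlements) -> dict:
    """The partial audit the text warns about: look only for products on the register.

    Over-deployment of known products is caught, but anything not on the
    register is never counted, so unlicensed software stays invisible.
    """
    counts = Counter(p for _, p, _ in installs if p in entitlements)
    return {p: {"installed": counts[p], "licensed": n} for p, n in entitlements.items()}


def full_audit(installs, entitlements) -> dict:
    """Enumerate every install first, then reconcile against the register."""
    counts = Counter(p for _, p, _ in installs)
    over_deployed = {p: counts[p] - n for p, n in entitlements.items() if counts[p] > n}
    unlicensed: dict[str, list[str]] = {}
    for host, product, _ in installs:
        if product not in entitlements:
            unlicensed.setdefault(product, []).append(host)
    return {
        "over_deployed": over_deployed,
        "unlicensed": {p: sorted(hosts) for p, hosts in unlicensed.items()},
    }


def report(text: str, entitlements) -> list[str]:
    """Human-readable comparison of the two audit approaches."""
    installs = parse_inventory(text)
    partial = expected_only_audit(installs, entitlements)
    full = full_audit(installs, entitlements)
    lines = ["Expected-only audit sees:"]
    lines += [f"  {p}: {v['installed']} installed / {v['licensed']} licensed" for p, v in partial.items()]
    lines.append("Full audit additionally finds unlicensed software:")
    lines += [f"  {p} on {', '.join(hosts)}" for p, hosts in full["unlicensed"].items()]
    lines.append("Over-deployed against entitlements:")
    lines += [f"  {p}: {n} install(s) over" for p, n in full["over_deployed"].items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, ENTITLEMENTS)))
```

The expected-only audit does spot that Microsoft Office is deployed once more than licensed, but WinZip, Photoshop and uTorrent never appear in its output because nobody asked about them; the full audit surfaces them because it enumerates first and reconciles second. The normalisation step matters too: without it, the lower-case entry on ws-004 would not be matched against the register and the over-deployment would be missed as well.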
Additionally, technology alone cannot provide the solution to
proper IT governance. Working towards best practice also requires
good planning and potentially a change in culture. The human
element must be considered as many risks associated with IT systems
actually come from the end-users of technology. This is where the
policies and procedures that govern the use of IT come into their
own.
It is important that organisations publish clear and concise
guidelines to users, designed to push responsibility and, to some
extent, liability back on to the employee. Many organisations go
part way towards this but do not monitor or enforce such policies.
The net effect is that the culture does not change. Then, when they
do need to enforce a particular policy, they find that the policy
and procedure documents were never properly disseminated, and,
because they never enforced the policy for a similar transgression
in the past, they may be accused of not treating staff fairly.