Information technology is one of the most valuable yet often least understood assets in a business. It takes an insightful enterprise to recognise the benefits of information technology and use it to drive stakeholder value. Moreover, successfully managing information technology in a business also means understanding and mitigating the risks associated with it, including increased regulatory compliance and the critical dependence of many business processes on information technology (according to the IT Governance Institute).
IT governance falls under the mandate of a business’ executives and its board of directors. The King Code on Corporate Governance states that IT risk should form an integral part of an organisation’s risk management plan.
The role of information technology in the economic and social prosperity of the country is expounded in the Electronic Communications and Transactions Act, 2002 (Act 25 of 2002). The Act strives to ensure that electronic transactions in South Africa conform to the highest international standards and that a safe, secure and effective environment for the consumer, business and government is developed wherein electronic transactions can be conducted and utilised. To achieve this, the Act seeks to ensure compliance with accepted international technical standards in the provision and development of electronic communications and transactions.
To this end, the long-awaited Protection of Personal Information (PoPI) Act, 2013 (Act 4 of 2013) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far reaching, with a significant impact on the manner in which companies collect, store, use and disseminate personal information. In addition, King III recommends that formal disaster recovery and contingency planning should form a vital part of good corporate governance practices.
As the online environment becomes ever more complex, it has become almost impossible for businesses to address all the risks inherent in operating a computer network. Moreover, as technology evolves, so the crimes associated with it become increasingly complex. As such, the importance of prioritising risk management procedures specific to a business’ information technology structures cannot be overemphasised; these procedures are an integral part of combating cyber crimes and mitigating their effects.
Despite the fact that society has adapted quickly to sophisticated technology, a startling majority of small to medium-sized enterprises do not have formal disaster recovery or business continuity procedures in place. Perhaps this avoidance is due to the complexity of information technology systems. It could also be that smaller businesses are reluctant to hire outside professionals to assist with compiling such contingency plans.
Whatever the reasons, it has become clear that it is no longer sufficient to rely on back-up drives alone – particularly if these are stored on the premises. Indeed, the more reliant an organisation is on its computer network and systems, the more complex its risk management programme is likely to be. To this end, IT service providers are positioned not only to provide expert advice, but also to assist with the compilation of a comprehensive information technology strategy, including costing analysis and budgeting.
There is a wealth of information that is freely available and easy to obtain that can be used to assist a business to conduct a risk assessment and prepare an information technology risk management framework. For example, the Information Systems Audit and Control Association (ISACA) has compiled the Control Objectives for Information and Related Technology (COBIT) framework, which specifically addresses information technology management and IT governance. Furthermore, the PCI Security Standards Council incorporates and cites a number of methodologies that are available to assist organisations in developing their risk assessment process: those of the International Organisation for Standardisation (ISO), the National Institute of Standards and Technology (NIST) and the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
In this climate, business managers who have not implemented sufficiently detailed disaster recovery and business continuity plans are not only in contravention of good corporate governance, but are also placing the business in a precarious position that responsible management would not risk.
Author: Catherine Berry, BBA, B Comm Hons, is Senior Underwriter, Financial and Professional Lines, at Camargue