
The PCUBE-SEC style of enterprise-, and IT governance

In document Óbudai Egyetem (pages 19-22)

2. The basic factors of the security-supported governance methodology

2.1 The history of corporate governance - enterprise governance - IT governance, and the

2.1.3 The PCUBE-SEC style of enterprise-, and IT governance

Summarizing the previous requirements, we have quite a lot of goals for our framework.

Here is a collection of them, together with references to the means of achieving them. These are the aspects that the definitions of the basic notions have to take into consideration.

The corporate governance framework has to support company growth and market success. This has three immediate consequences, that is, three requirements.

The first is continuous development; this is the only way to stay alive: if a firm stops developing, it will inevitably fall behind, as we have already mentioned. Here development means business development, and even innovation.

The second, trivial consequence is business support.

The third is compliance with external obligatory requirements of any kind. These can be obligatory either inherently or by regulation. Natural, social and similar circumstances belong to the first type, while the requirements of the government administration, of the shareholders, of the parent company, etc. belong to the second.

These requirements will be handled by my excellence criteria, which, besides helping to characterize the desired quality of the results of the staff's actions, contribute to providing the promised recipes of best operational practice. Some of these practices have predecessors, even if sometimes remote ones, in information security and IT audit.

Probably the most important excellence criterion to be introduced here is the already mentioned order. Besides supporting every improvement effort, it can be used to estimate the difference between the present state and the targeted future state.

To achieve any goals, first the goals themselves, and thus the strategic directions, have to be fixed. As a starting point this means ensuring that an enterprise strategy exists, which should contain the definition of the strategic goals.

All this is useless, of course, without measures, in other words actions, that are able to enforce the fulfillment of these goals. However, actions have no place in definitions.

In identifying the numerous possible actions, the already mentioned pillars of operations will help by providing a means of classifying the tasks and their scope.

When discussing my excellence criteria I will emphasize that the strategy is useless without built-in maintenance obligations. These should require both regularity and adaptation to the changing internal and external circumstances.

Actors who fulfill them have to be assigned to the actions and to the requirements alike.

The tasks and responsibilities of the different actors at different hierarchical levels are, of course, different. In the first place, as will be emphasized here more than once, top management is responsible for everything. However, in order to implement the requirements in real life, every member of the staff has to have his or her own responsibility delegated and assigned, according to their role in the corporate organization and hierarchy.

Taking all this into consideration, and at the same time removing the consequences from the definitional level, I formulated a definition that is simple enough to be applied in ordinary practice. In its entirety this definition was first published in 2012 [Szenes, 2012, MM], but it already had predecessors in 2010 [Szenes, 2010, GRC]. In that early version I explicitly required the management of the communication media, but now I consider this to be one of the activities necessary to direct a company. It must be noted, however, that this is an important requirement. A lot of harm can be done if it is badly conducted. Doing it cleverly might be a little exhausting, but it bears fruit immediately.

Another important novelty of my definition is that it emphasizes the responsibilities of those who work at, and hopefully also for, the company.

I define

PCUBE-SEC enterprise governance,

as the responsibility of the whole staff, top management included. Top management has to direct the company in the best possible way towards market success, taking every kind of environmental aspect into consideration as far, and in such a way, as is in the interest of the enterprise, based on the strategy of the institution. Defining and maintaining this strategy is the responsibility of the top management, while the staff is responsible for supporting the top management in these matters.

Note 1

I intentionally avoided using the word "involve", which is very popular in such definitions.

I would like to work with an "enterprise governance" notion that leaves no doubts behind, if this is at all possible. That is, no hidden details are "involved".

Note 2

The double responsibility of the top management is very important: the strategy is actually the document describing how they are to perform their work in the given internal and external circumstances.

Note 3

I pondered a lot about assigning responsibility to the staff, too, already at the definitional level.

Then I decided to state explicitly that everybody has work to do: auditors, business and auxiliary areas alike. At the same time, I wanted to embrace every responsibility that had already been identified by the predecessors, e.g. the direction and control system of OECD 2004 or ISO 38500.

Trying to take into consideration every idea presented here concerning such distinguished predecessors of my IT governance interpretation as ISACA CRM, COBIT and the advisory standard of ISO, I suggest the following definition.

Successful IT governance

I define as one of the necessary conditions of successful enterprise governance: directing IT in such a way that it serves enterprise governance according to the intentions of the top management. Every member of the IT staff is responsible for it. The weight of their responsibility is directly proportional to their weight in the company hierarchy. The top management of the company is responsible for supervising IT governance.

Note 1:

By adding the qualifier "successful" I would like to emphasize that this is actually a requirement, which the PCUBE-SEC user may override, just as all my suggestions here. However, placing "success" into the definition might help improve the quality of enterprise governance, together with that of IT governance, and might improve the relations between top management and IT.

Note 2:

It did not seem necessary to emphasize an obligation to prepare a separate IT strategy; this depends on the way of operation.

2.2 The PCUBE-SEC operational objective - remodelling the definition of the control
