IT Governance Checklist
Every year we depend more on technology to store and manage many types of data for many purposes. Along with that comes the responsibility for managing it appropriately and according to IT governance best practices, which is a relatively new issue for boards to address. The responsibility for overseeing the management of electronic processes falls to the board of directors. This is no small task due to the large number of individuals and employees that need to access the organization’s data on a regular basis.
Your initial attempts at governing information technology will certainly feel overwhelming. By taking things a step at a time, starting an IT governance checklist, and considering it a work in progress, your board will be well on its way to understanding how it can best tackle the difficult task of overseeing IT governance.
To help you get started, we’ve devised a thoughtful list of items for you to consider when working on oversight of your organization’s overall IT governance strategy. Be advised that this isn’t intended to be a comprehensive list and that you will need to customize it according to the needs of your industry and organization.
Strategic Alignment with IT
- IT should be involved in the organization’s strategic planning.
- IT should develop its own plan and work collaboratively with the board to support the organization’s strategic plan.
- Evaluate and outline the overall direction for technology.
- Review IT operations in every department.
- Establish IT budget and review with board.
- Establish best practices for IT initiatives.
- Devote some time and resources to assessing technologies for new business opportunities.
Delivering Value to the Organization
- The board should review IT policy annually.
- Regularly communicate with employees on IT policy and cybersecurity protocols.
- Ensure that all employees and third parties follow policies.
- Review current IT program.
- Consider the impact of emerging technologies.
- Make recommendations for changes in vendors, equipment, and services.
Risk Management
- Perform a risk assessment.
- Review the organization’s disaster recovery plan, test it, and review the test results.
- Engage a third party to assess the organization’s risk and make necessary changes.
- Regularly inform the IT department or other responsible individuals of new legislation or regulations and ensure compliance.
- Record changes in IT processes and document them in the risk management plan.
Managing IT Resources
- Schedule a regular budget review of IT operations.
- Regularly evaluate IT department personnel to prevent fraud or insider threats.
- Monitor capital expenditures to ensure the IT department is on budget.
- Review the organization’s plan for safeguarding assets.
- Set up continuing training and development for IT staff.
Measuring IT Performance
- Understand how the firm measures performance.
- Establish performance standards for the IT department.
- Review the IT department’s performance results annually.
- Recommend changes for the IT department if needed.
- Assess the IT department’s performance as compared with peers.
- Is our process for data classification effective?
- How do we handle confidentiality of data that multiple departments and individuals need to access?
- How well does our IT staff enforce best practices and policies for security and confidentiality?
Understanding Data Volume
- Assess how much data the organization has.
- Diagram the sources that channel data into the organization.
- How much new data gets generated every year?
- Is the data in electronic or paper form?
Evaluate the Current Records Management System
- What is our current records management policy?
- Is our records management system centralized?
- Where is our electronic data stored?
- Identify and document the location of data backups.
- Ensure that data retention practices match data retention policies.
- Is there sufficient security for the handling of physical records?
- What groups or individuals have access to data management processes?
Establishing Processes for Legal Hold Compliance
- Who is responsible for controlling electronic devices?
- What is the process for tracking devices?
- Do we have a comprehensive legal hold handbook?
- How do we define legal hold data?
- What are the policies for using personal devices for work and for storing corporate data on them?
- Are employees trained in how and when to back up devices, and is there a system in place to monitor it?
- Do we keep legal hold data separate from other data?
- How can we retrieve legal hold data during times of litigation or investigation?
Process for Managing Data
- What department or individual controls our data?
- Who do we need to share our data with?
- Are our organizational data management policies sufficient for compliance?
- Can we navigate data quickly?
- Do we have enough data storage for the next three to five years?
- Do we have a process for deleting data after a certain point?
- Do we have mobile app programs for accessing data?
- Do we need to make improvements in how we classify our data?
Mitigating Risk and Creating Cost Savings
- Do we have policies for handling sensitive data?
- Do we have a budget for data management and is it sufficient?
- Do we have efficient processes for managing data?
- Do we have protections in place to prevent data loss in addition to backup programs?
Processes to Account for Change and Adaptability
- Do we have sufficient flexibility in our data management processes to implement change quickly?
- Have we defined the proper internal and external individuals to update data management processes and policies, including compliance policies?
- Does the board have a process to adequately oversee changes in the data management processes?
Consider this a prime opportunity for your board to work collaboratively with your IT department to make major improvements in your IT governance practices. As new advancements in technology emerge, revisit the checklist and make adjustments to your policies and your checklist accordingly.
Most importantly, be sure to stay current with forthcoming laws and regulations that will affect your IT governance activities now and in the future.