The Difference Between the Information Technology

Technology Steering Committee

One of the primary differences between an IT Steering Committee and the IT Oversight Committee is that an IT Steering Committee consists mainly of business unit leaders and department heads and does not normally in-clude members such as the CEO or CFO (Hoffman, 2004). An IT Steering Committee does not operate at board level but at management level. The IT Oversight Committee, however, does include board-level participation, the same as any other sub-committee of the BoD and operates at board level. These differences demonstrate that the functions of the IT Oversight Committee and an IT Steering Committee are dissimilar. The aim of the IT Oversight Committee is to make recommendations to the BoD regarding an appropriate IT strategy for the organization (IT Governance Institute, 2004). From this point one or more IT Steering Committees assists Execu-tive Management in implementing the IT strategy decided upon by the BoD (IT Governance Institute, 2004). Some typical duties of an IT Steering Com-mittee include overseeing significant IT projects and handling IT priorities and the allocation of IT resources (IT Governance Institute, 2004).

The IT Oversight Committee helps the BoD set an appropriate strategy for organizational IT Governance endeavors, whereas, one or more IT Steer-ing Committees aim to implement this strategy to realize the vision of the BoD in terms of IT Governance.

7.5 Conclusion

The provision of clear insight and advice in terms of IT strategy contributes towards an improved system of internal control that better supports the overall Corporate Governance objectives of the organization as well as in-formation security. However, there is a possibility that the discussions of the IT Oversight Committee may become too detailed or technical and it is necessary to emphasize that its focus should remain on IT oversight and strategic planning (Nolan, 2004). There appears to be some debate about the membership of the IT Oversight Committee. Previous findings are based

on current literature, but, IT oversight is still a new concept which is sub-ject to review and adjustment. However, corporate BoDs who undertake the challenge of IT oversight demonstrate that they understand the scope of their corporate accountability and responsibility and are proactive in their leadership duties and understand that since IT plays a major role it is nec-essary to govern its use effectively to reduce risks to corporate information assets. Although, none of the prominent Corporate Governance manuals or approaches dictate the existence of an IT Oversight Committee, several sources have promoted its employment. Therefore, it can be motivated that an IT Oversight Committee is an absolute necessity when IT plays a major role in business, according to the arguments presented in this chapter.

These arguments demonstrate the accomplishment of the primary objec-tive of the study. This objecobjec-tive involved the development of an ISG frame-work and the promotion of the significance of IT oversight enabling all aspects of business information risk to be governed effectively. This ensures the ef-fective alignment of IT with business and that information risks, including IT-related ones, are understood by the BoD and mitigated effectively through ISG and IT oversight. The achievement of the primary objective marks the resolution of the primary research question and emphasizes the importance of Information Security as a Corporate Governance responsibility.

Conclusion

145

Conclusion

147

8.1 Introduction

Information Security is an important organizational function. This disser-tation aims to emphasize the importance of Information Security as a Cor-porate Governance responsibility. Several key topics were discussed through the various chapters of the dissertation to achieve this. Some of these topics include Corporate Governance, Risk Management and the impact of IT on modern organizations. Greater dependence on IT has led organizations to be exposed to a wide variety of risks that threaten the security of corporate information assets. Information risks need to be brought under control and IT Risk Management plays a role in mitigating the technology-related risks to information. However, information is not only exposed to IT-related risks, therefore, proper Information Security efforts are required beyond those that merely mitigate IT-related risks. Organizations must strive to implement Information Security effectively and ensure it supports their business goals and the interests of the shareholders.

There needs to be strong board-level support for the Information Se-curity function through sound Information SeSe-curity Governance efforts to align it with the goals and objectives of the organization. These efforts will ensure organizations uphold shareholder interests, organizational goals and objectives and demonstrate due care and due diligence which is necessary to satisfy organizational compliance with legal and regulatory requirements.

The BoD needs clear direction to implement Information Security Gover-nance effectively. This dissertation proposed a framework for Information Security Governance to facilitate the BoD in exercising sound Information Security Governance, thereby, demonstrating due care and due diligence for Information Security.

The BoD needs to be aware of the many risks that IT presents, including IT-related information risks because IT plays a major role in enabling an organization to achieve its business objectives. It was stated previously that IT seems to be a neglected topic at board level. This can weaken organiza-tional Information Security Governance efforts because IT has a significant role to play in the storage, transmission and processing of information as-sets. Sound IT Governance efforts are required at board level to ensure that IT and IT strategy support the organizational business goals and objectives,

which include goals and objectives for Information Security. This disserta-tion motivated the importance of the IT Oversight Committee since the BoD appears to lack adequate knowledge and expertise to facilitate accurate IT decision making. The IT Oversight Committee has the knowledge and ex-pertise to advise to BoD on appropriate IT strategy and ensures that such strategy supports Information Security.

The arguments presented above form the basis of this study. The fol-lowing section presents a summarized account of each chapter and helps to motivate the main argument of the study.