Leveraging COBIT 2019 to Face the Challenge of Digital Transformation in Small Enterprises


Information is a key resource for all organizations, regardless of their size. It is created, used, retained, disclosed and destroyed. Technology plays a key role in these activities. Both information and technology (I&T) have become an integral part of all aspects of personal and enterprise life.

There has been a gradual increase in the number of small enterprises in the marketplace, causing visible impact on employment and production. In the current environment, it is vitally important that these enterprises are clear about the relevant role of I&T and engage in the challenge of digital transformation, taking advantage of the resources that are available in the market.

In this context, small enterprises that want to survive and grow must also create spaces for continuous improvement through small actions that can have a high impact on the improvement of their operations. The COBIT® 2019 framework, with its 7 components of governance and management systems and 40 clearly defined and detailed governance and management objectives, offers the opportunity to take advantage of good practices that arise from multidisciplinary contribution. The guidance is highly useful for all types of organizations, regardless of industry, sector, size or other classification.

That said, it is generally agreed that, although implementing all the COBIT 2019 governance and management objectives together with their key components might represent a utopia, doing so would lack an adequate cost-benefit ratio for a small enterprise. However, there are concrete activities and specific good practices that can be obtained from this enterprise framework, represented by its guides and associated tools, that can be useful for small enterprises based on 2 fundamental challenges they face today:

  1. Establishment of a healthy governance and management environment—Given the organizational structure and limited resources that commonly exist in small enterprises, it is difficult for them to establish a healthy governance and management environment, which can lead to an absence of policies and procedures that facilitate the achievement of objectives and a lack of skills and competencies to exploit new technologies in this changing environment.
  2. Lack of awareness on information security issues, including cybersecurity and data privacy—This, added to the lack of policies in these aspects and the absence of business recovery plans, puts small enterprises in a state of extreme vulnerability and high risk that jeopardizes their survival.

For the first of these challenges, COBIT 2019 offers good practices (figure 1), including this highlight: Small enterprises should analyze their I&T objectives and goals and their possible contribution to their strategic objectives through a minimum-infrastructure environment that facilitates innovation, including collaboration tools, remote work facilities and inexpensive applications or solutions that automate manual tasks by leveraging cloud services (Align, Plan and Organize [APO] APO04.01).

This will not be achieved unless the organization analyzes the drivers of its business and the industry, its strategy, other factors of its business environment, such as digital transformation (APO04.02), and other strategies that may come from the contribution of its collaborators on current I&T issues such as cloud tools (APO04.03).

In the pursuit of guaranteeing compliance with contractual and legal provisions, it is recommended that small enterprises keep a record of software acquired and maintain adequate license control (Build, Acquire and Implement [BAI] BAI09.05).

Finally, it is advisable to identify skills and competencies available from internal and external resources, identify the most relevant gaps and define an improvement plan (APO07.03).

For the second challenge, becoming oriented with security, data privacy and continuity issues, COBIT 2019 offers the following recommendations:

  • Understand the environment and identify vulnerabilities in information security.
  • Establish principles and policies for the security and privacy of information.
  • Establish monitoring of the infrastructure to identify information security events.
  • Define incident response actions and communications to be taken in the event of an outage.

It is also recommended that small enterprises consider the good practices outlined in figure 2.

Regarding the needs associated with business continuity, small enterprises must identify critical solutions and services to consider their capacity and availability management (BAI04.02), including regulatory issues and contractual commitments (Deliver, Service and Support [DSS] DSS04.01 and APO10.03). They must also identify the critical hardware and software assets that deliver the organization's services and consider the need for their replacement or upgrade with cloud options (BAI09.02).

Incidents that impact the continuity of the services must be registered and their solution managed through response actions (DSS02.02). It is also recommended that minimum backup requirements be defined to be able to recover vital information if necessary (DSS04.07).

With regard to information privacy, it is important to identify sensitive data and those responsible for the data (APO01.07) and to specify the roles and responsibilities to support the management of information that is deemed sensitive (APO14.01).

Conclusion

COBIT 2019 and its governance and management objectives can help support the establishment of a healthy governance and management environment and improve security, data privacy and continuity for small enterprises. It can also be helpful to seek advice from business chambers and professional communities to improve the value of I&T.

Daniel Morales Banegas, CISA, COBIT 2019 Foundation, Design and Implementation, COBIT 5 Design and Implementation, CSX-F, PMP

Is an IT governance and audit independent consultant, and an APMG International-accredited trainer for COBIT® 5 and COBIT 2019 foundation, and COBIT 5 design/implementation and assessor. He can be reached at morales.d.3@gmail.com.

Alexander Zapata Lenis, CISA, CRISC, CGEIT, COBIT 2019 Foundation, Design and Implementation, PMP

Is the director of IT governance at SAS, vice president of the ISACA® Medellin Chapter (Colombia) and an APMG International-accredited trainer for COBIT 2019 and COBIT 5 foundations and implementation. He can be reached at info@itgovernance.com.co.