COBIT is the framework for the “corporate governance of information technology” (Gelinas, Dull, & Wheeler 2014, p. 295). This paradigm enables companies to improve their IT operations and overall information management. COBIT provides a big picture due to the use of the holistic approach. The framework is based on five principles. The first principle is meeting stakeholders’ needs, which implies the balance between the organizational goals, the use of resources, and the realization of benefits through IT utilization (COBIT 5: enabling information 2013).
The second principle is “covering the enterprise end-to-end” (COBIT 5: enabling information 2013, p. 16). The framework sees IT-governance enablers (policies, processes, structures, culture, services, and so on) as inclusive and relevant for the entire organization. The third principle is the application of a single integrated framework, which involves the use of comprehensive practices and standards. The fourth principle is associated with the seven enablers, which include principles and policies, processes, structures, culture, information, services and infrastructures, and skills and competencies (COBIT 5: enabling information 2013).
This principle focuses on the use of a holistic approach and a focus on the seven enablers. Finally, the fifth principle implies a clear separation of principles and activities that refer to governance and management.
It is necessary to note that these principles enable organizations to operate efficiently through the use of effective IT governance strategies. The case in question is illustrative in terms of the importance of the implementation of the principles mentioned above (Austin & Short 2009). It is possible to focus on such principles as covering the enterprise end-to-end, application of an integrated framework, and enabling the holistic approach.
iPremier focuses on profits and meeting organizational goals. IT is seen as a tool to achieve the aim rather than a company’s asset. This attitude is related to the second principle mentioned above, and it is clear that the company did not follow it. The company’s approach translated into inefficient equipment and the lack of resources in the IT department. The company does not have a server where the data concerning customers (such valuable information as financial data) could be stored. This information was vulnerable to attack. It is crucial to make sure that the data are safe and that there is proper equipment to ensure this data security.
It is also necessary to add that the third principle is not followed as well. The company seems to have some guidelines where procedures applicable in certain situations are described (Austin & Short 2009). However, the employees do not know where the guidelines are or what is mentioned there. This neglect of the principle of an integrated framework led to significant confusion and a waste of a lot of time. Employees did not know what exactly to do, and when the IT professional went to the company providing the IT service, she was unable to get to work. There should be specific procedures and protocols that would enable the company to identify the problem and address it properly.
Finally, the company did not comply with the fourth principle as IT governance is not integrated into the entire system. There are only some attempts to bring order to the IT sphere, but the lack of focus on this area has resulted in a lot of confusion. The company’s priorities (growth and profit) were not related to IT governance. The procedures were not described or developed properly, and employees were mainly unprepared for any non-standard situations. It is unclear whether the hacker attack had any negative consequences for the customers as well as the company (its reputation, financial losses). However, the lack of compliance with the principles of COBIT often has negative implications for organizations. It is possible to consider some data breaches that took place within the past 12 months.
One of the most notorious information leaks of recent years is the breach at Mossack Fonseca, the law company located in Panama. The reasons for the information breach have not been reported properly. However, according to the available information, the data leak occurred as a result of an email attack, which was successful as the company did not utilize widely used Transport Layer Security protocols (Gross 2016). This information breach had various implications. Clearly, it had a tremendous negative effect on the company’s reputation. More importantly, it affected the organization’s customers, mostly politicians. Their reputations were damaged considerably. These consequences are the most undesirable as the security of customers is the priority of any company.
Another leak also involved financial information disclosure. The information breach occurred at Qatar National Bank (Murdock 2016). As a result of the data leak, 1.4GB of customers’ financial information was exposed (Murdock 2016). The data included customers’ names and addresses as well as their credit card information. The seriousness of the situation can be acknowledged when looking at the list of the bank’s customers.
These include the Al-Thani royal family, some people related to the state’s security services, and so on. The bank’s official note was that there was an insignificant amount of trustworthy information on customers, but the major portion of the data exposed was available from various social networks. Thus, the bank’s top managers stress that the target of the attack was not the customers’ information per se but the bank’s reputation. Of course, such attacks may discourage people from addressing the financial institution, which they find vulnerable. Existing clients may also want to find other places for their money. At the same time, this breach can also hurt customers whose money can be stolen in addition to their information (as well as strategies used to hack the bank’s security system).
Another data breach involved mobile applications and quite limited information, including customers’ passwords, logins, and addresses (Golden 2016). Reportedly, the CBS mobile website was attacked, and some customers’ data were compromised. The company’s officials stress that financial information was not disclosed. However, the organization’s reputation was still damaged. The customers could see that their information was not secured and that the company could not be trusted.
On balance, it is possible to note that any information leak is a serious issue for any company. In the vast majority of cases, it has a detrimental effect on the company’s reputation. However, in some cases (for example, the Panama law company’s case), many customers may have various issues, which could include significant damage to their reputation. At the same time, compliance with the principles of information governance can secure companies and their data. It is crucial to make sure that the company employs a holistic approach where information governance is one of the major priorities.
Austin, RD & Short, JC 2009, ‘iPremier (A): denial of service attack (graphic novel version)’, Harvard Business School, pp. 1-32.
COBIT 5: enabling information 2013, ISACA, Rolling Meadows, IL.
Gelinas, UJ, Dull, RB & Wheeler, P 2014, Accounting information systems, Cengage Learning, Stamford, CT.
Golden, J 2016, ‘CBS had data leak during March Madness: security firm’, CNBC. Web.
Gross, G 2016, ‘The massive Panama papers data leak explained’, Computer World. Web.
Murdock, J 2016, ‘Qatar National Bank admits leaked financial data on customers “may be accurate”’, International Business Times. Web.