King III recommends that IT should be integrated with company strategy, according to Judge Mervyn King, chairman of the King Committee.
Judge Mervyn King told delegates that King III recommends that IT should be integrated with company strategy. In his keynote address, King said: "It is crucial for IT to be built into the business plan, as its main role is to facilitate the achievement of business strategy and add value."
During his keynote address at the ITWeb IT Governance, Risk and Compliance Conference, in Johannesburg, King pointed out that companies no longer look at business in silos.
This view is echoed by Gary Hardy, director of risk management company IT Winners. He said organisations should develop a life cycle approach to IT to ensure that IT governance, risk and compliance (GRC) objectives are established in collaboration with key stakeholders, and that measurable targets are set and monitored.
"Organisations should identify their needs and look for current burning issues and external drivers," advised Hardy. In addition, they should get input from management, audit, and risk and compliance teams, as well as agreement from executive management, he added.

King said the King III report recommends that all departments within organisations be aligned to strategy, so performance and sustainability can be achieved. "For this to be effective, there should be proper management in place for all the structures, processes, and mechanisms," King added.
KEEP IT SECURE
King also urged delegates to develop an information security management system (ISMS) for their businesses. "This ISMS should ensure the confidentiality of information, the integrity of information, and the availability of information, as well as information systems, in a timely manner," he stressed.
"The risks involved in IT governance have become significant, as IT systems have become integral to a company's strategy and business," King stated. Risk also includes the involvement of outside parties, such as service providers, so this makes IT risks form part of the company's risk management.
"Organisations should make sure there are adequate arrangements for disaster recovery, and if there are IT legal risks involved," he said. Above all, the company should make sure it is complying with applicable IT law.
Verine Etsebeth, lecturer at Wits Law School, spoke on IT law and procedures. "You can be held personally liable if you do not have information security in your company. While the buck stops at the board, before the director loses his holiday home he is going to fire you," warned Etsebeth.
Etsebeth identified the components of information security as physical security, technological security, and procedural security. Of these, procedural security poses the biggest threat, she said.
The Constitution (1996 s14); the Electronic Communications and Transaction Act (2002); the Protection of Personal Information Bill (2005); the Promotion of Access to Information Act (2000); and the Regulation of Interception of Information Act (2002) are all laws that apply to information security today, said Etsebeth. She advised companies to familiarise themselves with these laws and ensure full compliance.