IBM today outlined its strategy towards IT governance and risk management, a phrase that security professionals use to describe the management of IT assets and processes, including enforcing security policy and ensuring business continuity.

IBM, which has been on a buying spree of companies in the risk-management arena, says the IBM Governance & Risk Management division will be providing professional services, combined with tailored product offerings, to customers seeking help in coming up with corporate plans and implementing them.

“There are basically two holes in IT governance -- how to get reliable information about current applications and architectures in order to set the direction of policies, and then where do you enforce that policy,” says Bob Madey, vice president of strategy and business development at IBM Tivoli.

During the past year, IBM has seen IT governance and risk management as a growing market, and to beef up its product portfolio, has sought out and acquired smaller vendors with specific product expertise, including Consul, FileNet, Micromuse and Internet Security Systems.

The products obtained in these acquisitions, such as the Micromuse Netcool security-information management that has been integrated into the Tivoli Business Systems Manager, are the arrows in IBM’s quiver in the effort to convince customers that it can help with their risk-management concerns.

However, Madey says it’s not necessary to be an IBM Tivoli customer to benefit from the IBM’s IT governance and risk management services.

IBM says its learning curve on the security topic has accelerated through a group it established three years ago called the Data Governance Council, which comprises 34 IBM customers and 12 IBM business partners and vendors.

Steve Adler, IBM program director of the Data Governance Council, says the group is comprised mainly of CISOs, CIOs and some CEOs. They meet regularly to discuss in private the impact that regulations such as Gramm-Leach-Bliley and numerous data-privacy regulations are having on their organizations, he says.

“There are data-use issues when companies are outsourcing application development offshore, for instance, or merchants are holding sensitive data” Adler says. “We spend the time talking about these problems. And we’ve come up with a list of best practices we see as a ‘maturity model.’”