Industry analysis by Beth Schultz, plus the latest news headlines.
First I must address an error I included in one of last week's newsletters, "Management and open source software, together at last." I had said the fledgling industry organization, the Open Management Forum, seemed to be defunct, but I was mistaken. A DNS error had made their Web site inaccessible from the address I had and from the links provided in a Google search. I am happy to report the OMC is alive and thriving with more than 30 members working toward open source and commercial management application interoperability. More on that group in future newsletters.
Now on to today's topic. Aspects of IT governance have come to the forefront of IT executives' priorities in light of compliance deadlines for industry regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA). While there are commercial products that promise to help IT managers track compliance, IT governance in and of itself is not just about technology. It is about how IT delivers services -- either in a centralized or decentralized manner -- and the controls and documentation put in place to maintain accurate configurations and enforce processes. For instance, IT governance would monitor changes made to systems and access to them, and assess whether those acts comply with security or regulatory policies.
Forrester Research categorizes such products as governance, risk and compliance (GRC) management tools. The products comprise many functions once handled by disparate departments across an enterprise organization.
"Increased risk and regulatory pressures in a distributed enterprise are propelling organizations to craft consistent game plans for centralizing GRC oversight," reads a recent Forrester report. "Organizations are to establish a platform that maintains a system of record for GRC. This enables disparate compliance and governance technologies to combine into a coherent regime for managing GRC across the enterprise."
With the size of today's IT environments and the constant rate of change to systems, many vendors have emerged with products that would automate the monitoring and assessment of these myriad changes. One problem area is monitoring changes to determine whether they comply with preset policies and whether those making the changes are authorized. In the past month alone, Active Reasoning and Tripwire updated their governance platforms to provide enterprise IT managers with more ways to ensure policies are followed and compliance demands are met.
To start, Tripwire updated its flagship software with more system support and enhanced capabilities that the company says help IT handle changes based on the systems to which they are made.
Tripwire Enterprise 6.0 combines the company's previous products, Tripwire for Network Devices and Tripwire for Servers, into one enterprise offering. Tripwire Enterprise 6.0 now can also determine if a change was made by authorized personnel.
"A large number of organizations don't have the tools in place to monitor change. Are changes made at the right time, made in the right way and is the person making them authorized to do so?" says Rob Warmack, Tripwire vice president of marketing and communications. "In this release, we can automatically detect change and analyze it to ensure that the change is OK."
Schultz is a longtime IT journalist.