SME businesses are a success story in this part of the world and I always feel it so enthralling to read about the great people who have been behind these successes. As a Consultant, interacting with these achievers is enriching and lively. One of the common lamentations of most of the business leaders is, "I am not able to control or drive my businesses the way I used to do several years back?" Analyzing the reasons made me realize two key things which are typical to SMEs in the Middle East :
- Micro management by business owners
- Resistance to changing functioning of business triggered by IT
The use of IT can be considered as one of the major drivers of economic wealth in the 21st century and is an inevitable part of any business today. Thus, the success of any business in today's world has a lot to depend on IT. IT by its very nature also has inherent risks and the importance of IT Governance cannot be understated as a key element for success of the business.
The purpose of any IT Governance Mechanism is to provide management and business process owners with a model that helps in delivering value from IT and understanding and managing the risks associated with IT. Organisations can approach IT governance on an adhoc basis and create their own frameworks based on the experience found within the organization, or they can adopt standards that have been developed and refned through the combined experience of hundreds of organizations and people.
By adopting a standard IT governance framework, enterprises realize a number of benefts. A number of standard IT governance frameworks exist today and one of the most widely used is the Control Objectives for Information and Related Technology (COBIT). COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. The COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven.
IT Governance in SMEs
Morison Menon conducted a survey among SMEs to determine the top COBIT controls that SMEs should have in place for securing information assets
COBIT QuickStart, is a baseline for small and medium-sized enterprises and other organisations where IT is not mission- critical or essential for survival. It can also serve as a starting point for organizations in their move towards an appropriate level of control and IT governance
While COBIT consists of 210 control 79 objectives and 34 processes in four domains, QuickStart consists of 59 control objectives and 32 processes in four domains. COBIT QuickStart consists of a framework and a baseline. The framework describes what QuickStart is, why it is needed and how to determine its suitability for a given organisation. The baseline consists of the processes and control objectives, as well as simplifed versions of Responsible, Accountable, Consulted and Informed (RACI) charts and key metrics COBIT QuickStart is a simplifed version of COBIT aimed at small and medium-sized enterprises, and can be used as a starting point for organizations in their move towards implementing COBIT.
In the next issue, I would discuss more in depth on how COBIT can be applied to SMEs through a case study.
|Rank||Control Objective||What to Implement|
|1||Network Security||Updated frewall, secure wireless
|2||Virus protection||Updated anti-virus, anti-spyware
|3||Backups||Regular and tested backup
|4||File access privilege
|Role-based access control, least
|5||IT as part of strategic
|Technologies that support business
|6||IT continuity and
|Basic disaster recovery plan (DRP)
|7||ID and authorisation
|Complex passwords, password
|Leadership from CEO for IT control
|Basic risk assessment and/or self
|10||Employee IT security
|Training for e-mail, Web, and
|11||Data input controls||Field formats, periodic data range