Tuesday, December 29, 2009

Detection of Strategies in IT Organizations through an Integrated IT Compliance Model

Information Systems is a field in continuous evolution and transformation. The development of infrastructure and processing capacities, together with constant adjustments in applications and standards, drives endless change and makes ambitious business objectives possible. In the last few years, many frameworks and standards have emerged. These aim to provide schemes or best practices on how IT governance, IT management and IT operation are carried out. As figure I shows, these frameworks focus on covering different IT features such as IT Governance [ITGI, 2007], IT Service Management [Taylor and Nieves, 2007] and Software Development [CMMI, 2006], or more specific and detailed features (tactical level) such as security management, continuity management and capacity management.

The present research work can be expressed as follows: if different standards, methods, regulations and best practices are the result of many years of work done by experts in the IT field, they should be employed as a primary resource to determine the needs of our IT organization. This research concentrates on the use of IT compliance in the IT planning process, because governance, risk and corporate management are interdependent [Bhimani, 2009] and together can lead the strategy. The proposed model is called MOPLACO (MOdel of IT Strategic and Tactical PLAnning based on COmpliance with IT Standards). IT compliance is a new trend dedicated to knowing the state of the organization in relation to the different IT standards, policies and regulations. At the beginning, this concept was closely related to complying with the laws and regulations of the intricate business world. However, the authors prefer to conceive IT compliance as something wider, covering compliance with every type of external IT regulation and standard as well as with internal policies and procedures. Some important norms MOPLACO recommends as basic are the service management standard ISO/IEC 20000, the business continuity management standard BS25999, the information security standard ISO/IEC 27001 and the IT governance standard ISO/IEC 38500.

Figure I: Example of partial coverage of IT areas from different standards.

Nowadays, regulations are gaining a lot of attention, mainly in banking, telecommunications and insurance [Grubb and Burke, 2008]. An organization is conditioned by different types of legislative or commercial regulations, and by its own policies [Tarantino, 2006]. Compliance with these regulations is important to the organization because it reduces risk and avoids penalties from government agencies, improving corporate governance [Ingley and van der Walt, 2008] [Rasmussen, 2008]. In recent years, due to their importance, governance, risk management and compliance, or GRC, have become very popular in organizations [Tarantino, 2008].

1. Governance: governance is a task for the directors of organizations. It formulates the policies and procedures that guide an organization to work according to its goals.
2. Risk management: risk management determines the level of tolerance by taking into account possible threats. It identifies the threats and establishes priorities.
3. Compliance: this area ascertains compliance in relation to legislative or commercial regulations or the organization’s own policies.

More specific to MOPLACO’s objectives, IT compliance presents information about how our IT organization is positioned in relation to the different standards and regulations of the Information Systems area [Vu Broady and Roland, 2008]. The information IT compliance provides is very significant for the organization, both to comply with IT regulations and to formulate its strategic plan. Within GRC we have IT GRC, which involves integrated IT governance, risk and compliance management [Microsoft, 2008]. In short, IT GRC is related to the three areas listed by the IT Policy Compliance Group [IT Policy Compliance Group, 2008]:

1. Create business value through IT strategy, investment and alignment.
2. Decrease business and financial threats significantly by making use of IT.
3. Alignment between an organization’s policies, external legislation and the obligation to comply with regulations.

All this information determines what the strategic needs of the IT departments are. Therefore, IT organizations that want to improve their IT management and governance have a best-practice model, provided by the IT standards, against which to check recommendations and proposals. As a result, a collection of tools has emerged in the last few years to obtain such improvement, such as assessments or evaluations with an associated maturity model. Several of these tools can be obtained freely, some are purchased and others are obtained through consultancy organizations. The assessment is a set of questions, like a questionnaire, which the organization completes; it allows information to be collected about how governance and IT management are carried out in the organization. The maturity model offers a scale of how the organization is positioned in relation to a specific model. These maturity levels range from level “0”, non-existent, to level “5”, optimum, following the CMMI standard [CMMI, 2006], which classifies them according to the details of each area, or according to maturity proposals per process or per type of requirement, similar to the CobiT process evaluations [ITGI, 2007] or the ITIL evaluations [Taylor and Nieves, 2007], which study processes and activities [Mihyar and Okan, 2001].

Once we have the information from the assessment, the organization’s maturity level can be established in relation to a best-practices framework, and this is essential to determine the needs of the IT organization [Emmerich et al., 1999]. It also provides guiding principles to improve maturity. These can be applied to every planning process, either tactical or strategic. Additionally, a special attribute of IT is that strategies can be based on comparing a high number of models (nearly 70 according to figure III), a feature that cannot be seen in other areas of the company (Sales, Human Resources, etc.) that have fewer norms and standards. One thing that is certain about standards is that they decrease innovation, because they make a company stay at the same level as its competitors. However, it is also true that each organization’s customization and prioritization of specific processes over others, and the constant evolution of the standards, prevent that homogenization.

When the assessments are processed individually rather than in an integrated way, as MOPLACO and other authors propose [Deloitte, 2007] [Tapscott, 2006], the following problems were found:

1. They do not cover all the space that the IT evaluation process in an organization should cover. Some are very conditioned by their initial approach and objectives. Considering every type of standard as a silo leads to inefficient work.
2. Some of them are more focused on the management and analysis levels than on IT governance. Strategic decisions have more support from IT governance evaluation than from IT management evaluation.
3. They do not have a framework to detect improvement opportunities, which means they keep process scores that do not give accurate information about the improvements that may be considered in the future.
4. They do not perform a well-balanced study of the information needs of the organization, and the information presented is not properly organized.

This research provides a solution to these problems through the formulation of a Compliance Model supported by various standards and self-assessments, with a clearly defined structure that balances the different standards. In consequence, it is a practical tool to detect improvements in any IT organization.