IT Governance Case Study
Uruguay is a small South American country that stands out for its high level of human development in Latin America, according to the United Nations Development Programme.
To take advantage of expertise from Uruguayan professionals in the science and technology field and encourage improved business outcomes, the government of Uruguay decided to co-fund innovative projects by means of a Technological Development Program (PDT) that relied on funding from the Interamerican Bank of Development (BID).
After the Request for Proposal process, PDT approved a project to support the development of IT governance-related software that was based on the Control Objectives for Information and related Technology (COBIT®) framework developed by the IT Governance Institute.
The project was completed by Datasec S.R.L., a firm of consultants and software developers that has developed software and bibliography. Its products and services specialize in IT governance, COBIT and IT security.
The first Datasec COBIT-based software was named MEYCOR COBIT Control Self Assessment (CSA). Launched in 1999, the software was put to use for clients in the company's consulting services. After trials and enhancements, MEYCOR COBIT CSA continues to be successfully implemented by several companies in Uruguay and around the world.
After a period of intense research and experience with COBIT-related applications and qualitative risk analysis methodologies such as Marion (French) and CRAMM (English), MEYCOR COBIT CSA was designed and developed.
The software design was geared to encompass the following purposes:
- Allow COBIT functionality not only for large companies, but also for middle-sized and small organizations.
- Sponsor multiple entry points: because of the tool's flexibility, it can be introduced in companies at many levels, including board members, CIOs, managers, auditors, IT security experts, advisors and consultants
- Automatically generate improvement recommendations linked to radar graphs that allow the organization to monitor its achievements on each COBIT process
- Ensure a connection between control objectives with a primary category in IT security and low-level multi-platform security requirements (AS/400, UNIX, Windows, Oracle, etc.) that makes some information security governance tasks easier
- Broaden the granularity of key issues inside different control objectives
- Include an audit module that contains COBIT Audit Guidelines and allows for the verification of users' answers regarding the status of each control objective
Many of the organizations that incorporated IT governance activities have attained outstanding achievements. Among those in Uruguay that have gone through COBIT implementations, Republica O. Del Uruguay Bank (BROU), the most important financial institution of the country with more than ten CISAs on staff, has attained significant value.
After observing success with MEYCOR COBIT CSA in many Uruguayan organizations, such as BROU, Banco Hipotecario del Uruguay (mortgages), Ancap (oil company), Montevideo Stock Exchange, Tribunal de Cuentas (a government general accounting office) and others, Datasec looked for national support to continue developing software tools covering different features of the COBIT framework. The anticipated opportunity was presented by PDT and BID, the previously mentioned initiative endorsed by the Ministry of Education and Culture of Uruguay.
BROU continues to be a leader in Uruguay in the quest for a comprehensive COBIT implementation. It first adopted COBIT after a management decision by its Technology and Operations Division in October 2000 and immediately began to use COBIT tools. BROU has achieved much success so far because of the drive and awareness of its human resources team, which has developed the following goals:
- BROU board of directors approval of an IT strategic plan stating that the IT organization has to align its activities and functions to the principles of IT governance
- The assignment of responsibilities and accountabilities regarding COBIT processes to different departments, for example:
    2.1 IT Management: PO1, PO4, M3, M4
    2.2 Technology Department: PO2, PO3, PO8, PO9, DS2, DS5, DS11, M2
    2.3 Planning Department: PO5, PO7, PO10, PO11, DS6, M1
    2.4 Information Systems Board: PO6
    2.5 Operational Adjustment Department: AI1, AI2, AI4, AI5, AI6, DS1, DS7
    2.6 Infrastructure Department: AI3, DS3, DS4, DS8, DS9, DS10, DS12
    2.7 Centralized Operation Department: DS13
- The information collection and measurement of each COBIT process status, according to the maturity model established by COBIT Management Guidelines
- A benchmarking of BROU with other banks in Uruguay regarding key business parameters such as information assets, technological risks, resources and skills, external resources and business focal points
To ensure business alignment of the decisions involving IT matters with an unquestionable IT governance vision, the BROU board of directors created a Technology Committee (similar to an IT steering committee). The members of this committee are two directors, BROU senior management and the BROU IT manager.
BROU currently is scheduled to begin the follow-up and measurement of key goal and performance indicators with the help of software developed by Datasec S.R.L. under the project funded by the Interamerican Bank of Development (BID).
Promoting IT governance through the project funded by BID, the country of Uruguay is proactively seeking to improve its condition and rate of scientific and technological development. More specifically, it is focused on promoting IT leadership from the top level of companies.
By utilizing the comprehensive COBIT framework, public and private companies as well as the Uruguayan government are assured of having a high-level reference for decision-making regarding IT issues. This is of great business and financial value because it improves upon the structure where senior managers are poorly involved in IT strategies, policies and supervision. The board of directors and senior managers, as well as professionals at every level, have a strong role to fulfill in effective IT governance, and COBIT maps the way.