IT Governance and Change Management

Summary

IT governance and change management combine to guide how organizations control, adapt, and improve their technology systems and processes. At its core, IT governance sets the rules and responsibilities for managing technology, while change management ensures updates and transitions happen smoothly and with minimal disruption.

  • Invite collaboration: Include relevant experts and business stakeholders in decision-making and review sessions to speed up approval and increase buy-in.
  • Customize processes: Adjust templates and approval steps to fit the specific size, complexity, and risk of each technology initiative, instead of relying on one-size-fits-all forms.
  • Automate and integrate: Build tools and workflows that make compliance easier by removing manual steps and fitting governance into everyday work practices.
Summarized by AI based on LinkedIn member posts
  • Ruchika Jeena

    Information security analyst

    2,434 followers

    ✅ The Ultimate ITGC (IT General Controls) Checklist (covers the classic COBIT/SOX-aligned areas):

    1. Access Management
      • User provisioning and de-provisioning process documented and enforced
      • Access rights granted on “least privilege” basis
      • Periodic user access reviews performed (at least quarterly)
      • Segregation of Duties (SoD) enforced and conflicts monitored
      • Terminated users’ access revoked promptly
      • Multi-factor authentication (MFA) in place for critical systems
      • Privileged account usage logged and monitored

    2. Change Management
      • All system/application changes formally requested, reviewed, and approved
      • Impact/risk assessments performed before implementation
      • Segregation between developer, tester, and production environments
      • Emergency changes documented and reviewed retrospectively
      • Testing evidence maintained for each change
      • Version control in place for code/configurations
      • Back-out plans prepared and tested for critical changes

    3. IT Operations / System Management
      • Regular backup schedule documented and tested (restore tests included)
      • Monitoring and alerting in place for critical systems
      • Batch processing monitored and exceptions reviewed
      • Incident/problem management processes documented and followed
      • Patch management: OS, applications, and databases patched timely
      • Capacity planning and performance monitoring conducted regularly
      • Third-party/vendor support properly documented and reviewed

    4. Logical Security
      • Password policies align with organizational/security standards
      • Inactive accounts disabled after defined period
      • Shared/generic accounts prohibited or strictly controlled
      • Remote access secured (VPN, MFA, logging)
      • Security configurations standardized and baseline documented
      • Encryption used for sensitive data in transit and at rest

    5. Physical Security (Data Centers / Critical Assets)
      • Restricted physical access with logging/badge systems
      • Visitors escorted and logs maintained
      • Fire suppression, UPS, and environmental controls in place
      • Regular review of access to data center rooms
      • Surveillance and monitoring operational

    6. System Development Lifecycle (SDLC)
      • Formal methodology in place (Agile/Waterfall documented controls)
      • Requirements documented and approved before development
      • Code review and peer testing documented
      • Segregation between development, testing, and production enforced
      • Post-implementation reviews performed

    7. Governance & Oversight
      • Risk and control ownership clearly assigned
      • Policies and procedures documented, communicated, and updated
      • Regular ITGC testing performed (internal/external audit)
      • Issues tracked, remediated, and reported to management
      • Compliance with regulatory requirements (e.g., SOX, ISO, NIST, GDPR)

    #ITGC #RiskManagement #ITGovernance #Compliance #InternalAudit #SOXCompliance #ISO27001 #CyberSecurity #DataSecurity #GRC #BusinessContinuity #ChangeManagement #ITControls #AuditReady #OperationalExcellence

  • Rajesh Jaluka

    Aligning Artificial Intelligence investments with Business Outcomes / Governance for Responsible AI / Private AI for Privacy and Control

    3,149 followers

    For one of my customers, new initiatives take months to get off the ground. The lines of business found a way to get around the central IT. For this customer:

    ❗ The Business Review Board took over 6 months to approve the funding. This initial hurdle alone created significant delays and lost opportunities.
    ❗ IT governance involved multiple review boards – like architecture, security, and compliance – each taking a minimum of one month.
    ❗ Scheduling and prioritizing development were perpetually dependent on resource availability or the onboarding of vendor resources.

    This meant that a simple initiative could be stalled for a year, before work began. The business landscape had shifted, the initial needs had evolved, some key stakeholders had moved on, and the original urgency often dissipated.

    During an annual technology plan review, we uncovered several instances of "shadow IT," where business teams took matters into their own hands:

    ⛔ The marketing team had independently built their own analytics solution by hiring interns and leveraging Snowflake.
    ⛔ The sales team was utilizing a separate Salesforce subscription to optimize lead management, outside the homegrown CRM system.
    ⛔ The manufacturing team had established their own Azure cloud account to implement an IoT solution.

    The root causes of these delays were:

    ☞ Expertise gap - The boards focus on governance and risk mitigation. They lack subject matter experts who could quickly assess the technical feasibility and implications.
    ☞ Boilerplate templates - The boards relied on elaborate, one-size-fits-all templates. Requesters are forced to complete extensive sections, even if they hold little relevance to the specific initiative.
    ☞ Siloed governance - Each board operates in isolation, adhering to its own timelines, processes, and evaluation criteria. Direct communication is minimal, with all information exchange funneled through the templates.

    AI is going to further enable lines of business in compressing the timeline for their initiatives. However, these approaches are not without cost and security risks. IT organizations need to adopt a flexible and agile governance model to avoid shadow IT. Here are six actions you can take:

    💎 Invite subject matter experts relevant to an initiative to accelerate review and decisions.
    💎 Tailor the templates based on size, complexity, risk profile, and technology domain of each initiative.
    💎 Create cross-functional working groups or joint review sessions to streamline the communication.
    💎 Align all boards to focus on common business objectives and goals.
    💎 Adopt an agile framework with iterative reviews and feedback loops instead of expecting all answers upfront.
    💎 Establish clear guidelines and empower teams to make their decisions. The guidelines can include pre-approved patterns of technologies, architectures, and solutions.

    #ceo #cio #cto #agileleadership #businessgrowth #enterprisearchitecture Agile C-Level

  • Maarten Masschelein

    CEO & Co-Founder @ Soda | Data Quality & Governance for the Data Product Era

    13,429 followers

    If you ask a data engineer what they think of data governance, they’ll probably say: "It’s just more paperwork." And they’re not wrong. People are told to follow policies but don't know why they should. And when things break, they will still get blamed.

    This is why so many policies don’t stick. They sound good in meetings but in real work, they slow people down. How can you design better governance programs then?

    ➨ Design governance with change management in mind.

      • Start by listening: What makes it hard to follow policies today?
      • Build with your team: Test new rules with data producers and consumers.
      • Remove blockers: Automate checks and integrate the norms with existing tools.
      • Share ownership: Make business teams part of the process with the data engineers.

    Governance works when it fits into how people already work, not when it’s pushed from the top. How are you making your governance easier for your team to follow?
