Session
Information Systems and Security
Description
Today, still, ICT Governance is being regarded as a departmental concern, not an overall organizational concern. History has shown us that implementation strategies, which are based on departments, results in fractional implementations leading to ad hoc solutions with no central control and stagnation for the in-house ICT strategy. Further, this recently has created an opinion trend; many are talking about the ICT department as being redundant, a dying out breed, which should be replaced by on-demand specialized external services. Clearly, the evermore changing surroundings do force organizations to accelerate the pace of new adaptations within their ICT plans, more vivacious than most organizations currently is able to. This leads to that ICT departments tend to be reactive rather than acting proactively and take the lead in the increased transformation pace in which organizations find themselves. Simultaneously, the monolithic systems of the 1980ies/1990ies is often very dominating in an organization, consume too much of the yearly IT budget, leaving healthy system development behind. These systems were designed before data became an organizational all-encompassing resource; the systems were designed more or less in isolation in regards to the surrounding environment. These solutions make data sharing costly and not at all optimal. Additionally, in strives to adapt to the organization’s evolution, the initial architecture has become disrupted and built up in shreds. Adding to this, on May 25, 2018, an upgraded EU Privacy Regulation on General Data Protection Regulation (GDPR) will be activated. This upgraded privacy regulation includes a substantial strengthening of 1994’s data privacy regulation, which will profoundly affect EU organizations. This regulation will, among other things, limit the right to collect and process personal data and will give the data subject all rights to his/her data sets, independentof where this data is/has been collected and by whom. Such regulation force data collecting and processingorganizations to have total control over any personal data collected and processed. This includes detailedunderstanding of data flows, including who did what and when and under who’s authorization, and how data istransported and stored. Concerning data/information flows, maps are a mandatory part of the system documentation. This encompasses all systems, including outsourced such as cloud services. Hence, individual departments cannot any longer claim they “own” data. Further, since mid-2000, we have seen aglobal inter-organizational data integration, independent of organizations, public or private. If this integration ceasesto exist, the result will be a threat to the survival of the organization. Additionally, if the organization fails to providea transparent documentation according to the GDPR, substantial economic risk is at stake. So, the discussion aboutthe ICT departments’ demise is inapt. Any organizational change will require costly and time-consuming ICTdevelopment efforts to adapt to the legislation of today’s situation. Further, since data nowadays is interconnectedand transformed at all levels, interacting at multiple intersections all over the organization, and becoming a unifiedbase of all operative decisions, an ICT governance model for the organization is required.
Keywords:
ICT Governance, Privacy, IT, GDPR, Data flow, Data integration
Session Chair
Naim Preniqi
Session Co-Chair
Blerton Abazi
Proceedings Editor
Edmond Hajrizi
ISBN
978-9951-437-54-7
Location
Durres, Albania
Start Date
28-10-2017 2:00 PM
End Date
28-10-2017 3:30 PM
DOI
10.33107/ubt-ic.2017.198
Recommended Citation
Magnusson, Lars; Elm, Patrik; and Mirijamdotter, Anita, "Towards Secure Data Flow Oriented Multi-Vendor ICT Governance Model" (2017). UBT International Conference. 198.
https://knowledgecenter.ubt-uni.net/conference/2017/all-events/198
Towards Secure Data Flow Oriented Multi-Vendor ICT Governance Model
Durres, Albania
Today, still, ICT Governance is being regarded as a departmental concern, not an overall organizational concern. History has shown us that implementation strategies, which are based on departments, results in fractional implementations leading to ad hoc solutions with no central control and stagnation for the in-house ICT strategy. Further, this recently has created an opinion trend; many are talking about the ICT department as being redundant, a dying out breed, which should be replaced by on-demand specialized external services. Clearly, the evermore changing surroundings do force organizations to accelerate the pace of new adaptations within their ICT plans, more vivacious than most organizations currently is able to. This leads to that ICT departments tend to be reactive rather than acting proactively and take the lead in the increased transformation pace in which organizations find themselves. Simultaneously, the monolithic systems of the 1980ies/1990ies is often very dominating in an organization, consume too much of the yearly IT budget, leaving healthy system development behind. These systems were designed before data became an organizational all-encompassing resource; the systems were designed more or less in isolation in regards to the surrounding environment. These solutions make data sharing costly and not at all optimal. Additionally, in strives to adapt to the organization’s evolution, the initial architecture has become disrupted and built up in shreds. Adding to this, on May 25, 2018, an upgraded EU Privacy Regulation on General Data Protection Regulation (GDPR) will be activated. This upgraded privacy regulation includes a substantial strengthening of 1994’s data privacy regulation, which will profoundly affect EU organizations. This regulation will, among other things, limit the right to collect and process personal data and will give the data subject all rights to his/her data sets, independentof where this data is/has been collected and by whom. Such regulation force data collecting and processingorganizations to have total control over any personal data collected and processed. This includes detailedunderstanding of data flows, including who did what and when and under who’s authorization, and how data istransported and stored. Concerning data/information flows, maps are a mandatory part of the system documentation. This encompasses all systems, including outsourced such as cloud services. Hence, individual departments cannot any longer claim they “own” data. Further, since mid-2000, we have seen aglobal inter-organizational data integration, independent of organizations, public or private. If this integration ceasesto exist, the result will be a threat to the survival of the organization. Additionally, if the organization fails to providea transparent documentation according to the GDPR, substantial economic risk is at stake. So, the discussion aboutthe ICT departments’ demise is inapt. Any organizational change will require costly and time-consuming ICTdevelopment efforts to adapt to the legislation of today’s situation. Further, since data nowadays is interconnectedand transformed at all levels, interacting at multiple intersections all over the organization, and becoming a unifiedbase of all operative decisions, an ICT governance model for the organization is required.