What Should Board Executives Know About Their IT Operation?

As featured on LinkedIn

In the last few weeks there have been several major IT related incidents that have put the boards of major companies in the spotlight. These organisations have made the front-page news for all of the wrong reasons as these incidents have damaged the reputation of their companies, wiped billions off their share price and when the dust settles may take more than one CEO’s scalp.


Clearly, this is a wake-up call to other executives out there who may be wondering whether something similar could happen to their organisation. Of course it could!


Those executives who may find comfort in the art of delegation and feel insulated by a few layers of management between them and their technical colleagues may find it a bit of a shock when they are the ones being asked for their company’s policy on data security. I’d recommend any of them to talk to Dido Harding, CEO of TalkTalk and ask how she felt when she didn’t know whether her customers’ data was encrypted or not when interviewed by the media.


So what should the members of the board actually know about their company IT operations? After all, the profits of most companies are made greater through the use of technology – be it increased sales distribution channels (web, mobile, call centre) and increase efficiencies via process automation. It’s only fair that executives have more than a passing knowledge of how their engine room operates.


At ChallengeCurve we have compiled the 5 key areas for which all board members should have clear understanding and know who in their organisation has responsibility for each item. These areas have a focus on quality assurance and governance and are taken from our CurveQA framework.


•Where is your sensitive client, business and employee data stored?
•Which organisations (internal or external) have responsibilities to control and process this data?
•Are you adhering to European Data Protection Directive rules to protect personal data?
•Do you have a defined statement and justification on what personal data is being captured and how it is to be processed?
•Do you have personal data processing contracts in place with all external and affiliated member companies, defining data owner, controller and data processing responsibilities?
•Who is responsible in your organisation for managing personal and sensitive data and setting and controlling policies?


•Is sensitive data encrypted at point of rest (stored in a database), in transit (data that is being transferred) and in use (data being processed)?
•What level of security testing including independent penetration testing is being performed? How frequently is it checked?
•Do you have an employee data security policy in place detailing appropriate rules for maintaining employee and customer data as well as policies for social media use?
•Do you have a standard security training process for all new employees and is there a frequent refresh for all employees?
•Do you have a centrally defined policy for monitoring and managing all data breaches with clear guidelines and procedures for preventative/minimise data breaches, controlling a breach and escalation?
•Do you have a clear process for communicating with our customers, partners and regulatory bodies in the event of a breach?


•What external regulations must be adhered to: HIPAA, PCI DSS, ISO27001, etc.?
•What is the cycle of these regulation audits?
•What where the major findings from the last audit that need to be addressed? Are they being address?


Business Continuity
•Do you have an up to date business risk assessment? How frequently is it reviewed?
•Do you have an up to date business continuity plan? How quickly can this be activated and be operational?
•When did you last perform a full disaster recovery test? How frequently is this performed?
•What critical SLAs must be maintained in a disaster?


•Do you have a central change control board?
•Do you have full traceability and audit of all changes to critical IT systems & hardware?
•Is there an incident management and issue/risk escalation process in place? Is it being followed?
•Are there governance processes in place that are verifying business changes from business case definition, business requirements definition through to build and implementation?


The welfare and the growth of your company should be paramount. These are not areas where you can abdicate all understanding and responsibility onto others. If your organisation does have a major impact you may wish that you had paid a bit more attention.