Towards a Taxonomy of Challenges in an Integrated IT Governance Framework Implementation

ABSTRACT

The rapid adoption of IT governance (ITG) frameworks in organizations worldwide, along with the subsequent need to select and integrate overlapping ITG frameworks, has presented practitioners with challenges in the choice and integration of frameworks. In this respect, the purpose of this study was to explore the ITG frameworks integration (ITGFI) challenges faced by organizations worldwide; develop and test a theory-based integrated ITG challenges (IIC) taxonomy model created from extant literature; and validate and compare these with those empirically extracted from three case studies in the United Arab Emirates (UAE). The results present the audience with a taxonomy of a prioritized set of common global and region-specific (UAE) ITGFI challenges. The study thus helps practitioners prioritize and focus on these areas of an integrated ITG frameworks implementation.

Keywords: IT governance integration; ITG frameworks; ITG integration challenge; taxonomy

INTRODUCTION

Information technology governance (ITG) has become an important topic for IT-based organizations worldwide (Ayat, Masrom, & Sahibuddin, 2011), and is considered critical for them (Aleem & Al-Qirim, 2012). Hence, to ensure that IT functions align with and support the enterprise's strategies and goals (Wessels & Loggerenberg, 2006), a balanced integration of ITG frameworks is necessary. From a financial perspective, Marrone and Kolbe (2010) commented that organizations that implemented ITG achieved profits 20% higher than those that did not. The adoption of ITG thus is a response to the growing pressure on all organizations to effectively manage and get returns from IT. ITG frameworks and standards have thus been described as high-level models designed to perform IT functionality professionally (De Haes & Van Grembergen, 2008). The increasing demands of the industry coupled with compliance requirements have forced organizations to implement and integrate multiple frameworks and standards.

According to Gehrmann (2012), IT management must comprise a combination of two sets of frameworks. Among the many best IT frameworks used in improving business and achieving goals, Control Objectives for Information and Related Technology (COBIT), Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are being widely adopted worldwide (Nastase, Nastase, & Ionescu, 2009). They have been integrated due to the overlapping nature of their control mechanisms. Researchers agree that COBIT, ITIL, and ISO 17799 (ISO 17799 was renamed ISO 27002 in 2007 and is closely related to ISO 27001) are the most valuable, popular, and widely adopted frameworks currently being used for business growth and success (Chatfield & Coleman, 2011; Sahibudin, Sharifi, & Ayat, 2008; Ula, Ismail, & Sidek, 2011), but also argue that ITIL, COBIT, and ISO/IEC 27002 can be used by any organization as comprehensive solutions for IT management (Gehrmann, 2012). Many organizations implement multiple process frameworks and standards (Cater-Steel, Tan, & Toleman, 2006). This was further proved in a Gartner survey on ITIL adoption in the Asia Pacific region, which shows that many organizations in Hong Kong, Singapore, and Australia implement ITIL, COBIT, Capability Maturity Model Integration (CMMI), and ISO 9001 concurrently (Heschl, 2004). Since all these frameworks overlap, using them independently prevents organizations from asserting full IT management and governance because each framework and standard has limitations in its application to the management of specific IT areas (Gehrmann, 2012). Integrating frameworks and standards provides a more comprehensive and efficient approach, enabling features that would be unavailable through individual frameworks (Cater-Steel et al., 2006; Gehrmann, 2012; Ula et al. …

[1] Ernest Foo, et al. Barriers to information technology governance adoption: a preliminary empirical investigation, 2011.

[2] Lutz Kolbe, et al. Mapping Improvements Achievable through the Adoption of IT Governance, 2010, PACIS.

[3] Gary Hardy, et al. Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges, 2006, Inf. Secur. Tech. Rep.

[4] Philip E. T. Lewis, et al. Research Methods for Business Students, 2006.

[5] R. Pereira, et al. A Literature Review: Guidelines and Contingency Factors for IT Governance, 2012.

[6] H. Susanto, et al. Information Security Management System Standards: A Comparative Study of the Big Five, 2011.

[7] Leonid Smalov, et al. Implementing IT governance using COBIT: A case study focusing on critical success factors, 2012, World Congress on Internet Security (WorldCIS-2012).

[8] Mark A. Toleman, et al. Challenge of adopting multiple process improvement frameworks, 2006, ECIS.

[9] Nasser Modiri, et al. An Approach to Map COBIT Processes to ISO/IEC 27001 Information Security Management Controls, 2012.

[10] Mohammad Sharifi, et al. Lessons learned in ITIL implementation failure, 2008, 2008 International Symposium on Information Technology.

[11] Aliza Abdul Latif, et al. Challenges in Adopting and Integrating ITIL and CMMi in ICT Division of a Public Utility Company, 2010, 2010 Second International Conference on Computer Engineering and Applications.

[12] Sevgi Özkan, et al. Governing Information Security in Conjunction with COBIT and ISO 27001, 2011, ArXiv.

[13] Vilmar Grüttner, et al. IT Governance Implementation - Case of a Brazilian Bank, 2010, AMCIS.

[14] Sebastiaan H. von Solms, et al. Information Security governance: COBIT or ISO 17799 or both?, 2005, Comput. Secur.

[15] Heru Susanto, et al. Information Security Challenge and Breaches: Novelty Approach on Measuring ISO 27001 Readiness Level, 2012.

[16] Shamsul Sahibuddin, et al. IT Governance and Small Medium Enterprises, 2022.

[17] Shari S. C. Shang, et al. Barriers to Implementing ITIL - A Multi-Case Study on the Service-based Industry, 2010.

[18] John Tongren, et al. A Preliminary Survey of Cobit Use, 1997.

[19] Z. M. Sidek, et al. A Framework for the Governance of Information Security in Banking System, 2011.

[20] M. Sheelagh T. Carpendale, et al. Analyzing Qualitative Data, 2017, ISS.

[21] Paul Johannesson, et al. The State of IT Governance in Organizations from the Public Sector in a Developing Country, 2009, 2009 42nd Hawaii International Conference on System Sciences.

[22] David Silverman, et al. Qualitative research: meanings or practices?, 1998, Inf. Syst. J.

[23] Geert Hofstede, et al. National Cultures in Four Dimensions: A Research-Based Theory of Cultural Differences among Nations, 1983.

[24] Gary Hardy. Guidance on Aligning COBIT, ITIL and ISO 17799, 2005.

[25] Akemi Takeoka Chatfield, et al. Promises And Successful Practice In IT Governance: A Survey Of Australian Senior IT Managers, 2011, PACIS.

[26] Steven De Haes, et al. Enterprise Governance of Information Technology: Achieving Strategic Alignment and Value, 2009.

[27] Saiqa Aleem, et al. IT governance framework for e-government, 2012.

[28] A. Andrade, et al. Interpretive Research Aiming at Theory Building: Adopting and Adapting the Case Study Design, 2009.

[29] Chi-Hoon Lee, et al. A Study of the Causal Relationship between IT Governance Inhibitors and Its Success in Korea Enterprises, 2008, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008).

[30] Taizan Chan, et al. Barriers to Formal IT Governance Practice -- Insights from a Qualitative Study, 2013, 2013 46th Hawaii International Conference on System Sciences.

[31] Maico Gehrmann. Combining ITIL, COBIT and ISO/IEC 27002 for Structuring Comprehensive Information Technology for Management in Organizations, 2012.

[32] Debi Ashenden, et al. Information Security management: A human challenge?, 2008, Inf. Secur. Tech. Rep.

[33] Steven De Haes, et al. Practices in IT Governance and Business/IT Alignment, 2008.

[34] R. Goosen, et al. An integrated framework to implement IT governance principles at a strategic and operational level for medium- to large-sized South African businesses, 2013.

[35] Incorporating COBIT Best Practices in PCI DSS V2.0 for Effective Compliance, 2011.

[36] Shamsul Sahibuddin, et al. Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations, 2008, 2008 Second Asia International Conference on Modelling & Simulation (AMS).