Let’s start with some assumptions. First, the IT department employs an administrator to manage one of the critical systems at the organization, and this employee has permission to install any software. Second, you want to set up a workstation for a new business employee, but IT does not have a proper document to manage this setup, so the administrator sets up the workstation without any procedures to follow. Can you guess the risk behind the two assumptions?
Like any operations, IT operations need to be controlled and managed. What about the risk in the first assumption if the organization has a control unit that monitors and controls all administrator operations? The risk will decrease and the organization will be safer. The second assumption lets the IT employee install whatever he or she wants, and maybe give the business employee administrator permission to manage his or her own workstation. What if you have a document that lists all the software that should be installed and the permissions for all business employees? Again the risk will decrease, the environment will be consistent and follow the organization’s procedures and policies, and you can audit, control and manage the IT operations easily.
IT should have an “IT Governance” function. IT Governance will be responsible for setting up the procedures, policies, processes, etc. to monitor and control the IT organization and keep the IT environment safer, more auditable and more controllable.
IT Governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives (IT Governance Institute).
COBIT is one of the IT Governance frameworks, and I found it very helpful as a starting point for building IT Governance in your IT organization. For more information about COBIT, you can access the ISACA website: https://www.isaca.org/Pages/default.aspx
You can also contact me directly. I will be happy to serve you anytime.