Good governance

By Piers Ford. Published September 19, 2010

Unlike in the West, IT governance laws in the Middle East aren’t so strict. But does that mean that you can afford to ignore them and work outside of good governance frameworks? We speak to businesses from across the region to find out whether that is the case.

If you work in the international finance industry, you’ll already know that it’s impossible to move far in IT governance without running into compliance issues with Sarbanes-Oxley and Basel II, two vital pieces of legislation that enforce strict audit controls around data access and risk management.

But as far as the wider corporate IT community goes, there is a host of constantly evolving local legislation that, if anything, is having a more powerful effect on the development of policies and frameworks at a local level in the Middle East.

In many cases, precise compliance requirements will depend on the nature of the business and jurisdiction, according to David Yates, head of commercial IP and technology at Middle East law firm Al Tamimi & Company.

Yates says the formation and continuing operation of effective IT legal and regulatory compliance involves assessing the requirements and impacts of a bewildering range of legislation: copyright law; the various laws and regulations which affect data protection, use and transfer, and personal privacy; the electronics transactions and e-commerce law; the printing and publications law, and other laws which regulate content that is put out into the public domain; the cyber crimes law; and the Telecommunications Regulatory Authority’s (TRA) policies concerning unsolicited commercial messages and VoIP.

“The IT function of an organisation cannot be considered on its own when assessing legal and regulatory compliance,” he says. “For instance, an internet service provider will be required to consider branding, copyright and moral rights in relation to the use of content, and liability for user-generated content, and will also be required to work with the legal team monitoring compliance with anti-money laundering legislation and central bank requirements,” adds Yates.

“The IT function of an organisation with branches throughout the Middle East, and data storage and call centres offshore, will be required to consider the policies of the telecommunication regulators in each of the jurisdictions they operate in.

“With an increasing range of enterprises evolving their business practices with the use of IT, the nature and scope of IT governance broadens. For instance, the use of e-health record keeping gives rise to a broad range of privacy and negligence exposures, which need to be carefully managed. Similarly, shifting to, or developing an e-commerce platform can mean that compliance with tax and other financial regulatory conditions depends on effective IT governance.”

To further complicate matters, every country in the region seems to have its own micro-compliance mechanism. Mohamed Rizvi, head of information security and advisory services at outsourcing specialist eHosting DataFort, says that the UAE is exerting a useful influence on IT governance practices in the GCC countries, particularly when it comes to information security. But he would like to see much more commonality across the region.

“To give you an example, the TRA recently announced that from October 2010, Blackberry services will no longer be available in this part of the world due to potential security threats,” he says.

“There are laws and regulations in the UAE that are taken care of by both the federal and local governments. Free zones like Dubai Internet City and Dubai International Financial City (DIFC) have stringent controls over e-transactions where policies are put in place to ensure that there is protection and processes over what electronic data can be sent, shared and published. DIFC has data protection laws that were established in 2006, whereas federal laws in the UAE to combat cyber crimes in ecommerce were established in 2007.”

Rizvi says there is continual improvement to laws and regulations impacting on IT governance in the region. However, he adds: “To improve the state of IT governance, we would need to see a more integrated single framework between decision makers. There is a need for a common framework for all Gulf countries, as there are in other regions, so that regulations regarding security and communication, for instance, are enforced and followed in a consistent manner.”

Compliance with legislation aside, the wider benefits of good IT governance in terms of improved operational efficiency could be better understood by CIOs in businesses of every kind. And that means forging an ever-closer strategic alliance between the IT function and the business itself.

“Good IT governance allows the IT department to work optimally in enabling operations of the organisation for delivery of both internal and external services,” says Ramez Shehadi, a partner at management consultancy Booz & Company.

“Through effective performance management, good IT governance allows IT departments to constantly improve their work in an environment of clear expectations and rational accountabilities. It also brings the profile of the IT department to the forefront, positioning it as a partner to business rather than as merely a back-office support function.”

The CIO or IT director who is serious about driving a good IT governance strategy across the organisation needs the co-operation of senior colleagues — particularly those in charge of the corporate finances.

“CIOs, CTOs and IT managers should consult their CFOs to discuss the potential for fraud, malicious damage, insider trading or terrorism within their organisation through the manipulation of access to IT resources,” suggests Stuart Hodkinson, general manager at compliance management vendor Courion.

“In a lot of cases, CFOs are grappling with compliance audits that are often a symptom of underlying problems. Once they understand the risk of doing nothing, then funding is often secured where it wasn’t originally budgeted for.”

Tony Lteif, CEO of Gulf IT security specialist Security Matterz — which represents policy and procedure management vendor NETconsent in the region — agrees that while the IT director is directly responsible for the implementation of IT policy, the board itself has a duty of overseeing the benefits of good IT governance.

“An effective IT governance framework requires everyone in the organisation to understand their IT responsibilities and be held accountable for their actions,” he says. “Technical controls are no longer, in isolation, enough to protect organisations. A combination of people, technology and process is required.

“An efficient and cost-effective process for communicating policy changes and monitoring policy uptake ensures good IT governance is sustainable and provides irrefutable proof of the benefits of compliance.”
