ISACA Journal - 2011 Volume 3

Five Questions With...

Do you have something to say about this article?

Visit the Journal pages of the ISACA web site

( www.isaca.org/journal), find the article, and choose the Comments tab to share your thoughts.

Francisco Garcia Moran Francisco Garcia Moran started his career as a teacher and IT engineer at the University of Seville (Spain) and worked for several years in the IT departments of the Ministry of Education and Science at the national level and at the Regional Government of Andalusia, where he worked as the head of several IT services.

Q How do you see the role of governance of enterprise IT (GEIT) changing in the next
five years?

A I see IT governance being more and more aligned with enterprise governance.

Actually, the ultimate goal is that IT governance is completely integrated into enterprise governance since an organization does not have separate IT and business goals, but has business goals with, most of the time, IT components.

In the European Commission (EC), the business has started fully understanding the importance of this alignment, given the fact that the organization relies more and more on IT tools and systems to improve performance, efficiency, effectiveness and compliance and to support European Union (EU) policies. Today, nearly every EU directive or regulation contains provision for the development and implementation of an information system and the associated infrastructure to support the policies. Furthermore, there is some legislation that would be impossible to implement without the support of IT tools.

IT tools are integrated into the business, and given the complexity of interaction among stakeholder organizations, IT governance—and, more globally, governance at all levels—will need to improve a great deal in the coming years.

appointed Director General in November 2005. DIGIT defines the IT strategy of the EC, provides information and communication technology (ICT) corporate services, and is also responsible for the European program Interoperable Solutions for Public Administrations (ISA).

Garcia Moran is a member of the Management Board of the European Network and Information Security Agency (ENISA) and the World Bank’s High Level E Transformation Group (HLEG).

Garcia Moran is an avid sports enthusiast. When not in the office, he can be found cycling, playing tennis or basketball, or jogging. He also enjoys reading and classical music.

Q How did major frameworks (e.g., COBIT®, ITIL, ISO 27001) change the landscape of IT
management, and what impact did they have
on DIGIT?

A The EC uses these frameworks intensively in its IT management and, particularly, in DIGIT in which ITIL, or standard project management methodologies, are systematically deployed.

Furthermore, when carrying out IT audits, these frameworks are used as references. The standard wording at an audit kick-off meeting is, for example:

Audit scope: The scope of the audit includes the following COBIT processes: • DS1 Define and manage service levels.

• DS2 Manage third-party services.

• ME1 Monitor and evaluate IT performance.

• ME3 Ensure compliance with external requirements.

Audit framework:
• Regulatory framework at EC
• 16 internal control standards (baseline
requirements as of 1 January 2008),
• Legislation (e.g., Regulation 45 (2001)
on personal data protection), internal
regulation framework (e.g., CEAF,
C(2006)3602, SEC(2006)898 & 899).