The Rule of Four of IT Governance
Author: Erik Guldentops, CISA, CISM
Source: Information Systems Control Journal, Volume 6, 2007
IT governance is on a different level (from other kinds of governance)! It is without doubt an essential element of enterprise governance. The need for principles and a body of knowledge arises simply because IT is being ignored in the executive suite. The result of IT not being on the agenda of board and executive meetings is that IT value and opportunities are not fully exploited, and IT risks are not properly understood or mitigated.
True IT governance is not a luxury at all. It is fundamentally essential for the modern enterprise. Several years ago, Gartner pointed out that billions of US dollars are wasted every year on IT projects that were ill-conceived from the start or poorly managed, and the Standish Group confirms that trend every 18 months with its picture of IT projects worldwide.
What is going wrong? The bottom line is that enterprises need to change their thinking and their culture. While thinking about a way to summarize this, the number four began to play an important role. The 'Four Ares' (Ares, small concerns) 1) as described in Val IT are a good guide for making business people think about what is needed to obtain value from IT. The following four rules will help in thinking about the major changes needed in the business:
1. IT governance is about effectiveness. That is, business people need to do the right things, such as investing in initiatives that make the business better. This is the first of the 'Four Ares' shown in figure 1. Articles, surveys and presentations continually emphasize the alignment of business and IT, but the real substance is sharing between business and IT: sharing decision making in steering committees; sharing understanding and skills through collaboration and multidisciplinary teams; and sharing responsibility, risk and reward.
(Translator's note: Ares, a word meaning warrior, is a god in Greek mythology who is also called the god of fear and terror, but here the name seems rather to have been given in the symbolic sense of 'the god who presides over action and decision'.)
2. Uncertainty must be accepted. This does not suit the taste of chief financial officers and other executives who pursue watertight numbers, but organizations face many variables that require mechanisms enabling rapid corrective action. These include project costs, delivery times, customer behavior and market assumptions. Nevertheless, organizations are simply afraid of even starting initiatives that are uncertain but have the potential to deliver huge benefits and that, at the same time, have to be redirected or stopped when the signs grow that they will not deliver the expected benefits.
3. IT governance is about completeness. The business case for an IT project is required to be complete; that is, it needs to cover all the activities needed to secure the promised benefits, from the inception of the idea to the retirement of the service. The latter (inception of the idea) is already a major challenge that requires (organizational) cultural change, because current service delivery is rarely considered as an element of the business case, and the cost of purchasing applications within the overall service is not considered at all. This relates to the second and third 'Ares', and examines whether the business has the right business and technology architecture, and whether it is being delivered in line with established quality standards.
4. IT governance is about accountability. If a promise has been made about the benefits to be created by an IT-enabled business initiative (investment), someone needs to be accountable for those benefits to the end. Accountability does not stop at delivering the IT service, because the ultimate benefits are obtained only as a result of changes to the related business processes. There are technical IT projects that project leaders find attractive, but few (of these projects) progress to the point of becoming projects with a strong organizational and human impact. Nevertheless, there is clear evidence that such initiatives, although uncertain at first, occasionally produce huge returns on investment. Accountability applies not only when things go wrong, but also when success is rewarded.
In addition to the 'Four Ares', these four rules can help enterprises change their thinking about IT and consider IT like anything else in managing the enterprise. Just as human resources, knowledge and finance do, IT needs governance. And when investing in IT, organizations need to think of the IT investment like any other investment (for example, treating it as a matter of enterprise governance rather than IT governance). Although IT needs to be governed better, it is important to remember that IT is ultimately a support function, because IT needs to do what is necessary to enable the business to create benefits. This is best expressed in the following words of a CIO in the financial sector: 'IT has no budget at all, and IT creates no value.'
Endnotes
1 Based on the 'Four Ares' as described by John Thorp in his book, The Information Paradox, written jointly with Fujitsu, first published in 1998 and revised in 2003
Erik Guldentops, CISA, CISM
is an executive professor at the University of Antwerp Management School (Belgium). He has initiated and provided leadership to the COBIT and Val IT initiatives since their inception.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© 2007 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.