1. Evaluate the effectiveness of IT governance structure
2. Evaluate the IT organizational structure & human resource
3. Evaluate the IT strategy and process
4. Evaluate the organization’s IT policies, standards, procedures and processes
5. Evaluate management practices
6. Evaluate IT resource investment, use and allocation practices
7. Evaluate IT contracting strategies and policies and contract management practices
8. Evaluate risk management practices
9. Evaluate monitoring and assurance practices
15 Knowledge statements:
Fundamentally, IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are managed. The first is driven by strategic alignment of IT with the business. The second is driven by embedding accountability into the enterprise.
IT governance is the management system used by directors.
IT governance is the responsibility of the board of directors and executive management.
IT resources should be used responsibly, and IT-related risks should be managed appropriately.
This high-value goal can be achieved by aligning IT governance framework with best practices.
The key IT governance practices are IT strategy committee, risk management and IT balanced scorecard.
IT governance is a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes.
Govern IT within their enterprises are described in four focus areas: Strategic alignment, value delivery, resources management, risk management and performance measurement.
IT Governance Focus Area: Strategic alignment, Value delivery, Risk management, Resource management, Performance measurement.
Board of directors & executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforce, and an IT security risk and impact analysis is consistently performed, it is said to be “managed & measurable”.
Cross-training is a process of training more than one individual to perform a specific job or procedure.
Compensating controls are internal controls that are intended to reduce the risk of an existing opotential control weakness that may arise when duties can’t be appropriately segregated. Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls can’t be achieved when duties can’t or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.
IT Governance Frameworks:
Control Objective for Information and related Technology (COBIT) : Framework that ensure IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately.
ISO/IEC 27001 (ISO 27001): Guidance to organizations implementing and maintaining information security programs
ITIL: Framework with hands on information regarding how to achieve successful operational service management of IT
IT Baseline Protection catalogs, or IT-Grundschutz Catalogs: Detecting and combating security weak points in the IT environment.
Information Security Management Maturity Model (ITM3): SIM maturity model for security.
ISO/IEC 38500:2008 Corporate governance of information technology
The continual monitoring, analysis and evaluation of metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.
IT governance need to be assessed:
• Alignment of the IS function with the organization’s mission, vision, values, objectives and strategies.
• Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function.
• Legal, environmental, information quality, fiduciary, security, and privacy requirements.
• The control environment of the organization.
• The inherent risks within the IS environment.
The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes.
BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures of evaluate customer satisfaction.
Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. Acceptance is a strategy that provides for formal acknowledgement of the existence of a risk and the monitor of that risk.
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. Threats are circumstances or events with the potential to cause harm to information resources. Probabilities represent the likelihood of the occurrence of a threat. Impacts represent the outcome of result of a threat exploiting vulnerability.
Enterprise architecture (EA) involves documenting the organization’s IT assets and processes in a structured manner to facilitates understanding, management and planning for IT investments. It involves both a current state and a representation of an optimized future state. In attempting to complete an EA, organizations can address the problem either from a technology perspective or a business process perspective.
The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business.
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired. Centralizing control of IT is not always desired.
IT governance maturity model:
0 Non-existent Management process are not applied at all
1 initial Process are ad hoc and disorganized
2 Repeatable Process follow regular pattern
3 Defined Process are documented and communicated (lowest label of maturity model)
4 Managed Process are monitored and measured
5 Optimized Best practices are followed and automated
Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized. Hence the primary objective of corporate governance is to provide strategic direction. Based on the strategic direction, business operations are directed and controlled.
Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic alignment primarily focuses on ensuring linkage of business and IT plans. Value delivery is about executing the value proposition throughout the delivery cycle. Resource management is about the optimal investment in and proper management of critical IT resources. Transparency is primarily achieved through performance measurement as it provides information to the stakeholders on how well the enterprise is performing when compared to objectives.
Internal control self-assessment (CSA) may highlight noncompliance to the current policy, but may not necessarily be the best source for driving the prioritization of IT projects.
It is critical that an independent security review of an outsourcing vendor be obtained.
A definition of key performance indicators is required before implementing an IT balanced scorecard.
Accountability cannot be transferred to external parties.
The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, and contracts and SLAs are mechanisms of risk allocation.
Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization’s broader plans for attaining their goals.
Assessment methods provide a mechanism, whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/ benchmarking, financial management practices, and goal accomplishment. Quality management is the means by which the IS department processes are controlled, measured and improved. Management principles focus on areas such as people, change, processes and security. Industry standards/benchmarking provide a means of determining the level of performance provided by similar information processing facility environments.