IT Governance
Jimmy Ardiansyah
Arkansas – September 16, 2005
9 Tasks
Evaluate the effectiveness of IT governance
structure to ensure adequate board control over
the decisions, directions and performance of IT,
so it supports the organization's strategies and
objectives.
Evaluate IT organizational structure and human
resources (personnel) management to ensure that
they support the organization's strategies and
objectives.
Evaluate the IT strategy and the process for its
development, approval, implementation and
maintenance to ensure that it supports the
organization's strategies and objectives.
Evaluate the organization's IT policies, standards,
procedures and processes for their development,
approval, implementation and maintenance to
ensure that they support the IT strategy and
comply with regulatory and legal requirements.
Evaluate management practices to ensure
compliance with the organization's IT strategy,
policies, standards and procedures.
Evaluate IT resource investment, use and
allocation practices to ensure alignment with the
organization's strategies and objectives.
Evaluate IT contracting strategies and policies
and contract management practices to ensure
that they support the organization's strategies and
objectives.
Evaluate risk management practices to ensure
that the organization's IT-related risks are
properly managed.
Evaluate monitoring and assurance practices to
ensure that the board and executive management
receive sufficient and timely information about IT
performance.
15 Knowledge Statements
Knowledge of the purpose of IT strategies,
policies, standards and procedures for an
organization and the essential elements of each
Knowledge of IT governance frameworks
Knowledge of the processes for the development,
implementation and maintenance of IT strategies,
policies, standards and procedures (e.g.,
protection of information assets, business
continuity and disaster recovery, systems and
infrastructure life cycle management, and IT
service delivery and support)
Knowledge of quality management strategies and
policies
Knowledge of organizational structure, roles and
responsibilities related to the use and
management of IT
Knowledge of generally accepted international IT
standards and guidelines
Knowledge of enterprise IT architecture and its
implications for setting long-term strategic directions
Knowledge of risk management methodologies and
tools
Knowledge of the use of control frameworks (e.g.,
COBIT, COSO, ISO 17799)
Knowledge of the use of maturity and process
improvement models (e.g., CMM, COBIT)
Knowledge of contracting strategies, processes
and contract management practices
Knowledge of practices for monitoring and
reporting of IT performance [e.g., balanced
scorecards, key performance indicators (KPI)]
Knowledge of relevant legislative and regulatory
issues (e.g., privacy, intellectual property,
corporate governance requirements)
Knowledge of IT human resources (personnel)
management
Knowledge of IT resource investment and
allocation practices [e.g., portfolio management,
return on investment (ROI)]
Corporate Governance
Ethical behavior of corporate executives toward
shareholders to maximize the return on financial
investment.
Distribution of rights and responsibilities among
the different participants in the corporation, such as
the board, managers and shareholders; it spells out
the rules and procedures for making decisions on
corporate affairs.
Best Practices for IT Governance
Audit Role in IT Governance
Audit plays a significant role in the successful
implementation of IT governance within an
organization; for example, audit is best positioned
to provide leading-practice recommendations to
senior management to help improve the quality
and effectiveness of the IT governance initiative.
IS Strategy
Strategic Planning
Strategic planning from an IS standpoint relates to the
long-term direction an organization wants to take in
leveraging IT to improve its business processes.
Steering Committees
A steering committee for IT is an important factor in
ensuring that the IS department is in harmony with the
corporate mission and objectives.
Types of Policy
Advisory Policy – Optional (strongly recommended, not enforced)
Regulatory Policy – Mandatory (compliance is required)
Informational Policy – Informative; complements the other two types
Risk Management
The process of identifying vulnerabilities and threats
to the information resources used by an organization
in achieving its business objectives, and deciding what
countermeasures to take to reduce risk to an
acceptable level.
Developing a Risk Management Program
Establish the purpose of the risk management program:
determine why the organization is creating it and what
it is expected to achieve.
Sourcing Practice
* Delivery of IS Function
> Insourced
> Outsourced
> Hybrid
* IS Function can be performed
> Onsite
> Offsite
> Offshore
Outsourcing Practices and Strategy
Globalization Practices and Strategy
Capacity and Growth Planning
Industry Standard/Benchmarking
Service Improvement and User Satisfaction
Organizational Change Mgt
Financial Management Practice
Critical element of all business functions
Quality Management
The means by which IS department-based processes
are controlled, measured, and improved
Performance Optimization
IS Organizational Structure and
Responsibilities
IS Roles and Responsibilities
* Librarian
* Data Entry
* System Admin
* Security Admin
* QA
* DBA
* Systems Analyst
* Security Architect
* Application Dev and Maintenance
* Infrastructure Dev and Maintenance
* Network Management
Segregation of Duties within IS
Duties to Keep Separate (Segregation of Duties Controls)
* Transaction Authorization
* Custody of Assets
* Access to Data
Compensating Controls for Lack of Segregation of Duties
* Audit Trails
* Reconciliation
* Exception Reporting
* Transaction Logs
* Supervisory Review
* Independent Review
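As an added example (not part of the original slides), the script below applies three of the compensating controls listed above, transaction logs, exception reporting and reconciliation, to a constructed transaction log. Each transaction is expected to be authorized, executed (custody) and reconciled by three different people; the script reports any user who held conflicting duties on one transaction and any transaction that never received an independent reconciliation. The log format, field names and sample records are assumptions made for this example.

```python
"""Exception report for segregation-of-duties (SoD) violations.

Added example, not from the original slides. The log layout
(txn_id,user,duty) and the sample records are assumptions.
"""
from collections import defaultdict

# Pairs of duties that must not be performed by the same person on one
# transaction. Reconciliation is the independent review of the other two.
CONFLICTING_DUTIES = {
    frozenset({"authorize", "execute"}),
    frozenset({"authorize", "reconcile"}),
    frozenset({"execute", "reconcile"}),
}

# Constructed transaction log: one "txn_id,user,duty" record per line.
SAMPLE_LOG = """\
T1001,alice,authorize
T1001,bob,execute
T1001,carol,reconcile
T1002,dave,authorize
T1002,dave,execute
T1002,erin,reconcile
T1003,frank,authorize
T1003,grace,execute
T1004,heidi,authorize
T1004,ivan,execute
T1004,heidi,reconcile
"""


def parse_log(text):
    """Return {txn_id: {duty: set(users)}} from the CSV-style log."""
    txns = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        txn_id, user, duty = (f.strip() for f in line.split(","))
        txns[txn_id][duty].add(user)
    return txns


def find_sod_violations(txns):
    """Return [(txn_id, user, sorted duties)] for every user who held a
    conflicting pair of duties on the same transaction."""
    violations = []
    for txn_id, duties in sorted(txns.items()):
        by_user = defaultdict(set)
        for duty, users in duties.items():
            for user in users:
                by_user[user].add(duty)
        for user, held in sorted(by_user.items()):
            if any(pair <= held for pair in CONFLICTING_DUTIES):
                violations.append((txn_id, user, sorted(held)))
    return violations


def find_unreconciled(txns):
    """Return txn_ids that never received an independent reconciliation."""
    return sorted(t for t, d in txns.items() if not d.get("reconcile"))


def exception_report(text):
    """Build the exception report a supervisor or auditor would review."""
    txns = parse_log(text)
    return {
        "sod_violations": find_sod_violations(txns),
        "unreconciled": find_unreconciled(txns),
    }


if __name__ == "__main__":
    report = exception_report(SAMPLE_LOG)
    for txn_id, user, held in report["sod_violations"]:
        print(f"SoD violation: {txn_id} user {user} held {held}")
    for txn_id in report["unreconciled"]:
        print(f"Not reconciled: {txn_id}")
```

On the sample log the report flags T1002 (dave both authorized and executed) and T1004 (heidi both authorized and reconciled her own transaction), and lists T1003 as never reconciled. In practice the log would be the application's own audit trail, and the report would be produced and reviewed by someone outside the team whose transactions it covers.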
Potential Problems in IT Governance
Implementation
High staff turnover
Inexperienced staff
Poor motivation
Lack of adequate training
Frequent hardware and software upgrades
Unfavorable end-user attitude
Frequent hardware and software errors
Author Information
Jimmy Ardiansyah, MS-IT
Solution Developer @Acxiom Corp.
Arkansas 72801
USA