IT Governance - Performance Measures Final
Oversight Bodies
Board: Establish oversight bodies with clear terms of reference and appropriate membership from the business.
CIO/CTO: These oversight authorities may have accountability for:
- Governance, Strategy, Investment and Performance
- Service Management
- Solution Delivery
- Third-Party Management
- Architecture, Technical Support and Operations
- Risk, Compliance and Internal Controls
- Security and Business Continuity
IT Management: Relevant representation is required from business and IT.
IT Governance Project
Board: Initiate the IT Governance Project.
CIO/CTO: Treat the IT governance initiative as a project activity with a series of phases rather than a “one-off” step.
IT Management: Implement IT Governance.
DOMAIN ATTRIBUTE RESPONSIBILITY - DESCRIPTION/ACTIVITIES
Board CIO/CTO IT Management
Leadership and Direction
Board: The board is to:
- Place IT on the board agenda
- Clarify business strategies and objectives, and the role of IT in achieving them
- Delegate responsibility for implementing an IT governance framework to management
- Determine and communicate levels of risk tolerance/appetite
- Oversee the development of the information security strategy and delegate its implementation to IT management
- Assign accountability for the organisational changes needed for IT to succeed.
Monitoring and Evaluation
Board: The board is to:
- Ensure that IT is aligned with strategic objectives
- Monitor and evaluate the extent to which IT actually sustains and enhances the organisation’s strategic objectives
- Use the Risk and Audit committees to assist the board in fulfilling its responsibilities
- Ensure that prudent and reasonable steps have been taken in regard to IT governance
- Monitor and evaluate the acquisition and appropriate use of technology, process and people
- Ensure that an internal control framework has been adopted, implemented and is effective
- Ensure that information assets are managed effectively
- Protect information and intellectual property
- Ensure personal information is treated by the company as an important business asset
- Ensure information records provide adequate evidence of business activity
- Monitor the application of King III governance principles by all parties, at all levels (starting with the board), at all stages of business operations, across organisational boundaries (including third parties) and for the acquisition and disposal of IT goods and services
- Obtain project assurance from independent experts that IT management apply all basic elements of appropriate project management principles to all IT projects
IT Reporting to the Board
Board: Ensure IT reporting is adequate for its purpose.
Management must increase transparency and provide the board with complete, timely, relevant, accurate and accessible information about:
- The likelihood of IT achieving its objectives
- IT’s resilience to learn and adapt
- The judicious management of the inherent risks from using IT, including disaster recovery
- How well IT has recognised opportunities and acted on them
GOVERNANCE FRAMEWORK: An IT governance framework assists those at the highest level of organisations to ensure that IT use contributes positively to the performance of the organisation and conforms with the organisational obligations (regulatory, legislation, common law, contractual) concerning the acceptable use of IT.
Processes
Board: Maintain oversight of the establishment and maintenance of IT processes.
CIO/CTO: Exercise control over the establishment and maintenance of IT processes.
IT Management: Establish and maintain IT processes as:
- Process serves as the foundation for the definition of a management system used to capture and document details about ownership, scope, responsibilities, measurements, structured working practices and interfaces.
- Processes describe the life-cycle of activities (with feedback loops) and enable the development and implementation of a lean, sustainable capability to achieve the outcomes (business goals) desired.
- Processes ensure a stable, controlled, repeatable service that can be objectively measured against deliverables and outcomes achieved.
Governance Mechanisms
Board: Monitor that those given responsibility to deploy governance mechanisms acknowledge and understand their responsibilities. Monitor the performance of those given responsibility in the governance of IT.
CIO/CTO: Enforce governance mechanisms.
IT Management: Governance mechanisms include strategies, goals, policies, steering committees, oversight authorities, processes, procedures, roles, job descriptions, plans, schedules, contracts, proposals, authorisations, standards and scorecards, with a view to delivering value and minimising risk.
Governance of Information
Board: Oversee the business requirement for information.
CIO/CTO: Ensure that information conforms to the business requirements in order for it to satisfy business objectives.
IT Management: To satisfy business objectives, information needs to conform to the business requirements that:
- Information is relevant and pertinent to the business process, and is delivered in a timely, correct, consistent and usable manner
- Information is provided through the optimal (most productive and economical) use of resources
- Sensitive information is protected from unauthorised disclosure
- Information is accurate and complete, and its validity is in accordance with business values and expectations
- Information is available when required by the business process now and in the future as a result of deploying the necessary resources and associated capabilities
- Information provided complies with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
- Information provided is appropriate for management to operate the entity and exercise its fiduciary and governance responsibilities.
Accountability Framework (Decision Rights)
Board: Ensure that decision-making occurs as a part of a process with clearly defined roles and accountabilities.
When assigning decision-making authority:
- start by articulating the decision that needs to be made, then determine the steps that must be carried out to reach a decision
- identify who must provide input, and what activities are required to obtain such input, and how
- determine who will decide, ensuring that the decision makers are equipped with the information to make a fact-based decision
More granular assignment of responsibilities and decision rights is achieved through the preparation of detailed process workflow charts.
IT Internal Controls Framework
Board: Ensure that an IT control framework is adopted and implemented, and that the board receives independent assurance of its effectiveness.
CIO/CTO: Exercise control over the adoption and implementation of an IT control framework.
IT Management: An IT controls framework is to be adopted or established comprising Accounting controls (“General” controls, “Application” controls and “User” controls) and Administrative controls.
- General controls are found in the infrastructure, technology and system software.
- Application controls are specific to business processes.
- User controls are the manual checks performed by staff.
- Administrative controls represent the wider concerns of management, particularly with regard to efficiency and effectiveness of administration, and increased profitability.
The Role and Responsibilities of Chief Information Officers
Board: Appoint a suitably qualified and experienced individual as the chief information officer (CIO) or chief technical officer (CTO).
CIO/CTO: The CIO/CTO is to:
- Interact regularly on matters of IT governance with the board, or appropriate board committee, or both
- Understand the accountability and responsibility of IT
- Take responsibility for the implementation and monitoring of IT governance
- Seek leadership from the board, obtain direction and an understanding of the ethics and values that will influence and guide practices and behaviour within IT to achieve sustainable performance
- Implement an Accountability framework to assign decision-making rights
- Implement a suitable organisational structure and define terms of reference
- Be a bridge between IT and the business
- Ensure transparency through regular reporting to the board
- Enable IT to add value to the business and mitigate risks
- Incorporate IT into the business processes in a secure, sustainable manner
- Encourage the desirable use of IT by requiring
- Create an awareness of the maturity levels of governance
- Build management skills and competencies to govern and promote a common language
- Incorporate IT governance in corporate governance
- Implement processes to ensure that reporting to the board is complete, timely, relevant, accurate and accessible
- Obtain assurance on the effectiveness of the IT control framework
- Sustain and enhance the strategic objectives
- Implement a strategic IT planning process that is integrated with the business strategy development process
- Enable the improvement of the company’s performance and sustainability
- Integrate IT plans with the business plans
- Define, maintain and validate the IT value proposition
- Align IT operations with business operations
- Align IT activities with environmental sustainability objectives
- Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives
- Include relevant representation from the business in oversight structures
- Have regard for the legislative requirements that apply to IT
- Understand business requirements and long-term strategy
- Have a strategic approach and facilitate the integration of IT into business strategic thinking
- Translate business requirements into efficient and effective IT solutions
- Exercise care and skill over the design, development, implementation and maintenance of sustainable IT solutions
- Support the business and governance requirements in a timely and accurate manner through the acquisition of people, process and technology
- Optimise resource usage, leverage knowledge
- Ensure that the business value proposition is proportional to the level of investment
- Deliver the expected return from IT investments
- Measure and manage the amount spent on and the value received from technology
- Protect information and intellectual property
- Conduct post-implementation reviews to learn from each implementation
- Promote sharing and re-use of IT assets
- Ensure all parties in the chain from supply to disposal of IT services and goods apply good governance principles
- Monitor and enforce good governance across all suppliers
- Obtain independent assurance that outsourced service providers have applied the principles of IT governance
- Obtain independent assurance of the effectiveness of the IT controls framework implemented by service providers
- Obtain independent assurance that the basic elements of appropriate project management principles are applied to all IT projects
- Regularly demonstrate to the board that the company has adequate business resilience arrangements in the event of a disaster affecting IT
- Implement a risk management process based on the board’s risk appetite
- Design, implement and monitor the IT risk management plan
- Maintain an IT risk register, including IT legal risks
- Comply with applicable laws and regulations
- Perform continual risk assessments
- Select and use an appropriate framework for managing risk (Group BRM Risk Management Framework)
- Consider and implement appropriate risk responses
- Minimise risks
- Manage information assets effectively
- Ensure the integrity and availability of information and information systems in a timely manner
- Implement information records management and ensure information assets are identified, classified, retained, stored, archived, protected and made available when required for business and legal purposes
- Establish a business continuity programme for the company’s information and successful execution of the business’ activities
- Identify all personal information processed by the company and treat this as an important business asset, including being processed in accordance with applicable laws
- Implement an information security strategy
- Implement an information security management system in accordance with an appropriate information security framework (Group BRM Information Security Framework)
- Provide the Audit and Risk Committees with relevant information about IT risks and the controls in place
- Measure, manage and communicate IT performance
- Report to the IT Steering Committee on IT performance
- Consider using IT to aid the company’s risk management, compliance and audit efforts.
IT Management:
- Implement an IT Governance framework to deliver value and manage risk
- Implement IT processes and governance mechanisms
- Implement IT frameworks, policies, procedures and standards
- Develop and implement an IT governance charter and policies managers to provide timely information, comply with the direction given and to conform to the principles of good governance
- Adopt and implement an IT control framework
- Implement an ethical IT governance and management culture
- Implement an IT controls framework
STRATEGIC ALIGNMENT: The Board should ensure that IT is aligned with business objectives, including economic, social and environmental sustainability.
Alignment With Objectives
Board: Ensure that business goals are cascaded to IT goals, process goals and activity goals.
CIO/CTO: Take responsibility for and cascade Group objectives, IT goals, process goals and activity goals to IT management.
IT Management: Ensure that Group objectives, IT goals, process goals and activity goals are understood and achievable. Deliver on the above goals. Align IT activities with the performance and sustainability objectives of the company.
Strategic objectives are attained through the effective and efficient management of IT resources. This assists management to understand “what is the outcome expected”, “what does success look like” and “who will recognise this success”.
Integration of Strategic IT Planning With the Organisational Strategic and Business Objectives
Board: Ensure that IT achieves, sustains and extends the company’s strategic objectives.
CIO/CTO: Exercise control ensuring that IT achieves, sustains and extends the strategic objectives.
IT Management: Implement a strategic IT planning process that is integrated with the business strategy development process, and ensure that:
- IT plans are integrated with the business plans
- IT operations are aligned with business operations
- The IT function, roles and reporting lines are structured to reflect the integration of IT with the business operations
- IT contributes towards the company’s objectives in an effective and efficient manner
- The IT contribution towards the attainment of the company’s objectives is monitored and measured
- The IT value proposition has been defined, maintained and validated
- The effect of IT on the environment is considered
- There is a process in place to identify and exploit opportunities where IT can create value and assist the company to gain competitive advantage
- The IT steering committee contains both business and IT representation
- A business-oriented CIO is appointed
- The CIO has an understanding of the business strategy
- The CIO has access to the board and executive management
- IT investment and expenditure supports the business objectives
- The role of IT in achieving strategic business objectives is clear
- IT spend is measured and managed to deliver value to the business
- IT assurance is addressed as an integral part of the normal assurance activities
- IT risk is addressed as an integral part of the normal risk management activities
- IT compliance with legal requirements is addressed as an integral part of the normal compliance activities
- IT risks are understood and managed from a business strategic perspective
Direction From the Top
Board: Translate its leadership into clear statements of direction that management of the organisation can follow.
An example would be the policy defined by the CIO for board approval as to the nature, extent and accountability for implementing information security.
Define, Maintain and Validate the IT Value Proposition
Board: Ensure that the value proposition of IT is determined by clarifying the role of IT in achieving business strategies. Oversee the definition, maintenance and validation of the IT value proposition.
CIO/CTO: Within value chain analysis, there are two generic strategies an organisation can pursue to achieve a competitive advantage by:
- Creating a low-cost competitive advantage by reducing the cost of an individual value chain activity or reconfiguring the value chain.
- Creating a value-added competitive advantage by increasing the value of an individual chain activity or reconfiguring the value chain.
IT Management: Add business value by enabling the organisation to differentiate its value chain from each of its competitors’ value chains. IT activities are to be prioritised in areas where there is greater contribution of value.
Aligning IT Operations With Business Operations
Board: Ensure that IT activity goals are aligned with IT process goals, which in turn are aligned to IT organisational goals and business goals.
Business goals cascaded down to the activity level within IT provide substance to the requirement of aligning IT with strategic goals.
Sustainability
Board: Ensure sustainable capability to perform as expected.
CIO/CTO: Nurturing, protecting, capturing, retaining and developing human capital is a vital ingredient in the sustainable economic performance of any enterprise.
IT Management: Sustainability is about maintaining the capability to perform as expected. Without investment, capability within IT is certain to diminish over time and dependency on external solution providers would grow. Without the necessary skills the company will not be able to exploit business opportunities that may come its way in the future.
Performance and Sustainability Improvements
Board: Monitor and evaluate the extent to which IT actually sustains and enhances the organisation’s strategic objectives.
CIO/CTO: Implement improvements related to IT performance and sustainability.
IT Management: Implement a robust process to identify and exploit, where appropriate, opportunities to improve performance and sustainability of the company in line with triple bottom line objectives. Process orientation, with an element of self-analysis, provides for continuous improvement, often described as the Deming cycle of “Plan-Do-Check-Act”.
Concern For the Environment
Board: Establish an environmental policy. Ensure that green IT initiatives are aligned with the overall strategy and corporate social responsibility programme by aligning IT activities with environmental sustainability.
CIO/CTO: Align IT activities with environmental sustainability. Implement Green IT principles based on the environmental policy established by the board. These principles provide decision makers with predefined preferences when alternative options are available.
IT Management: Aligning IT activities with environmental sustainability objectives requires management to consider the environmental aspects and significant impacts of IT and IT activities, including:
- Energy saving
- Switch and data centre facilities design
- Switch and data centre heat recycling
- Advanced cooling technologies
- Processor design and server efficiency
- Energy management for the office environment
- Integrated energy management for the software environment
- Combined heat and power
- Use of modelling and monitoring software
Risk Assessment Using a Generally Recognised Methodology
Board: Ensure that a process-orientated model like CobiT forms the basis of the IT control framework, as this provides management with a framework that assists with understanding the scope of risk assessment and helps avoid gaps when conducting the risk assessments.
CIO/CTO: Adopt a process-orientated model that provides management with a framework that assists in their understanding of the scope of risk assessment and helps to avoid gaps when conducting the risk assessments.
IT Management: Implement the IT control framework.
Risk Assessment Outputs
Board: Ensure that risk assessments are performed on an ongoing basis, with the outputs of risk assessments provided to the board and management with a realistic perspective of the material risks facing the organisation.
CIO/CTO: Direct and control risk assessments and reporting thereof.
IT Management: Perform risk assessments and report on the assessment, focusing on significant risks and the effectiveness of internal control in managing those risks.
Risk Register
Board: Monitor and evaluate the register of risks, including a profile of aggregated risks, correlated risks and risk concentrations, with a balanced assessment of the significant risks and the effectiveness of internal control in managing those risks.
CIO/CTO: Communicate openly with the board on matters relating to risks and controls.
IT Management: Report any significant control failings or weaknesses identified in a report, including the effect that they have had, or may have had, on the organisation, and the actions being taken to rectify them.
Reputational, Sustainability and Ethics Risk Assessment
Board: Monitor and evaluate reputational, sustainability and ethics risks.
CIO/CTO: Direct and control risk assessments and reporting thereof.
IT Management: Address the broader issues of organisational reputation, sustainability and ethics when assessing risk.
Alignment of IT with Business Objectives and Sustainability
Board:
- Implement IT governance, splitting responsibility between the board and management
- Specify the decision rights and accountability framework to encourage the desirable culture in the use of IT
- Take an active role in IT strategy and governance
- Stay informed and able to exercise the necessary oversight during times of major investment in IT
- Take full accountability and be responsible for the decisions made where technology is promising a major transformation of the organisational business processes
CIO/CTO: Exploit available business opportunities by exploiting information technology in innovative ways based on the board’s risk appetite and the direction provided.
IT Management: Map IT objectives with business and sustainability objectives and address any gaps.
Business Continuity
Board: Monitor and evaluate business resilience arrangements in the event of a disaster affecting IT.
CIO/CTO: Demonstrate that there are adequate business resilience arrangements in the event of a disaster affecting IT.
IT Management: Implement adequate business resilience arrangements in the event of a disaster affecting IT.
Information Management
Board: Delegate responsibility for information management.
CIO/CTO: Demonstrate that information management efforts are adequate.
IT Management: Ensure the integrity and availability of information and information systems in a timely manner. Retain records. Comply with security and privacy requirements.
Data Privacy
Board: Monitor and evaluate processes for managing personal information and relevant compliance with the applicable laws.
CIO/CTO: Ensure that resources are deployed to manage personal information and to ensure compliance with the applicable laws.
IT Management: Implement the processes for managing personal information to ensure compliance with the applicable laws.
Information Security Management
Board: Delegate responsibility for Information Security.
CIO/CTO: Resources must be deployed to develop, implement and manage an appropriate Information Security Management strategy and system.
IT Management: Implement the information security management strategy and required systems.
The Use of Technology to Aid the Management of Risk and Compliance
Board: Obtain assurance that technology is being used to aid business risk management functions.
CIO/CTO: Consideration must be given to the suitability, economy and effectiveness of using technology at various stages of the processes to manage risk and compliance.
IT Management: Implement suitable technology to manage risk and compliance (e.g. policies, standards, etc.).
FINANCIAL/RESOURCE MANAGEMENT: Optimising Knowledge, IT Infrastructure and Relationships.
Resource Management
Board: Ensure that the economic, social and environmental resources are treated responsibly and that their performance is reported on in an “integrated report”. Direct management to focus on ensuring the optimal use of available resources, including knowledge, infrastructure and partnerships. Consider any outsourced IT services, as this remains the responsibility of the Board and external assurance regarding the governance must be considered.
CIO/CTO: CIO/CTO responsibilities include:
- monitoring and evaluating the extent to which IT actually sustains and enhances the strategic objectives
- monitoring and evaluating the acquisition and use of IT resources to ensure that they support business requirements
- monitoring and evaluating the acquisition and appropriate use of technology, process and people
- overseeing IT investment to ensure that IT expenditure is in proportion to the delivery of business value
- ensuring good governance principles apply to all parties that provide IT resources. This includes suppliers of hardware, software, skills and IT services
- remaining accountable for ensuring that effective IT governance is in place where a resource has been “outsourced”. The following outsourcing issues are important:
  - Governance of outsourced services
  - Compliance in an outsourced environment
  - Capability to outsource
  - Capability of service providers to provide contracted services
  - Considerable additional risks from outsourcing – compliance, staff turnover, control of costs
  - Nature of third-party contracts (outsourced services or lease agreements for equipment and the hiring of staff)
  - Adequacy of service level agreements
  - Pricing and charging practices
  - What capability is required at termination of the outsourcing contract?
The audit committee must include these assurance tasks within the normal assurance activities.
IT Management: Leverage knowledge and skill, capture the lessons learnt and build capability.
PERFORMANCE MEASUREMENT: Proper IT governance assists the board to ensure that IT use contributes positively to the performance of the organisation.
IT Governance and Performance Management
Board: Consider performance management, which underpins IT governance by proving the value proposition and measuring the performance of IT. Request reviews by independent experts to ensure that appropriate project management principles are applied.
CIO/CTO: The CIO/CTO must consider the following in terms of performance measurement:
- Outcomes expected by stakeholders - key goal indicators
- Measurement of the enablers used to achieve these outcomes
- Management’s control of IT activities critical to the success of the enablers.
IT goals and measures must flow directly from strategic goals. IT goals and measures in support of individual operational customers must meet IT department or business unit objectives. In turn, IT function or business unit objectives must map directly to both programme and organisation-wide strategic directions and goals. IT goals and measures must be tracked in a seamless fashion back to the business objectives and group goals.
IT Management: Report to the Board about IT:
- achieving its objectives
- being resilient and agile to adapt to changing strategic needs
- judiciously managing risks
- recognising and acting on business opportunities.
IT managers and staff must develop performance management systems that optimise operational customer results from an organisational perspective.
Approach to Performance Measurement
Board: Measure not only the outcomes of the governance activities but also the relevance and effectiveness of the applied governance framework, processes and measurements.
CIO/CTO: Institutionalise a managed process by doing the following:
- Assigning responsibility and authority for performing the process
- Adhering to organisational policies
- Following established plans and process descriptions
- Providing adequate resources (including funding, people, methods and tools)
- Training the people performing and supporting the process
- Placing designated work products under appropriate levels of configuration management
- Identifying and involving relevant stakeholders
- Monitoring and controlling the performance of the process against the plans for performing the process and taking corrective actions
- Objectively evaluating the process, its work products, and its services for adherence to the process descriptions, objectives and standards, and addressing non-compliance
- Reviewing the activities, status, and results of the process with higher-level management and taking corrective action.
IT Management: Implement a performance management system for monitoring and tracking the outcomes of the governance activities and the effectiveness of the applied governance framework and processes.
RISK & AUDIT COMMITTEES: Risk and Audit Committees should assist the board in carrying out its IT responsibilities.
Risk Committee
Board: Fully understand the overall exposure to IT risks from a strategic and business perspective. Obtain assurance that all significant risks are managed in an appropriate manner.
CIO/CTO: Establish measures such as the ones documented here, and monitor and evaluate these measures in order to provide assurance on the effectiveness of the risk management efforts to the risk committee.
IT Management: Fully commit to the goal of implementing, supporting and maintaining an effective risk committee.
Audit Committee
Board:
- Oversee the reporting and assurance functions on behalf of the board and serve as a link between the board and these functions
- Monitor the integrity and completeness of the organisation’s financial reporting and compliance with other regulatory requirements
- Review aspects of risk and sustainability issues where it is mandated to do so by the board
- Obtain appropriate assurance that controls are adequate to address the risks in areas that are not appropriately governed (e.g. outsourcing and ERP implementations) that expose the organisation to higher levels of risk.
CIO/CTO: As information technology often provides the system of internal controls, the CIO and IT management are therefore required to conduct suitable tests and report back to the audit committee. This enables the audit committee to perform its responsibilities to oversee the integrity of the financial information. (External auditor attestation on internal financial controls is not a requirement.)
IT Management: Fully commit to the goal of supporting and maintaining an effective audit committee. At least annually conduct a formal documented review of the design, implementation and effectiveness of the system of internal financial controls by conducting suitable testing, and report back to the chiefs and audit committee.
Managing Information: The Board is to Ensure Information Assets are Managed Effectively

Information Management
Board: Ensure information assets are managed effectively.
CIO/CTO: Direct and control the effective management of information assets.
IT Management: Manage information assets effectively, ensuring the integrity and availability of information and information systems in a timely manner. Manage information throughout the life cycle by implementing suitable processes. Identify, classify, retain, store, archive, protect and make available when required for business and legal purposes any information records providing evidence of business activity, which are important information assets.

Information Privacy
Board: Ensure privacy of information where required.
CIO/CTO: Direct and control the appropriate identification and treatment of all personal information considered a business asset, and ensure compliance with applicable laws.
IT Management: Identify and treat all personal information processed as an important business asset, including processing it in accordance with applicable laws.

Information Security
Board: Ensure that an information security management system is implemented according to an applicable information security framework. Oversee the development of the information security strategy and delegate its implementation to IT management.
CIO/CTO: Direct and control the strategy for, and the establishment and implementation of, the information security management framework and systems.
IT Management: Implement the information security strategy and an information security management system in accordance with an appropriate information security framework.
Compliance: Proper IT Governance Assists Directors in Assuring Conformance with Obligations (Regulatory, Legislation, Common Law, Contractual) concerning the Acceptable Use of IT

Compliance with Obligations
Board: Establish a review process to ensure compliance with laws, regulations and contractual requirements. Ensure that all relevant IT laws are adhered to by ensuring that an effective compliance framework and processes are implemented. Consider any standards, guidelines or practices that would be relevant to the IT organisation.
CIO/CTO: Direct and control the process to identify and comply with laws, regulations and contractual requirements. Identify compliance requirements, optimise and evaluate the response, obtain assurance that the requirements have been complied with and, finally, integrate IT's compliance reporting with the rest of the business.
IT Management: Identify the IT laws, regulations and contractual requirements that the organisation must comply with. Implement systems to address the compliance requirements. Optimise and evaluate the compliance requirements and report on any non-compliance.

A Single, Holistic Approach to Compliance
Board: Ensure that all compliance efforts are integrated across the organisation.
CIO/CTO: Direct and control the process to integrate all compliance initiatives related to IT across the organisation.
IT Management: Find a practical way to deal with compliance, considering the ever-increasing number of regulators, regulations, legislation and contractual obligations. Adopt a process-orientated approach, starting with a single, generally accepted baseline of controls to which additional regulatory and statutory controls are then added to achieve compliance with external regulators and internal requirements. Consider how IT can be used to assist with managing its own and the business's compliance obligations.

Compliance should be made Sustainable
Board: Ensure that all compliance efforts are sustainable.
CIO/CTO: Direct and control the process to maintain and sustain all compliance initiatives related to IT.
IT Management: Sustainability comes through controls being: enabled through documented processes; supported by the capability of people; made effective through automation; regularly monitored.