
Governance - IT

The document discusses governance and management of IT. It covers topics like corporate governance, IT governance, IT monitoring practices for boards, focus areas of IT governance including strategic alignment and value delivery, frameworks like COBIT and ISO 27001, the role of auditing in IT governance, and information security governance.

Uploaded by surani
Copyright © Attribution Non-Commercial (BY-NC)

Governance and Management of IT

CORPORATE GOVERNANCE

Corporate governance: The system by which business corporations are directed and controlled. It is a set of responsibilities and practices used by an organization's management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized.

IT GOVERNANCE

IT governance is one of the domains of enterprise governance: how IT is applied within the enterprise. IT is now regarded as an integral part of the enterprise, and CEOs, COOs, CFOs, CIOs and CTOs agree that strategic alignment between IT and enterprise objectives is a critical success factor. The key element of IT governance is the alignment of business and IT, leading to the achievement of business value.

It is concerned with two issues:
- IT delivers value to the business, driven by strategic alignment with the business.
- IT risks are managed, driven by embedding accountability into the enterprise.

INFORMATION TECHNOLOGY MONITORING AND ASSURANCE PRACTICES FOR BOARD AND SENIOR MANAGEMENT
Traditional involvement of board-level executives in IT issues was to defer all key decisions to the company's IT professionals. IT governance implies a system in which all stakeholders, including the board, internal customers and departments such as finance, provide input into the decision-making process. IT governance is the responsibility of the board of directors and executive management. Key IT governance practices are: the IT strategy committee, risk management and the IT balanced scorecard.

FIVE FOCUS AREAS OF IT-GOV


Strategic alignment: Focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
Value delivery: About executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
Risk management: Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, and transparency about the significant risks to the enterprise.
Resource management: About the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.
Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

IT GOVERNANCE FRAMEWORKS

Control Objectives for Information and related Technology (COBIT) was developed by the IT Governance Institute (ITGI) to support IT governance by providing a framework to ensure that IT is aligned with the business, IT enables the business and maximizes benefits, IT resources are used responsibly, and IT risks are managed appropriately. COBIT (version 4.1) provides tools to assess and measure the performance of 34 IT processes within an organization.
ISO/IEC 27001 belongs to the ISO/IEC 27000 series of standards, a set of best practices that provides guidance to organizations implementing and maintaining information security programs; ISO/IEC 27001 itself specifies the requirements for an information security management system (ISMS). It originated in the United Kingdom (UK) as British Standard 7799 (BS 7799), Part 2 of which became ISO/IEC 27001 in 2005, and has become a well-known standard in the industry.

The IT Infrastructure Library (ITIL), developed by the UK Office of Government Commerce (OGC), is a detailed framework with hands-on information on how to achieve successful operational service management of IT. Other frameworks exist as well.

AUDIT ROLE IN IT GOVERNANCE

IT is governed by good or best practices that ensure that the organization's information and related technology: support the enterprise's business objectives (i.e., strategic alignment), deliver value, use resources responsibly, manage risks appropriately and measure performance. Audit plays a significant role in the successful implementation of IT governance within an organization. Audit is well positioned to provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.

The following aspects related to IT governance need to be assessed:
- Alignment of the IS function with the organization's mission, vision, values, objectives and strategies
- Achievement of performance objectives established by the business (e.g., effectiveness and efficiency) by the IS function
- Legal, environmental, information quality, fiduciary, security and privacy requirements
- The control environment of the organization
- The inherent risks within the IS environment
- IT investment/expenditure

IT STRATEGY COMMITTEE

As a committee of the board, it assists the board in overseeing the enterprise's IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making.
This is a mechanism for incorporating IT governance into enterprise governance.


IT STRATEGY COMMITTEE VS. IT STEERING COMMITTEE

IT Strategy Committee
- Advises the board and management on IT strategy
- Is delegated by the board to provide input to the strategy and prepare its approval
- Focuses on current and future strategic IT issues

IT Steering Committee
- Assists the executive in the delivery of the IT strategy
- Oversees day-to-day management of IT service delivery and IT projects
- Focuses on implementation


INFORMATION SECURITY GOVERNANCE

Information security governance is the responsibility of the board of directors and executive management, and must be an integral and transparent part of enterprise governance. Within IT governance, information security governance should become a focused activity with specific value drivers: confidentiality, integrity and availability of information, continuity of services, and protection of information assets.

Until recently, the focus of protection has been on the IT systems that collect, process and store the vast majority of information, rather than on the information itself.

The reach of protection efforts should encompass not only the processes or systems that generate the information but also the continued preservation of the information generated as a result of the controlled processes.

OUTCOMES OF SECURITY GOVERNANCE


- Strategic alignment: Align information security with business strategy to support organizational objectives.
- Risk management: Manage and execute appropriate measures to mitigate risks and reduce potential impacts on information resources to an acceptable level.
- Value delivery: Optimize security investments in support of business objectives.
- Performance measurement: Measure, monitor and report on information security processes to ensure that SMART (Specific, Measurable, Achievable, Relevant and Time-bound) objectives are achieved.
- Resource management: Utilize information security knowledge and infrastructure efficiently and effectively.

Effective Information Security Governance

To achieve effective information security governance, management must establish and maintain a framework to guide the development and management of a comprehensive information security program that supports business objectives.
This framework provides the basis for the development of a cost-effective information security program that supports the organization's business goals.
