IT Governance Course: Definition of IT Governance, Still Unclear?
The field of IT governance is defined differently in the numerous articles and books written on the topic; there is no consensus. Some of the prevalent definitions of IT governance are stated below:
- IT governance is the organizational capacity exercised by the board, executive management and IT management to control the formulation and implementation of IT strategy and in this way ensure the fusion of business and IT.
- IT governance is specifying the decision rights and accountability frameworks to encourage desirable behavior in the use of IT.
- IT governance is the selection and use of relationships such as strategic alliances or joint ventures to obtain key IT competencies. This is analogous to business governance, which involves make-vs.-buy choices in business strategy. Such choices cover a complex array of interfirm relationships, such as strategic alliances, joint ventures, marketing exchange and technology licensing.
- IT governance is the strategic alignment of IT with the business such that maximum business value is achieved through the development and maintenance of effective IT control and accountability, performance management and risk management.
- According to the IT Governance Institute (ITGI), IT governance is the responsibility of the Board of Directors and Executive Management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
- According to Weill and Ross from MIT CISR, IT governance is the decision rights and accountability framework for encouraging desirable behaviors in the use of IT. IT governance reflects broader corporate governance principles while focusing on the management and use of IT to achieve corporate performance goals. Because IT outcomes are often hard to measure, firms must assign responsibility for desired outcomes and assess how well they achieve them. IT governance should not be considered in isolation, because IT is linked to other key enterprise assets (i.e. financial, human, intellectual property, physical and relationships). Thus, IT governance might share mechanisms (such as executive committees and budget processes) with other asset governance processes, thereby coordinating enterprise-wide decision-making processes.
Whereas corporate governance encompasses all organizational assets and processes, IT governance focuses especially on the IT organization. IT managers are answerable to the board for risks and audit findings associated with their organization. However, as an integrated component of corporate governance, IT management cannot ignore the bigger picture. It must consider not only IT goals and responsibilities, but technology’s integrated role in corporate processes.
With this big picture in mind, IT governance and strategy encompass the core definitions, structures, and processes that shape all IT efforts and systems. Auditable functions of IT governance include:
- Definition of what the IT organization is and does, including values and goals
- IT risk definition and management
- Definition of roles and responsibilities, including leadership structures
- Strategic planning, monitoring, and continual improvement
- Oversight of standards, policies, and procedures
- Oversight of technical foundations, such as IT infrastructure, architectures, a semantic baseline or glossary, and data management
- Asset management, including staff, systems, media, networks, and content
- Resource planning
- Investment management
Every IT practice, program, and procedure is guided by these functions. Information security, business continuity, records management, and all other strategic initiatives live and die by their effectiveness.
In general, governance principles, whether in IT or business, are somewhat canonical. However, corporate governance guidance issued by international organizations can provide a foundation for IT governance principles. Over the past five years, governance research groups and standards bodies have increasingly updated their guidance with deference to IT, and IT-specific frameworks and guidance have been developed both independently and as a complement to existing corporate governance documents.
- “The Principles of Corporate Governance,” issued by the Organisation for Economic Co-operation and Development (OECD). Although designed for public-company oversight, the principles can be broadly applied to non-public companies and internal organizations. In December 2006, the OECD also issued an audit guide, “Methodology for Assessing the Implementation of the OECD Principles on Corporate Governance,” an assessment framework with governance principles.
- The UK Financial Reporting Council’s “Internal Control: Revised Guidance for Directors on the Combined Code,” conventionally called the Turnbull Guidance, offers a more specific approach to maintaining and reviewing a system of internal control.
- “Enterprise Risk Management—Integrated Framework,” commonly called “COSO” after its publisher, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is similar in outlook and focus to the Turnbull Guidance, but includes a more robust and explicit internal control framework. COSO is recognized by the US SEC and PCAOB as an approved control framework for SOX.
- “Organizational Governance: Guidance for Internal Auditors,” a position paper from the Institute of Internal Auditors (IIA), ties corporate governance principles to audit goals and roles. Much of the content can be used as a model for IT governance and auditing.
CobiT, published by the Information Systems Audit and Control Association (ISACA), is widely considered the leading framework for IT controls. CobiT 4.0 covers 34 high-level objectives, comprising 215 control objectives in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. ISACA also publishes correlative audit guidelines, management guidelines, and an implementation toolset.
CobiT is perhaps the most widely used IT control framework, since it spans the gamut of IT; offers mappings to other governance standards; and is supported by many published materials, education, and a vast user community.
Adoption of CobiT as a primary best-practices standard is also facilitated by several mapping documents that can help IT managers align their processes, governance, and regulatory response. ISACA’s supporting document IT Control Objectives for Sarbanes-Oxley, 2nd Edition contains a general map of CobiT processes to PCAOB Auditing Standard No. 2. In May 2006, ISACA issued CobiT Mapping, Overview of International IT Guidance, 2nd Edition, which provides a general comparison of COSO and CobiT frameworks.
In January 2007 ISACA also published a map of CobiT and the IT Infrastructure Library (ITIL) from the UK Office of Government Commerce. By aligning the two UK documents, it is possible to map COSO to ITIL at a high level, and thereby compile a framework that aligns enterprise risk management principles with IT controls and, finally, with fairly narrowly defined IT services. Links to each of these documents are included in the appendix of this paper.
Note:
Since the passage of SOX, Turnbull and COSO have emerged as the major pillars of compliance and risk management. From an IT perspective, COSO is more accessible than Turnbull, since it is more widely documented and has been approximately mapped to an IT control framework, Control Objectives for Information and related Technology (CobiT), published by the Information Systems Audit and Control Association (ISACA). Although COSO is officially endorsed for SOX compliance, CobiT has received no official endorsement. While most companies had IT governance processes and some controls in place long before they were required by SOX and other regulations, the adoption of frameworks to organize and round out governance and control efforts is a governance best practice. Frameworks such as CobiT provide a comprehensive overview of control objectives against which to standardize and align IT governance and auditing efforts.