Thursday, June 6, 2019
IT Governance Essay Example for Free
IT Governance Essay

An organizational view consisting of the business governance of IT, ensuring that IT supports and enables the business strategy, and the operational governance of IT, ensuring that the IT function itself runs efficiently and effectively (http://www.takinggovernanceforward.org).

Executive Summary

Successful enterprises recognize the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and the critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance. Control Objectives for Information and related Technology (COBIT) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place.
The COBIT control framework contributes to these needs by:
* Making a link to the business requirements
* Organizing IT activities into a generally accepted process model
* Identifying the major IT resources to be leveraged
* Defining the management control objectives to be considered

An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT's definition of:
* Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute's Capability Maturity Model (CMM)
* Goals and metrics of the IT processes to define and measure their outcome and performance, based on the principles of Robert Kaplan and David Norton's balanced business scorecard
* Activity goals for getting these processes under control, based on COBIT's control objectives

The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modeling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level. Thus, COBIT supports IT governance by providing a framework to ensure that:
* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately

Figure 1: Adopted for this study

Governance Focus Areas
* Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
* Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
* Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
* Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
* Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

COBIT Framework

A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish.

Why?

Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage.
In particular, top management needs to know if information is being managed by the enterprise so that it is:
* Likely to achieve its objectives
* Resilient enough to learn and adapt
* Judiciously managing the risks it faces
* Appropriately recognizing opportunities and acting upon them

Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:
* Aligning IT strategy with the business strategy
* Assuring investors and shareholders that a standard of due care around mitigating IT risks is being met by the organization
* Cascading IT strategy and goals down into the enterprise
* Obtaining value from IT investments
* Providing organizational structures that facilitate the implementation of strategy and goals
* Creating constructive relationships and effective communication between the business and IT, and with external partners
* Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:
* Make a link to the business requirements
* Make performance against these requirements transparent
* Organize its activities into a generally accepted process model
* Identify the major resources to be leveraged
* Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for forming IT governance and complying with continually increasing regulatory requirements.
IT good practices have become significant due to a number of factors:
* Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
* Concern over the generally increasing level of IT expenditure
* The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
* The selection of service providers and the management of service outsourcing and acquisition
* Increasingly complex IT-related risks, such as network security
* IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
* The need to optimize costs by following, where possible, standardized, rather than specially developed, approaches
* The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), the ISO 27000 series of information security-related standards, ISO 9001:2000 Quality Management Systems Requirements, Capability Maturity Model Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
* The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

Who?

A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:
* Stakeholders within the enterprise who have an interest in generating value from IT investments:
  * Those who make investment decisions
  * Those who decide about requirements
  * Those who use IT services
* Internal and external stakeholders who provide IT services:
  * Those who manage the IT organization and processes
  * Those who develop capabilities
  * Those who operate the services
* Internal and external stakeholders who have a control/risk responsibility:
  * Those with security, privacy and/or risk responsibilities
  * Those performing compliance functions
  * Those requiring or providing assurance services

What?

To meet the requirements listed in the previous section, a framework for IT governance and control should:
* Provide a business focus to enable alignment between business and IT objectives
* Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
* Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies
* Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
* Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors

IT Resources

The IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. The IT resources identified in COBIT can be defined as follows:
* Applications are the automated user systems and manual procedures that process the information.
* Information is the data, in all their forms, input, processed and output by the information systems, in whatever form is used by the business.
* Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
* People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
Processes

To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. The four interrelated domains of COBIT are:
* Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS)
* Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
* Deliver and Support (DS): Receives the solutions and makes them usable for end users
* Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed

Plan and Organize (PO)

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
* Are IT and the business strategy aligned?
* Is the enterprise achieving optimum use of its resources?
* Does everyone in the organization understand the IT objectives?
* Are IT risks understood and being managed?
* Is the quality of IT systems appropriate for business needs?

Acquire and Implement (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
* Are new projects likely to deliver solutions that meet business needs?
* Are new projects likely to be delivered on time and within budget?
* Will the new systems work properly when implemented?
* Will changes be made without upsetting current business operations?

Deliver and Support (DS)

This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
* Are IT services being delivered in line with business priorities?
* Are IT costs optimized?
* Is the workforce able to use the IT systems productively and safely?
* Are adequate confidentiality, integrity and availability in place for information security?

Monitor and Evaluate (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
* Is IT's performance measured to detect problems before it is too late?
* Does management ensure that internal controls are effective and efficient?
* Can IT performance be linked back to business goals?
* Are adequate confidentiality, integrity and availability controls in place for information security?

Processes Need Controls

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
They:
* Are statements of managerial actions to increase value or reduce risk
* Consist of policies, procedures, practices and organizational structures
* Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Enterprise management needs to make choices relative to these control objectives by:
* Selecting those that are applicable
* Deciding upon those that will be implemented
* Choosing how to implement them (frequency, span, automation, etc.)
* Accepting the risk of not implementing those that may apply

The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number. They should be considered together with the process control objectives to have a complete view of control requirements.

PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

PC2 Process Ownership
Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and communicate clear roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process end deliverables.

PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

PC6 Process Performance Improvement
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurements to targets and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.
Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency because there will be fewer errors and a more consistent management approach.

In addition, COBIT provides examples for each process that are illustrative, but not prescriptive or exhaustive, of:
* Generic inputs and outputs
* Activities and guidance on roles and responsibilities in a Responsible, Accountable, Consulted and Informed (RACI) chart
* Key activity goals (the most important things to do)
* Metrics

Business and IT Controls

The enterprise's system of internal controls impacts IT at three levels:
* At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
* At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorization for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.
* To support the business processes, IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardize (accidentally or deliberately) the reliability of automated integrity checks.

Summary

Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives. Control over the process of providing IT governance satisfies the business requirement for IT of integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts, by focusing on preparing board reports on IT strategy, performance and risks, and responding to governance requirements in line with board directions.

Achieved by:
* Establishing an IT governance framework integrated into corporate governance
* Obtaining independent assurance over the IT governance status
Measured by:
* Frequency of board reporting on IT to stakeholders (including maturity)
* Frequency of reporting from IT to the board (including maturity)
* Frequency of independent reviews of IT compliance

References
* COBIT 4.1, http://www.itgi.org
* IT Governance, Harvard University, March 31, 2008
* Governance Objective and Governance Views of IT (Mapping), http://www.takinggovernanceforward.org