IT Governance

IT governance is about organizational leadership and decision making that leads to better alignment of IT and business goals. It aims to ensure IT delivers business value responsibly while managing risks appropriately. Effective IT governance involves defining roles and responsibilities through committees that focus on strategy, implementation, and value delivery.

Uploaded by hank moody

What is IT Governance?

• It’s about organizational leadership
• Decision making that leads to better alignment of IT and the business
• IT delivering more business value
• IT resources are used responsibly
• IT risks are managed appropriately
• Governance relates to processes and decisions that seek to define actions, grant power and verify performance.
Corporate governance
 Corporate governance is the system by which companies are directed and controlled.
 Corporate governance applies to how the overall business system is run and monitored.
 It is overall governance.
Corporate Governance
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders

IT Governance: Ensure the alignment of IT with enterprise objectives
 Responsibility of the board of directors and executive management
 Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
Audit role in IT Governance
 Audit provides leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiative implemented.
 Scope of work of functional areas.
 Reporting line to be used.
 Access to information both within the organization and from third-party service providers.
Information security governance
 Within IT governance, information security governance should become a focused activity with specific value drivers.
CIA
 Confidentiality: Preventing unauthorized disclosure
 Integrity: Preventing unauthorized modification
 Availability: Preventing denial of service
 The basic outcomes of effective security governance should include strategic alignment and risk management. These outcomes are enabled through the development of:
 Performance measurement: (SMART)
 Resource management: Utilize information security knowledge and infrastructure efficiently and effectively.
 Process integration: This focuses on the integration of an organization's management assurance processes for security.
Roles and Responsibilities of Senior Management
 Board of Directors: Involved in approving policy, ensuring appropriate monitoring, and reviewing metrics, reports and trend analysis.
 Senior Management: Implementing effective security governance and defining the strategic security objectives.
IT Governance Committees

IT Strategic Committee
 Focuses on direction and strategy
 Advises the board on IT strategy and alignment
 Optimization of IT costs and risk
 Members: board members and specialists

IT Steering Committee
 Focuses on implementation
 Monitors current projects
 Decides IT spending
 Members: business executives (IT users), CIO, key advisors (IT, legal, audit, finance)
IT Strategy Committee
Main Concerns
 Alignment of IT with Business
 Contribution of IT to the Business
 Exposure & containment of IT Risk
 Optimization of IT costs
 Achievement of strategic IT objectives
IT Steering Committee
Main Concerns
 Decides whether IT is centralized vs. decentralized, and the assignment of responsibility
 Makes recommendations for strategic plans
 Approves IT architecture
 Reviews and approves IT plans, budgets, priorities and milestones
 Monitors major project plans and delivery performance
Strategic Planning Process
Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
Tactical: 1-year plan that moves the organization toward the strategic goal
Operational: Detailed or technical plans
Policies and procedures
 Policies are high-level documents that represent the corporate philosophy of an organization.
 Procedures are detailed steps defined and documented for implementing policies.
Policy Statements
Most corporate policies must be translated into concrete statements.

Major elements:
• Information classification
• System criticality
• Operational context
Information security policy document
 A definition of information security, its overall objectives and scope.
 A statement of management intent, supporting the goals and principles of information security in line with business objectives.
 A framework for setting controls.
 A brief explanation of the security policies, principles, standards and compliance requirements.
 A definition of general and specific responsibilities for information security management, including reporting information security incidents.
Acceptable use policy
 Inappropriate use of IT resources by users exposes an enterprise to risk, including virus attacks, compromise of network systems and security incidents.
 An Internet usage policy prescribes the code of conduct that governs the behavior of users while connected to the network/Internet.
Framework: IT Control Objectives

[Figure: business processes define the information you need; IT resources deliver the information you get; the question is whether they match.]

Information criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT resources:
• People
• Application systems
• Technology
• Facilities
• Data
IT Governance, as Defined by the IT Governance Institute (ITGI)

IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives
(www.itgi.org)

[Chart, labelled "Resource management": 2005: 64% doing something about it, 36% not doing something about it; 2003: 58% doing something about it, 42% not doing something about it.]
IT Governance Domains
Strategic alignment: Focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations
Value delivery: IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people
Risk management: Senior management's appetite for risk, compliance requirements, transparency about the significant risks to the organisation
Performance measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting
IT Governance Stakeholders

Board and executive: Set direction for IT, monitor results and insist on corrective measures
Business management: Defines business requirements for IT and ensures that value is delivered and risks are managed
IT management: Delivers and improves IT services as required by the business
IT audit: Provides independent assurance to demonstrate that IT delivers what is needed
Risk and compliance: Measures compliance with policies and focuses on alerts to new risks
The Need for IT Governance

[Diagram: drivers surrounding IT governance: security, keeping IT running, aligning IT with business, managing complexity, value/cost, regulatory compliance.]
• Millions of dollars of IT spending
• Decentralized IT computing and business operations
• Increasing numbers of severe security breaches
• IT's ability to scale and sustain operations
• Various IT delivery models
• Regulatory compliance
Stakeholders need to know that:

• IT strategy is aligned with business strategy and is effectively communicated
• The organization is structured to facilitate the implementation of its strategy and goals
• Risks and opportunities are effectively managed
• Performance against objectives is transparent
CoBIT and IT Governance
Control Objectives for Information and related Technology (CoBIT) is an international standard for directing and controlling an enterprise’s information technology. CoBIT sets the standards for measuring IT governance process maturity.

[Figure: Basic CoBIT principle: business requirements drive the IT processes, which use IT resources; process maturity is assessed per domain.]
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Benefits of CoBIT

1. CoBIT offers an IT governance auditing framework
2. Internationally recognized standard for best management practices and processes
3. IT risks and IT controls are easily communicated to IT and non-IT professionals
IT Governance Audit Objectives
Effectiveness: Information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency: Provision of information through the optimal (most productive and economical) use of resources
Confidentiality: The protection of sensitive information from unauthorised disclosure
Integrity: Relates to the accuracy and completeness of information
Availability: Information being available when required by the business process now and in the future; it also concerns the safeguarding of necessary resources and associated capabilities
Compliance: Complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
Reliability: The provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
(Source: ©2007 IT Governance Institute)
CoBIT Four IT Process Domains

[Figure: business requirements drive the four IT process domains, which draw on IT resources.]
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Plan and Organize (PO)
► Objectives:
 Planning, communicating and managing the realization of the strategic vision
 Implementing organizational and technological infrastructure
► Scope:
 Is the enterprise achieving optimum use of its resources?
 Does everyone in the organization understand the IT objectives?
 Is the quality of IT systems appropriate for business needs?

Plan and Organize processes:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement (AI)
► Objectives:
 Identifying, developing or acquiring, implementing, and integrating IT solutions
 Changes in and maintenance of existing systems
► Scope:
 Are new projects likely to deliver solutions that meet business needs?
 Are new projects likely to be delivered on time and within budget?
 Will the new systems work properly when implemented?

Acquire and Implement processes:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support (DS)
► Objectives:
 The management of security, continuity, data and operational facilities
 Service support for users
► Scope:
 Are IT services being delivered in line with business priorities?
 Is the workforce able to use IT systems productively and safely?
 Are adequate confidentiality, integrity and availability in place?

Deliver and Support processes:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate (ME)
► Objectives:
 Performance management
 Monitoring of internal control
► Scope:
 Is IT’s performance measured to detect problems before it is too late?
 Does management ensure that internal controls are effective and efficient?
 Can IT performance be linked to business goals?
 Are risk, control, compliance and performance measured and reported?

Monitor and Evaluate processes:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
