IT Controls and Governance Guide

The document provides an overview of IT governance, controls, and best practices. It discusses increased regulatory pressures, risks, and challenges faced by businesses. It defines IT governance as aligning technology with business goals while managing risks. It also outlines key aspects of effective IT governance like having an IT strategic vision, policies and procedures, control and risk management, and ensuring IT supports business strategies. Finally, it discusses developing an IT risk management framework with governance, processes and controls, training, and tools.

Uploaded by Green Tayengwa

IT CONTROLS AND GOVERNANCE GUIDE

TABLE OF CONTENTS

03 Outside View of Increased Regulatory Requirements
04 Pressures on Business Today
05 Risks and Challenges
06 IT Governance Definition
07 IT Governance
08 IT Risk Management
10 Elements of IT Governance
11 IT Governance Capability Maturity Model (CMM)
12 IT Governance vs. Compliance
14 Common Governance Implementation Strategy
15 How to Get Started
16 Best Practices for Managing Risk and Achieving Value
21 Key Success Drivers
22 Business Drivers for IT Best Practices Adoption

2
OUTSIDE VIEW OF INCREASED REGULATORY REQUIREMENTS

• Regulatory compliance is often seen as “sand in the gears,” or requirements that increase cost, introduce friction into the business processes, and have little or no payback.
• Introduction of multiple standards and an increasingly complex regulatory environment has disrupted IT governance focus on improving process efficiencies.
• Limited awareness of unified mapping of new standards and requirements has resulted in the duplication of efforts.
• Shifts in technology use, such as the use of cloud computing, have introduced new risks to businesses and introduced uncertainty on how to mitigate these risks while continuing to meet new requirements.

3
PRESSURES ON BUSINESS TODAY

Pressures acting on the modern enterprise (diagram labels recovered from the slide):
• Increased Uncertainty
• Board and Executive Accountability
• Liability
• Multiple Diverse Risks
• Spiraling Compliance Costs
• Speed
• Variability
• Globalization

4
RISKS AND CHALLENGES

Three questions that must be addressed to achieve effective IT governance:
• What decisions must be made to ensure effective management and use of IT?
• Who should make these decisions?
• Who provides organizational structures that facilitate the implementation of strategies and goals?

Among the enterprise's challenges and concerns are:
• Aligning IT strategies with the business strategies
• Cascading strategies and goals down into the enterprise
• Providing organizational structures that facilitate the implementation of strategies and goals
• Insisting that an IT control framework be adopted and implemented
• Measuring IT's performance

5
IT GOVERNANCE DEFINITION

• IT governance is the management environment used to align, control and assure the delivery of technology to the business.
• IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities.
• IT governance also encompasses the management of the risks associated with the use of technology, the delivery risk of providing an application environment and the control of technology-based resources.
• The approach to IT governance should be customized to each client’s requirements. An example approach is described on the following pages.

Diagram (labels recovered from the slide):
• IT Governance Environment: Corporate Structure and Culture; IT Strategic Vision; Policies and Procedures; Chief Information Officer
• IT Governance Perspective: Strategy and Organization; Audit and Compliance; Control and Risk Monitoring; Security; Value and Performance
• IT Management: IT Systems; IT Experts; IT Management Tasks; IT Components; IT Resources; IT Operations

6
IT GOVERNANCE (1/2)

Reacting quickly, and with confidence, to change can determine success or failure. A leading view is that failure of the CIO to take control not only impacts the performance of IT but can have catastrophic implications on the wider business. As organizations continue to look for a competitive edge, it is imperative to seek answers to the following questions:

Services
• What services/systems do I now have responsibility for?
• What business processes do they support?
• What are the significant issues I have inherited?

Issues
• Does anything need to be fixed urgently?
• Are these issues pervasive in nature or confined to an individual business unit or service?
• Are issues addressed by tactical solutions or strategic programs of work?

People
• How many people do I now have?
• Who are the key individuals that the business depends on?
• Are roles, responsibilities and reporting lines clearly defined and understood?

Architecture and Standards
• What degree of standardization exists across the new organization in terms of infrastructure, enterprise architecture, processes and functional activity?

7
IT GOVERNANCE (2/2)

Legislation
• What regulatory requirements am I now governed by?
• Is the organization in compliance with these regulations?

Shared Services
• What service centers do we operate?
• Which systems, services or business units do they support?
• Is there scope for more efficiency to be gained from shared services?

Portfolio Management
• What IT-enabled projects are currently underway?
• In view of changing business priorities and challenges, should any of these projects now be rationalized, rescoped or cancelled?

8
IT RISK MANAGEMENT: GOVERNANCE FRAMEWORK

The governance framework is a diagrammatic overview of the four key areas of risk and control management that can be applied within an information technology group, namely governance, process and control, training and communication, and the toolkit. The framework is intended to be used by an organization’s risk and control community to explain how risk and control are being managed within the IT group and how they enable a fully informed risk and control position to be produced. The data structure allows for the mining of the data and flexible stakeholder reporting.

Framework diagram (labels recovered from the slide):
• Stakeholders: Boards and Committees; Operational Risk; Business Units; Internal Audit Committee
• IT Risk and Control Governance: Policy and Governance; Risk and Control Management
• Risk and Control Process and Control: Risk and Control Universe; Assessment; Management Assurance and Reporting; Risk Indicators and Risk Events; Risk Attestations; Control Issues and Actions; Continuous Control Improvement
• Training and Communication: Capability and Communication
• Risk and Control Toolkit: Policies and Standards; Risk and Control Process Library; People and Organization; Frameworks and Models; Reports; Solutions and Data

9
FIVE ELEMENTS OF IT GOVERNANCE

IT governance practices and goals cover five elements: strategic alignment, risk management, performance management, resource management and value delivery.

Strategic Alignment
• Link business and IT plans.
• Define IT value proposition.
• Align IT operations with business operations.

Risk Management
• Be aware of IT risk and understand risk appetite.
• Be transparent.
• Identify accountability and risk management processes.

Performance Management
• Measure strategy implementation.
• Measure value delivery.
• Drive behaviors and improve them.

Resource Management
• Optimize investment in resources.
• Discipline resources management.
• Align capabilities.

Value Delivery
• Deliver benefits against strategies.
• Execute the IT value proposition.
• Improve intrinsic value of IT.

10
IT GOVERNANCE MATURITY MATRIX

Maturity levels run from Optimized (realization of the value proposition) down to Initial/Ad hoc (risk of failure). Each level is described for the five elements: Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Management.

Optimized (Realization of Value Proposition)
• Strategic Alignment: IT is integral to business-achieving strategic objectives. IT presents solutions to the business in a proactive manner.
• Value Delivery: IT is viewed as a strategic partner of the business. Solutions are presented to the business; then are delivered on time/budget/scope.
• Risk Management: Risk management is a continuous process coordinated by the board and management. Organization risk tolerance is well-known.
• Resource Management: Resources are deployed strategically considering internal and external models using defined evaluation criteria based on strategic objectives.
• Performance Management: A balanced scorecard is utilized to monitor IT effectiveness. The scorecard is presented to the board and other key executives.

Managed
• Strategic Alignment: The board of executive management evaluates business strategies to ensure alignment on a regular basis. Long-term, tactical IT plans map to business strategies.
• Value Delivery: IT is cost-effective in delivering high-quality services that meet the needs of the enterprise. Communication is frequent and structured. IT proactively seeks to enhance business value.
• Risk Management: Annual IT risk assessments are completed according to accepted methodologies. Preventive controls and monitoring mechanisms help to ensure that key risks are mitigated.
• Resource Management: IT projects, purchasing processes, IT asset management processes and resource management processes are integrated and measured for effectiveness.
• Performance Management: IT fully understands the operational levers that drive the business and these levers are measured, monitored, summarized and reported regularly to stakeholders.

Defined
• Strategic Alignment: A formal process to evaluate and prioritize potential IT projects is defined. Established criteria are consistently applied to facilitate cross-functional committee decisions.
• Value Delivery: IT is viewed as an enabler of business processes and activities are in place that confirm that business requirements are being met and budget goals are achieved.
• Risk Management: Risks are known, prioritized and reevaluated on a regular basis. Mitigation activities are defined for each risk and some monitoring structures are in operation.
• Resource Management: Skill set inventories are maintained and gaps are identified. Processes that integrate projects and maintenance activities are defined and deliver IT assets and resources when needed.
• Performance Management: Service levels with the business are defined and tracked. A process to monitor compliance with service-level agreements (SLAs) is defined and results are communicated.

Repeatable
• Strategic Alignment: IT maintains existing systems but is viewed primarily as an order taker. Project decisions involve business personnel and require a business case format.
• Value Delivery: Business views IT as a utility. Consistent communication exists between the groups, but IT generally is contacted when there are issues.
• Risk Management: Risks have been identified and some mitigation activities are in place. IT knows how to respond when an incident occurs, but procedures are informal.
• Resource Management: An organizationwide chart exists and is maintained. A list of applications and infrastructure assets can be generated but may not be updated regularly.
• Performance Management: Some measurements are taken regularly and communicated consistently. Gaps exist between what is measured and what matters to the business.

Initial/Ad hoc (Risk of Failure)
• Strategic Alignment: IT projects and services may or may not align with business needs or objectives. Project decisions are made unilaterally or without established criteria.
• Value Delivery: Communication between IT and the business is irregular or ineffective. Projects are often delayed, do not deliver expected scope or are over budget.
• Risk Management: IT is unaware of the risks that are present across the company landscape. Risk assessment activities occur occasionally or in response to an incident.
• Resource Management: Reporting lines and skill sets are known by management but are not inventoried or organized. IT asset management practices are informal.
• Performance Management: Some measurements are taken in a few areas of IT. They may be communicated by some means but are not used to source issues or proactively assess them.

11
IT GOVERNANCE: VALUE AND RISK DRIVERS

Value Drivers

Strategic Alignment
• IT is more responsive to the enterprise’s objectives.
• IT resources help to facilitate the business goals in an efficient and effective manner.
• IT capabilities enable opportunities for the business strategy.
• IT investments allocation and management are efficient.

Risk Management
• Risks are identified before they are materialized.
• Awareness of risk exposures is increased.
• Accountability and responsibility for managing critical risks are clear.
• Approaches for managing IT risks are effective.
• IT risk profiles are aligned with management’s expectations.

Performance Measurement
• Process performance is increased.
• Areas of improvement are identified.
• Processes are overseen effectively and transparently.
• Timely and effective management reporting is enabled.

Resource Management
• IT resources are effectively and efficiently utilized.
• IT costs are optimized.
• The likelihood of benefit realization is increased.
• IT planning is supported and optimized.
• Readiness for future change exists.

Value Delivery
• Solutions and services delivery is cost-efficient.
• IT resources are frequently used.
• Business needs are supported efficiently.
• Increasing support for the use of IT by enterprise stakeholders exists.
• Increased value contribution of IT to business objectives occurs.

Risk Drivers

Strategic Alignment
• IT investments are allocated and managed ineffectively.
• IT fails to support the enterprise’s objectives.
• Strategic IT planning is not aligned with the overall corporate strategy.
• IT directions are not defined and do not support business goals.

Risk Management
• Risks are not identified or are managed ineffectively.
• Increased expenses and costs to manage unanticipated risks occur.
• Critical IT applications and services failure occurs.
• IT risk ownership is lacking.

Performance Measurement
• Performance gaps are not identified.
• Stakeholder confidence is decreased.
• Service deviations are not recognized and addressed.
• Service performance failures cause legal and regulatory compliance exposures.

Resource Management
• Infrastructures are fragmented and inefficient.
• Capabilities, skills and resources to achieve desired goals are insufficient.
• Strategic objectives are not achieved.
• Inappropriate priorities are used for resources allocation.

Value Delivery
• IT investments are misdirected.
• Value from IT assets and services is not obtained.
• Customer satisfaction is decreased.
• Costs for IT investments/operations are increased.
• Expected benefits are not realized.

12
IT GOVERNANCE INDICATORS: PROBLEM VS. SUCCESS

Problem Indicators
• IT is not on the boardroom agenda.
• IT is not directly represented at board level.
• IT and business strategies are not concurrently prepared and aligned.
• IT is managed by technology rather than by business focus.
• Business system implementations fail or are late.
• The organization is not making the most of technology.
• IT-related metrics are inadequate or nonexistent.

Success Indicators
• IT is on the boardroom agenda.
• IT is directly represented at board level.
• IT and business strategies are concurrently prepared and aligned.
• IT is managed by the business rather than by technology focus.
• Business system implementations are on time and value-added.
• The organization is making the most of technology.
• IT-related value metrics are in place.

13
IT GOVERNANCE VS. COMPLIANCE

Diagram (labels recovered from the slide). IT governance (“Do it Right”) sits above three pillars, all feeding Reporting and Metrics:

IT Governance – “Do it Right”
• Productivity; Strategy; Value-Defining; Policy; Standards

IT Processes – “Do it Better”
• Val IT; ITIL; ISO; Best Practices
• Performance; Value-Added
• Process Control Objectives

Risk Management – “Do it to Protect”
• CobiT; Operation Risk Management; IT Security; IT Risk Management
• Mitigation; Value-Preserving
• Controls Practices (Statements)

Compliance – “Do it or Else”
• SOX; Banking Regulations; National Regulations; Other Regulations
• Check and Balance; Transparency
• Regulation

Reporting and Metrics

14
COMMON GOVERNANCE IMPLEMENTATION STRATEGY

Service areas (labels recovered from the slide):

Security Program
• Security Policy and Program
• Security Strategy and Architecture
• Security Implementation and Deployment
• Security Metrics
• Incident Response
• Awareness and Training Program
Key themes: Policy; Standards; Alignment; Metrics; Awareness; Training

ID Management
• Access Management Policy and Standards
• IDAM Design and Implementation
• Identity Credential Selection Services
• Identity Federation Strategy and Implementation
Key themes: Policy; Implementation (SSO and RBAC); Federation; Trusted Credentials; Open Identities

Strength
• Servers
• Network
• Application
• Database
Vulnerability services: Infrastructure Vulnerability; Application Vulnerability; Network Vulnerability; Database Vulnerability

Data Centric
• Discovery
• Classification
• Data Leakage
• Encryption
• Privacy
• Compliance (PCI and HITRUST)
• Vendor Management
Data services: Data Classification; Data Leakage Services; Encryption and Storage Strategy and Implementation; Privacy Management and Implementation; PCI Planning, Readiness and Compliance; HITRUST Planning, Readiness and Compliance; Other Data Compliance; Vendor Due Diligence; Other Data Security and Privacy Management

15
HOW TO GET STARTED

The road map for activating an effective IT governance framework begins with establishing clear
goals and objectives in order to align effort with the real needs of the enterprise, manage
expectations and ensure continual focus.

Typical Objectives of the Initial Implementation Phase Can Be:

• Define the meaning of governance in your organization and where/if IT governance fits.
• Identify any organizational/environmental/cultural constraints and enablers.
• Achieve a broad understanding of IT governance issues and benefits across all stakeholders.
• Agree, publish and gain acceptance of an initial IT governance framework, tools and processes.
• Complete an initial gap analysis against best practices to demonstrate where IT governance is already in place and
to highlight areas of focus for the road map.
• Create a project initiation document (PID) and/or terms of reference (ToR) that has the support of stakeholders.
• Identify and sign off on key performance indicators and critical success factors.
• Document estimated timescales, resource implications and expected ROI.
• Align the ITG initiative with business objectives/strategies.

After setting the goals and gaining support, activation consists of two steps: planning, based on analysis of the
current environment, followed by implementation itself.

Source(s): IT Governance: Developing a successful governance strategy – National Computing Centre

16
HOW TO GET STARTED: PLANNING
Below are recommended implementation planning activities:

• Identify champions.
− Stakeholders (including partners), input providers and IT strategy committee (council) members
• Establish an IT strategy committee (council).
• Identify IT “hot spots” in the organization, and where governance could enable hotspot resolution:
− Strategy
− Delivery
− IT cost
− Architecture
− Where current approaches have not worked or caused serious failures
• Identify skill set and capabilities needed from people involved.
• Identify existing good practices (pseudo governance) or successes that could be built upon/shared.
• Identify cost/benefit arguments – why do we need to do anything?
• Identify inconsistencies in processes/practices.
• Identify opportunities for the rest of business to get involved in IT.
• Explore opportunities to adopt an industry best-practice model or standards framework.
• Utilize external influences.
• Create a measurement approach for an area or activity in order to expose actual evidence of problems.
• Do some gap analysis against industry best practices.

Source(s): IT Governance: Developing a successful governance strategy – National Computing Centre

17
HOW TO GET STARTED: IMPLEMENTATION

Below are recommended activities for starting the implementation road map:

Activities

• Create a sound project structure.
− Define the scope (what is included/excluded) and deliverables.
− Agree on success criteria/quality criteria.
− Set realistic time frames.
− Allocate suitable resources and roles.
− Identify risks and a risk mitigation strategy.
• Gain approval from senior management (the higher, the better).
• Find reference sites or external examples to learn from.
• Build a communication plan to gain buy-in, and break down barriers.
− Who
− What
− How frequent
− Purpose
• Do a pilot activity (demonstrate the business case) to show how it would work and demonstrate potential benefits.
• Follow a phased introduction.
− Focus on critical but easier to address areas.
− Assess projects first.

Source(s): IT Governance: Developing a successful governance strategy – National Computing Centre

18
BEST PRACTICES FOR MANAGING RISK AND ACHIEVING VALUE

Align IT With the Business
• Understand and support business objectives, performance goals and requirements.
• Understand how IT systems and activities support business requirements, processes and priorities.
• Link to key business imperatives – compliance, agility, revenue growth, cost optimization and customer satisfaction (speak the same language).
• Involve business in managing key IT initiatives.
• Track, align and prioritize requests with business.
• Identify awareness, training and use of existing IT capability (e.g., ERP functionality).
• Business owns the “budget”.
• “One size IT” does not fit all.

Innovate
• Identify and implement solutions to support and enable operational and competitive advantages.

Ensure Business Continuity
• Implement policies, procedures, standards, redundancy, monitoring, training, etc.
• Test business continuity and disaster recovery plans.

Risk Assessment
• Assess and address risks to achieving business objectives.
• Inform executive management of IT risks and controls.

19
BEST PRACTICES FOR MANAGING RISK AND ACHIEVING VALUE

Support Compliance
• Integrate IT into compliance processes.
• Leverage IT to optimize compliance.
• Determine segregation of duties.

Measure and Report Performance
• Achieve and improve stated service performance objectives (benchmarks, monitoring, action and improvement).
• Monitor IT projects, processes, assets, resources and activities.

Manage Costs
• Manage financial costs to understand IT services project costs.
• Implement transparent cost allocation.
• Manage IT assets as a discipline and process.

Measure and Communicate Value
• Manage IT projects as business projects with well-defined business cases and ROI.
• Use a disciplined approach to manage portfolios, programs and projects.
• Read post-implementation reviews and feedback from the business.

20
BEST PRACTICES FOR MANAGING RISK AND ACHIEVING VALUE
Establish Sound IT Management Structure


21
IT GOVERNANCE: KEY SUCCESS FACTORS

Involve and sponsor senior management.

Manage communication and change.

Focus on execution and results.

Achieve targets and expectations.

Focus on business priorities and risks.

Implement evolution and continuous improvement.

22
BUSINESS DRIVERS FOR IT BEST PRACTICES ADOPTION

01 Business demanding better returns from IT investment
02 Concern over increasing level of IT expenditure
03 The need to meet regulatory requirements for IT controls
04 Increasingly complex IT-related risks, such as network security
05 IT governance initiatives that include adoption of control frameworks and best practices to help monitor and improve critical IT activities
06 The need to optimize costs by following, where possible, standardized approaches
07 The growing maturity and acceptance of well-regarded frameworks

Source(s): IT Governance: Developing a successful governance strategy – National Computing Centre

23
