1.4-2 Governance Frameworks Flashcards

1
Q

COBIT Overview

A

1996: Control Objectives for Information and Related Technologies (COBIT)
- A set of components that help organizations increase regulatory compliance and control over IT, integrate global IT standards, and reduce business risk
- Developed by the Information Systems Audit and Control Association (ISACA)
- Helps organizations implement IT governance
- A control framework: it organizes and categorizes internal controls
- IT focused

2
Q

(3) Requirements for successful IT governance implementation:

A
  1. Commitment of senior management
  2. Project management skills
  3. Change management skills
3
Q

COBIT (5) Framework Foundation for IT Governance

A
  1. Framework that organizes IT governance practices by process and links them to actual business needs
  2. Process descriptions: a mapping of business process descriptions and templates
  3. Control objectives that support security and control over each process
  4. Management guidelines focused on objectives, performance measures, and integration with other areas of governance
  5. Maturity models that support process benchmarking, continuous improvement, and optimization of the cost of IT services and technology
4
Q

COSO Overview

A

1992: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Gives executive management a way to assess and strengthen internal controls and thereby improve risk management
- Supported by 5 sponsoring organizations
- Originally focused on the internal controls needed for reliable financial reporting
- Not specifically concerned with IT governance
- Supports (and is referenced by) other frameworks, including COBIT

5
Q

COSO (5) Framework for Internal Control Systems

A
  1. Control environment: the standards, processes, and structures (tone at the top, integrity, how employees are managed and developed) that form the basis for internal control
  2. Control activities: the actions, set out in policies and procedures, that ensure management directives are carried out
  3. Information and communication: the information and communication policies needed to support governance and compliance, internally and externally
  4. Risk assessment: identification and analysis of risks from internal and external sources
  5. Monitoring activities: ongoing and separate evaluations of the control system to identify deficiencies and improvements
6
Q

ISO 38500

A

2008: ISO/IEC 38500, published by the International Organization for Standardization (ISO)
- ISO publishes internationally accepted standards that codify best practice in areas such as quality management and IT
- ISO/IEC 38500 is the corporate governance of IT standard: the efficient, effective, and acceptable use of an organization's information technology
- Top-down assessment of the IT governance structure
- Complements COBIT by bringing a senior-executive (board/director) perspective
- An executive committee is usually formed during implementation of the standard
- Provides a standard structure for the (6) principles of good IT governance

7
Q

(6) Principles of Good IT Governance

A
  1. Responsibility:
    people understand and accept their responsibilities
  2. Strategy:
    planning accounts for the current and future capabilities of IT
  3. Acquisition:
    IT acquisitions are made for valid reasons
  4. Performance:
    demand and capability, and service quality, can meet current and future requirements
  5. Conformance:
    IT complies with all mandatory legislation and regulations
  6. Human Behaviour:
    IT policies, practices, and decisions show respect for human behaviour
8
Q

ISO 38500 Directors should govern IT through (3) tasks

A
  1. Evaluate the current and future use of IT, considering external and internal pressures
  2. Direct the preparation and implementation of plans and policies, ensuring IT meets business objectives
    Plans = direction for IT project investment
    Policies = establish acceptable use
  3. Monitor conformance to the policies and performance against the plans