2.4 IT Balanced Score Card (Doshi) Flashcards
What is the balanced Scorecard?
A management tool that is used to measure the performance and effectiveness of an organization.
Key performance indicators of the IT balanced scorecard are:
(1) Financial,
(2) Customer,
(3) Internal process,
(4) Innovation and
(5) Learning
Key performance indicators of the Balanced scorecard are:
(1) Financial,
(2) Customer satisfaction,
(3) Internal process,
(4) Ability to innovate and learning
Standard IT Balanced Scorecard:
can be used to specifically measure IT organization performance and results.
Key perspectives of the Standard IT Balanced ScoreCard:
Establish, monitor and evaluate IT performance in terms of:
(1) business contribution
(2) future orientation
(3) operational excellence
(4) user orientation
In any given scenario, three indicators of IT balanced scorecard:
(1) customer satisfaction
(2) internal processes and
(3) ability to innovate.
Why should the balanced scorecard be used?
Because it is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment.
Success of IT Scorecard depends on:
Involvement of senior management in IT strategy planning.
Primary objective of IT balanced scorecard:
To optimize the performance
What needs to be defined before implementing IT balanced scorecard?
Key performance indicators (KPI)
Though financial performance is an indicator of the generic balanced scorecard, it is not part of the IT balanced scorecard.
In any given scenario, use of the IT balanced scorecard is the most effective means to aid the IT strategy committee and management in achieving IT governance through proper IT and business alignment.
In any given scenario, success of the IT scorecard depends upon involvement of senior management in IT strategy planning.
In any given scenario, the primary objective of the IT balanced scorecard is to optimize performance.
In any given scenario, key performance indicators (KPIs) need to be defined before implementing the IT balanced scorecard.
Standard IT Balanced Scorecard
- A process management evaluation technique that can be applied to the IT governance process in assessing IT functions and processes
- Method goes beyond the traditional financial evaluation
- One of the most effective means to aid the IT strategy committee and management in achieving IT and business alignment
Outcomes of security governance
- Strategic alignment: align with business strategy
- Risk management: manage and execute appropriate measures to mitigate risks
- Value delivery: optimize security investments
- Performance measurement: measure, monitor and report on information security processes
- Resource management: utilize information security knowledge and infrastructure efficiently and effectively
- Process integration: integration of management assurance processes for security
Information security governance requires strategic direction and impetus from:
- Boards of directors / senior management
- Senior management
- Steering committees
- Chief information security officers
Enterprise Architecture
- Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
- Often involves both a current state and optimized future state representation
Enterprise Architecture
The Basic Zachman Framework
The Federal Enterprise Architecture (FEA) hierarchy:
- Performance
- Business
- Service component
- Technical
- Data
From an IS standpoint, strategic planning relates to the long-term direction an organization wants to take in leveraging information technology for improving its business processes.
Effective IT strategic planning involves a consideration of the organization’s demand for IT and its IT supply capacity.
The IS auditor should
- Pay attention to the importance of IT strategic planning
- Focus on the importance of a strategic planning process or planning framework
- Consider how the CIO or senior IT management are involved in the creation of the overall business strategy
Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department
B. Analysis of future business objectives ?
Which of the following BEST describes an IT department’s strategic planning process?
A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time- and project-oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.
?
Steering Committee
- An organization’s senior management should appoint a planning or steering committee to oversee the IS function and its activities
- A high-level steering committee for information technology is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives
Maturity and Process Improvement Models
- IDEAL model
- Capability Maturity Model Integration (CMMI)
- Team Software Process (TSP)
- Personal Software Process (PSP)
Policies and Procedures reflect management guidance and direction in developing controls over:
- Information systems
- Related resources
- IS department processes
Policies
- High level documents
- Must be clear and concise
- Set tone for organization as a whole (top down)
- Lower-level policies: defined by individual divisions and departments
Information Security Policy
- Defines information security, overall objectives and scope
- Is a statement of management intent
- Is a framework for setting control objectives including risk management
- Defines responsibilities for information security management
Acceptable Use Policy
Procedures are detailed documents that:
- Define and document implementation of policies
- Must be derived from the parent policy
- Must implement the spirit (intent) of the policy statement
- Must be written in a clear and concise manner
Risk Management is
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives.
4 Processes in Risk Management
- Avoid
- Mitigate
- Transfer
- Accept
To develop a risk management PROGRAM:
(1) Establish the purpose of the risk management program
(2) Assign responsibility for the risk management plan
Risk Management Process
(1) Identification and classification of information resources or assets that need protection
(2) Assess threats and vulnerabilities and the likelihood of their occurrence
(3) Once the elements of risk have been established, they are combined to form an overall view of risk
(4) Evaluate existing controls or design new controls to reduce the vulnerabilities to an acceptable level of risk
(5) Residual risk
IT risk management needs to operate at multiple levels including:
- The operational level
- The project level
- The strategic level
Risk Analysis Methods
(1) Qualitative
(2) Semiquantitative
(3) Quantitative
    – Probability and expectancy
    – Annual loss expectancy method
Risk analysis methods: management and IS auditors should keep in mind the following considerations:
- Risk management should be applied to IT functions throughout the company
- Senior management responsibility
- Quantitative RM is preferred over qualitative approaches
- Quantitative RM always faces the challenge of estimating risks
- Quantitative RM provides more objective assumptions
- The real complexity or the apparent sophistication of the methods or packages used should not be a substitute for common sense or professional diligence
- Special care should be given to very high impact events, even if the probability of occurrence over time is very low
Human Resource Management
- Hiring
- Employee handbook
- Promotion policies
- Training
- Scheduling and time reporting
- Employee performance evaluations
- Required vacations
- Termination policies