Chapter 2 - Governance Flashcards
Politics
is effectively defined as having a different agenda and often includes using deceit, lies, or willful omission.
Govern
means to direct and to control the actions or conduct of others by using published rules and controls set by an authority. Executive officers are in charge of governance.
Strategy
is defined as “an adaptation of behavior or structure with an elaborate and systematic plan of action.”
Corporate governance
is often defined as “ethical behavior of corporate executives toward shareholders, stakeholders, and protection of organizational assets to maximize the return of a financial investment.”
Records management system (RMS)
will provide governance details of specific handling instructions, including pre-agreed-upon authorization to immediately interrupt running systems when data classified as high value is potentially exposed.
IT steering committee
is used to convey the current business requirements from business executives to the IT executive. The name of the committee is not as important as the function that it performs, and a committee may perform more than one function. What’s important is that the job of steering operations to business requirements is occurring.
The three layers of IT scoring are:
Mission
Strategy
Metrics
Types of policies
Advisory policy
Regulatory policy
Informational policy
Advisory policy
An advisory policy explains the condition to be prevented by the policy and provides notice as to the consequences of failure. The interested party may be an employee. The subject could be acceptable use of the Internet.
Regulatory policy
The term regulatory indicates that this policy is mandated by some type of law. All organizations under the jurisdiction of the regulation are expected to comply. Failure to comply will result in criminal liability.
Informational policy
Informational policies inform the public of the organization’s operating policies. Examples include the customer privacy policy, the customer refund policy, and the customer exchange policy.
Portfolio management
A collection of assets of value (aka investments) is known as a portfolio. Examples include real estate property, treasury bonds, corporate stock ownership, gold bullion, and intellectual property such as title to patent rights.
Program management
refers to ongoing activities necessary to support continuous operation. The program is usually managed by an executive vice president (EVP) who will be responsible for sustaining its operation.
Project management
Projects are temporary endeavors that might operate outside of the normal organizational structure.
Project Management Office (PMO)
The primary role of the PMO is to provide centralized visibility of how resources are presently being consumed so the senior executives can start, stop, or restart projects as they see fit.
The four different suppliers in a project include:
Supplier of technical knowledge
Supplier of engineering (designs and prototypes)
Supplier of products
Supplier of personnel
Initiating
This process starts the project or a new phase of the project. It’s all about the sponsor defining the objective, putting up the money, and authorizing the project to begin.
Planning
This process group represents almost half of the PM processes. Planning is where the project scope, goals, and objectives are detailed. The focus of planning is to estimate, organize, and sequence all activities.
Executing
The largest portion of resources is used during executing activities. This group of activities comprises the major work to create project deliverables.
Closing
As each work package (activity) is completed, it’s time to pay vendors and put the files in an archive to close out that individual item in the project.
Performance review
refers to the identification of a target to be monitored, tracked, and assigned to a responsible party, and to the resolution of any open issues.
The Capability Maturity Model (CMM)
is a method for evaluating and measuring the maturity of governance processes in organizations. A rating scale from 0 to 5 is used. A score of zero indicates that nothing is occurring. Level 1 maturity indicates that the initial activity was successful and may later progress up to level 5, when the activity is statistically controlled for continuous improvement.
Performance reporting
serves to inform executives and stakeholders as to the progress of current activities.
COSO
sets the controls for monetary and banking systems.
Transborder communication
Data security is the number-one concern when planning for communication crossing the border.
Intellectual property
refers to data and knowledge that is not commonly known. This information possesses a commercial value. The IS auditor should understand how the organization is attempting to protect its intellectual property.
Data integrity
is to ensure that data is accurate and safely stored.
IT governance
requires continuity planning for systems and data. Auditors need to be aware of multiple continuity objectives besides disaster recovery.
A short definition of IT governance is to effectively lead and monitor performance of the information technology investment. IT governance exists at three levels: strategic, tactical, and operational management.
Self-insurance
means the organization is accepting the risk with full liability for any consequences. If a loss occurs, the organization will pay everything out of its own pocket.
Business Process Reengineering (BPR)
is used to improve process performance by removing, combining, or replacing steps that are no longer important.
Benchmarking
is the process of comparing performance data (aka metrics). It can be used to evaluate business processes that are under consideration for reengineering.
Business impact analysis (BIA)
is a discovery process. Its purpose is to uncover the inner workings of any production-related process.