IT Governance Flashcards
How leadership accomplishes the delivery of mission-critical business capabilities using IT strategies, goals, and objectives:
IT Governance
7 elements of IT Governance:
Availability, architecture, metadata, policy, quality, regulatory compliance and privacy, and security
What three organizations issue guidance and best practices for establishing effective IT governance?
COSO’s Internal Control – Integrated Framework
ISACA’s Control Objectives for Information and Related Technology (COBIT) framework
Axelos’s Information Technology Infrastructure Library (ITIL) framework
COSO’s Internal Control – Integrated Framework has two categories that pertain specifically to internal control over IT. They are:
Control activities
Information and communication
ISACA’s COBIT framework distinguishes between governance and management objectives. Governance objectives are all in a single domain that is centered on evaluating, directing, and monitoring. How are management objectives grouped?
Into 4 domains that focus on supporting activities, integrating IT solutions into business processes, delivering IT services securely, and monitoring IT task performance against internal targets.
The ITIL framework focuses on delivering IT services across what four domains?
Organizations & people
Information & technology
Partners & suppliers
Value streams & processes
IT governance should support what? And vice versa.
Organizational objectives
Aligning the corporate strategy objectives with this will optimize an organization’s efforts in achieving those objectives.
IT strategy
What IT factors might impact the company’s corporate strategy?
Available IT personnel
Network design - (decentralized or centralized network)
Cybersecurity
Network design - (physical or virtual network)
Disaster recovery & business continuity
Who are the decision makers and drivers of the way IT governance is structured?
The people within an organization
BOD, Executive Management, Middle Management, Accountants, IT staff, External Stakeholders, End users
Performs oversight that IT is supporting the business strategy and operational needs
Board of Directors
Make key strategic decisions and responsible for ensuring IT governance structure is in place and effective. Also set a clear tone at the top.
Executive Management
Responsible for carrying out governance policies and make sure subordinates are doing the same. Ensures IT projects have appropriate resources and support
Middle Management
Below Exec management, but above end users
Responsible for daily planning of IT governance policies and/or carrying out those policies; design and maintain a company’s network; first response when end users have IT problems; and ensure safe and secure use of IT assets.
IT support staff
Much of the data they handle is confidential. They act as stewards of accounting information systems, serve as members of project development teams, and test many IT systems.
Accountants
Everybody else that uses the IT systems. Responsible for following processes that have been established within the IT governance structure.
End users
The two process groups within IT governance execution are:
Project development team
Steering committee
Management, IT system personnel, accountants, and system users form a team responsible for monitoring new IT projects, managing human elements, communicating, managing risk, and escalating issues that cannot be resolved within the team:
Project development teams
Consists of high-level management and executives, experts, IT development heads, and other people in authoritative positions who develop and communicate strategic goals, review budgets and allocate costs, provide ongoing guidance, ensure management participation, and monitor project development progress:
Steering committees
Identifies how quickly essential business units or processes can return to full operation following a disaster. Also identifies the resources required to resume business operations.
Business impact analysis
What are the steps in assessing risk in IT?
Identify IT resources and assets that exist
Evaluate the impact and likelihood of risk
Evaluate outcomes
Implement a response
Determines the criteria for categorizing the list of information resources as high, moderate, or low based on the effect on day-to-day operations. Criteria include characteristics such as how critical the asset is to business operations, the cost of a failure, publicity, and any legal or ethical issues.
Impact
Under this impact:
The company cannot operate without it, recovery costs are high, and the company may fail to meet objectives or maintain its reputation.
High impact
Under this impact:
The company could partially function temporarily, there are some costs of recovery, and the company may fail to meet objectives or maintain its reputation.
Moderate impact
Under this impact:
The company could operate for an extended period of time, or may notice an effect on achieving the organization’s objectives or an effect on its reputation.
Low impact
Under this likelihood:
The risk is highly probable, has occurred recently, can occur frequently, or controls to prevent it are ineffective.
High likelihood
Under this likelihood:
The risk could occur, but controls are in place that may impede the vulnerability.
Medium likelihood
Under this likelihood:
The risk is improbable, or controls are in place to prevent or significantly impede the vulnerability.
Low likelihood