IT Governance Flashcards
Fact: an IT governance framework outlines how leadership accomplishes the delivery of mission-critical business capabilities using IT strategies, goals, and objectives; IT governance is the duty of the board of directors and executive management, who create applicable policies and procedures as well as determine the proper organizational structures to deploy to sustain those critical capabilities
in general, a strong IT governance model will have practices and policies with the following components:
availability - systems, data, security
architecture - job roles, apps, hardware
metadata - data dictionaries, repository lists, system maps
policy - written procedures, best practices, recovery plans
quality - data integrity, system continuity, maintenance
compliance - PII/PHI/financial data, US regulations, global privacy laws
security - user authorization, physical access, system validation
What is COSO?
it was created by the Treadway Commission; it has two categories with principles that pertain specifically to internal control over information technology: control activities and information and communication
What is COBIT?
it was created by the ISACA; it provides a road map that organizations can use to implement best practices for IT governance and management (it recognizes these as two unique disciplines that exist for different reasons and require different sets of organizational resources); governance and management each have their own objectives
What is ITIL?
it was created by the British government and evolved into a joint venture between the government and the private firm Axelos; it delivers IT services across the following 4 domains: organizations and people, information and technology, partners and suppliers, value streams and processes
Fact: IT governance practices that are aligned with an organization’s strategic goals and objectives will empower IT resources so that the company effectively achieves those targeted results; the goals and objectives of an organization are manifested in its overall vision and strategy
a company’s vision represents its aspirations and goals, and its strategy is what helps the company reach those goals
a corporate strategy is the way in which an organization achieves the goals and objectives established by its vision; the strategy shapes an organization’s operations and business model
IT architecture design can have a significant effect on how a company executes its corporate strategy; as such, aligning IT strategy with corporate strategy objectives will optimize an organization’s efforts in achieving those objectives; the following IT factors may impact a company’s corporate strategy: available IT personnel, virtual/physical network design, cybersecurity, centralized/decentralized network design, and disaster recovery and business continuity
support functions also play a key role in determining an organization’s IT strategy because they enable administrative functions in a business
Fact: to execute and maintain effective IT governance practices over time, an organization requires recurring input and participation from top leadership, middle managers, IT staff, end users, and external stakeholders
the board of directors oversees and appoints executive positions (like the CEO); although the ultimate responsibility for setting governance policies may be attributed to the board, the daily planning and administration of these policies are the responsibility of management; the board must evaluate IT governance policies to ensure they meet the strategic and operational needs of an organization
executives make key strategic decisions and are responsible for ensuring an IT governance structure is in place and executed effectively; executives must also set a clear “tone at the top” so that others will follow their lead
What are project development teams?
they are formed for new IT projects and typically include members of management, IT systems personnel, accountants, and system users; this team is responsible for project planning and tracking, IT infrastructure design, change management, and monitoring project performance
What are steering committees?
they are responsible for the oversight of the information systems function; this committee consists of high-level management and experts, which may include executives such as the CIO, the controller, IT department heads, and others in a position of authority to make change
due to the authority level of its members, the steering committee has a more holistic view of the enterprise than the project development team; this enables the committee to address concerns that may go across business units and departments while also facilitating the coordination and integration of information systems activities to increase goal congruence and reduce goal conflict
Fact: the first step in assessing risk is to identify what IT resources and assets exist so that the organization can determine the base resources it needs to sustain minimum operations
these identified resources should then be categorized by the impact of loss and then by the likelihood of that loss occurring
impact: high (cannot operate without the resource), moderate (could partially function temporarily), low (could operate for an extended period of time)
likelihood: high, medium, low
responses can then be classified using the following risk actions: immediate action, delayed action, and no action
Fact: once management has a list of categorized resources, risks, and actions, it can work to address the areas that are most likely to harm the organization
typically, management would review all high-impact resources that have high or medium risk actions and evaluate the mitigation strategy using the following steps:
identify mitigation recommendations, evaluate mitigation recommendations, perform a cost-benefit analysis, and choose/plan/implement a response (accept the risk, transfer the risk, mitigate the risk)