IT Governance Flashcards
A strong IT governance model has practices and policies that address the following components:
- availability
- architecture
- metadata
- policy
- quality
- regulatory compliance and privacy
- security
What is the Information Technology Infrastructure Library (ITIL) framework?
- originally created by the British government; ownership later passed to Axelos, a joint venture between the UK government and the private firm Capita
- a globally recognized IT governance framework that is more focused on the delivery of IT services across the following four dimensions:
1. Organizations and people
2. Information and technology
3. Partners and suppliers
4. Value streams and processes
What is corporate strategy?
- the way in which an org achieves the goals and objectives established by its vision
- shapes an org’s operations and business model, which could be a low-cost leadership strategy, a product differentiation strategy or an ESG strategy
- the chosen corporate strategy must be supported by an appropriate IT strategy and IT governance
What is IT strategy?
- aligning IT strategy with corporate strategy objectives will optimize an org’s efforts in achieving those objectives
- documentation of this strategy and architecture will give mgmt a strong understanding of the company’s capabilities, which will play a key role in defining the activities in which the org should engage
- the following IT considerations may impact a co’s corporate strategy: IT personnel, network design (decentralized vs centralized and physical vs virtual), cybersecurity, and disaster recovery and business continuity
Define the role of people within IT governance
- people are the decision makers and drivers of the way IT governance is structured
- involvement of leaders and members at all levels of the org is necessary for IT governance to be executed effectively
Board of Directors- oversees and appoints executive positions, typically the CEO; evaluates policies
Executive Mgmt- enforces policies, provides infrastructure and sets “tone at the top”
Middle Mgmt- carries out policies
IT Support Staff- executives, network engineers, help desk, cybersecurity experts, function-specific roles
Accountants- stewards, part of project development, testers
End Users- best equipped to understand the day-to-day technology needs for organizational activities
External Stakeholders- Vendors, customers, government, auditors
Describe the project development teams related to governance execution
- typically includes members of mgmt, IT systems personnel, accountants and system users
- this team is responsible for project planning and tracking, IT infrastructure design, change mgmt and monitoring project performance
- monitors the project to ensure timely and cost-effective completion
- manages the human element
- communicates frequently with users and holds regular meetings to consider ideas and discuss progress so there are no surprises at project completion
- manages risk and escalates issues that cannot be resolved within the team
Describe the steering committee related to governance execution
- responsible for the oversight of the info systems function
- consists of high level mgmt and executives (CIO, the controller, IT department heads)
- develops and communicates strategic goals
- reviews the IT budget and allocates IT costs
- provides ongoing guidance and addresses big-picture issues that arise
- ensures mgmt engagement and participation
- monitors the project development team’s progress
- has a more holistic view of the enterprise than the project development team, which enables the committee to address concerns that cross business units and departments; it also facilitates the coordination and integration of info systems activities to increase goal congruence and reduce goal conflict
What is a Business Impact Analysis (BIA)?
- identifies the business units, departments and processes that are essential to the survival of an entity as well as the organizational impact in the event of failure or disruption
- will identify how quickly essential business units must be able to return to full operation following a disaster (their recovery time frame)
- will identify the resources required to resume business operations
Objectives:
- estimate the quantitative or financial impact to the organization, assuming a worst case scenario
- estimate the qualitative impact to the org and the effect it could have on operations, assuming a worst case scenario
- identify the org’s business unit processes and the estimated recovery time frame
Define high impact
the department:
- cannot operate without this resource
- may experience a high recovery cost
- may fail to meet the org’s objectives or maintain its reputation
Define medium impact
the department:
- could partially function temporarily for a period of days or a week
- may experience some cost of recovery
- may fail to meet the org’s objectives or maintain its reputation
Define low impact
the department:
- could operate without the resource for an extended period of time
- may notice some effect on achieving the org’s objectives or maintaining its reputation
Define high likelihood
- the risk is highly probable, has occurred recently, can occur frequently or controls to prevent it are ineffective
Define medium likelihood
- the risk could occur but controls are in place that may impede successful exercise of the vulnerability
Define low likelihood
- the risk is improbable or controls are in place to prevent or significantly impede successful exercise of the vulnerability
Responses can be classified using the following risk actions:
Immediate action (I)- take corrective action as soon as possible
Delayed action (D)- implement corrective actions within a reasonable time frame
No action (N)- take no corrective action; accept the current level of risk