Tuesday, April 9, 2019

IT Governance Essay Example for Free

IT Governance Essay

A governance view that consists of the business view of IT, ensuring that IT supports and enables the business strategy, and the functional view of IT, ensuring that the IT function itself runs efficiently and effectively (http://www.takinggovernanceforward.org).

Executive Summary

Successful enterprises recognize the benefits of information technology and use it to drive their stakeholders' value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and the critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance.

Value, risk and control constitute the core of IT governance. Control Objectives for Information and related Technology (COBIT) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT's good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place.
The COBIT control framework contributes to these needs by:
* Making a link to the business requirements
* Organizing IT activities into a generally accepted process model
* Identifying the major IT resources to be leveraged
* Defining the management control objectives to be considered

An answer to these requirements of determining and monitoring the appropriate IT control and performance level is COBIT's definition of:
* Benchmarking of IT process performance and capability, expressed as maturity models, derived from the Software Engineering Institute's Capability Maturity Model (CMM)
* Goals and metrics of the IT processes to define and measure their outcome and performance, based on the principles of Robert Kaplan and David Norton's balanced business scorecard
* Activity goals for getting these processes under control, based on COBIT's control objectives

The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation. After identifying critical IT processes and controls, maturity modeling enables gaps in capability to be identified and demonstrated to management. Action plans can then be developed to bring these processes up to the desired capability target level. Thus, COBIT supports IT governance by providing a framework to ensure that:
* IT is aligned with the business
* IT enables the business and maximizes benefits
* IT resources are used responsibly
* IT risks are managed appropriately

Figure 1: Adopted for this study

Governance Focus Areas

* Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
* Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
* Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
* Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the material risks to the enterprise and embedding of risk management responsibilities into the organization.
* Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

COBIT Framework

A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish.

Why?

Increasingly, top management is realizing the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage.
In particular, top management needs to know if information is being managed by the enterprise so that it is:
* Likely to achieve its objectives
* Resilient enough to learn and adapt
* Judiciously managing the risks it faces
* Appropriately recognizing opportunities and acting upon them

Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:
* Aligning IT strategy with the business strategy
* Assuring investors and shareholders that a standard of due care around mitigating IT risks is being met by the organization
* Cascading IT strategy and goals down into the enterprise
* Obtaining value from IT investments
* Providing organizational structures that facilitate the implementation of strategy and goals
* Creating structural relationships and effective communication between the business and IT, and with outside partners
* Measuring IT's performance

IT efforts cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:
* Make a link to the business requirements
* Make performance against these requirements transparent
* Organize its activities into a generally accepted process model
* Identify the major resources to be leveraged
* Define the management control objectives to be considered

Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements.
IT good practices have become significant due to a number of factors:
* Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
* Concern over the generally increasing level of IT expenditure
* The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
* The selection of service providers and the management of service outsourcing and acquisition
* Increasingly complex IT-related risks, such as network security
* IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
* The need to optimize costs by following, where possible, standardized, rather than specially developed, approaches
* The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), the ISO 27000 series of information security-related standards, ISO 9001:2000 Quality Management Systems Requirements, Capability Maturity Model Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
* The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

Who?

A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:
* Stakeholders within the enterprise who have an interest in generating value from IT investments:
  * Those who make investment decisions
  * Those who decide about requirements
  * Those who use IT services
* Internal and external stakeholders who provide IT services:
  * Those who manage the IT organization and processes
  * Those who develop capabilities
  * Those who operate the services
* Internal and external stakeholders who have a control/risk responsibility:
  * Those with security, privacy and/or risk responsibilities
  * Those performing compliance functions
  * Those requiring or providing assurance services

What?

To meet the requirements listed in the previous section, a framework for IT governance and control should:
* Provide a business focus to enable alignment between business and IT objectives
* Establish a process orientation to define the scope and extent of coverage, with a defined structure enabling easy navigation of content
* Be generally acceptable by being consistent with accepted IT good practices and standards and independent of specific technologies
* Supply a common language with a set of terms and definitions that are generally understandable by all stakeholders
* Help meet regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and IT controls expected by regulators and external auditors

IT Resources

The IT organization delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. The IT resources identified in COBIT can be defined as follows:
* Applications are the automated user systems and manual procedures that process the information.
* Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
* Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
* People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

Processes

To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. The four interrelated domains of COBIT are:
* Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS)
* Acquire and Implement (AI): provides the solutions and passes them to be turned into services
* Deliver and Support (DS): receives the solutions and makes them usable for end users
* Monitor and Evaluate (ME): monitors all processes to ensure that the direction provided is followed

Plan and Organize (PO)

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
* Are IT and the business strategy aligned?
* Is the enterprise achieving optimum use of its resources?
* Does everyone in the organization understand the IT objectives?
* Are IT risks understood and being managed?
* Is the quality of IT systems appropriate for business needs?

Acquire and Implement (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
* Are new projects likely to deliver solutions that meet business needs?
* Are new projects likely to be delivered on time and within budget?
* Will the new systems work properly when implemented?
* Will changes be made without upsetting current business operations?

Deliver and Support (DS)

This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
* Are IT services being delivered in line with business priorities?
* Are IT costs optimized?
* Is the workforce able to use the IT systems productively and safely?
* Are adequate confidentiality, integrity and availability in place for information security?

Monitor and Evaluate (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
* Is IT's performance measured to detect problems before it is too late?
* Does management ensure that internal controls are effective and efficient?
* Can IT performance be linked back to business goals?
* Are adequate confidentiality, integrity and availability controls in place for information security?

Processes Need Controls

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
* Are statements of managerial actions to increase value or reduce risk
* Consist of policies, procedures, practices and organizational structures
* Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Enterprise management needs to make choices relative to these control objectives by:
* Selecting those that are applicable
* Deciding upon those that will be implemented
* Choosing how to implement them (frequency, span, automation, etc.)
* Accepting the risk of not implementing those that may apply

The control objectives are identified by a two-character domain reference (PO, AI, DS and ME) plus a process number and a control objective number. In addition to the control objectives, each COBIT process has generic control requirements that are identified by PCn, for process control number. They should be considered together with the process control objectives to have a complete view of control requirements.

PC1 Process Goals and Objectives
Define and communicate specific, measurable, actionable, realistic, results-oriented and timely process goals and objectives for the effective execution of each IT process. Ensure that they are linked to the business goals and supported by suitable metrics.

PC2 Process Ownership
Assign an owner for each IT process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.

PC3 Process Repeatability
Design and establish each key IT process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.

PC4 Roles and Responsibilities
Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation, as well as accountability for the process end deliverables.

PC5 Policy, Plans and Procedures
Define and communicate how all policies, plans and procedures that drive an IT process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.

PC6 Process Performance Improvement
Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect the process goals, and performance indicators that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurements to targets and take action upon deviations, where necessary. Align metrics, targets and methods with IT's overall performance monitoring approach.
Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency, because there will be fewer errors and a more consistent management approach.

In addition, COBIT provides examples for each process that are illustrative, but not prescriptive or exhaustive, of:
* Generic inputs and outputs
* Activities and guidance on roles and responsibilities in a Responsible, Accountable, Consulted and Informed (RACI) chart
* Key activity goals (the most important things to do)
* Metrics

Business and IT Controls

The enterprise's system of internal controls impacts IT at three levels:
* At the executive management level, business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
* At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain manual procedures, such as authorization for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.
* To support the business processes, IT provides IT services, usually as a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardize (accidentally or deliberately) the reliability of automated integrity checks.

Summary

Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives. Control over the process of providing IT governance satisfies the business requirement for IT of integrating IT governance with corporate governance objectives and complying with laws, regulations and contracts, by focusing on preparing board reports on IT strategy, performance and risks, and on responding to governance requirements in line with board directions.

Achieved by:
* Establishing an IT governance framework integrated into corporate governance
* Obtaining independent assurance over the IT governance status

Measured by:
* Frequency of board reporting on IT to stakeholders (including maturity)
* Frequency of reporting from IT to the board (including maturity)
* Frequency of independent reviews of IT compliance

References
* COBIT 4.1, http://www.itgi.org
* IT Governance, Harvard University, March 31, 2008
* Governance Objective and Governance Views of IT (Mapping), http://www.takinggovernanceforward.org
