Domain 2: I.T. Governance
Jimmy Ardiansyah, Arkansas – September 16, 2005

9 Tasks
* Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so that it supports the organization's strategies and objectives.
* Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
* Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
* Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
* Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
* Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
* Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
* Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
* Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.

15 Knowledge Statements
* Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
* Knowledge of IT governance frameworks
* Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure life cycle management, and IT service delivery and support)
* Knowledge of quality management strategies and policies
* Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
* Knowledge of generally accepted international IT standards and guidelines
* Knowledge of enterprise IT architecture and its implications for setting long-term strategic directions
* Knowledge of risk management methodologies and tools
* Knowledge of the use of control frameworks (CobiT, COSO, ISO 17799)
* Knowledge of the use of maturity and process improvement models (e.g., CMM, CobiT)
* Knowledge of contracting strategies, processes and contract management practices
* Knowledge of practices for monitoring and reporting of IT performance [e.g., balanced scorecards, key performance indicators (KPI)]
* Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements)
* Knowledge of IT human resources (personnel) management
* Knowledge of IT resource investment and allocation practices [e.g., portfolio management, return on investment (ROI)]

Corporate Governance
* Ethical behavior of corporate executives toward shareholders to maximize the return on financial investment.
* Distribution of rights and responsibilities among the different participants in the corporation, such as the board, managers and shareholders; it spells out the rules and procedures for making decisions on corporate affairs.

Best Practice for I.T. Gov’

Audit Role in IT Gov’
Audit plays a significant role in the successful implementation of IT Governance within an organization; for example, Audit is best positioned to provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT Governance initiative.

I.S. Strategy
* Strategy Planning – from an IS standpoint, relates to the long-term direction an organization wants to take in leveraging IT to improve its business processes.
* Steering Committees – a steering committee (SC) for IT is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives.

Types of Policy
* Advisory Policy – optional
* Regulatory Policy – mandatory
* Informational Policy – complement

Risk Management
The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level.

Developing Risk Mgt Program
* Establish the purpose of the risk mgt program – determine the organizational purpose for creating the risk mgt program.
* Assign responsibility for the risk mgt program – designate an individual or team responsible for developing and implementing the organization's risk mgt program.

Risk Mgt Process
* Identify IS resources or assets
* Assess threats and vulnerabilities associated with IS resources
* Evaluate and prioritize risks
* Select appropriate risk management strategies and implement the plan
* Establish controls or evaluate existing controls
* Monitor and update the risk management program

Risk Analysis Method
* Qualitative Analysis Method – uses words or descriptive rankings to describe the impact.
* Semiquantitative Analysis Method – the descriptive rankings are associated with a numerical scale.
* Quantitative Analysis Method – uses numerical values to describe the impact of risk, using data from several types of resources.
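The following is an added example, not part of the slide deck: one constructed risk register scored with each of the three methods above, to show that the method chosen changes which risk comes out on top. The 1–3 scale, the multiplication rule and the expected-loss formula are assumptions made for illustration.

```python
"""Added example (not from the slide deck): one constructed risk register scored
with each of the three risk analysis methods on the slide. The 1-3 scale, the
multiplication rule and the expected-loss formula are assumptions."""
from dataclasses import dataclass

# Semiquantitative: descriptive rankings tied to a numerical scale (assumed 1-3).
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    name: str
    likelihood: str           # descriptive ranking
    impact: str               # descriptive ranking
    asset_value: float        # measured input, e.g. from the asset register
    annual_frequency: float   # measured input, e.g. from incident records


# Constructed register; names and figures are illustrative only.
RISKS = [
    Risk("Unpatched internet-facing server", "High", "High", 200_000, 0.5),
    Risk("Backup tapes lost in transit", "Low", "High", 3_000_000, 0.05),
    Risk("Help desk password reset abuse", "Medium", "Medium", 50_000, 1.5),
]


def qualitative(r: Risk) -> str:
    """Words only: the higher of the two rankings becomes the risk rating."""
    return max(r.likelihood, r.impact, key=SCALE.__getitem__)


def semiquantitative(r: Risk) -> int:
    """Rankings mapped onto the numerical scale and multiplied (range 1..9)."""
    return SCALE[r.likelihood] * SCALE[r.impact]


def quantitative(r: Risk) -> float:
    """Expected annual loss from measured data (assumed formula)."""
    return r.asset_value * r.annual_frequency


def prioritize(risks, method):
    """Risk names ordered highest first under the chosen method."""
    return [r.name for r in sorted(risks, key=method, reverse=True)]


if __name__ == "__main__":
    for method in (semiquantitative, quantitative):
        print(method.__name__, prioritize(RISKS, method))
```

Note that the qualitative method rates the first two risks identically ("High"), the semiquantitative method puts the unpatched server first, and the quantitative method puts the backup tapes first because of the far larger asset value.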

IS Management Practices
* Personnel Management
  > Hiring
  > Employee Handbook
  > Promotion Policies
  > Termination Policies
* Sourcing Practice
  > Delivery of IS Function: Insourced, Outsourced, Hybrid
  > IS Function can be performed: Onsite, Offsite, Offshore
  > Outsourcing Practices and Strategy
  > Globalization Practices and Strategy
  > Capacity and Growth Planning
  > Industry Standard/Benchmarking
  > Service Improvement and User Satisfaction
* Organizational Change Mgt
* Financial Management Practice – a critical element of all business functions
* Quality Management – the tool by which IS department-based controls are controlled, measured and improved
* Performance Optimization
* Information Security Management – provides the lead role in assuring that the organization's information resources are properly protected

IS Org Structure and Responsibility
IS Roles and Responsibilities
* Librarian
* Data Entry
* System Admin
* Security Admin
* QA
* DBA
* System Analyst
* Security Architect
* Application Dev and Maintenance
* Infrastructure Dev and Maintenance
* Network Management

Segregation of Duties within IS

Segregation of Duties Control
* Transaction Authorization
* Custody of Asset
* Access of Data

Compensating Control for Lack of SoD
* Audit Trails
* Reconciliation
* Exception Reporting
* Transaction Logs
* Supervisory Review
* Independent Review
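The following is an added example, not part of the slide deck: a segregation of duties review over a constructed entitlement export, which flags users holding more than one of the three duties above and treats a conflict as mitigated only when documented compensating controls from the list above are in place. The role names, the role-to-duty mapping and the accepted-risk record are assumptions.

```python
"""Added example (not from the slide deck): a segregation of duties (SoD) review
over a constructed entitlement export. The role names, the role-to-duty mapping
and the accepted-risk record are assumptions."""
from itertools import combinations

# The duties the slide lists under "Segregation of Duties Control".
DUTIES = ("transaction_authorization", "custody_of_assets", "access_to_data")

# The slide's "Compensating Control for Lack of SoD" list.
COMPENSATING = {"audit_trails", "reconciliation", "exception_reporting",
                "transaction_logs", "supervisory_review", "independent_review"}

# Assumed mapping from application roles to the duty each role exercises.
ROLE_DUTIES = {
    "payments_approver": "transaction_authorization",
    "treasury_operator": "custody_of_assets",
    "dba": "access_to_data",
    "report_viewer": None,  # read-only reporting exercises no segregated duty
}

# Constructed entitlement export: user -> granted roles.
ENTITLEMENTS = {
    "alice": {"payments_approver", "report_viewer"},
    "bob": {"payments_approver", "treasury_operator"},
    "carol": {"dba", "treasury_operator", "payments_approver"},
    "dave": {"report_viewer"},
}

# Constructed record of conflicts management accepted, with the controls in place.
ACCEPTED = {"bob": {"supervisory_review", "transaction_logs"}}


def sod_conflicts(entitlements):
    """Map each user holding more than one duty to the conflicting duty pairs."""
    conflicts = {}
    for user, roles in entitlements.items():
        held = {ROLE_DUTIES[r] for r in roles if ROLE_DUTIES.get(r)}
        pairs = list(combinations(sorted(held, key=DUTIES.index), 2))
        if pairs:
            conflicts[user] = pairs
    return conflicts


def review(entitlements, accepted):
    """Classify each conflict: mitigated only if documented compensating controls
    from the slide's list are in place, otherwise unmitigated."""
    result = {}
    for user in sod_conflicts(entitlements):
        controls = accepted.get(user, set())
        mitigated = bool(controls) and controls <= COMPENSATING
        result[user] = "mitigated" if mitigated else "unmitigated"
    return result
```

In the constructed data, bob's authorization-plus-custody conflict is covered by supervisory review and transaction logs, while carol holds all three duties with nothing documented and is reported as unmitigated.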

Potential Problems of I.T. Governance Implementation
* High staff turnover
* Inexperienced staff
* Poor motivation
* Lack of adequate training
* Frequent H/W and S/W upgrades
* Unfavorable end-user attitude
* Frequent H/W and S/W errors


Information
Jimmy Ardiansyah, MS-IT Solution Developer @ Acxiom Corp., Arkansas 72801, USA. To obtain the .ppt file, please send a request to komputer-teknologi@yahoo.com or visit http://komputer-teknologi.net