
One CIO’s rules for IT service and governance¹

Many CIOs today have created their own set of leadership and management rules, written them
down, distributed them to their organizations and integrated them into the daily life of the
organization. Some lists are very specific, covering such areas as governance, alignment, compliance
and capital expenditures, while others relate to actionable principles.

Bill Godfrey, CIO of Dow Jones, developed a set of rules that, ‘… in one form or another are there
to sustain, protect and foster alignment…’ (Wailgum, 2005).

Godfrey’s fourteen big rules for IT service and governance are:

Rule 1 – Strategic planning

• All technology divisions will have a documented technology plan.
• All technology divisions will have published goals and objectives.

Rule 2 – Production prioritization

• Production problems classified as ‘severity one’ production problems take resource precedence over all else. Management and staff will work on ‘severity one’ problems immediately and continually until resolved.

Rule 3 – Enterprise architecture

• All technology divisions will have a documented high level architecture.
• All technology divisions will adhere to infrastructure standards or seek exception approval.
• All technology projects costing more than $250.000 in total must be approved through an ‘early look’ screening process prior to capital approval submission.

Rule 4 – Project management

• There will be 100% adherence to the project management process for all non-trivial development projects (projects estimated to take more than two weeks of staff time).
• All development projects will have a specifically identified business sponsor, and a specifically identified IT project leader prior to initiation.
• All development projects requiring infrastructure support will directly involve infrastructure support staff during project initiation, giving the infrastructure staff an opportunity to directly participate in the design of systems solutions.

Rule 5 – Time management

• All staff time will be appropriately entered into the IT time reporting system on a weekly basis.

¹ Implementing IT governance – A practical guide to global best practices in IT management.

Rule 6 – Technology business management

• As represented in approved budgets, technology costs will not exceed plan unless explicit approval is granted by the CIO.
• Technology contracts will be managed and approved through business management services or purchasing.
• All third-party contractors and consultants will sign non-disclosure agreements, managed under the non-employee security policy, and managed through the company’s preferred vendor program.

Rule 7 – Capital approval management

• All projects will adhere to corporate expenditure authorization processes.
• All projects are required to have appropriate IT senior leadership team sign-offs prior to business line submission.
• For all projects requiring CIO approval, all staff work and IT senior leadership team approvals will be complete prior to seeking CIO approval.
• Any project with a total cost of more than $250.000 will be submitted to finance for formal business case review.

Rule 8 – Requesting proposals from third parties

• All requests for proposals from third parties will be reviewed and approved by the CIO prior to execution.
• All requests for proposals from third parties which could have infrastructure implications will be reviewed and approved by IT infrastructure services prior to execution.

Rule 9 – Relationships management

• Business technology directors are 100% accountable for all technology, direct and indirect, in support of their assigned business lines.
• Business technology directors ‘own’ all business application vendor relationships.
• Enterprise technology directors ‘own’ all infrastructure vendor relationships.

Rule 10 – Infrastructure management

• Enterprise infrastructure services is 100% accountable for the global infrastructure.
• Enterprise infrastructure services is the only organization that makes infrastructure decisions.
• Enterprise infrastructure services owns and manages all infrastructure capital.

Rule 11 – Compliance with audit, regulatory and legal requirements

• Information technology services will comply with all audit, regulatory and legal requirements.
• The IT senior leadership team is accountable for compliance.

Rule 12 – Operations procedural compliance

• There will be 100% compliance with [the] Enterprise change control policy and procedure.
• All production applications will be supported by a service level agreement between IT and the business.

Rule 13 – Information security

• All technology staff will comply with the company’s information security policy.
• Information security approval must be secured prior to implementing new technology or making major enhancements to existing technology. This review and approval is to take place before any informal or formal obligations are made between the Company and supplier.
• All access to financially significant applications will be managed and controlled through information security.

Rule 14 – Sarbanes-Oxley compliance

• There will be 100% compliance to all Sarbanes-Oxley controls.
• All IT leaders will be thoroughly familiar with the IT general control policies regarding governance, project management, operations, access control and data management.
• All IT leaders, supervisor and above, are responsible and accountable for Sarbanes-Oxley compliance across their respective areas of control.
