CORPORATE ICT GOVERNANCE.
Governance relates to management, policies, procedures, and decisions for a given area of
enterprise responsibility (e.g., corporate operations, IT services). For example, corporate
governance entails how the boards direct a corporation, and the regulations, policies and
procedures that apply to that direction.
IT governance is a subset discipline of corporate governance that is focused on IT systems and
their performance and risk management.
Corporate Governance is the set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction, ensuring that objectives
are achieved, ascertaining that risks are managed appropriately and ensuring that the enterprise’s
resources are used responsibly. Alternatively, it is the set of procedures and processes according to which an
organization is directed and controlled.
Corporate Governance of ICT is the system by which the current and future use of ICT is
directed and controlled.
Corporate Governance of ICT involves evaluating and directing the use of ICT to support the
organization and monitoring this use to achieve plans. It includes the strategy and policies for
using ICT within an organization.
IT Governance focuses on:
- IT principles – clarifying the institutional role of IT
- IT investment and prioritization – choosing which initiatives to fund and how much to spend
- IT architecture – defining integration and standardization requirements
- IT infrastructure – determining and enabling shared services
- Business application needs – specifying the business need for purchased or internally
developed IT applications
ICT Governance Benefits.
If the Corporate Governance of ICT is effectively implemented and maintained, the following
benefits will be realized:
i. Improved achievement of Public Service-wide and departmental strategic goals
ii. Improved effective public service delivery through ICT-enabled access to government
information and services
iii. Improved ICT enablement of business
iv. Improved delivery of ICT service quality
v. Improved stakeholder communication
vi. Continuous improvement of business and ICT alignment
vii. Improved trust between ICT, the business and citizens
viii. Increased alignment of investment towards strategic goals.
ix. Improved return on ICT-enabled investment
x. ICT risks managed in line with the priorities and appetite of the Public Service and the
department
xi. Appropriate security measures to protect the departmental and employee information
xii. Improved management of business-related ICT projects
xiii. Improved management of information as it is managed on the same level as other
resources such as people, finance and material in the Public Service
xiv. ICT pro-actively recognizes opportunities and guides departments and the Public Service
in timeous adoption of appropriate technology
xv. Improved ICT ability to learn and agility to adapt to changing circumstances, and
xvi. ICT executed in line with legislative and regulatory requirements.
Monitoring of controls and risks.
Risk monitoring is the process of keeping track of identified risks, ensuring that risk response
plans are implemented, evaluating the effectiveness of risk responses, monitoring residual risks,
and identifying new risks. The purpose of monitoring is to determine whether:
- Risk responses have been implemented.
- Risk responses were effective (or new responses are needed).
- Project assumptions are still valid.
- Any risk triggers have occurred.
- Risk exposure has changed.
- Policies and procedures are being followed.
- Any new risks have emerged.
Monitor and Control Risks: Inputs, Tools and Outputs
Inputs:
1. Risk register
2. Project management plan
3. Work performance information
4. Performance reports
Tools:
1. Risk reassessment
2. Risk audits
3. Variance and trend analysis
4. Technical performance measurement
5. Reserve analysis
6. Status meetings
Outputs:
1. Risk register updates
2. OPA (organizational process assets) updates
3. Change requests
4. Project management plan updates
5. Project document updates
Four Key Inputs for Monitor and Control Risks:
1. Risk Register: Provides the list of identified risks, risk owners, agreed responses, risk triggers
(symptoms and warning signs), residual and secondary risks, watch list of low priority risks, and
planned reserves.
2. ICT Management Plan: Contains the risk management plan which assigns people, risk owners,
and the resources needed to carry out risk monitoring activities.
3. Work Performance Information: The status of the work is a major input to risk monitoring
and control. Performance reports give insights into whether risks are occurring and whether
response plans need to be implemented. Specific status of interest includes:
- Deliverable status
- Schedule progress
- Costs incurred
4. Performance Reports: These reports analyze the work performance information just mentioned
to create status reports and forecasts using various methods such as earned value.
Six Key Tools for Monitor and Control Risks:
1. Risk Reassessment: The ICT team should regularly check for new risks as well as
"reassessing" previously identified risks. At least three possible scenarios should be considered:
a) new risks may have emerged and a new response plan must be devised, b) if a previously
identified risk actually occurs, the effectiveness of the response plan should be evaluated for
lessons learned, and c) if a risk does not occur, it should be officially closed out in the risk
register.
2. Risk Audits: Evaluate and document the effectiveness of risk responses as well as the
effectiveness of the processes being used. Risk audits may be incorporated into the agenda of
regularly scheduled status meetings or may be scheduled as separate events.
3. Variance and Trend Analysis: Used to monitor overall project performance. These analyses
are used to forecast future project performance and to determine if deviations from the plan are
being caused by risks or opportunities.
4. Technical Performance Measurement: Using the results of testing, prototyping, and other
techniques to determine whether planned technical achievements are being met. As with trend
analysis, this information is also used to forecast the degree of technical success on the project.
5. Reserve Analysis: Compares the remaining reserves to the remaining risk to determine whether
the remaining reserve is adequate to complete the project.
6. Status Meetings: Risk management should be a regular agenda item at the regular team
meetings.
Five Key Outputs for Monitor and Control Risks:
1. Risk Register Updates: Records the outcomes of risk monitoring activities such as risk
reassessment and risk audits. Also records which risk events have actually occurred and whether
the responses were effective.
2. Organizational Process Assets Updates: Includes risk plan templates, the risk register, the risk
breakdown structure, and lessons learned.
3. Change Requests: When contingency plans are implemented, it is sometimes necessary to
change the project management plan. A classic example is the addition of extra money, time, or
resources for contingency purposes. These change requests may lead to recommended corrective
actions or recommended preventive actions.
Corrective actions may include contingency plans (devised at the time a risk event is identified
and used later if the risk actually occurs) and workarounds (passive acceptance of a risk where
no action is taken until or unless the risk event actually occurs). The major distinction is that
workaround responses are not planned in advance.
4. ICT Management Plan Updates: Again, if approved changes have an effect on risk
information or processes, the project management plan should be revised accordingly.
5. Project Document Updates: Documents that may be updated include:
- Assumptions log updates
- Technical documentation updates
IT Audit
ISACA (the Information Systems Audit and Control Association) is a global professional
organization dedicated to audit, control and security of information systems. The key ISACA
qualification for IT auditors is CISA (Certified Information Systems Auditor).
An information technology (IT) audit or information systems (IS) audit is an
examination of the controls within an entity's information technology infrastructure.
These reviews may be performed in conjunction with a financial statement audit, internal
audit, or other form of attestation engagement.
An IT audit is the process of collecting and evaluating evidence about an organisation's
information systems, practices, and operations. Evaluating the evidence obtained determines
whether the organisation's information systems safeguard assets, maintain data
integrity, and operate effectively and efficiently to achieve the organisation's goals
or objectives.
There are three types of Service Organization Controls (SOC) reports; a SOC 2 or SOC 3 report
provides more information about the security, availability and data safeguards that a service
organisation has employed, such as what would be needed within a Cloud platform.
Types of Reports:
- A SOC 1 Report provides information to clients on the internal controls that affect your
organization’s financial statements.
- A SOC 2 Report provides information on non-financial controls that affect data
security, privacy, availability, confidentiality and processing integrity. The report verifies
the application and implementation of controls.
- A SOC 3 Report provides information on non-financial controls and verifies whether
the controls that were applied and implemented are effective in achieving their
objective.
How do internal audits add value to security governance?
There are various ways in which auditing supports assurance:
- Internal control assessment
Systems audits are designed to assess the full scope of the organization’s financial
and performance control systems and to identify deficiencies and recommend
corrective actions (IIA, 2006). Audits achieved through the implementation of proper
IT controls mitigate IT risk and increase operational efficiency and effectiveness.
- Process standardization
Audits have the capability of creating a culture of change management which can
transform low and medium-performing organizations into high performers, delivering
more value to the business with less risk.
- Risk mitigation
Internal auditors are not just internal watchdogs but play an important role in
assurance and consulting activity. Audit departments offer a variety of other services
such as risk-based audit (identifying risks in various business processes) and
pre-implementation review (participating in systems development or reviewing
development stages).
- Training
Auditors also add value through educating employees about the benefits of certain
security measures in an organization. These involve self assessment (workshop
administration, collecting data to address
Outsourcing of IS controls and impact on outsiders
The Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association
(ISACA) have established a common set of guidelines for risk assessment in the case of outside
vendors. Outsourcing services outside the organization requires keeping tabs on the vendor's
operations as well, since the vendor can provide a potential gateway for security breaches.
IT Outsourcing: The Reasons, Risks and Rewards
This section covers the 3 R's of outsourcing: Reasons, Risks and Rewards, specifically as they relate to
information technology (IT). And, as a bonus, we'll provide some tips to help you manage
successful relationships with your IT service providers (whether they are full-time staff, or
outsourced).
The Reasons
According to the Outsourcing Institute's Outsourcing Index 2000, there are many reasons why
companies outsource. Here are some of the top reasons:
1. Reduce and control operating costs. When you outsource, you eliminate the costs
associated with hiring an employee, such as management oversight, training, health
insurance, employment taxes, retirement plans etc.
2. Improve company focus. Outsourcing lets you focus on your core competencies while
another company focuses on theirs.
3. Gain access to exceptional capabilities. Your return on investment is so much greater
when you outsource information technology to a firm that specializes in the areas you
need. Instead of just the knowledge of one person, you benefit from the collective
experience of a team of IT professionals. Outsourced IT companies usually require their
IT staff to have proper industry training and certifications as well.
4. Free internal resources for other purposes. You may have someone in your office that
is pretty good with computers or accounting, but most likely these were not the jobs he or
she was hired to do. If they are spending time taking care of these things, who is doing
what they were hired to do? Outsourcing allows you to retain employees for their highest
and best use, rather than wasting their time on things that may take them longer than
someone who is trained in these specific areas.
5. Resources are not available internally. On the flip side, maybe you don't have anyone
in your company who can manage your IT needs, and hiring a new employee is not in the
budget. Outsourcing can be a feasible alternative, both for the interim and for the long-
term.
6. Maximize restructuring benefits. When you are restructuring your company to improve
costs, quality, service, or speed, your non-core business functions may get pushed aside.
They still need to be handled, however, and outsourcing is an optimal way to do this.
Don't sabotage your restructuring efforts by failing to keep up with non-core needs.
7. Function difficult to manage or out of control. This is definitely a scenario when
outsourcing to experts can make a big difference. But don't make the mistake of thinking
you can forget about the problem now that it's being "handled." You still need to be
involved even after control is regained.
8. Make capital funds available. By outsourcing non-core business functions, you can
spend your capital funds on items that are directly related to your product or your
customers.
9. Reduce Risk. Keeping up with technology required to run your business is expensive and
time consuming. Because professional outsourced IT providers work with multiple
clients and need to keep up on industry best practices, they typically know what is right
and what is not. This kind of knowledge and experience dramatically reduces your risk of
implementing a costly wrong decision.
The Risks
According to Yvonne Lederer Anotucci in an article "The Merits and Demerits of IT
Outsourcing", business owners who consider outsourcing IT functions need to be aware of the
following risks:
1. Some IT functions are not easily outsourced. IT affects an entire organization; from the
simple tasks employees do everyday to the complex automated aspects. Be sure the
outside vendor is qualified to take care of your greatest needs.
2. Control may be lost. Critics argue that an outside vendor will never be as effective as a
full-time employee who is under the same management as other employees. Other
concerns include confidentiality of data and disaster recovery. However, a supervisor that
is knowledgeable in managing an IT staff member will usually be required.
3. Employee morale may be affected. This is particularly true if you will be laying off
employees to replace their job functions with an outsourced firm. Other employees may
wonder if their job is at risk, too.
4. You may get "locked in." If the vendor does not document their work on your network
and system, or if you've had to purchase their proprietary software, you may feel like you
can't go anywhere else or take back your network. Many outsourced companies require
you to sign a year to year contract which limits flexibility.
The Rewards
According to Anotucci, who provided the list of risks outlined above, there are many rewards
you can expect when you outsource your company's IT functions as well:
1. Access to the latest and greatest in technology. You may have noticed how rapidly
software and hardware becomes obsolete in this industry. How is one staff person going
to keep up-to-date with everything? Outsourcing gives you the benefit of having more
than just one IT professional. And since it's the core competency of the company, they
can give you sound advice to put your IT dollars to work for you.
2. Cost savings. Outsourcing your IT services provides financial benefits such as leaner
overhead, bulk purchasing and leasing options for hardware and software, and software
licenses, as well as potential compliance with government regulations.
3. High quality of staff. Since it's their core competency, outsourced IT vendors look to
hire staff with specific qualifications and certifications. You may not know what to look
for if you're hiring someone to be on staff full-time, so you may hire the wrong person for
the job.
4. Flexibility. Vendors have multiple resources available to them, while internal staff may
have limited resources and capabilities.
5. Job security and burnout reduction for regular employees. Using an outsourced IT
company removes the burden from your staff who has taken on more than he or she was
hired for because "someone needs to do it." You will establish a better relationship with
your employees when you let them do what they do best and what they were hired to do.
IT Governance processes operate at three levels:
- Information Systems Executive Committee (ISEC) – provides oversight of the
governance process.
- Information Systems Steering Committee (ISSC) – operates as the strategic enterprise
level committee for IT Governance.
- Other Committees and Working Groups
The following are other committees that are established to deal with ICT matters.
a) ICT strategic committee: this committee should conceptualize and oversee the
corporate governance of ICT and the strategic alignment of ICT to the core business of
the departments.
b) ICT steering committee: this committee shall coordinate and oversee the planning,
implementation and execution of the corporate governance of ICT and strategic
alignment of ICT to the business of the department and monitor the implementation
thereof.
c) ICT Operation committee: this committee shall keep track of the day to day ICT
service management elements as well as reporting on a monthly basis to the ICT steering
committee on the implementation of the ICT implementation plan.
ICT compliance with professional standards and codes.
In recognition of the importance of the Governance of ICT, a number of internationally
recognized frameworks and standards, such as King III Code, ISO/IEC 38500, COBIT,
Sarbanes-Oxley Act (SOX), CMM (the Capability Maturity Model) and ITIL (Information
Technology Infrastructure Library) have been developed to provide context for the
institutionalization of the Corporate Governance of ICT.
1. The King III Code:
The most commonly accepted Corporate Governance Framework that is valid for the
Public Service. It was used to inform the Corporate Governance of ICT principles and
practices in this document and to establish the relationship between Corporate
Governance and the Corporate Governance of ICT.
IT Governance Principles in King III
i. The board should be responsible for information technology (IT) governance
ii. IT should be aligned with the performance and sustainability objectives of the company
iii. The board should delegate to management the responsibility for the implementation of an
IT governance framework
iv. The board should monitor and evaluate significant IT investments and expenditure
v. IT should form an integral part of the company’s risk management
vi. The board should ensure that information assets are managed effectively
vii. A risk committee and audit committee should assist the board in carrying out its IT
responsibilities
2. ISO/IEC 38500 (International Organization for Standardization and the
International Electrotechnical Commission):
An international standard created to guide corporate governance of information
technology (IT). The standard provides broad guidelines and a framework of practices for
IT oversight within an organization. The purpose of ISO/IEC 38500 is to make IT
governance a critical component of corporate governance.
Provides guiding principles for directors of organizations (including owners, board
members, directors, partners, senior executives, or others) on the effective, efficient, and
acceptable use of IT within their organizations.
This standard is applicable to all organizations, which include public and private
companies, government entities and not-for-profit organizations. The standard is
applicable to organizations of all sizes from the smallest to the largest, regardless of the
extent of their IT usage.
The standard's six principles for IT governance are:
1. Establish responsibilities.
2. Plan to best support the organization.
3. Acquire validly.
4. Ensure performance when required.
5. Ensure conformance with rules.
6. Ensure respect for human factors.
3. COBIT (Control Objectives for Information and Related Technology)
A framework created by the Information Systems Audit and Control Association (ISACA) for
information technology (IT) management and IT governance. It is a supporting toolset
that allows managers to bridge the gap between control requirements, technical issues
and business risks. Put another way, it is a framework for developing, implementing, monitoring and
improving information technology (IT) governance and management practices.
COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management
4. Sarbanes-Oxley Act, commonly known as SOX, is a US federal law intended to
improve the management and accounting practices. SOX contains 11 titles that describe
specific mandates and requirements for financial reporting:
1) Public Company Accounting Oversight Board
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest, and others. For the purpose of IT governance, SOX 404
is most important – it is concerned with IT operational control processes and change
management. A great deal of information about SOX can be found at the SOX site.
5. ITIL (Information Technology Infrastructure Library) is a set of concepts and techniques
for managing IT infrastructure, development, and operations.
ITIL originated in the UK and is published in a series of books that cover a wide range of
IT management topics. The latest version of ITIL v3, published in May 2007, comprises
5 key volumes:
i. Service Strategy.
ii. Service Design.
iii. Service Transition.
iv. Service Operation.
v. Continual Service Improvement.
NB: As compared to COBIT, ITIL is more oriented towards technologies and
technical checklists.
Conclusion:
Now that you have seen the risks and rewards associated with ICT governance under the
standards above and with outsourcing the IT function of your business, there is a lot to think about.
Whether you choose to outsource or hire internally and apply the ICT governance standards, one
thing is certain, you must know how to manage successful working relationships with your IT
service providers. Let's face it, they're not always the easiest people in the world to understand
and deal with, right? Here are some tips:
i. Clearly form and communicate the goals and objectives of your project or business
relationship.
ii. Have a strategic vision and plan for your project or relationship.
iii. Select the right vendor or new hire through research and references.
iv. Insist on a contract or plan that includes all the expectations of the relationship, especially
the financial aspect.
v. Keep open communication with all affected individuals/groups.
vi. Rally support and involvement from decision makers involved.

More Related Content

Ict governance

  • 1. CORPORATE ICT GOVERNANCE. 1 Governance relates to management, policies, procedures, and decisions for a given area of enterprise responsibility (e.g., corporate operations, IT services). For example, corporate governance entails how the boards direct a corporation, and the regulations, policies and procedures that apply to that direction. IT governance is a subset discipline of corporate governance that is focused on IT systems and their performance and risk management. Corporate Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction ensuring that the objectives are achieved ascertaining that risks are managed appropriately and ensuring that the enterprise’s resources are used responsibly. Or they are the procedures and processes according to which an organization is directed and controlled. Corporate Governance of ICT it is the system by which the current and the future use of ICT is directed and controlled. Corporate Governance of ICT involves evaluating and directing the use of ICT to support the organization and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organization. IT Governance focuses on:  IT principles – clarifying the institutional role of IT  IT investment and prioritization – choosing which initiatives to fund and how much to spend  IT architecture – defining integration and standardization requirements  IT infrastructure – determining and enabling shared services  Business application needs – specifying the business need for purchased or internally developed IT applications ICT Governance Benefits. If the Corporate Governance of ICT is effectively implemented and maintained , the following benefits will be realized: i. Improved achievement of Public Service-wide and departmental strategic goals ii. 
Improved effective public service delivery through ICT-enabled access to government information and services iii. Improved ICT enablement of business iv. Improved delivery of ICT service quality v. Improved stakeholder communication vi. Continuous improvement of business and ICT alignment vii. Improved trust between ICT, the business and citizens viii. Increased alignment of investment towards strategic goals. ix. Improved return on ICT-enabled investment
  • 2. CORPORATE ICT GOVERNANCE. 2 x. ICT risks managed in line with the priorities and appetite of the Public Service and the department xi. Appropriate security measures to protect the departmental and employee information xii. Improved management of business-related ICT projects xiii. Improved management of information as it is managed on the same level as other resources such as people, finance and material in the Public Service xiv. ICT pro-actively recognizes opportunities and guides departments and the Public Service in timeous adoption of appropriate technology xv. Improved ICT ability to learn and agility to adapt to changing circumstances, and xvi. ICT executed in line with legislative and regulatory requirements. Monitoring of controls and risks. Risk monitoring is the process of keeping track of identified risks, ensuring that risk response plans are implemented, evaluating the effectiveness of risk responses, monitoring residual risks, and identifying new risks. The purpose of monitoring is to determine whether:  Risk responses have been implemented.  Risk responses were effective (or new responses are needed).  Project assumptions are still valid.  Any risk triggers have occurred.  Risk exposure has changed.  Policies and procedures are being followed-  Any new risks have emerged. Monitor and Control Risks Inputs Tools Outputs 1. Risk register 2. Project management plan 3. Work performance information 4. Performance reports 1. Risk reassessment 2. Risk audits 3. Variance and trend analysis 4. Technical performance measurement 5. Reserve analysis 6. Status meetings 1. Risk register updates 2. OPA updates 3. Change requests 4. Project management plan updates 5. Project document updates Four Key Inputs for Monitor and Control Risks: 1. 
Risk Register: Provides the list of identified risks, risk owners, agreed responses, risk triggers (symptoms and warning signs), residual and secondary risks, watch list of low priority risks, and planned reserves- 2. ICT Management Plan: Contains the risk management plan which assigns people, risk owners, and the resources needed to carry out risk monitoring activities. 3. Work Performance Information: The status of the work is a major input to risk monitoring and control. Performance reports give insights into whether risks are occurring and whether response plans need to be implemented. Specific status of interest includes:
  • 3. CORPORATE ICT GOVERNANCE. 3  Deliverable status  Schedule progress  Costs incurred 4. Performance Reports: These reports analyze the work performance information just mentioned to create status reports and forecasts using various methods such as earned value. Six Key Tools for Monitor and Control Risks: 1. Risk Reassessment: The ICT team should regularly check for new risks as well as "reassessing" previously identified risks. At least three possible scenarios should be considered: a) new risks may have emerged and a new response plan must be devised, b) if a previously identified risk actually occurs, the effectiveness of the response plan should be evaluated for lessons learned, and c) if a risk does not occur, it should be officially closed out in the risk register. 2. Risk Audits: Evaluate and document the effectiveness of risk responses as well as the effectiveness of the processes being used. Risk audits may be incorporated into the agenda of regularly scheduled status meetings or may be scheduled as separate events. 3. Variance and Trend Analysis: Used to monitor overall project performance. These analyses are used to forecast future project performance and to determine if deviations from the plan are being caused by risks or opportunities. 4. Technical Performance Measurement: Using the results of testing, prototyping, and other techniques to determine whether planned technical achievements are being met. As with trend analysis, this information is also used to forecast the degree of technical success on the project. 5. Reserve Analysis: Compares the remaining reserves to the remaining risk to determine whether the remaining reserve is adequate to complete the project. 6. Status Meetings: Risk management should be a regular agenda item at the regular team meetings. Five Key Outputs for Monitor and Control Risks: 1. Risk RegisterUpdates: Records the outcomes of risk monitoring activities such as risk reassessment and risk audits. 
Also records which risk events have actually occurred and whether the responses were effective. 2. Organizational Process Assets Updates: Includes risk plan templates, the risk register, the risk breakdown structure, and lessons learned. 3. Change Requests: When contingency plans are implemented, it is sometimes necessary to change the project management plan. A classic example is the addition of extra money, time, or resources for contingency purposes. These change requests may lead to recommended corrective actions or recommended preventive actions. Corrective actions may include contingency plans (devised at the time a risk event is identified and used later if the risk actually occurs) and workarounds (passive acceptance of a risk where no action is taken until or unless the risk event actually occurs). The major distinction is that workaround responses are not planned in advance. 4. ICT Management Plan Updates: Again, if approved changes have an effect on risk information or processes, the project management plan should be revised accordingly. 5. Project Document Updates: Documents that may be updated include:  Assumptions log updates  Technical documentation updates
IT Audit

ISACA (the Information Systems Audit and Control Association) is a global professional organization dedicated to the audit, control and security of information systems. The key ISACA qualification for IT auditors is CISA (Certified Information Systems Auditor).

An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity's information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

An IT audit is the process of collecting and evaluating evidence of an organisation's information systems, practices, and operations. Evaluating the evidence obtained can establish whether the organisation's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organisation's goals or objectives.

Types of Reports:

There are three types of Service Organization Controls (SOC) reports; however, SOC 2 and SOC 3 reports provide more information about the security, availability and data safeguards that a service organisation has employed, such as what would be needed within a Cloud platform.

 A SOC 1 Report provides information to clients on the internal controls that affect your organization's financial statements.
 A SOC 2 Report provides information on non-financial controls that affect data security, privacy, availability, confidentiality and processing integrity. The report verifies the application and implementation of controls.
 A SOC 3 Report provides information on non-financial controls and verifies whether the controls that were applied and implemented are effective in achieving their objective.

How do internal audits add value to security governance?

There are various ways in which auditing helps for assurance purposes:

 Internal control assessment: Systems audits are designed to assess the full scope of the organization's financial and performance control systems and to identify deficiencies and recommend
corrective actions (IIA, 2006). Audits achieved through the implementation of proper IT controls mitigate IT risk and increase operational efficiency and effectiveness.
 Process standardization: Audits have the capability of creating a culture of change management which can transform low- and medium-performing organizations into high performers, delivering more value to the business with less risk.
 Risk mitigation: Internal auditors are not just internal watchdogs but play an important role in assurance and consulting activity. Audit departments offer a variety of other services such as risk-based audit (identifying risks in various business processes) and pre-implementation review (participating in systems development or reviewing development stages).
 Training: Auditors also add value through educating employees about the benefits of certain security measures in an organization. These involve self assessment (workshop administration, collecting data to address

Outsourcing of IS controls and impact on outsiders

The Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) have established a common set of guidelines for risk assessment in the case of outside vendors. Outsourcing services outside the organization requires keeping a tab on the vendor's operations as well, since the vendor can provide a potential gateway for security breaches.

IT Outsourcing: The Reasons, Risks and Rewards

This section covers the 3 R's of outsourcing: Reasons, Risks and Rewards, specifically as they relate to information technology (IT). And, as a bonus, we'll provide some tips to help you manage successful relationships with your IT service providers (whether they are full-time staff, or outsourced).

The Reasons

According to the Outsourcing Institute's Outsourcing Index 2000, there are many reasons why companies outsource. Here are some of the top reasons:

1. Reduce and control operating costs.
When you outsource, you eliminate the costs associated with hiring an employee, such as management oversight, training, health insurance, employment taxes, retirement plans etc.
2. Improve company focus. Outsourcing lets you focus on your core competencies while another company focuses on theirs.
3. Gain access to exceptional capabilities. Your return on investment is so much greater when you outsource information technology to a firm that specializes in the areas you need. Instead of just the knowledge of one person, you benefit from the collective experience of a team of IT professionals. Outsourced IT companies usually require their IT staff to have proper industry training and certifications as well.
4. Free internal resources for other purposes. You may have someone in your office who is pretty good with computers or accounting, but most likely these were not the jobs he or she was hired to do. If they are spending time taking care of these things, who is doing what they were hired to do? Outsourcing allows you to retain employees for their highest and best use, rather than wasting their time on things that may take them longer than someone who is trained in these specific areas.
5. Resources are not available internally. On the flip side, maybe you don't have anyone in your company who can manage your IT needs, and hiring a new employee is not in the budget. Outsourcing can be a feasible alternative, both for the interim and for the long term.
6. Maximize restructuring benefits. When you are restructuring your company to improve costs, quality, service, or speed, your non-core business functions may get pushed aside. They still need to be handled, however, and outsourcing is an optimal way to do this. Don't sabotage your restructuring efforts by failing to keep up with non-core needs.
7. Function difficult to manage or out of control. This is definitely a scenario when outsourcing to experts can make a big difference. But don't make the mistake of thinking you can forget about the problem now that it's being "handled." You still need to be involved even after control is regained.
8. Make capital funds available. By outsourcing non-core business functions, you can spend your capital funds on items that are directly related to your product or your customers.
9. Reduce Risk. Keeping up with the technology required to run your business is expensive and time consuming.
Because professional outsourced IT providers work with multiple clients and need to keep up on industry best practices, they typically know what is right and what is not. This kind of knowledge and experience dramatically reduces your risk of implementing a costly wrong decision.

The Risks

According to Yvonne Lederer Antonucci in an article "The Merits and Demerits of IT Outsourcing", business owners who consider outsourcing IT functions need to be aware of the following risks:

1. Some IT functions are not easily outsourced. IT affects an entire organization, from the simple tasks employees do every day to the complex automated aspects. Be sure the outside vendor is qualified to take care of your greatest needs.
2. Control may be lost. Critics argue that an outside vendor will never be as effective as a full-time employee who is under the same management as other employees. Other concerns include confidentiality of data and disaster recovery. However, a supervisor who is knowledgeable in managing an IT staff member will usually be required.
3. Employee morale may be affected. This is particularly true if you will be laying off employees to replace their job functions with an outsourced firm. Other employees may wonder if their job is at risk, too.
4. You may get "locked in." If the vendor does not document their work on your network and system, or if you've had to purchase their proprietary software, you may feel like you can't go anywhere else or take back your network. Many outsourced companies require you to sign a year-to-year contract, which limits flexibility.

The Rewards

According to Antonucci, who provided the list of risks outlined above, there are many rewards you can expect when you outsource your company's IT functions as well:

1. Access to the latest and greatest in technology. You may have noticed how rapidly software and hardware become obsolete in this industry. How is one staff person going to keep up to date with everything? Outsourcing gives you the benefit of having more than just one IT professional. And since it's the core competency of the company, they can give you sound advice to put your IT dollars to work for you.
2. Cost savings. Outsourcing your IT services provides financial benefits such as leaner overhead, bulk purchasing and leasing options for hardware and software, and software licenses, as well as potential compliance with government regulations.
3. High quality of staff. Since it's their core competency, outsourced IT vendors look to hire staff with specific qualifications and certifications. You may not know what to look for if you're hiring someone to be on staff full-time, so you may hire the wrong person for the job.
4. Flexibility. Vendors have multiple resources available to them, while internal staff may have limited resources and capabilities.
5. Job security and burnout reduction for regular employees. Using an outsourced IT company removes the burden from your staff who have taken on more than they were hired for because "someone needs to do it." You will establish a better relationship with your employees when you let them do what they do best and what they were hired to do.
IT Governance processes operate at three levels:

 Information Systems Executive Committee (ISEC) – provides oversight of the governance process.
 Information Systems Steering Committee (ISSC) – operates as the strategic enterprise-level committee for IT Governance.
 Other Committees and Working Groups

The following are other committees that are established to deal with ICT matters.

a) ICT strategic committee: this committee should conceptualize and oversee the corporate governance of ICT and the strategic alignment of ICT to the core business of the departments.
b) ICT steering committee: this committee shall coordinate and oversee the planning, implementation and execution of the corporate governance of ICT and the strategic alignment of ICT to the business of the department, and monitor the implementation thereof.
c) ICT Operation committee: this committee shall keep track of the day-to-day ICT service management elements as well as reporting on a monthly basis to the ICT steering committee on the implementation of the ICT implementation plan.

ICT compliance with professional standards and codes.

In recognition of the importance of the Governance of ICT, a number of internationally recognized frameworks and standards, such as the King III Code, ISO/IEC 38500, COBIT, the Sarbanes-Oxley Act (SOX), CMM (the Capability Maturity Model) and ITIL (Information Technology Infrastructure Library), have been developed to provide context for the institutionalization of the Corporate Governance of ICT.

1. The King III Code: The most commonly accepted Corporate Governance Framework that is valid for the Public Service. It was used to inform the Corporate Governance of ICT principles and practices in this document and to establish the relationship between Corporate Governance and the Governance of ICT.

IT Governance Principles in King III:
i. The board should be responsible for information technology (IT) governance
ii. IT should be aligned with the performance and sustainability objectives of the company
iii. The board should delegate to management the responsibility for the implementation of an IT governance framework
iv. The board should monitor and evaluate significant IT investments and expenditure
v. IT should form an integral part of the company's risk management
vi. The board should ensure that information assets are managed effectively
vii. A risk committee and audit committee should assist the board in carrying out its IT responsibilities

2. ISO/IEC 38500 (International Organization for Standardization / International Electrotechnical Commission): An international standard created to guide the corporate governance of information technology (IT). The standard provides broad guidelines and a framework of practices for IT oversight within an organization.
The purpose of ISO/IEC 38500 is to make IT governance a critical component of corporate governance. It provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or others) on the effective, efficient, and acceptable use of IT within their organizations. This standard is applicable to all organizations, which include public and private companies, government entities and not-for-profit organizations. The standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their IT usage.

The standard's six principles for IT governance are:
1. Establish responsibilities.
2. Plan to best support the organization.
3. Acquire validly.
4. Ensure performance when required.
5. Ensure conformance with rules.
6. Ensure respect for human factors.

3. COBIT (Control Objectives for Information and Related Technology): A framework created by the Information Systems Audit and Control Association (ISACA) for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. It can also be described as a framework for developing, implementing, monitoring and improving information technology (IT) governance and management practices.

COBIT 5 is based on five key principles for governance and management of enterprise IT:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management

4. The Sarbanes-Oxley Act, commonly known as SOX, is a US federal law intended to improve management and accounting practices. SOX contains 11 titles that describe specific mandates and requirements for financial reporting:
1) Public Company Accounting Oversight Board
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest, and others.

For the purpose of IT governance, SOX 404 is most important – it is concerned with IT operational control processes and change management. A great deal of information about SOX can be found at the SOX site.

5. ITIL (Information Technology Infrastructure Library) is a set of concepts and techniques for managing IT infrastructure, development, and operations.
ITIL originated in the UK and is published in a series of books that cover a wide range of IT management topics. The latest version, ITIL v3, published in May 2007, comprises 5 key volumes:
i. Service Strategy.
ii. Service Design.
iii. Service Transition.
iv. Service Operation.
v. Continual Service Improvement.

NB: As compared to COBIT, ITIL is more oriented towards technologies and technical checklists.

Conclusion:

Now that you have seen the risks and rewards associated with ICT governance as per the standards, and with outsourcing the IT function of your business, there is a lot to think about. Whether you choose to outsource or hire internally and apply the ICT governance standards, one thing is certain: you must know how to manage successful working relationships with your IT service providers. Let's face it, they're not always the easiest people in the world to understand and deal with, right? Here are some tips:
i. Clearly form and communicate the goals and objectives of your project or business relationship.
ii. Have a strategic vision and plan for your project or relationship.
iii. Select the right vendor or new hire through research and references.
iv. Insist on a contract or plan that includes all the expectations of the relationship, especially the financial aspect.
v. Keep open communication with all affected individuals/groups.
vi. Rally support and involvement from the decision makers involved.