Vernon Poole
ISACA London Chapter, 26 September 2002
Information Governance & the IT Auditor
Presentation Objective
« This session will show how the Information Governance framework has developed and how the IT Governance Institute is now working on ways to best convince organisations to adopt best practice & the role the IT auditors need to play »
Information Governance
THE CURRENT IT DILEMMA
IT’S RECORD OF ACHIEVEMENT
INFORMATION GOVERNANCE BENEFITS
GOVERNANCE FOCUS BY :-
BOARD
MANAGEMENT
IT AUDITOR
CONCLUSIONS
1. CURRENT IT DILEMMA
What IT Problem?
• Are they doing the right things?
• Are they being done well?
• Are we getting benefits?
What does the Board do?
• Ask tough questions
• Focus on risk and value
• Direct IT strategy
How does management react?
• Cascading strategy and goals
• Organisational alignment
• An IT control framework
• Balanced Business Scorecard
What should auditors consider?
• How is Governance being addressed?
• Are Regulatory rules being followed?
• Can we benefit from recent case-studies?
• Is IT governance considered by the Board?
2. IT’S RECORD OF ACHIEVEMENT?
From 2001 surveys by Brookings Institute, Standish Group and Acadys
[Figure: four chart panels: (A) Market value, (B) IT relationships, (C) Project management, (D) Performance measurement. Labels shown: tangible assets and intangible assets (inc. information), values 15% and 85%; projects successful, challenged, failed, values 23%, 28%, 49%; client, supplier, partner, CEO/CIO on a scale of 0% to 100%; ability to measure: above expectations, appropriate, below expectations; "one in eight"]
“IT has been the longest running disappointment in business in the last 30 years!”
Jack Welch, Chairman General Electric, World Economic Forum, Davos, 1997
2. IT’S RECORD OF ACHIEVEMENT (CONTD)
Personal & visual contact
Uncertainty, Complexity & Growth
3. INFORMATION GOVERNANCE BENEFITS
RELIABLE INFORMATION & TRUSTED SYSTEMS
• Guarantee of Quality
• Trading Partner ‘Assurance’
• Customer Loyalty
• Security Assurance
• Reputation Enhancement
• Sustainable Growth
3. INFORMATION GOVERNANCE BENEFITS
GOVERNANCE/CONTROL =
• TAKE STAKEHOLDER VALUE INTO ACCOUNT
• GIVE DIRECTION TO THE PROCESSES
• ENSURE THEY PROVIDE RESULTS
• ENSURE THEY ACT ON THE RESULTS
• GET RESULTS AND CHALLENGE THEM
[Diagram labels: Stakeholder Values; DRIVE; STRATEGY; DIRECTS; PROCESSES; USE; Resources (knowledge, information, capability, …); REPORT; RESULTS; MEASURE; ASSETS; RISKS; OUTCOME; PERFORMANCE; CONFIRM OR CHANGE; IMPROVE]
4. INFORMATION GOVERNANCE FOCUS :
WHAT SHOULD BOARDS DO ABOUT IT
• Be driven by stakeholder value
• Adopt an information governance framework
• Ask the right questions
• Focus on IT’s
  - Strategic alignment
  - Value delivery
  - IT asset management
  - Risk management
• Measure results
[Diagram labels: IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement; Stakeholder Value Drivers]
MARKET ANALYSTS VIEW OF IT PRIORITIES 2002
1. Strategic Alignment
“ALIGNING WITH THE BUSINESS AND COLLABORATIVE SOLUTIONS”
• Aligning IT with the business and its goals
• Providing a flexible, integrated information infrastructure to support the business strategy
• Instituting cross-functional collaborative information systems
• Be an agent of change enabling business transformation
• Educating and connecting with the Boardroom
• Effectively communicating with IS users.
MARKET ANALYSTS VIEW OF IT PRIORITIES 2002
2. Value Delivery
“FOCUS ON COSTS & BENEFITS AND PROOF OF VALUE”
• Cost-optimisation
• ROI for IT and its bottom-line impact
• Total cost of ownership (TCO) of IT services
• Quality and effectiveness of enterprise-wide service delivery
• Keeping users and managers satisfied
• Proving the value of IT.
MARKET ANALYSTS VIEW OF IT PRIORITIES 2002
3. IT Asset Management
“KNOWLEDGE, INFRASTRUCTURE AND PARTNERS”
• Selective outsourcing of non-core processes to trusted suppliers
• Leveraging knowledge and skills
• Providing an integrated economical IT infrastructure where new technology is judiciously introduced and obsolete systems updated or replaced
• Availability, training, retention and competence of key IT personnel
MARKET ANALYSTS VIEW OF IT PRIORITIES 2002
4. Risk Management
“SAFEGUARDING ASSETS AND DISASTER RECOVERY”
• Establishing IT security to safeguard assets and enabling business recovery from IT failures
• Providing privacy and resilience
• Establishing trust in services and partners
• Managing internal threats of misuse and errors and external threats from deliberate attacks as well as from market volatility and the pace of change.
OUR VIEW OF IT PRIORITY NO. 5
“NONE OF THESE DOMAINS
• Strategic Alignment
• Value Delivery
• IT Asset Management
• Risk Management
CAN BE PROPERLY MANAGED WITHOUT
5. Performance Measurement”
IT GOVERNANCE INSTITUTE OFFERINGS
1. Board Briefing 2001
2. CEO Guide 2002
3. IT Strategy Committee Guide 2002
35,000 downloads in 7 months
4. INFORMATION GOVERNANCE FOCUS :
WHAT SHOULD MANAGEMENT DO ABOUT IT ?
• Align IT strategy with business goals
• Cascade strategy and goals down into the organization
• Set up organizational structures that facilitate strategy implementation
• Adopt a control and security governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organization
• Focus on important IT processes and core IT competencies
• Measure performance (balanced business scorecard)
WHAT SHOULD MANAGEMENT DO ABOUT IT ?: ADOPT GLOBAL BEST PRACTICE
1. CobiT3 & CobiT4: An IT Control Framework
CobiT : An IT control framework
• Starts from the premise that IT needs to deliver the information that the organisation needs to achieve its objectives.
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to 4 domains and provides a high level control objective for each domain
  - Domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
• Looks at fiduciary, quality and security needs, and provides 7 information criteria that can be used to define what the organisation requires from IT
  - Information criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance
• Supported by 300+ detailed control objectives
CobiT3 : Achievements - added a governance layer
• Key Goal Indicators : a measure of the outcome of the process; a measure of « what »; indicator of business contribution
• Key Performance Indicators : a measure of « how well » the process is performing; must help in improving the process
• Critical Success Factors : the most important things to do; observable and measurable; leverage capability, skills and behaviour
• Maturity Models : a generic scale for pragmatic comparison; a “profile” of the enterprise on IT governance and control to determine As-Is and To-Be positions; basis for gap analysis
Maturity scale: 0 Non-Existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
CobiT4 Strategy
Mission
Through a simple product set, support an expanding target audience with on-line (continuously updated) knowledge on IT control, assurance and governance
Vision
To be the global standard for best practice in control over IT, and to assist users from assessment to implementation
Values
• Sharing knowledge
• Leveraging expertise
• Influencing best practices
Target Audience
WHO: executives & boards; management; professionals
WHAT: monitor; assess; implement
CobiT4 - Product Structure
Executives & Boards: Practices; Responsibilities
Business and Technology Management: Performance measures; Critical success factors; Maturity models
Audit, control and security professional: Control Objectives; Audit Guidelines; Implementation Guide
What is the IT Control Framework ?
How to assess the IT Control Framework ?
How to introduce it in the enterprise ?
Also shown: IT Control Practices; Self-assessment Tool; Maturity Benchmark; IT Governance Survey; Value Assessment; Risk Analysis; CobiT ‘lite’
The Maturity Levels (scale 0 to 5)
• BOARD HAS IT STRATEGY COMMITTEE AND APPROVES IT STRATEGY
• BOARD APPROVES IT STRATEGY OR HAS AN IT STRATEGY CTTEE
• BOARD IS REGULARLY INFORMED
• BOARD OCCASIONALLY ASKS QUESTIONS
• BOARD DOES NOT ADDRESS IT
CobiT4 - Maturity Benchmark
Most senior officers (in ISACA’s database), from 800 Fortune500 and significant government entities
146 responses for 205 entities =17.5%
DRIVERS
• Compliance with law, standards and regulations
• Cost reduction
• Mission and goals
• Performance improvement
• Risk reduction
• Reputation and trust
• Competitive environment
• Corporate values
• Politic/economic environment
INHIBITORS
• Budget limitations
• Availability of skilled staff
• Management awareness/commitment
• Lack of ownership
• Existing architecture
• No easy solution
• Resource conflicts/priorities
• Lack of tools
• Politic/economic environment
Average IT Governance Maturity Levels
PO1 define a strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes
[Chart: the processes above plotted on a scale of 0 to 5]
CobiT4 - Implementation Guide
IT CONTROL DIAGNOSTIC; MATURITY PROFILE; GAP ANALYSIS; ROADMAP
[Schedule chart, in weeks (0 to 22). Labels shown: Testing / QA; Final Design and Approach; Needs Analysis; Planning; Development; Initial Release; Final QA; Trade-Off Review; Milestone Reviews; Data implementation]
CobiT4 - CobiT Online
[Diagram labels: CobiT Knowledge Base; Assessment & comparison; Browsing & searching; Community Services; Knowledge & user management]
what ITGI needs to build, own & operate
• downloads
• exchange of experience
• discussion forums
• knowledge capturing
value added tools available on a commercial basis
Predictor (Gartner - 7 January 2002): By year-end 2002, six or more vendors will offer packaged “smart enterprise” portfolios of portal, content and document management, KM and collaboration products (0.8 probability). Many will also include e-learning.
CobiT4 - CobiT Online
Outcome Measures
• Volume of usage and size of benchmark database
• Number of user-suggestions to knowledge base
• Favorable reviews in professional publications
• Frequency, timeliness and cost-efficiency of CobiT releases
CobiT4 - CobiT lite
• difference in control environment
• preselection of processes & objectives
• 15 most important processes
• 318 CO’s down to 90 plus 15 simplified
• simple presentation form
• brainstorm approach
Early stages
PO1 define strategic IT plan
PO3 determine technological direction
PO5 manage the IT investment
PO9 assess risks
PO10 manage projects
AI1 identify solutions
AI2 acquire & maintain applications s/w
AI5 install and accredit systems
AI6 manage changes
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security
DS10 manage problems and incidents
DS11 manage data
M1 monitor the processes
• short communications path
• effective span of control
• simple command structure
• less build, more buy
• less complex IT infrastructure
• less ‘savvy’ about IT
• take more risk
• strong profit orientation
• less segregation
• less IT capabilities
CobiT4 - IT Control Practices
Deliverable
Practice (DS5.5.4): When employees are given their account, they should be provided with initial or refresher training and awareness on computer security issues. They should be asked to review the rules and regulations for system access and confirm they have understood.
Risk/Value:
• Ignorance of compliance requirements and sanctions leading to rules not being respected.
• Ignoring rules that are too generic or descriptive
• Absence of awareness leading to weak discipline
Labels shown: process control; effectiveness; cost-efficiency; expedience
Integration with CobiT lite and Implementation Guide
80/20 - ‘smart things to do’
CobiT4 - CobiT lite
Early stages
high effectiveness, low cost and expedient
[Chart: impact vs. cost, each axis marked H]
Maturity scale: 0 Non-existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
• ‘mini’ minimum baseline approach
• maximise at level 3
• simple presentation form
WHAT SHOULD MANAGEMENT DO ABOUT IT ?: ADOPT GLOBAL BEST PRACTICE
2. ISO 17799: An Information Security Framework
ISO 17799 - IS Best Practice
1. Became an ISO Standard in December 2000
2. Adopted by IT Governance Institute in its ‘Information Security Governance’ booklet - 2001
3. It is the second best selling ISO Standard - gaining global appeal
4. The standard is becoming a contractual obligation - included in ‘service level’ agreements
Therefore it is essential to ‘doing business’
ISO 17799 - IS Best Practice
Standard consists of two parts :-
1. Part 1 : Code of Practice - referred to as ISO 17799 - consists of 10 Guiding Principles covering strategic, operational & human issues
2. Part 2 : Information Security Management System (ISMS) - BS7799-2 : requires organisations to select which of the 127 controls are appropriate to them based on risk assessment (currently being revised)
ISO 17799 - IS Best Practice
1. Information Security Policy
2. Security Organisation
3. Asset Classification/Control
4. Personnel Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. System Access Control
8. Systems Development/Maintenance
9. Business Continuity Management
10. Compliance
ISO 17799 - IS Best Practice
It is therefore imperative that organisations ‘benchmark’ themselves against best practice and assess any gaps in their Information Security to protect against either internal or external threats that could jeopardise the reliability of information.
The standard also ensures that detailed policies and procedures are established & creates an ‘Information Security culture’
ISO 17799 - IS Best Practice
Current studies show that organisations who obtain 7799 certification are being respected as reputable & trusted. Future transactions can be conducted in the knowledge that information security risks are being effectively managed.
Information Security is therefore an essential ingredient to sustainable growth & acts as a market differentiator.
4. INFORMATION GOVERNANCE FOCUS :
WHAT SHOULD IT AUDITORS CONSIDER?
• Obtain an understanding about IT Governance
• Get the Board and Management to focus on the issues and their responsibilities
• Recommend the adoption of an IT control and governance framework, such as CobiT & ISO 17799
• Set up organizational structures that facilitate a strategic implementation of such framework
• Measure your own performance (Balanced Business Scorecard)
WHY SHOULD IT AUDITORS CARE?
• IT is integral and critical to the business
• Shareholders are holding Boards accountable
• Boards are holding management responsible
• An immense shift from tangible to intangible assets, the majority of the latter being information
• Boards and management will look for support to obtain assurance about the cost, return and risk of IT to the business
Why get into Information Governance
• “Due diligence”
• IT involves huge investments and large risk
• Expectations and reality don’t match
• IT is critical & strategic to the business
• IT does not get the attention it deserves
• Information Governance driven by IT will give you ‘Competitive Advantage’
IT is strategic to most organisations
If so, don’t you want to know if your IT Department is:
• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognising opportunities and acting upon them?
Why has IT not been addressed :
• requires more technical insight
• treated as separate entity
• IT is complex
IT Balanced Scorecard
INFORMATION
FINANCIAL
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee
PROCESS
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors/rework
CUSTOMER
• Level of service delivery up
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels
LEARNING
• Staff productivity & morale
• # of staff trained in new techno/services
• Value delivery per employee up
• Increased availability knowledge systems
IT Balanced Scorecard
Objectives
• Demonstrate the value added by the IT Organization
• Determine the effectiveness of the IT Organization
• Set guidelines for the IT Strategic plan
• Communicate and motivate about IT performance
• Establish IT Management reporting
Key result
• The most effective means to achieve IT and Business alignment
Critical success factor
• Approval of the IT Scorecard by key stakeholders
Information Governance Framework
Set Objectives
• IT is aligned with the business, enables the business and maximises benefits
• IT resources are used responsibly
• IT related risks are managed appropriately
IT Activities
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
[Other diagram labels: Provide Direction; Compare; Measure Performance]
Information Governance Toolkit
[Diagram labels: Best Practices; Subjects of attention; IT & Business Objectives; Core IT competencies; Business/Technology Developments; Measurement Performance; Measurement Results; Activities; Critical Success Factors; WHO; HOW; V A R P]
V = IT Value Delivery
A = IT Strategic Alignment
R = Risk Management
P = Performance Measurement
Information Governance Lifecycle
[Diagram labels: Alignment; Value Delivery; Management of Risk; Monitoring & Reporting; Evaluation]
ENVIRONMENT
• Ethics & Culture
• Laws & Regulations
• Mission & Vision
• Role Models
• Industry Practices
• …
[Lifecycle diagram labels repeated: Alignment; Value Delivery; Management of Risk; Monitoring & Reporting; Evaluation]
• Increased market share
• Competitive advantage
• Improve service delivery
• Reputation for trust & reliability
• Increased revenues & reduced costs
• Legal & Regulatory Compliance
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
[email protected]
www.isaca.org
www.ITgovernance.org
Information Governance
Thank you! Any Questions ?
Vernon Poole