
Plan and Organise
PO6 Communicate Management Aims and Direction

MANAGEMENT GUIDELINES

Activities
• Defining an IT control framework
• Developing and rolling out IT policies
• Enforcing IT policies
• Defining and maintaining a communications plan

Inputs (From)
• PO1: Strategic and tactical IT plans, IT project and service portfolios
• PO9: IT-related risk management guidelines
• ME2: Report on effectiveness of IT controls

Outputs (To)
• Enterprise IT control framework: ALL
• IT policies: ALL

Goals and Metrics

Metrics
• Frequency of policy review/update
• Timeliness and frequency of communication to users
• Frequency of enterprise IT control framework review/update
• Number of instances where confidential information was compromised
• Number of business disruptions due to IT service disruption
• Level of understanding of IT costs, benefits, strategy, policies and service levels
• Percent of stakeholders who understand IT policy
• Percent of stakeholders who understand the enterprise IT control framework
• Percent of stakeholders who are non-compliant with policy

Goals

Process
• Develop a common and comprehensive IT control framework.
• Develop a common and comprehensive set of IT policies.
• Communicate the IT strategy, policies and control framework.

IT
• Ensure transparency and understanding of IT costs, benefits, strategy, policies and service levels.
• Ensure that automated business transactions and information exchanges can be trusted.
• Ensure that critical and confidential information is withheld from those who should not have access to it.
• Ensure minimum business impact in the event of an IT service disruption or change.
• Ensure proper use and performance of the applications and technology solutions.
• Ensure that IT services and infrastructure can properly resist and recover from failure due to error, deliberate attack or disaster.

RACI Chart

Functions: CEO, CFO, Business Executive, CIO, Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration, PMO, Compliance/Audit/Risk and Security

Activities (RACI letters as extracted, left to right)
• Establish and maintain an IT control environment and framework: I C I A/R I C C C C
• Develop and maintain IT policies: I I I A/R C C C R C
• Communicate the IT control framework and IT objectives and direction: I I I A/R R C

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.


PO6 Communicate Management Aims and Direction

MATURITY MODEL

Management of the process of Communicate management aims and direction that satisfies the business requirement for IT of supplying accurate and timely information on current and future IT services and associated risks and responsibilities is:

0 Non-existent when

Management has not established a positive IT control environment. There is no recognition of the need to establish a set of policies, plans and procedures, and compliance processes.

1 Initial/Ad Hoc when

Management is reactive in addressing the requirements of the information control environment. Policies, procedures and standards are developed and communicated on an ad hoc basis as driven by issues. The development, communication and compliance processes are informal and inconsistent.

2 Repeatable but Intuitive when

The needs and requirements of an effective information control environment are implicitly understood by management, but practices are largely informal. The need for control policies, plans and procedures is communicated by management, but development is left to the discretion of individual managers and business areas. Quality is recognised as a desirable philosophy to be followed, but practices are left to the discretion of individual managers. Training is carried out on an individual, as-required basis.

3 Defined when

A complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures. The policy development process is structured, maintained and known to staff, and the existing policies, plans and procedures are reasonably sound and cover key issues. Management addresses the importance of IT security awareness and initiates awareness programmes. Formal training is available to support the information control environment but is not rigorously applied. Whilst there is an overall development framework for control policies and procedures, there is inconsistent monitoring of compliance with these policies and procedures. There is an overall development framework. Techniques for promoting security awareness have been standardised and formalised.

4 Managed and Measurable when

Management accepts responsibility for communicating internal control policies and delegates responsibility and allocates sufficient resources to maintain the environment in line with significant changes. A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established. A complete set of policies, plans and procedures is developed, maintained and communicated and is a composite of internal good practices. A framework for rollout and subsequent compliance checks is established.

5 Optimised when

The information control environment is aligned with the strategic management framework and vision and is frequently reviewed, updated and continuously improved. Internal and external experts are assigned to ensure that industry good practices are being adopted with respect to control guidance and communication techniques. Monitoring, self-assessment and compliance checking are pervasive within the organisation. Technology is used to maintain policy and awareness knowledge bases and to optimise communication, using office automation and computer-based training tools.


© 2007 IT Governance Institute. All rights reserved. www.itgi.org 54


PROCESS DESCRIPTION

Control over the IT process of Manage IT human resources that satisfies the business requirement for IT of acquiring competent and motivated people to create and deliver IT services by focusing on hiring and training personnel, motivating through clear career paths, assigning roles that correspond with skills, establishing a defined review process, creating position descriptions and ensuring awareness of dependency on individuals is achieved by

• Reviewing staff performance
• Hiring and training IT personnel to support IT tactical plans
• Mitigating the risk of overdependence on key resources

and is measured by

• Level of stakeholders’ satisfaction with IT personnel expertise and skills

• IT personnel turnover

• Percent of IT personnel certified according to job needs
