IT Governance: Implementing Frameworks and Standards for the Corporate Governance of IT

Book Description

Use an IT Governance strategy to reduce risk

An Introduction for Directors and IT professionals

The modern organisation increasingly works within the context of corporate governance. That context dictates its day-to-day and strategic activities, especially the management of corporate information asset risk and investment, and the ICT infrastructure within which those information assets are collected, manipulated, stored and deployed.

But what is corporate governance, and why is it important to the IT professional? Why is IT governance important to the company director, and what do directors of companies - both quoted and unquoted - need to know?

The Calder-Moir Framework

The book also explains how to integrate each standard and framework using The Calder-Moir Framework (download for free from www.itgovernance.co.uk/calder_moir.aspx), which was developed specifically to help organisations manage and govern their IT operations more effectively, and to coordinate the sometimes wide range of overlapping and competing frameworks and standards. It also specifically supports implementation of ISO/IEC 38500, the international standard for best practice IT governance.

Practical IT Governance guidance

Board executives and IT professionals can learn to maximise their use of the numerous IT management and IT governance frameworks and standards - particularly ISO/IEC 38500 - to best corporate and commercial advantage.

Build an IT Governance Framework

Within a 'super framework', or 'meta-framework', you can integrate each of these standards and frameworks whilst making sure that each can deliver what it was designed to do. Developing an overarching framework will enable your organisation to design IT governance to meet your own needs.

Table of Contents

  1. FOREWORD
  2. PREFACE
  3. ABOUT THE AUTHOR
  4. ACKNOWLEDGEMENTS
  5. CONTENTS
  6. INTRODUCTION: CORPORATE GOVERNANCE CONTEXT
    1. Background
    2. Governance
    3. Fiduciary duties
    4. Governance frameworks
    5. Emergence of IT governance
  7. CHAPTER 1: IT GOVERNANCE DEFINED
  8. CHAPTER 2: INTELLECTUAL CAPITAL AND THE INFORMATION ECONOMY
  9. CHAPTER 3: STRATEGY: THE SEARCH FOR COMPETITIVE ADVANTAGE
    1. Development of IT strategy
      1. Business, information and IT strategies
      2. Information strategy
      3. IS strategy
      4. Application strategy
    2. IT strategy
    3. The six-step IT strategy process
    4. Measurement and quality
      1. The IT Balanced Scorecard
        1. Perspectives
        2. Balanced Scorecard implementation
  10. CHAPTER 4: GOVERNANCE AND RISK MANAGEMENT
    1. Enterprise risk management
    2. Operational risk management
    3. IT risk management
  11. CHAPTER 5: IT REGULATORY COMPLIANCE
    1. Information security law: the emerging standard for corporate compliance
  12. CHAPTER 6: INFORMATION AND CONTINUITY RISK
    1. Information risks and ISO27001
    2. Continuity risks and BS25999, ISO/IEC 24762
    3. Civil contingencies and business continuity planning
  13. CHAPTER 7: INTERNAL CONTROL FRAMEWORKS
    1. UK Combined Code and Turnbull Guidance
    2. Sarbanes-Oxley
    3. COSO and internal control
    4. COBIT
    5. Val IT
  14. CHAPTER 8: PROJECT GOVERNANCE
    1. Project failure
    2. Project governance objectives
    3. Execution risk
    4. Executive-level project governance
    5. Board-level project governance
    6. Project management frameworks
    7. Agile project management
    8. OPM3®
    9. Conclusions
  15. CHAPTER 9: COMPONENTS OF IT GOVERNANCE
    1. Key decision areas
      1. 1: IT governance principles and decision-making hierarchy (see Chapter 10: ISO/IEC 38500)
      2. 2: Information strategy (see Chapter 3: Strategy: The Search for Competitive Advantage)
      3. 3: IT strategy (see Chapter 3: Strategy: The Search for Competitive Advantage)
      4. 4: IT risk management (see Chapter 6: Information and Continuity Risk)
      5. 5: IT architecture (see Chapter 16: Enterprise IT Architecture Committee)
      6. 6: IT investment and project governance (see Chapter 8: Project Governance)
      7. 7: Regulatory compliance and information security (see Chapter 5: IT Regulatory Compliance)
  16. CHAPTER 10: ISO/IEC 38500
    1. Scope
    2. Application
    3. Objectives
    4. Benefits
    5. Definitions
    6. The six principles of IT governance
      1. 1: Responsibility
      2. 2: Strategy
      3. 3: Acquisition
      4. 4: Performance
      5. 5: Conformance
      6. 6: Human behaviour
    7. The IT governance model in ISO/IEC38500
      1. Evaluate
      2. Direct
      3. Monitor
    8. Accountability
    9. Applying the six principles
      1. 1: Responsibility
      2. 2: Strategy
      3. 3: Acquisition
      4. 4: Performance
      5. 5: Conformance
      6. 6: Human behaviour
    10. Alignment between ISO/IEC 38500 and the Calder-Moir Framework
  17. CHAPTER 11: IT GOVERNANCE FRAMEWORKS AND STANDARDS
    1. Frameworks
      1. COBIT™
      2. ISO/IEC 27002:2005 and ISO/IEC 27001:2005
      3. ISO/IEC 27005:2008 and BS31100
      4. Payment Card Industry Data Security Standard
      5. ITIL®
      6. BS25999
      7. PMBoK™ and PRINCE2™
      8. The Zachman Framework and TOGAF
    2. Conformance
    3. Convergence
      1. COBIT-linked initiatives
      2. Management standard convergence
    4. IT governance starting point
    5. End-to-end IT governance process
  18. CHAPTER 12: THE CALDER-MOIR FRAMEWORK
    1. Navigating the framework
      1. 1: Business Strategy
      2. 2: Risk, Conformance and Compliance
      3. 3: IT Strategy
      4. 4: Change
      5. 5: Information and Technology
      6. 6: Operations
    2. Evaluate, direct, monitor
    3. Plan, Do, Check, Act
    4. Some subtleties
  19. CHAPTER 13: IMPLEMENTING IT GOVERNANCE
    1. Maturity models
      1. What is a maturity model?
      2. CMMI
    2. The IT governance implementation process
      1. Pre-requisites
        1. Strand 1
        2. Strand 2
      2. Initial completion
    3. Issues that must be resolved
      1. The problem of silo management
    4. Obtaining the board’s buy-in
      1. Identify symptoms
      2. Organisational politics and IT governance
    5. Conclusions
  20. CHAPTER 14: DECISION MAKING AND THE IT ORGANISATION
    1. The CEO
    2. The CIO
      1. The CIO: role description
      2. Key CIO challenges
        1. Culture
        2. Innovation
        3. Asset leverage
        4. Strategy
        5. Operations
        6. Staffing
        7. Processes and quality
        8. Compliance and security
    3. IT management structure
    4. IT organisational structure
    5. Outsourcing
      1. Supplier selection
      2. Outsourcing contracts
  21. CHAPTER 15: IT STEERING COMMITTEE AND EXECUTIVE COMMITTEE
    1. IT steering committee
      1. Composition of the IT steering committee
    2. Executive IT committee
  22. CHAPTER 16: ENTERPRISE IT ARCHITECTURE COMMITTEE
    1. Centralised or decentralised IT?
    2. Enterprise IT architecture committee
    3. The Zachman Framework
    4. The Open Group Architecture Framework
    5. Service-oriented architecture
    6. Conclusion
  23. CHAPTER 17: IT AUDIT
  24. CHAPTER 18: THE ITIL/COBIT/ISO27002 JOINT FRAMEWORK
    1. New Joint Framework
    2. Benefits of using the Joint Framework
  25. CHAPTER 19: THE IT MANAGEMENT SYSTEM OF TOMORROW
    1. PAS99
    2. The integrated management system
    3. A single PDCA model
    4. What are the differences between the two PDCA models?
    5. Aspects of integrating ISO/IEC 27001 and ISO/IEC 20000
      1. Management commitment
      2. A single documentation framework
      3. Document control requirements
      4. Record control requirements
      5. Electronic records and e-discovery
      6. Hierarchy of documentation
      7. Single monitoring, review and audit framework
        1. Monitoring
        2. Auditing
    6. Audit programme
    7. Management responsibilities
      1. Reviewing
  26. CHAPTER 20: CALDER-MOIR IMPLEMENTATION - A 15-STEP PROCESS
    1. 1. Initial IT governance assessment
    2. 2. IT governance road map
    3. 3. Principles—drawing on ISO38500
    4. 4. Develop organisational momentum (commitment, governance mandate)
    5. 5. Initial risk assessment
    6. 6. Plan changes (see Chapter 13: Implementing IT Governance)
    7. 7. Build on existing capabilities
    8. 8. Business strategy
    9. 9. Risk, governance and compliance framework (see Chapter 4: Governance and Risk Management)
    10. 10. IT architecture and strategy
    11. 11. Change
    12. 12. Information and technology lifecycles
    13. 13. IT operations
    14. 14. Reporting
    15. 15. Evolution and management of IT governance
    16. The Calder-Moir IT Governance Framework Toolkit
  27. CHAPTER 21: MAKING THE BUSINESS CASE FOR IT GOVERNANCE
  28. ITG RESOURCES
    1. Pocket guides
    2. Toolkits
    3. Best practice reports
    4. Training and consultancy
    5. Newsletter