Domain 2: I.T. Governance
Jimmy Ardiansyah
Arkansas – September 16, 2005
9 Tasks
- Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT, so that it supports the organization's strategies and objectives.
- Evaluate the IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
- Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
- Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
- Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
- Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
- Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
- Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
- Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
15 Knowledge Statements
- Knowledge of the purpose of IT strategies, policies, standards and procedures for an organization and the essential elements of each
- Knowledge of IT governance frameworks
- Knowledge of the processes for the development, implementation and maintenance of IT strategies, policies, standards and procedures (e.g., protection of information assets, business continuity and disaster recovery, systems and infrastructure life cycle management, and IT service delivery and support)
- Knowledge of quality management strategies and policies
- Knowledge of organizational structure, roles and responsibilities related to the use and management of IT
- Knowledge of generally accepted international IT standards and guidelines
- Knowledge of enterprise IT architecture and its implications for setting long-term strategic directions
- Knowledge of risk management methodologies and tools
- Knowledge of the use of control frameworks (e.g., CobiT, COSO, ISO 17799)
- Knowledge of the use of maturity and process improvement models (e.g., CMM, CobiT)
- Knowledge of contracting strategies, processes and contract management practices
- Knowledge of practices for monitoring and reporting of IT performance [e.g., balanced scorecards, key performance indicators (KPIs)]
- Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual property, corporate governance requirements)
- Knowledge of IT human resources (personnel) management
- Knowledge of IT resource investment and allocation practices [e.g., portfolio management, return on investment (ROI)]
Corporate Governance
- Ethical behavior of corporate executives toward shareholders to maximize the return on financial investment.
- Distribution of rights and responsibilities among the different participants in the corporation, such as the board, managers and shareholders; it also spells out the rules and procedures for making decisions on corporate affairs.
Best Practices for I.T. Governance
Audit Role in IT Governance
- Audit plays a significant role in the successful implementation of IT governance within an organization; for example, audit is best positioned to provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiative.
I.S. Strategy
- Strategy Planning
  Strategic planning from the IS standpoint relates to the long-term direction an organization wants to take in leveraging IT to improve its business processes.
- Steering Committees
  A steering committee for IT is an important factor in ensuring that the IS department is in harmony with the corporate mission and objectives.
Types of Policy
- Advisory Policy - optional
- Regulatory Policy - mandatory
- Informational Policy - complementary
Risk Management
- The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving its business objectives, and deciding what countermeasures to take to reduce risk to an acceptable level.
Developing a Risk Management Program
- Establish the purpose of the risk management program
  To determine the organizational purpose for creating the risk management program
- Assign responsibility for the risk management program
  To designate an individual or team responsible for developing and implementing the organization's risk management program
Risk Management Process
- Identification of IS resources or assets
- Assess threats and vulnerabilities associated with IS resources
- Evaluate and prioritize risks
- Select appropriate risk management strategies and implement the plan
- Establish controls or evaluate existing controls
- Monitor and update the risk management program
Risk Analysis Methods
- Qualitative Analysis Method
  Uses words or descriptive rankings to describe the impact.
- Semiquantitative Analysis Method
  The descriptive rankings are associated with a numerical scale.
- Quantitative Analysis Method
  Uses numerical values to describe the impact of risk, using data from several types of sources.
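As an added example that is not part of the slides, the small risk register below applies the semiquantitative and quantitative methods to a constructed set of risks and carries out the "evaluate and prioritize" step of the risk management process above; the 1 to 5 ranking scale, its labels, the sample figures and the annual loss expectancy formula are assumptions of this example, not content of the deck.

```python
from dataclasses import dataclass

# Semiquantitative method: descriptive rankings tied to a numerical scale.
# The 1..5 scale and its labels are an assumption of this example.
RANK_SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

@dataclass
class Risk:
    asset: str                    # IS resource or asset (process step 1)
    threat: str                   # threat or vulnerability (process step 2)
    likelihood: str               # descriptive ranking
    impact: str                   # descriptive ranking
    asset_value: float = 0.0      # quantitative inputs: constructed sample data
    exposure_factor: float = 0.0  # fraction of asset value lost per event
    annual_rate: float = 0.0      # expected occurrences per year

def semiquantitative_score(risk):
    """Likelihood rank times impact rank on the numeric scale (1..25)."""
    return RANK_SCALE[risk.likelihood.lower()] * RANK_SCALE[risk.impact.lower()]

def annual_loss_expectancy(risk):
    """Quantitative method: expected yearly loss = value x exposure x rate
    (the common ALE formula; assumed here, the slides do not state one)."""
    return risk.asset_value * risk.exposure_factor * risk.annual_rate

def prioritize(risks, scorer):
    """Process step 3: rank risks, highest score first (ties by asset name)."""
    return sorted(risks, key=lambda r: (-scorer(r), r.asset))

def needs_treatment(risks, scorer, acceptable):
    """Risks still above the acceptable level, i.e. those needing countermeasures."""
    return [r for r in prioritize(risks, scorer) if scorer(r) > acceptable]

# Constructed sample register; the figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched web application", "high", "very high",
         asset_value=500_000, exposure_factor=0.4, annual_rate=0.5),
    Risk("file server", "ransomware", "medium", "high",
         asset_value=200_000, exposure_factor=0.5, annual_rate=0.2),
    Risk("print server", "hardware failure", "high", "low",
         asset_value=5_000, exposure_factor=1.0, annual_rate=1.0),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER, semiquantitative_score):
        print(f"{r.asset:18} score={semiquantitative_score(r):2} "
              f"ALE=${annual_loss_expectancy(r):,.0f}")
```

Running it with the two scorers shows that a low-value asset with a certain failure can rank above a high-value one on the descriptive scale yet fall below it on the monetary one, which is why the deck lists both methods.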
IS Management Practices
- Personnel Management
* Hiring
* Employee Handbook
* Promotion Policies
* Termination Policies
- Sourcing Practices
* Delivery of the IS function:
> Insourced
> Outsourced
> Hybrid
* IS functions can be performed:
> Onsite
> Offsite
> Offshore
- Outsourcing Practices and Strategy
- Globalization Practices and Strategy
- Capacity and Growth Planning
- Industry Standards/Benchmarking
- Service Improvement and User Satisfaction
- Organizational Change Management
- Financial Management Practices
  A critical element of all business functions
- Quality Management
  The means by which IS department-based controls are managed, measured and improved
- Information Security Management
  Provides the lead role in assuring that the organization's information resources are properly protected
- Performance Optimization
IS Organizational Structure and Responsibilities
- IS Roles and Responsibilities
* Librarian
* Data Entry
* System Administrator
* Security Administrator
* QA
* DBA
* Systems Analyst
* Security Architect
* Application Development and Maintenance
* Infrastructure Development and Maintenance
* Network Management
- Segregation of Duties within IS
- Segregation of Duties Controls
* Transaction Authorization
* Custody of Assets
* Access to Data
- Compensating Controls for Lack of Segregation of Duties
* Audit Trails
* Reconciliation
* Exception Reporting
* Transaction Logs
* Supervisory Review
* Independent Review
Potential Problems of I.T. Governance Implementation
- High staff turnover
- Inexperienced staff
- Poor motivation
- Lack of adequate training
- Frequent hardware and software upgrades
- Unfavorable end-user attitude
- Frequent hardware and software errors
References
- WWW.ISACA.ORG
- WWW.ITTG.ORG
- CISA Review Manual
Information
- Jimmy Ardiansyah, MS-IT
  Solution Developer @ Acxiom Corp.
  Arkansas 72801
  USA
- To obtain the .ppt file, please send a request to komputer-teknologi@yahoo.com or visit http://komputer-teknologi.net