IT governance framework
Outlines how leadership accomplishes delivery of mission-critical business capabilities using IT strategies, goals, and objectives
Data governance policies
Focus on effective management of data, ensuring availability, integrity, usability, and security
Availability
Data should be available to the right employees at the right time
Integrity
Data must have proper integrity, with no missing, duplicate, or mismatched values
Usable format
Data must be in a usable format for easy interpretation and analysis
Security
Data must be secure, especially personally identifiable and regulatorily constrained information
Architecture
Job roles and IT applications designed to fulfill governance objectives
Metadata
Data describing other data, robust in terms of breadth and specificity
Policy
Translates management and governance objectives into practice
Quality
Ensures data has no anomalies, such as missing, duplicate, or mismatched values
Regulatory compliance and privacy
Secures personally identifiable and regulatorily constrained data
Security
Preserves, stores, and transmits data securely
COSO Internal Control--Integrated Framework
Governance framework with general controls over technology to achieve organizational objectives
Control activities
General controls over technology to achieve organizational objectives
Information and communication
Acquiring, creating, and using quality information to support internal controls
ISACA's Control Objectives for Information and Related Technology (COBIT) framework
Distinguishes between governance and management, recognizing them as two unique disciplines
Organizational governance
Responsibility of board of directors, focusing on organizational structure
Management
Responsible for daily planning and administration of operations
Aligning IT Governance with Organizational Objectives
Designing IT governance to facilitate the achievement of the company's vision and corporate strategy
Vision
Company's aspiration and goals; IT governance should support the achievement of that vision
Corporate strategy
The way in which an organization achieves its goals and objectives
IT strategy
Aligning IT strategy with corporate strategy objectives to optimize achievement of those objectives
Documentation
Strategy and architecture provide a strong understanding of the organization's capabilities
Virtual/physical network design
Companies choose between physical or virtual network design based on power needs and demand spikes
Centralized/decentralized network design
Companies choose between centralized or decentralized network design based on range of locations and control needs
Cybersecurity
More of a concern for companies with large regulatory burden or compliance
Disaster recovery and business continuity
Speed can vary greatly based on industry, ensuring business continuity and recovery plans
Available IT personnel
Staffing for IT needs can be insourced, outsourced, or a combination
Support functions
HR, marketing, legal, internal audit, determine IT strategy and expertise needed
Structuring and Executing IT Governance
Involves decision makers at all levels and various IT support staff
Board of directors
Evaluates IT governance policies and ensures they meet strategic and operational needs
Executive management
Makes key strategic decisions and ensures effective execution of IT governance
Middle management
Carries out governance policies and ensures subordinates follow them
IT support staff
Responsible for daily planning and execution of governance policies
Network engineers
Design and maintain a company's network infrastructure
Help desk and lower-level IT support
Provide troubleshooting and support for end users
Cybersecurity staff
Ensure safe and secure usage of company data and IT assets
Function-specific staff
Accountants, project development teams, testers, end users
External stakeholders
Customers, vendors, auditors, regulators influence IT governance structure
Processes for governance execution
Project development teams and steering committees oversee IT governance
Project development teams
Formed for new IT projects, responsible for planning, design, and monitoring
Steering committees
Oversee information systems function, set governing policies, provide guidance
Assessing IT Governance Risks
Performed through business impact analysis (BIA) to identify essential processes and resources
Business impact analysis (BIA)
Identifies essential business units, processes, resources, and required IT resources
Impact
High, moderate, or low impact of a risk on department or organization
Likelihood
High, medium, or low likelihood of a risk occurring
Evaluate outcomes
Take appropriate corrective action based on the impact and likelihood of risks
Implement the response
Identify and evaluate mitigation recommendations, choose, plan, and implement
System and Organization Controls (SOC)
Reports provide assurance on controls and information systems
SOC 1
Reports on controls for financial statements and operational needs
SOC 2
Reports on controls related to security, processing integrity, availability, and privacy
SOC 3
Similar to SOC 2, provides attestation on controls related to security, processing integrity, availability, and privacy
Data and Information Management
Storing, managing, and analyzing data for decision-making purposes
Relational databases
Efficient method to store and manage data with tables, attributes, records, and fields
Data queries and reports
Extracting data using SQL commands and generating reports
Extract, Transform, and Load (ETL)
Process of extracting, transforming, and loading data for analysis
Data storage
Operational data store, data warehouse, data mart, and data lake
Entity integrity
Each table must have a unique primary key as a record identifier
Referential integrity
Changes to primary keys must also cause changes to related foreign keys
Data analytics
Process of transforming raw data into insights for decision-making
Descriptive analytics
Summarizes and observes data to indicate what happened
Diagnostic analytics
Uncover correlations and patterns to explain why an event happened
Predictive analytics
Forecast future data points based on historical data
Prescriptive analytics
Recommends optimal actions to achieve desired outcomes
Data visualizations
Representing data in visual formats for easier understanding
Line chart
Shows quantitative trends over time
Column chart
Effective for comparisons
Scatter plot
Demonstrates relationships between variables
Pie chart
Shows proportions of a whole value
Flowchart
Maps out a process with steps and decision points
Waterfall chart
Shows cumulative effect of a series of data points
Data visualization considerations
Scale, legends, bias, time periods, colors, titles, labels