Clarify and maintain the governance of enterprise IT mission and vision. Implement and maintain mechanisms and authorities to manage information and the use of IT in the enterprise in support of governance objectives in line with guiding principles and policies.
Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.
- Decision-making model
- Enterprise Governance Guiding Principles
- Process Architecture Model
- Authority Levels
- Assigned Responsibilities for Resource Management
- Skill Development Plans
- Skills and Competencies Matrix
- Quality Management System (QMS) roles, responsibilities and decision rights
- Information Security Management System (ISMS) Scope Statement
- Allocated Levels of Authority
- Allocated Roles and Responsibilities
- Enterprise Governance Guiding Principles
- Strategic Road Map
- Emerging Risk Issues and Factors
- Risk Analysis Results
- Enterprise Governance Communication
- Principles for Safeguarding Resources
- Risk Impact Communication
- Communication on Value of Knowledge
- Policy and Objectives for Business Continuity
- Malicious Software Prevention Policy
- Connectivity Security Policy
- Security Policies for endpoint devices
- Feedback on Governance Effectiveness and Performance
- Updated Policies, Principles, Procedures ans Standards
- Environmental Policies
- Updated Policies, Principles, Procedures and Standards
- Definition of Organisational structure and functions
- Enterprise Operational Guidelines
- Communication Ground Rules
- Definition of IT-related Roles and Responsibilities
- IT-related Policies
- Communication on IT Objectives
- Evaluation of Options for IT Organisation
- Defined Operational Placement of IT Function
- Data Classification Guidelines
- Data Security and Control Guidelines
- Data Integrity Procedures
- Process Capability Assessments
- Process Improvement Opportunities
- Performance Goals and Metrics for Process Improvement Tracking
- Non-compliance Remedial Actions
- Enterprise Operating Model
- Enterprise Strategy
Define the Organizational Structure
- Define the scope, internal and external functions, internal and external roles, and capabilities and decision rights required, including those IT activities performed by third parties.
- Identify decisions needed for the achievement of enterprise outcomes and the IT strategy, and for the management and execution of IT services.
- Establish the involvement of stakeholders who are critical to decision making (accountable, responsible, consulted, or informed).
- Align the IT-related organization with enterprise architecture organizational models.
- Define the focus, roles, and responsibilities of each function within the IT-related organizational structure.
- Define the management structures and relationships to support the functions and roles of management and execution in alignment with the governance direction set.
- Establish an IT strategy committee (or equivalent) at the board level. This committee should ensure that governance of IT, as part of enterprise governance, is adequately addressed; advise on strategic direction, and review significant investments on behalf of the full board.
- Establish an IT steering committee (or equivalent) composed of executive, business, and IT management to determine prioritization of IT-enabled investment programs in line with the enterprise’s business strategy and priorities; track the status of projects and resolve resource conflicts, and monitor service levels and service improvements.
- Provide guidelines for each management structure (including mandate, objectives, meeting attendees, timing, tracking, supervision, and oversight) as well as required inputs for and expected outcomes of meetings.
- Define ground rules for communication by identifying communication needs, and implementing plans based on those needs, considering top-down, bottom-up, and horizontal communication.
- Establish and maintain optimal coordination, communication, and liaison structure between the business and IT functions within the enterprise and with entities outside the enterprise.
- Regularly verify the adequacy and effectiveness of the organizational structure.
Establish Roles and Responsibilities
- Establish, agree on, and communicate IT-related roles and responsibilities for all personnel in the enterprise, in alignment with business needs and objectives. Clearly delineate responsibilities and accountabilities, especially for decision making and approvals.
- Consider requirements from enterprise and IT service continuity when defining roles, including staff back-up and cross-training requirements.
- Provide input to the IT service continuity process by maintaining up-to-date contact information and role descriptions in the enterprise.
- Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.
- Implement adequate supervisory practices to ensure that roles and responsibilities are properly exercised, to assess whether all personnel has sufficient authority and resources to execute their roles and responsibilities, and to generally review performance. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
- Ensure that accountability is defined through roles and responsibilities.
- Structure roles and responsibilities to reduce the possibility of a single role to compromise a critical process.
Maintain the Enablers of the Management System
- Obtain an understanding of the organization’s vision, direction, and strategy.
- Consider the enterprise’s internal environment, including management culture and philosophy, risk tolerance, security, ethical values, code of conduct, accountability, and requirements for management integrity.
- Derive and integrate IT principles with business principles.
- Align the IT control environment with the overall IT policy environment, IT governance and IT process frameworks, and existing enterprise-level risk and control frameworks. Assess industry-specific good practices or requirements (e.g., industry-specific regulations) and integrate them where appropriate.
- Align with any applicable national and international governance and management standards and codes of practice, and evaluate available good practices such as COSO’s Internal Control-Integrated Framework and COSO’s Enterprise Risk Management—Integrated Framework.
- Create a set of policies to drive the IT control expectations on relevant key topics such as quality, security, confidentiality, internal controls, usage of IT assets, ethics, and intellectual property rights.
- Evaluate and update the policies at least yearly to accommodate changing operating or business environments.
- Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
- Ensure that procedures are in place to track compliance with policies and define the consequences of non-compliance.
Communicate Management Objectives and Direction
- Continuously communicate IT objectives and direction. Ensure that communications are supported by executive management in action and words, using all available channels.
- Ensure that the information communicated encompasses a clearly articulated mission, service objectives, security, internal controls, quality, code of ethics/conduct, policies and procedures, roles and responsibilities, etc. Communicate the information at the appropriate level of detail for the respective audiences within the enterprise.
- Provide sufficient and skilled resources to support the communication process.
Optimize the Placement of the IT function
- Understand the context for the placement of the IT function, including an assessment of the enterprise strategy and operating model (centralized, federated, decentralized, hybrid), the importance of IT, and sourcing situation and options.
- Identify, evaluate, and prioritize options for organizational placement, sourcing, and operating models.
- Define the placement of the IT function and obtain agreement.
Define Information (Data) and System Ownership
- Provide policies and guidelines to ensure the appropriate and consistent enterprisewide classification of information (data).
- Define, maintain, and provide appropriate tools, techniques, and guidelines to provide effective security and controls over information and information systems in collaboration with the owner.
- Create and maintain an inventory of information (systems and data) that includes a listing of owners, custodians, and classifications. Include systems that are outsourced and those for which ownership should stay within the enterprise.
- Define and implement procedures to ensure the integrity and consistency of all information stored in electronic forms such as databases, data warehouses, and data archives.
Manage Continual Improvement of Processes
- Identify business-critical processes based on performance and conformance drivers and related risk. Assess process capability and identify improvement targets. Analyze gaps in process capability and control. Identify options for improvement and redesign of the process. Prioritize initiatives for process improvement based on potential benefits and costs.
- Implement agreed-on improvements, operate as a normal business practice, and set performance goals and metrics to enable monitoring of process improvements.
- Consider ways to improve efficiency and effectiveness (e.g., through training, documentation, standardization, and automation of the process).
- Apply quality management practices to update the process.
- Retire outdated processes, process components, or enablers.
Maintain Compliance with Policies and Procedures
- Track compliance with policies and procedures.
- Analyze non-compliance and take appropriate action (this could include changing requirements).
- Integrate performance and accordance with individual staff members’ performance objectives.
- Regularly assess the performance of the framework’s enablers and take appropriate action.
- Analyze trends in production and compliance and take appropriate action.