Why choose the IT Governance Network?

Global leaders in the design and implementation of IT governance frameworks and mechanisms.

More than 10 years' experience in the protection of personal information (POPIA).

Consulting services, software solutions and a wide range of training available.

POPIA Compliance Framework and Monitoring System

The Protection of Personal Information Act is technical and complex: it requires a wide range of technical and organisational measures to be implemented to protect the rights of natural and juristic persons to privacy. To ensure compliance, the Information Regulator requires all organisations to develop and implement a compliance framework so that they can effectively monitor the protection afforded to natural and juristic persons.

A functionally rich POPIA Compliance Framework and Monitoring System helps small and large organisations achieve POPIA compliance effectively and efficiently. It enables organisations to jump-start their POPIA programme by implementing an international standards-based POPIA compliance framework.

More about the POPIA Compliance Framework and Monitoring System ...

IT Governance

King III

The IT Governance Network has produced an ebook looking at IT Governance and the issues in King III Report. The King Commission on Corporate Governance released its report on 2 September 2009. This report contains a chapter on IT Governance.

To download the FREE ebook "Executive Overview IT Governance aligned to King III" click here.


Other FREE Downloads:

  • Getting started with King III
  • King III Essentials and the 43 Steps to Implementation
  • King III and the IT Governance Charter
  • King III and the role of Internal vs External Audit
  • King III and Internal Controls
  • King III and the Status of IT Governance
  • King III and System Management for increased Productivity
  • King III and Information Security
  • King III and Developing an Information Security Management System
  • King III and the Protection of Personal Information
  • ITIL and Productivity Improvement

 

Orchestrating Activities into effective Processes

In most organisations it is expected that there will be a rapid and effective response to requests for service, particularly when these can deliver substantial business benefits.

To ensure that service levels are consistently high, management must be able to plan and deploy personnel rapidly, with pinpoint accuracy, to the required locations. They must be able to orchestrate and communicate who has to perform what, where and when, as well as what task is next and where the next task is located. Planning of activities would be in accordance with a customised business process or a streamlined IT process model (e.g. ITIL) that incorporates interfaces to related processes and which focuses attention on the approval steps, cost, quality assurance, security and compliance checks applicable to the task at hand.

Processes should be defined for staff to execute assigned tasks at the designated locations, while regularly updating management and other stakeholders of the challenges encountered and progress at each location.

 

Governance is different from Management

The word "manager" normally refers to a person who provides technical and administrative direction and control to those performing tasks or activities within the manager’s area of responsibility.

The traditional functions of a manager include planning, organising, directing, and controlling work within an area of responsibility. If a manager does this, he/she is likely to be providing “good management”.

In many instances there isn’t sufficient time and resources for the manager to focus on anything other than the operational activities he/she is responsible for. Frequently the manager is “fighting fires” – managing an endless number of operational problems.

GOOD GOVERNANCE IS ABOUT FOCUSING ON THOSE ACTIVITIES THAT HAVE AN IMPACT ON ACHIEVING THE ORGANISATION’S STRATEGIC GOALS. IT IS ABOUT HOLDING PEOPLE ACCOUNTABLE FOR ACHIEVING THE STRATEGIC GOALS - this is about directing and controlling key activities to ensure the performance expected by the Business is delivered.

People accountable for good governance are responsible for making the changes necessary to deliver the performance expected by the Business.

A governance system comprises various governance mechanisms that enable multiple stakeholders in an enterprise, including management, to have an organised say in evaluating conditions and options; setting direction; and monitoring compliance, performance and progress against plans, to satisfy specific enterprise objectives. It is usually the CIO's responsibility to identify and implement the appropriate governance mechanisms for the use of information and technology. However, in doing so common sense must prevail. Appropriate structures, processes and governance mechanisms should be deployed based on the size, complexity and nature of the business activities that are necessary to achieve the organisation’s strategies and objectives.

Typical governance mechanisms include:

  • frameworks and architecture
  • principles
  • goals and objectives
  • IT governance charters
  • IT policies
  • IT plans, schedules, deadlines
  • IT strategies
  • organisational structures
  • decision mechanisms, roles and responsibilities
  • processes and practices, registries
  • standards, contracts, SLAs
  • compliance monitoring and management
  • scorecards, bench-marking and reporting.

Although frameworks like COBIT provide important guidance about the required tasks that make up generally accepted best practice for IT processes, the actual process of implementing or modifying the recommended practices for a particular organisation can be challenging. Companies often struggle to define and implement the processes, controls and governance mechanisms recommended without expert consultation. Frequently there is considerable upfront investment in simply understanding the requirements of the selected frameworks with little real value actually being created.

With the ITGN's expert guidance, streamlined processes with clearly defined actionable tasks and governance mechanisms can be implemented to manage the risks, deliver the results expected and support regulatory compliance obligations.

To implement the ISO 38500 standard, a system to direct and control the current and future use of IT is required. The system comprises controls and processes to achieve the strategic objectives set by the organisation's governing body. A few choices are available.

COBIT is a popular IT management framework that defines both processes and controls. In many respects its purpose is similar to ISO 38500 as it also aims to enable better governance of information technology so that the organisational objectives are achieved.

At the centre of ISO 38500 is a framework of 6 principles. To implement these principles it is easiest if they are mapped to the COBIT process model; through the execution of these processes ISO 38500 becomes effective.

The advantage of using a process framework like COBIT is that it groups related IT activities in processes that have a life-cycle and are focused on achieving specific outcomes. Through cascading the organisation's business objectives down to the IT processes you are able to align day to day activities with the organisation's stakeholder expectations.

Roles, responsibilities and decision-rights at the process level can be aligned with the business goals. Governance mechanisms such as job descriptions and contracts can be crafted to support the achievement of specific outcomes. Performance measures can be fine-tuned to drive the required behaviour. Over time, controls are implemented to manage risk and capability is developed so the organisation is better able to perform as expected.

Definition of “Framework”:

A basic conceptual structure used to solve or address complex issues.

 

IT Governance Framework

An IT Governance Framework is a system by which the current and future use of IT is directed and controlled. At the centre of an IT Governance Framework is the assignment of decision-making authority and the accountability of individuals for the decisions they make, particularly when these decisions impact on the organisation's strategic goals.

An IT governance framework comprises 3 tiers:

  • At the Board level: directors Evaluate, Direct and Monitor the performance of IT against plans, internal policies, external obligations and strategic objectives.
  • At the Management Level: management Plan, Supervise, Check and Act to effectively and efficiently leverage IT resources and to drive continuous improvement. (A management system that includes policies, plans, organisational structures, processes and governance mechanisms is used to enable the effective management of IT resources and ensure continuous improvement.)
  • At the Process Level: activities are performed, controlled and checked in alignment with business objectives.

 

Accountability Framework

Governance occurs at the strategic, tactical and operational levels through the assignment of decision‐making authority and accountability to encourage desirable behaviour in the use of IT. The Board approves the IT Charter and assigns responsibility to the CIO to implement IT Governance. The CIO uses the accountability framework to clarify who is assigned which responsibilities for the various roles in IT and the business.

An accountability framework is the first step to clarifying the assignment of responsibilities across a number of roles. Current role descriptions are mapped to the key tasks that underpin the IT services provided using process models (e.g. CobiT and ITIL) as a reference. Duplications are removed and gaps closed.

 

Authorisation Framework / RACI Workflow Chart

Further granularity in the assignment of responsibilities and decision‐making rights is established through the analysis of the workflow between individuals, and between the processes they use.
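The accountability framework above is built by mapping roles to tasks, removing duplicated assignments and closing gaps; the RACI workflow chart then records who is Responsible, Accountable, Consulted and Informed for each task. The script below is an added example (not ITGN's own tooling) that runs those checks over a constructed RACI matrix with hypothetical roles and tasks: it flags tasks with no accountable role or no responsible role (gaps), tasks with more than one accountable role (duplication), and, for tasks marked as sensitive, a role that both performs and is accountable for the same task (a separation-of-duties conflict).

```python
"""RACI matrix consistency check (added example, constructed data)."""
from collections import defaultdict

# Constructed sample matrix: task -> {role: RACI letters}.
# Roles and tasks are hypothetical; a role may hold several letters ("AR").
RACI = {
    "Approve change request":  {"CIO": "A", "Change manager": "R", "Service desk": "I"},
    "Implement change":        {"Change manager": "A", "Sysadmin": "R", "Security": "C"},
    "Review firewall rule":    {"Security": "A", "Sysadmin": "R"},
    "Grant privileged access": {"Security": "A", "Sysadmin": "R", "CIO": "A"},  # two A's
    "Decommission server":     {"Sysadmin": "R", "Finance": "I"},              # no A
    "Sign off DR test":        {"Ops manager": "A", "Finance": "C"},           # no R
    "Approve own expense":     {"Ops manager": "AR"},                          # R and A same role
}

# Tasks where the same person performing and approving is a control weakness.
SENSITIVE = frozenset({"Approve change request", "Grant privileged access",
                       "Approve own expense"})


def check_raci(matrix, sensitive=frozenset()):
    """Return a list of (task, kind, detail) findings.

    kind is one of:
      "gap"       - no accountable role, or no responsible role
      "duplicate" - more than one accountable role (accountability must be singular)
      "sod"       - on a sensitive task, one role is both responsible and accountable
    """
    findings = []
    for task, assignments in matrix.items():
        accountable = sorted(r for r, v in assignments.items() if "A" in v)
        responsible = sorted(r for r, v in assignments.items() if "R" in v)

        if not accountable:
            findings.append((task, "gap", "no accountable role"))
        elif len(accountable) > 1:
            findings.append((task, "duplicate",
                             "multiple accountable roles: " + ", ".join(accountable)))
        if not responsible:
            findings.append((task, "gap", "no responsible role"))

        if task in sensitive:
            overlap = sorted(set(accountable) & set(responsible))
            if overlap:
                findings.append((task, "sod",
                                 "same role responsible and accountable: " + ", ".join(overlap)))
    return findings


def role_summary(matrix):
    """Count, per role, how many tasks it is Responsible and Accountable for.

    Useful for spotting a role that has accumulated too much (or no) authority.
    """
    summary = defaultdict(lambda: {"R": 0, "A": 0})
    for assignments in matrix.values():
        for role, letters in assignments.items():
            for letter in ("R", "A"):
                if letter in letters:
                    summary[role][letter] += 1
    return dict(summary)


if __name__ == "__main__":
    for task, kind, detail in check_raci(RACI, SENSITIVE):
        print(f"[{kind:9}] {task}: {detail}")
    for role, counts in sorted(role_summary(RACI).items()):
        print(f"{role:15} R={counts['R']} A={counts['A']}")
```

Run against the sample, the check reports one duplicate, two gaps and one separation-of-duties conflict, and the role summary shows the Sysadmin role carrying four responsible assignments while holding no accountability, which is the kind of imbalance the next step of the framework (analysing workflow between individuals and processes) is meant to surface.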

 

Process Framework

A structured set of activities that achieve a specific purpose is a process. There are a number of process frameworks that are useful reference sources for information about IT processes. Popular frameworks are ITIL, CobiT, ISO 12207 and ISO 15288. However, the best process framework is the one that evolves internally.

 

IT Controls Framework

Control activities occur throughout the organisation, at all levels and in all functions. Put together in a generally accepted process model, they form a controls framework. Control activities are part of the processes by which an enterprise strives to achieve its business, financial reporting, operational, compliance, health, safety, social, environmental and sustainability objectives.

Control activities are the policies, procedures, general, application, user and company‐level responses that help ensure risk responses are properly executed.

 

A controls framework describes a single, holistic approach to mitigating risks through the selection and implementation of controls.

The Criteria for Certification

ISO certification can provide tremendous benefits, but these are often not realised. At the centre of the problem is dishonest auditors and incompetent certification bodies. Harsh words, but unfortunately very true! Certification bodies must comply with ISO 17021 and ISO auditors must comply with ISO 19011. Unfortunately some organisations choose to have their ISO certification from incompetent auditors and non-compliant certification bodies.

There are two fundamental requirements to ISO certification: the certification body must make public its criteria for certification, and the auditor must make public, prior to the audit, the audit requirements you are expected to satisfy. ISO 17021 and ISO 19011 require that this information be publicly available. Unfortunately this does not always happen. Before you seek ISO certification, request these two documents from the certification body and the auditor respectively. If they are not available, you need to be concerned and you should change your auditors, your certification body, or both. ISO 19011 requires that ISO auditors develop a specific audit programme relevant to your processes, your management system and your stated objectives.

Certain certifications (i.e. ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000 and ISO 38500) require a management system, an integrated set of processes and, most important of all, a clear set of business objectives to be achieved. A fundamental requirement for ISO certification is the actual achievement of the stated objectives. The three core requirements for ISO certification are 1) agreed business objectives, 2) a management system and 3) an integrated set of processes that will achieve the stated objectives. Without these, you cannot be certified as compliant!

'Auditors' of ISO standard implementations often lack the necessary skill and therefore the audit approach they follow is to simply examine the implemented controls, determine whether they have been documented and establish that they are working as described. For example, an ISO 27001 audit is usually (but incorrectly) based on ISO 27002 - a checklist of control objectives and controls. You don't need ISO 27002 (previously known as ISO 17799) at all! What you do need are processes to achieve the stated objectives and a management system to ensure this happens. Of course controls are required, but the purpose of controls is to place the processes under control, so they achieve the stated objectives. In other words, controls mitigate the process risks.

If you do not achieve the stated business objectives of your ISO implementation, if you do not have an effective and efficient management system and you do not have a set of integrated processes - you are not ISO compliant. Anyone who says you are is incompetent and/or dishonest!

IT Governance is hampered by poor Corporate Governance

Corporate governance of IT is intended to be for the benefit of all stakeholders. This is usually not understood by the business and its leaders. Decisions to promote good IT governance are often undermined by the lack of corporate governance across the rest of the organisation. It is typical that business leaders are focused only on their own area of responsibility. Their own business unit's objectives are placed above those of the rest of the organisation's stakeholders. This behaviour is driven by poorly designed performance management systems that tend to drive the wrong behaviour and reward individuals for the wrong reasons. Unless there is an effective board of directors to keep business leaders in check, IT will have considerable difficulty in getting the necessary change in behaviour from business leaders in their organisations, particularly when change will result in fewer benefits to the business units concerned.

The problem with business is that there isn't any understanding of corporate governance, and little motivation to change the way business currently operates. A competent board of directors is required to ensure that the interests of all stakeholders are taken into account and that the value proposition of an organisation takes into consideration the interests of all stakeholder groups.

Unfortunately for most organisations the dominant stakeholder groups are the incumbent senior managers and those providing the financial means for success. If senior managers produce the results the revenue providers desire, these senior managers are handsomely rewarded - regardless of how negatively other stakeholder groups may be affected. It is not surprising that senior managers undermine and are unwilling to implement effective corporate governance.

The purpose of IT governance is to establish accountability for decision-making and to communicate the established authority decision-makers have across the entire organisation. For IT governance to be of value, everyone needs to respect the decision-making authority assigned to the individuals concerned. But it is not unusual for business leaders to completely disregard the assignment of authority to others and to act on their own.

To prevent senior management undermining IT's effort to deliver real value to all stakeholders, the board of directors must actively oversee the behaviour of all business leaders and hold them accountable for both the positive and negative consequences that the decisions business leaders take have on the organisation as a whole and, in particular, on the IT organisation.

Building Capability

The first Capability Maturity Model was developed by the Software Engineering Institute at Carnegie Mellon University. The aim is to help organisations improve their processes by following an evolutionary path.

The maturity level of an organisation provides a way to predict the future performance of an organisation within a given discipline or set of disciplines. Experience has shown that organisations do their best when they focus their process-improvement efforts on a manageable number of process areas that require increasingly sophisticated effort as the organisation improves. A maturity level is a defined evolutionary plateau of process improvement. Each maturity level stabilises an important part of the organisation's processes.

The maturity levels are measured by the achievement of the specific and generic goals that apply to each predefined set of process areas. There are five maturity levels, each a layer in the foundation for ongoing process improvement, designated by the numbers 1 through 5.

The first step in improving a process is to understand the boundaries of the process you are trying to improve. The process could be any process and it will be a combination of people, tools, technologies, and methods employed to accomplish a task.

Once the operational entity is defined, a clear understanding of the operational entity's purpose and objectives guides improvement efforts. Many times, the purpose and objectives are stated in strategic planning documents. A clear understanding of the purpose and objectives will keep improvement efforts aligned with strategic needs and will avoid expending critical resources on improvement efforts that don't contribute to those needs.

Along with understanding the operational entity's objectives, it's important to understand how you will know whether its objectives have been achieved. It sounds good to say you intend to make your operation "world class", but how would you know when you're there? The objectives of an operational entity are stated first so that you can perform some level of verification to confirm that your improvement efforts move you closer to those objectives.

Once the operational entity requiring improvement is identified and its purpose is clearly understood, constraints and risks are more easily identified and addressed. The current state of the operational entity could be assessed against its objectives to identify current and potential barriers to meeting those objectives. Improvement plans would then be developed and implemented to address these barriers.

Operational process improvement using the COBIT framework enables an organised approach to identifying and addressing the constraints and risks, and helping the operational entity more effectively achieve its purpose.

Service Management

The IT Governance Network’s service management platform provides a new generation of managed services through a single, integrated, automated & mobile management solution that layers governance over IT and business processes. 

Current approaches to service management and regulatory compliance are labour intensive, static, inconsistent and arbitrary. The ITGN service management platform provides management with a real-time capability to view, track and manage all aspects of service delivery, across the entire organisation, from start to finish.

The ITGN service management platform is used to plan and co-ordinate multiple projects as well as individual tasks during the design and implementation phase for service management. The same platform continues to be used in responding to service related incidents and processing requests for changes to existing services.

The ITGN service management solution is modular and highly customisable. Any one of its components can operate standalone or be fully integrated. ‘Management’ can take the form of work and deadlines being assigned to an individual, a project or process owner. Alternatively, ‘management’ could comprise detailed instructions, orchestrated workflow and continuous monitoring. The mobile platform enables “management” to extend beyond the enterprise.

 

Mobilized Compliance Management

The ITGN privacy management platform can receive input from event logs, schedulers, triggers, process workflow and user interfaces. During the implementation phase many of the smaller initiatives and tasks can be organised and executed as part of normal operations without separate project management, but with similar control and audit trail being maintained throughout. 

Once operational, responses to service management issues are planned, authorised, coordinated, and either assigned to individuals directly or executed using predefined workflow (using BPMN) and if required, across a fully integrated mobile phone environment.

From planning to implementation and from incident to resolution, the ITGN service management platform will enable management to plan, choreograph and communicate the regular and ad hoc tasks required to implement and manage IT services in a cost effective manner while maintaining an audit trail from start to finish.

Management responsible for service related tasks, processes, and projects across the enterprise use the ITGN service management system as a central point of control to monitor progress in any one or all initiatives. The ITGN service management platform enables all staff to easily identify their responsibilities, respond and perform the required actions quickly, provide feedback at regular intervals and provide real-time status updates to the respective responsible parties.

 

The Benefits of Mobilization:

  • Managers are able to manage and take decisions from any location, at any time
  • Personnel can check on the status of key issues at remote locations and at third parties
  • Technicians can respond to service issues quickly
  • Managers can track service incident responses closely
  • Technicians can pull records and information while working remotely
  • Progress is monitored and reported in real-time
  • Staff productivity levels can be monitored and managed
  • Compliance status is continuously reviewed in real-time and responses triggered automatically
  • Infrastructure configurations are verified automatically
  • Performance measures are updated regularly
  • IT costs are reduced and productivity increased
  • Document control can be established to:
  1. approve documents for adequacy prior to issue;
  2. review and update documents remotely;
  3. record document changes and ensure that updates to a document's current revision status are authorised;
  4. deliver the relevant versions of applicable documents to the points of use;
  5. transfer, store and ultimately dispose of documentation in accordance with the procedures applicable to its classification;
  6. control the distribution of documents.

Subcategories

COBIT 5 Assessor mistakes!

Common mistakes by COBIT 5 assessors.


King IV Corporate Governance Assessment

Assess the current level of your organisation's corporate governance using this King IV assessment tool.

COBIT Assessment as a Service

Conduct a COBIT assessment using this COBIT Assessment-as-a-Service.

POPIA Preliminary Assessments

POPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.