A basic conceptual structure used to solve or address complex issues.
An IT Governance Framework is a system by which the current and future use of IT is directed and controlled. At the centre of an IT Governance Framework is the assignment of decision-making authority and accountability of individuals for the decisions they make, particularly when these decisions impact on the organisation's strategic goals.
An IT governance framework comprises 3 tiers:
Governance occurs at the strategic, tactical and operational levels through the assignment of decision‐making authority and accountability to encourage desirable behaviour in the use of IT. The Board approves the IT Charter and assigns responsibility to the CIO to implement IT Governance. The CIO uses the accountability framework to clarify who is assigned which responsibilities for the various roles in IT and the business.
An accountability framework is the first step to clarifying the assignment of responsibilities across a number of roles. Current role descriptions are mapped to the key tasks that underpin the IT services provided using process models (e.g. CobiT and ITIL) as a reference. Duplications are removed and gaps closed.
Further granularity in the assignment of responsibilities and decision‐making rights is established through the analysis of the workflow between individuals, and between the processes they use.
A structured set of activities that achieve a specific purpose is a process. There are a number of process frameworks that are useful reference sources for information about IT processes. Popular frameworks are ITIL, CobiT, ISO 12207 and ISO 15288. However, the best process framework is the one that evolves internally.
Control activities occur throughout the organisation, at all levels and in all functions. Put together in a generally accepted process model, they form a controls framework. Control activities are part of the processes by which an enterprise strives to achieve its business, financial reporting, operational, compliance, health, safety, social, environmental and sustainability objectives.
Control activities are the policies, procedures, general, application, user and company‐level responses that help ensure risk responses are properly executed.
A controls framework describes a single, holistic approach to mitigating risks through the selection and implementation of controls.