IT Governance, Risk, and Compliance


July 29, 2011  8:34 PM

An Overview of IT Service Delivery and Support – Part I

Robert Davis

IT service delivery and support is an activity hive requiring appropriate resource allocations to satisfy managerial agreements and expectations. Within this context, the success of IT commonly depends upon the extent to which its services satisfy customers' initial requirements and requested modifications. Thus, to sustain this relationship, delivery of services needs to occur through the implementation of programs, systems, and processes, and responsibility for satisfying customers must reside with each member of the entity's IT operational units.

Aligning with the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 20000 process areas, IT service delivery should focus on providing the best possible service levels to meet entity-centric business needs through 'pervasive controls' that encompass service level management, availability management, capacity management, financial management, continuity management, information security management, and service reporting.

Post Note: An Overview of IT Service Delivery and Support is a redacted article based on the subject matter introduction presented in IT Auditing: IT Service Delivery and Support training material.

July 26, 2011  8:04 PM

Business Continuity and IT Availability – Part VIII


Directly, an entity's DRP has a significant effect on the viability of IT and information security governance programs. Indirectly, IT and information security governance programs may impact stakeholder-assessed entity value. Regardless of organizational formation — corporation, partnership, co-operative, or agency — management has a generally accepted duty to plan and enact strategies permitting the entity's survival under less than ideal conditions. Literally, adequate business continuity management (BCM) requires securing assets that offset catastrophic events. Therefore, management should ensure 'best practices' DRP is deployed within the IT and information security governance frameworks, and should visibly communicate commitment expectations for sustaining a sound and effective continuity program.



July 22, 2011  5:35 PM

Business Continuity and IT Availability – Part VII


Through establishment and deployment of an emergency management program, top-level personnel can send a clear message to everyone in the entity that business continuity and disaster recovery control responsibilities are taken seriously. If properly institutionalized, lower-level personnel will endeavor to understand germane aspects of the entity's continuity systems and how they operate, as well as their own roles and responsibilities within the control program.

Within the confidentiality, integrity, and availability (C-I-A) triad, pertinent financial and non-financial information relating to external or internal events, as well as daily activities, should be identified, captured, and communicated properly and in a timely manner to decision makers. When required, established entity communication channels should permit authorized information flows throughout the organizational structure, with all relevant internal and external data reliably conveyed to intended recipients.



July 19, 2011  8:04 PM

Business Continuity and IT Availability – Part VI


Considering the interconnectivity of national economies through computer networks, entities are more vulnerable than ever to the possibility of technical difficulties disrupting business at any point in the communication chain. From flood or fire to computer virus or denial of service, disasters can affect information assets crucial to conducting business locally, regionally, and globally.

To enable beneficial IT and information security service delivery and support (as with all processes), appropriate objectives, goals, policies, procedures, standards, and rules are required. Specifically, utilizing standards for ITSM usually generates benefits the moment an entity decides to rely on a business continuity service provider. For example, using a publicly available, generally accepted standard as the basis for an SLA between the entity and disaster recovery service partners will normally generate fewer disputes and lower costs.



July 15, 2011  2:44 AM

Business Continuity and IT Availability – Part V


Managerial concerns normally include excessive business costs, forgone business opportunities, and potential revenue losses. When a business interruption occurs, restored information assets may affect operational effectiveness and efficiency. Potentially, the IT function's costs could escalate beyond tolerable limits, while user departments experience a general productivity and/or critical resource loss that prevents the pursuit of business opportunities as well as economical revenue generation. Specifically, errors in data back-up, storage, maintenance, retention, and restoration may interfere with fulfilling organizational continuity and availability objectives. For example, many entities rely on available information to provide feedback on divisional and departmental performance. Errors in restored information could reduce management's ability to evaluate performance and take appropriate corrective action, thus diminishing program, system, and process monitoring effectiveness.



July 12, 2011  9:32 PM

Business Continuity and IT Availability – Part IV


Where accepted as a managerial responsibility, an adequate ISG program should have security professionals participating in the system life cycle design, acquisition, testing, and maintenance phases to ensure that business continuity as well as availability requirements are appropriately incorporated, that selected contingency configuration items function as intended, and that deployed service restoration features are not compromised during maintenance.

As synthesized sub-frameworks, Information Technology Service Management (ITSM) and Information Security Service Management (ISSM) promote entity information technology and information security units actively identifying the services customers need, then focusing on planning and delivering defined services to meet availability as well as continuity requirements. Internally and externally, IT and/or information security units should manage accepted service-level agreements (SLAs) to meet agreed-upon service restoration targets.



July 8, 2011  10:25 PM

Business Continuity and IT Availability – Part III


Governance usually occurs at different organizational strata, with activities flowing from processes, processes linking up to systems, and programs receiving objectives from the entity's oversight committee through established reporting lines. Alternatively or simultaneously, designated technological resources may provide information directly to the entity's oversight committee for critical programs, systems, or processes. Nevertheless, IT availability is generally accepted as an information security governance (ISG) domain. Therefore, the ISG program should provide guidelines that aid management in understanding the importance of, and promote the development of, an entity-wide BCP. Proactively, an ISG program should address the integration of business continuity and availability requirements during system development projects.



July 5, 2011  8:24 PM

Business Continuity and IT Availability – Part II


Minimally, an entity's IT governance program should address business continuity and IT availability requirements within the context of ensuring continuous service. As suggested by ISACA, a business continuity plan (BCP) assumes the role of advance planning and preparations necessary to minimize loss and ensure continuity of critical business functions in the event of a disaster. Disaster recovery planning is a key BCP component referring to the technological aspects of a BCP, encompassing consistent actions to be undertaken before, during, and after a catastrophe. Sound disaster recovery preparation is forged through a comprehensive planning system involving all of the entity's business processes.



July 1, 2011  10:07 PM

Business Continuity and IT Availability – Part I


Organizational units exist for various reasons. Governance focusing on business perpetuity and reliability should address strategic-to-operational transformations enabling adequate continuity management. Threading from the first-tier 'Governance Tree' level, linked leaves are inextricably affected by external forces. Consequently, an organizational formation's continuity depends on relevant, accurate, and timely assessments of the external environment to drive appropriate governance. Management, especially information security management, cannot establish an adequate safeguarding posture unless root expectations are understood and potential threats, weaknesses, and opportunities are appropriately addressed. Towards this end, entity oversight committee members — particularly non-executive directors — should ensure they are satisfied that effective, efficient, and compliant processes are deployed for business continuity and IT availability.


June 28, 2011  8:26 PM

Governance and Managing IT Projects – Part VIII


In group situations, decisions on what should be included in the portfolio of active IT investments may be fragmented between the chief information officer (CIO) and business executives, who may each make assumptions regarding how, and by whom, decisions should be made. However, both IT and business leaders should vet project proposals by matching them with the entity's strategic objectives. Directly, SILCM has a significant effect on the viability of an IT project governance program. Indirectly, IT project governance may impact stakeholder-assessed entity value. Therefore, management should ensure 'best practices' IT project governance is deployed within the IT governance framework to enable increased valuation by stakeholders.
