IT Governance, Risk, and Compliance


June 25, 2011  12:10 AM

Governance and Managing IT Projects – Part VII

Robert Davis

Technological development and deployment is inextricably connected to the economic, social, political, and informational factors that prevail in the entity's control environment. The system and infrastructure development life cycle is the multi-stage process used to convert a managerial need into an operational IT asset, which may be custom-developed, acquired, or a combination of both. To accomplish that conversion effectively and efficiently, a cohesive project team committed to the stated objectives and goals is essential. Within this context, and through aligned policies and procedures, an entity's control environment can provide the discipline and structure that ensure operational, financial, and compliance requirements are adequately addressed for IT projects.


June 21, 2011  8:54 PM

Governance and Managing IT Projects – Part VI

Robert Davis

Planning system and infrastructure deployments generally resides with upper-level management. In particular, the chief information officer (CIO), or a manager with overall responsibility for IT, commonly plans system and infrastructure deployments for the entity. Lower-level IT management is then obligated to implement the strategic plan in line with the entity's long-term objectives.

The typical project constraints that must be managed are scope, time, and budget. The secondary, and more ambitious, challenge is optimizing the allocation and integration of the resources needed to meet the pre-defined objectives and goals. Given this premise, the central dilemma of IT project management is achieving all project objectives while honoring the established project constraints.



June 17, 2011  8:37 PM

Governance and Managing IT Projects – Part V

Robert Davis

To report performance for a given investment effectively, entities should use predefined Systems and Infrastructure Life Cycle Management (SILCM) outcomes to enable multiple measurements, so that the positive impact an investment contributes is visible. Although SILCM performance reporting can include many indicators, its value does not lie in the sheer number of indicators. As with other IT programs, effective performance reporting requires identifying a critical few indicators in each relevant measurement area, so as to draw a "line of sight" from the IT initiative to the processes and activities it supports (and, by extension, to the user results, mission results, and business results it enables).



June 14, 2011  8:46 PM

Governance and Managing IT Projects – Part IV

Robert Davis

IT project managers are typically presumed to have in-depth technical skills. However, technical aptitude is not the primary key to successful project management. IT projects generally will not succeed unless they are managed by professionals who combine adequate business communication skills with technical communication skills.

Under one project management model definition, Project Communications Management comprises the processes governing the timely and appropriate generation, collection, dissemination, storage, and ultimate disposition of project information. Within this context, planning a formal communications network, with a clear purpose and distinct policies, is essential for IT projects. Disseminating IT project information is fundamental to practicing structured project management, and providing effective and efficient information distribution and storage normally requires a technology-based project management information system.



June 10, 2011  6:43 PM

Governance and Managing IT Projects – Part III

Robert Davis

Tactically, a project is a structured set of activities concerned with delivering a defined capability to the entity (one that is necessary, but not sufficient, to achieve a required business outcome) on an agreed schedule and budget. A project is also a temporary endeavor, with a defined beginning and end, undertaken to meet particular goals and objectives, usually to bring about beneficial change or added value.

The temporary nature of projects stands in contrast to ongoing operations, which are repetitive, permanent or semi-permanent functional work to produce products or services. Consequently, in practice the management of these two kinds of work is often quite different, and each requires distinct technical skills and separate administration.



June 7, 2011  9:31 PM

Governance and Managing IT Projects – Part II

Robert Davis

Managerially, oversight of IT-enabled investment portfolio assets should be performed throughout their life cycle. Operationally, portfolio management takes a holistic view of an entity's overall IT strategy while sustaining a clear and active linkage between that strategy and the portfolio of IT-enabled investments. When properly deployed, IT portfolio management can help bring IT projects under control and deliver meaningful value to the entity's lines of business.

The IT portfolio should be managed like a financial portfolio: riskier IT investments should be balanced with more conservative ones, and the mix constantly monitored to assess which projects are on track, which need remediation, and which should be shut down. Portfolio management often involves establishing scorecards for projects, infrastructure, and applications so that decisions can be made on a measurable basis.



June 3, 2011  9:42 PM

Governance and Managing IT Projects – Part I

Robert Davis

Depending on the entity, accountability for defining IT project governance can reside with a single person or with a group. As with IT governance and information security governance, entity executives should provide quality leadership when defining and activating IT project governance. Whether a single person or a group, IT project governance leadership normally requires vision as well as a strong organizational structure to ensure an effective and efficient IT architecture.

In most situations, IT project governance responsibility and accountability can be enhanced through portfolio management. Theoretically, IT portfolio management encompasses at least three distinct yet interdependent concepts: project portfolio management, infrastructure portfolio management, and application portfolio management.


May 31, 2011  8:17 PM

Effective Employment Practices for Protecting IT – Part VIII

Robert Davis

Technology is an enabler, not a solution, for deploying and executing a sound information assets protection (IAP) strategy. Responsibility for executing IAP should be shared across the entity, making all employees accountable as part of a well-defined and clearly articulated information security risk management program. Accordingly, the objective of an IAP risk assessment is to produce recommendations that maximize confidentiality, integrity, and availability protection while preserving the functionality and usability of the information. This objective addresses the major elements of risk management; therefore, communicating it to the entity's employees and securing their acceptance of it increases the probability of an adequate IAP risk management program.



May 27, 2011  9:33 PM

Effective Employment Practices for Protecting IT – Part VII

Robert Davis

Requiring employees to periodically confirm their safeguarding responsibilities not only reinforces IT security policies but may also deter individuals from committing illegal acts and identify problems before they become significant. Such confirmations should include statements that the individual understands the entity's expectations, has complied with the code of conduct, and is not aware of any code of conduct violations other than those the individual lists in the response. Although individuals with low integrity and ethical values may not hesitate to sign a false confirmation, most people avoid written misrepresentations because the document can later be used as evidence in proceedings to verify the truth of their assertions, while honest individuals are more likely to return the information security confirmation and disclose noncompliant behavior. As a result, following up on confirmation responses may reveal significant information assets protection issues.



May 24, 2011  7:49 PM

Effective Employment Practices for Protecting IT – Part VI

Robert Davis

Formal, documented, entity-specific job (position) descriptions should exist for every employee and should clearly convey duties, prohibitions, and reporting relationships. Position descriptions are typically prepared from job analyses: systematic procedures for observing work and determining which tasks must be accomplished to achieve organizational goals. Position descriptions should define the technical knowledge, skills, and abilities required for successful performance in the job, and should be usable for hiring, promotion, and performance evaluation. The itemized duties should also indicate the responsibilities assumed during emergency situations. The entity's human resources department should be accountable for ensuring that every organizational position is reviewed for its sensitivity level relative to security requirements. For each individual, the approved position description should match the employee's actual assigned duties.
