IT Governance, Risk, and Compliance


February 4, 2011  11:07 PM

Governing IT: Setting Control Objectives – Part VII

Robert Davis

“An [entity's] Management Information System (MIS) represents the aggregation of personnel, computer hardware and software, as well as procedures that process data to generate utilizable information for decision-making. Management enables a MIS through control objectives implemented to comply with external and internal business requirements.” To ensure achievement of the IT control objectives supported by the MIS, Key Performance Indicators (KPIs), Critical Success Factors (CSFs), and benchmarks, among other techniques, are used for performance measurement, issue identification and gap analysis.


February 1, 2011  9:04 PM

Governing IT: Setting Control Objectives – Part VI

Robert Davis

Effective IT control objectives depend on IT risk management, which provides the framework that enables future activity to take place in a consistent and controlled manner. In particular, prioritization enables appropriate resource allocation to prevent, avoid, detect, and/or correct potential risks to the entity’s IT architecture. Once management understands the degree of total risk to information assets, decisions can be made regarding accepting specific risks or conducting tests to verify the sufficiency of detailed risk treatment measures. Thereafter, in descending order of risk, the IT risk points exceeding the IT risk tolerance level can be addressed through adoption or revision of the entity’s IT control objectives.



January 28, 2011  10:07 PM

Governing IT: Setting Control Objectives – Part V

Robert Davis

Using SWOT, each IT objectives analysis team member should have conversations with at least four other individuals from the entity to solicit their situational assessment of the current state of IT controls. At a minimum, the four individuals — queried independently by each team member involved in the SWOT exercise — should include: someone two levels senior to the team member, someone from a different functional area, someone known for creative thinking, and someone with a reputation for levelheaded decisions. Subsequently, in a group setting, IT team members should discuss and compare their individual perspectives to arbitrate and document an IT control consensus.



January 25, 2011  9:53 PM

Governing IT: Setting Control Objectives – Part IV

Robert Davis

COBIT enables an entity to set clear control objectives for IT by combining the previously discussed IT design and operational areas. Specifically, the eight IT managerial areas are grouped into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Management can use these generally accepted domains, with their associated control objectives, to derive achievable IT goals.

When setting control objectives, Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis can be employed to organize IT control objectives and surface general agreement on the entity’s strategic situation. If the control environment dictates setting control objectives based on the COBIT framework, management can approve the presented control objectives as documented or, where appropriate, modify and then approve them.



January 21, 2011  10:08 PM

Governing IT: Setting Control Objectives – Part III

Robert Davis

IT planning, organization, acquisition, implementation, delivery, support, monitoring, and evaluation are baseline IT subjects that embrace core managerial responsibilities as conceived by Henri Fayol. Categorically, IT-related planning, organization, acquisition, and implementation can be considered design areas for defining the compatibility and functionality of IT configurations; whereas IT-related delivery, support, monitoring, and evaluation can be considered operational areas for enabling the consistency and accuracy of IT processing. Nevertheless, adopted control objectives should reflect the entity’s control environment.



January 18, 2011  5:52 PM

Governing IT: Setting Control Objectives – Part II

Robert Davis

General managerial objectives, such as maintaining satisfactory performance levels, can be translated into detailed IT objectives defining acceptable IT configuration characteristics. The primary purpose of these detailed IT configuration objectives is to guide IT owners and designers in the selection of appropriate IT controls. Therefore, reflecting the COBIT framework, IT statements of objectives should address the following areas affecting the availability, compliance, confidentiality, effectiveness, efficiency, integrity and/or reliability of information:

· Planning

· Organization

· Acquisition

· Implementation

· Delivery

· Support

· Monitoring

· Evaluation



January 14, 2011  7:06 PM

Governing IT: Setting Control Objectives – Part I

Robert Davis

Reducing IT-related errors, mistakes, omissions, irregularities, and illegal acts should be an explicit policy of every passive or active entity. Institutionalizing such a policy requires documenting and conveying “statements of objectives” for reducing these common IT risks to an acceptable level. Therefore, considering the impact on an entity’s internal control system, “Setting objectives and establishing processes to accomplish designed objectives is a managerial responsibility. Tactically, the manager responsible for a plan’s implementation should set objectives with advice obtained from the entity’s planning committee, top-level executives and line subordinates.


January 11, 2011  5:07 PM

Governing IT: Policy Formulation and Enforcement – Part VIII

Robert Davis

Without clear policies that define acceptable IT-related behavior, sustaining an effective and efficient internal control system is a remote possibility. Conversely, the formulation of clear IT policies is a mechanism for creating and propagating transparent plans for the achievement of adopted IT objectives at all organizational levels. Though deploying IT policies cannot guarantee that errors, mistakes, omissions, irregularities, or illegal acts are prevented, detected and/or corrected in a timely manner, enforcement of policies addressing IT control issues can reduce unacceptable risks to an acceptable level. Where IT policies are deployed, management is empowered to ensure that IT-related activities are aligned with IT objectives and that employees are following IT-related expectation guidelines. Specifically, if IT policy formulation and enforcement are based on a closed-loop system, there normally are provisions for the measurement and feedback of results, as well as for corrective actions to be implemented wherever deemed appropriate.



January 8, 2011  12:26 AM

Governing IT: Policy Formulation and Enforcement – Part VII

Robert Davis

Due to the continuous adoption of new or improved hardware, firmware and software, IT threat vectors are likely to remain a business risk for the foreseeable future. Once an entity understands what information needs to be controlled and has developed a set of policies to address data protection, it can evaluate technology solutions designed both to stop perceived threats and to enforce IT policies automatically. Within this context, entities should acquire solutions that enforce IT policies while reducing risk exposure, controlling costs, and simplifying administration across the deployed IT architecture.



January 4, 2011  5:14 PM

Governing IT: Policy Formulation and Enforcement – Part VI

Robert Davis

Performance measurement is a control activity.” Measurement techniques are the means for achieving effective performance monitoring. Manually monitoring and evaluating the current state of implemented policies may take a variety of forms, including IT control self-assessments, IT quality assurance assessments and IT audits. These manually-based control systems assist in ensuring, or assuring, policy compliance within the entity. However, what should not differ from one control system to another used to assess compliance is how top-level management handles violations of adopted IT policies.


