IT Governance, Risk, and Compliance


December 10, 2009  8:49 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part II

Robert Davis

Organizational resilience requires proactive preparation for potential incidents, so that critical operations and services are not suspended or, if they are disrupted, are resumed as rapidly as those who rely on them require. An IT department’s success typically depends on satisfying end users’ processing and service requirements. IT operational resiliency should therefore be treated as an overarching organizational priority, addressed through disaster recovery planning that leaves the entity better prepared for crisis situations. To enable continuity of IT service delivery in accordance with the entity’s stated objectives and goals, management should develop strategies, tactics, policies, procedures, standards and rules designed to ensure continuity of operations.

Other aspects of continuity planning that should also be addressed during development are the means by which business users can be relocated and connected to standby technologies, if necessary. In addition, adequate continuity planning normally requires considering the need for alternative voice and data communications, off-site storage of copies of important paper documents, and procedures permitting clerical processing of data until the standby service is available.


December 7, 2009  7:01 PM

An Ounce of Disaster Prevention is Worth a Pound of Disaster Remediation – Part I

Robert Davis

“Attention all personnel! Attention all personnel! We are now experiencing an emergency code red condition. This requires following current crisis management procedures. Please, immediately proceed to your designated evacuation area and await further instructions…”

As we all should be aware, this type of occupational notification can occur at any time and in any place in the world where employees perform their assigned duties. Compounding the aforementioned scenario is the fact that some entities now rely on IT services to the extent that if key services are unavailable for a matter of hours the entity’s business can be severely affected. This situation arises because it is generally impossible to fall back on manual methods: either it is not technically feasible to substitute for current procedures, or there are insufficient personnel to process the volume of work associated with a function, or employees no longer have the necessary skills to perform a key task, or a combination of these factors.


December 3, 2009  9:07 PM

Safeguarding Assets is an IT Project Management Issue – Part IV

Robert Davis

Systems and infrastructure design affects the controls relied on by an entity’s management, and therefore affects control processes. Because systems and infrastructure are critical to an entity’s success, control processes should be designed and implemented to achieve specific control objectives. Consequently, among the potential control objectives for an entity, defining project management expectations for safeguarding assets is a necessity.

From an IT governance, risk, and/or compliance perspective, the planning and development phases of a system or infrastructure asset are important times to emphasize controls. It makes sense to build in controls before a new IT asset becomes operational, so the deployable item is reliable from the outset. It is also certainly easier, and less costly, to do it right the first time than to go back and add controls after implementation. In fact, it may not be feasible to add systems and/or infrastructure controls after implementation, because of the major architectural revisions often required to reach an acceptable risk level.



November 30, 2009  7:22 PM

Safeguarding Assets is an IT Project Management Issue – Part III

Robert Davis

An adequate IT infrastructure permits the continuance and growth of technology-based systems. Under the Control Objectives for Information and related Technology (COBIT) classification scheme, the infrastructure includes the hardware, operating systems, configuration systems, facilities, and support structure that enable objective achievement. Normally, an entity’s infrastructure integrates diverse software and hardware solutions, each designed to achieve a specific function. For an entity’s IT, infrastructure management (IM) is the administration of the essential operational components that enable IT architecture effectiveness and efficiency. As a critical ingredient in designing, implementing and sustaining efficiency as well as effectiveness, the entity’s IT infrastructure requires in-depth controls.



November 25, 2009  7:59 PM

Safeguarding Assets is an IT Project Management Issue – Part II

Robert Davis

As a foundational definition, a system is an assembly of procedures, processes, methods, and/or techniques united by regulated interaction conventions to form an organized whole in support of the entity’s objectives. A key term in this definition is “regulated.” Specifically, for anything to be systematic there must be a process conducted according to some orderly method, with a control that gauges the process against a previously established standard. Thus, systems need not necessarily be technology-based, although basing a system on electronically encoded procedures will tend to provide the regulation necessary for processes to be called systematic.

Even if technology is not used as a tool for providing control, a system that executes business processes with the same degree of regulation can be constructed, albeit without the time compression that technology offers. Nonetheless, within the context of development projects, under most circumstances, “systems” refers to IT applications. A new application’s life cycle begins when the inadequacy of the old application leads to a decision to develop a new or improved application. The most common methodology applied to the development of large applications is a system development life cycle (SDLC) approach that incorporates the various application development activities. Customarily, application development life cycle approaches are based on the idea that an information system has a finite lifespan that is analytically divisible into stages. The development life cycle generally includes planning, systems analysis, systems design, implementation, and operating stages.



November 23, 2009  6:26 PM

Safeguarding Assets is an IT Project Management Issue – Part I

Robert Davis

Technology-based systems and infrastructure do not occur accidentally. They come into being only after appropriate planning, comprehensive organizing, judicious resource expenditure, and effective managerial support. Top management usually delegates responsibility for analyzing and developing technology-based systems and infrastructure to a designated technology-oriented function. Where top management has not done so, typically few IT assets have been deployed.


November 19, 2009  9:16 PM

Second-Tier Governance Deployment – Part V

Robert Davis

Governance usually occurs at different organizational strata, with procedures tailored to processes, processes linking up to systems, and programs receiving objectives from the entity’s oversight committee through established reporting lines. Alternatively or simultaneously, designated technological resources may provide information directly to the entity’s oversight committee for critical programs, systems, or processes. In summary, these connectivity approaches will not be effective unless approved plans and organized strategic objectives and goals have first been conveyed throughout the entity’s organizational structure. Therefore, management should govern the safeguarding of information assets through an ‘objectives-based’ security program, or risk excessive incidents that may impact financial stability, customer loyalty and/or employee morale.



November 16, 2009  8:13 PM

Second-Tier Governance Deployment – Part IV

Robert Davis

Abstraction levels are developed based on perceived usefulness. Second-tier Governance Tree information nodes can be viewed in the context of programs, systems, and processes. Pragmatically, entity-level governance is a second-tier concentrator within the Governance Tree model that focuses on creating an adequate control environment, institutionalizing risk assessments, providing fluid information and communication, ensuring performance monitoring and evaluation, and designing and implementing the necessary control activities. Understanding the Governance Tree enables the abstraction needed for superior information security program deployment.



November 12, 2009  9:10 PM

Second-Tier Governance Deployment – Part III

Robert Davis

Entity tonal and nodal associations create powerful decision-making structures that enable achieving objectives and goals. Information is generally considered the primary basis for decision making. However, to affect decision making, information must be communicated through an acceptable medium. Communication is the key to formulating, implementing, organizing, and controlling entity-centric purpose. Effective communication unifies and simultaneously permits environment, risk, information, and activity stratification. Organizational information characteristically flows through multiplexed communication networks to ensure appropriate employee direction and participation. Conceptually, in the data tree structure, formal information and communication flows to and from various horizontally linked and vertically aligned nodes. Within this framework, second-tier ‘Governance Tree’ nodes reflect entity-level hubs that collect, analyze, evaluate and disseminate information.



November 9, 2009  6:34 PM

Second-Tier Governance Deployment – Part II

Robert Davis

Definitions of governance typically use language explaining the relationships and incentives among ‘oversight committee’ members, senior executives, and ‘stakeholders’ that result in financial accountability, transparent responsibility, and assertion reliability. Exercising effective governance throughout an entity requires that the top-level oversight committee and senior executives have an unambiguous understanding of what to expect from programs, systems, and processes. An entity’s oversight committee and senior executives should be equipped to direct resource deployments, evaluate the entity’s status against existing plans, and determine strategies as well as objectives for effective and efficient programs. Foundationally, organizational information and communication rely on a hierarchical data structure, with the parent node (commonly designated as an entity’s ‘Tone at the Top’) connecting to its offspring to drive cohesiveness.
