When constructing an IT governance framework, personnel, structures, processes, and risk-management integration are all foundational. Nevertheless, practitioners generally agree that defining IT roles and responsibilities should be the first step. In this context, roles identify the persons who are accountable according to the organizational structure, while responsibilities describe the activities, together with their associated methodologies or processes, by which organizational goals and objectives are achieved.
At the IT department level, the precise responsibilities of each organizational unit should be documented. A bottom-up approach helps here: defining roles and responsibilities for each IT unit first, and then for the IT department as a whole, produces a clear understanding of the IT structure. With that understanding in place, gaps and overextensions in the control perimeter can be identified, along with the associated risks, so that suitable IT controls are deployed where they are actually needed.
View Part I of the Right-sizing IT Controls series here.