IT Governance, Risk, and Compliance » Planning

Governing IT: Policy Formulation and Enforcement – Part VIII

Robert Davis — Tue, 11 Jan 2011 17:07:37 +0000

Without clear policies that define acceptable IT related behavior, sustaining an effective and efficient internal control system is a remote possibility. Conversely, the formulation of clear IT policies is a mechanism for creating and propagating transparent plans for the achievement of adopted IT objectives at all organizational levels. Though deploying IT policies cannot guarantee errors, mistakes, omissions, irregularities, or illegal acts are prevented, detected and/or corrected in a timely manner; enforcement of policies addressing IT control issues can reduce unacceptable risks to an acceptable level. Where IT policies are deployed, management is empowered to ensure IT related activities are aligned with IT objectives, and employees are following IT related expectation guidelines. Specifically, if IT policy formulation and enforcement are based on a closed-loop system, there normally are provisions for the measurement and feedback of results as well as for corrective actions to be implemented wherever deemed appropriate.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part VII

Robert Davis — Sat, 08 Jan 2011 00:26:05 +0000

Due to the continuous adoption of new or improved hardware, firmware and software, IT threat vectors are likely to remain a business risk for the foreseeable future. Once an entity understands what information needs to be controlled and have developed a set of policies to address data protection, they can evaluate technology solutions enabled to both stop perceived threats and automatically enforce IT policies. Within this context, entities should acquire solutions that enforce IT policies while reducing risk exposure, controlling costs, and simplifying administration across the deployed IT architecture.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part VI

Robert Davis — Tue, 04 Jan 2011 17:14:08 +0000

“Performance measurement is a control activity.” Measurement techniques are the means for achieving effective performance monitoring. Manually monitoring and evaluating the current state of implemented policies may take a variety forms, including: IT control self-assessments, IT quality assurance assessments and IT audits. These manually-based control systems assist in ensuring, or assuring, policy compliance within the entity. However, what should not differ from control system to control system utilized to assess compliance is top-level managements’ violation adminstration of adopted IT policies.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part V

Robert Davis — Fri, 31 Dec 2010 18:10:46 +0000

Management’s intentions for IT can be implemented manually and/or technologically. Nevertheless, effective IT policy enforcement ultimately depends on the actions of individuals and control systems responsible for monitoring assigned activities. IT policy enforcement is commonly based on monitoring activities considered critical to achieving the stated objective. An entity’s monitoring personnel rely on established and maintained activity-authority relationships to enforce management’s intentions conveyed in adopted policies. As potential legal consequences, various criminal and civil charges as well as fines and penalties could confront an entity as well as employees, if there are deviations from established IT policies.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part IV

Robert Davis — Tue, 28 Dec 2010 19:33:50 +0000

IT policies should be deployed based on assessed effectiveness and efficiency in addressing managements’ risk appetite for an adopted strategy. As previously suggested in this article, control policies can be considered high-level governance documentation guiding operational activities. Therefore, logically, deployed controlling activities should reflect management’s strategy for ensuring an adequate entity-centric control system.

Operationally, an IT control system is a process or set of processes that manage, command, direct or regulate the behavior of other systems, processes, activities, and/or tasks. Whereby, according to Wikipedia, “[t]here are two common classes of control systems, with many variations and combinations: logic or sequential controls, and feedback or linear controls.” For instance, fuzzy logic attempts to combine some of the design simplicity of logic based control with the utility of linear based control.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part III

Robert Davis — Fri, 24 Dec 2010 15:11:52 +0000

Developing and implementing IT Governance design effectiveness and efficiency can be a multidirectional, interactive, iterative, and adaptive process. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction. Whereby, lower-level management converts high-level governance documents into detail-level IT Governance documents assisting in ensuring control objective achievement.

From a systems perspective, the design, deployment, maintenance, and disposal of policies is a control objective development life cycle item. Operationally, this control objective development life cycle item is an available management tool utilized to obtain desired business results; while preventing, detecting, and/or conditionally correcting errors, mistakes, omissions, irregularities and illegal acts.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“

Governing IT: Policy Formulation and Enforcement – Part II

Robert Davis — Tue, 21 Dec 2010 18:42:55 +0000

After completion of governance planning and organizing; policies direct employee activity to ensure management’s intentions are implemented throughout the entity. Strategically; IT policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions.

Internal control systems are designed and operated in order to achieve the goals set in adopted governance policies or to comply with adopted governance policies. As a result, implementing an internal control system enables continuous as well as static monitoring to determine the rate of noncompliance with expected behavior.

“View Part I of the Governing IT: Policy Formulation and Enforcement series here“