IT Governance, Risk, and Compliance » Roles and Responsibilities

Right-sizing IT Controls – Part VIII

Robert Davis — Tue, 03 May 2011 21:33:49 +0000

Deploying key IT governance practices enhance an entity’s ability to meet control objectives for cost, functionality, and quality. Yet, regardless of the IT control techniques and automated tools available, the best possible means of regulating entity activity is, and always has been, selection of high-quality employees that value ethical conduct. If entities are organizational formations providing good people a place to work, then the best path to right-sizing IT controls is supplying diligent subordinates with justified resources needed to achieve their specific IT control goals.

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part VII

Robert Davis — Fri, 29 Apr 2011 20:28:08 +0000

An entity’s controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. Consequently, IT policies, directives, standards, procedures, and rules should have a one-to-one or one-to-many correspondence with the assessed effectiveness and efficiency in addressing managements risk appetite. Within this context, IT control policies and directives are commonly considered high-level governance documentation while standards, procedures, and rules are commonly considered detail-level governance documentation. Since IT managers plan, direct, and support technology deployments; an IT manager’s duties should include establishing departmental policies, procedures, and standards for ensuring the right-sizing of IT controls.

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part VI

Robert Davis — Tue, 26 Apr 2011 20:53:21 +0000

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality.

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part V

Robert Davis — Fri, 22 Apr 2011 20:16:58 +0000

IT organization is implemented to prevent chaos and assist in identifying processes for objective achievement. The organizing process transforms the entity plan into controllable areas and includes:

Identification and classification of activities for departmentalization
Activities grouping based on efficient usage of available resources
Delegating authority necessary to perform defined activities
Aligning departmental groupings, horizontally and vertically, through authority-activity relationships and information systems

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part IV

Robert Davis — Tue, 19 Apr 2011 20:27:42 +0000

Processes modify system elements deployed to assist in achieving IT program goals. When pursuing identification, process maps are a standard method to document all pertinent system information. Developmentally, process maps should include data, timing, methods, personnel, material, equipment, environment, inputs, outputs, and other relevant factors. Subsequently, each identified IT process must be defined to enable event expectation and causation analysis.

While documenting entity processes, internal as well as external responsibilities should be examined for synchronization to the IT mission. Depending on the control environment; control processes can range from top-heavy responsibility concentration with inaccurate measurements and employee opposition to widespread responsibility with accurate measurements and no employee opposition. Entity-IT organizational alignment determination, with processes identified, permits inefficient or ineffective IT units consolidation and/or elimination.

“View Part I of the Right-sizing IT Controls series here“

Right-sizing IT Controls – Part III

Robert Davis — Fri, 15 Apr 2011 20:01:22 +0000

During IT governance framework construction; personnel, structures, processes, and risk management integration are foundational. Nevertheless, professionals generally agree defining IT roles and responsibilities should be the first step when developing IT governance. Towards this ‘end,’ roles represent persons that are accountable based on the organizational structure; while responsibilities indicate activities with associated methodologies or processes for achieving organizational objectives and goals.

At the IT departmental level, precise organizational unit responsibilities should be documented. Correspondingly, utilizing a bottom-up approach can assist in clearly defining roles and responsibilities for each IT unit as well as the IT department, and assure IT structure understanding. Through this definitional understanding, gaps and over extensions in the control perimeter can be determined as well as potential risks to ensure deployment of suitable IT controls.

“View Part I of the Right-sizing IT Controls series here“