Governance of Enterprise IT
Overview
The Certified in the Governance of Enterprise IT certification is for experienced professionals
with responsibility for the governance needs of an enterprise. The certification is based
on the intellectual property of the IT Governance Institute and ISACA.
The exam covers the following disciplines and percentage scope:
IT Governance Framework - 25%
Strategic Alignment - 15%
Value Delivery - 15%
Risk Management - 20%
Resource Management - 13%
Performance Management - 12%
Exam Specifics
CISA Exams are proctored by ISACA. Registration and location information can be found on the
www.isaca.org web site. The exam is administered twice a year: June and December.
Exams are delivered in a secure environment, proctored, and timed.
Specifics about the exam are:
Time Limit: 240 minutes
# of Questions: 120
Question Type: Multiple Choice
Chapter 2: IT Governance Framework
Strategies - the approaches or activities for fulfilling the organization's strategic goals.
Systems - the distinct operational parts of the organization which perform the duties
required to support the strategies of the organization. In this sense, systems are delineated
by function, such as departments, programs, divisions, business lines, or product lines.
Processes - the plans, policies, and procedures which describe and control the activities of
the systems.
Input - the raw materials, money, technologies, and people provided to the system.
Processes - the alignment and coordination of inputs such that they can be transformed
into a desired output.
Outputs - the tangible results produced by the processes of a system.
Outcomes - another form of output which is not tangible but beneficial to the customer of
the system's process.
Feedback - information on and about the system which serves to improve the system's
performance.
2.1.3. Leadership
Within an organization, a leader is a person who is trusted with setting the direction of the
organization and influencing people. There are several theories surrounding leadership:
Great Man Theory - the concept behind this theory is that leaders are born not made and
rise up when a great need presents itself.
Trait Theory - asserts that people are born with inherited traits which are conducive to
leadership roles, specifically noting adaptability to situations, alertness to the social
environment, ambition, assertiveness, cooperativeness, decisiveness, dependability, dominance,
energy, persistence, self-confidence, tolerance, and responsibility.
Participative Leadership - describes the leader who involves other people in the decision-making process.
Transformational Leadership - describes the inspiring leader who creates and markets a
vision for the future.
In addition to the theories surrounding leadership and leaders, different people may develop or
adopt a 'style' or approach.
2.1.4. Management
Leadership and management are now considered separate concepts in business. A person may be
a manager but not a leader, while another person may be a leader but not a manager. In the
simplest form, leadership consists of the characteristics a person embodies that enable them to
influence others; management is the assigned role or position from which a person influences others.
Management concepts focus on four general activities: planning, organizing resources, leading, and
coordination.
Preferred Goals - defines the overall accomplishments of the organization which are
typically established through strategic planning.
Aligning Results - specific results to indicate alignment of a domain's goals with the
overall organization's goals.
Standards - defines the extent to which the preferred result should be achieved by the
domain.
Performance Plans - the structured activities for achieving results, obtaining alignment
and adopting standards.
Performance Gaps - defines the difference between actual performance and desired
performance.
Development Plans - describes the details of the decision that performance requires
improvement and the actions required to improve that performance.
2.2.2. IT Governance
IT Governance is a subset of corporate governance which covers the alignment of IT and
enterprise objectives in the areas of:
Information systems
IT governance is defined by ITGI as a structure of relationships and processes to direct and control
the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus
return over IT and its processes. The purpose of IT governance is to ensure that IT activities perform
well with respect to:
Controls provide certain assurances that enterprises are governed by accepted best practices.
From an IT perspective, this governance ensures the information and related technology support of
the organization supports the business objectives, resources to meet those objectives, and
appropriate risk management. Executive management will agree on the strategic alignment between
IT and enterprise objectives. IT governance serves this alignment by effectively and efficiently
deploying secure, reliable information and applied technology.
The practice of IT governance is concerned with delivering value to the business from IT and
mitigating IT risks. It is the responsibility of the board of directors and executive management.
The key practices are:
IT strategy committee
IT balanced scorecard.
Risk Management
While corporate governance is a set of responsibilities and practices used to provide strategic
direction, IT governance provides a relationship structure and processes for directing and controlling
the enterprise to meet its objectives by balancing risk and return on investment.
Different layers are typically found in the application of IT governance, with supervisors reporting
to managers, who report to executives, who report to the board of directors. Reports usually identify
deviations from targets and recommendations for action, which must be endorsed by the governing body.
Changes to strategic direction and goals are communicated in the opposite direction, down through the
organization. The process for IT governance can be summarized into five basic steps:
Set Objectives
Provide Direction
Perform IT Activities
Measure Performance.
Compare Environment
Optimization of IT costs
trusted. Integrity is different from confidentiality, in that integrity focuses on one's trust in the
information and not its security.
Availability speaks to the need to access the information when it is needed. Depending on the
information, availability may be restricted to users based on the confidentiality level of the
information. Traditional systems attributed higher integrity to lower availability; however, open
source has demonstrated that higher integrity is often found when greater availability is provided
to the user base.
The security objectives are typically met when:
Information is available and usable by customers when required and the systems
supporting the provision and delivery of this information can resist and recover from failure
or attack.
Stakeholder values
Industry practices.
The IT strategy developed through IT governance will drive the performance of IT processes in
obtaining the necessary resources to deliver value. Each process is responsible for reporting on the
outcomes of the process, the performance of the process, the risks mitigated or accepted in the
environment, and the resources consumed. The purpose of the reports is to confirm that the strategy is
being executed properly or that further redirection is required.
IT strategic alignment ensures the strategic objectives of the enterprise are in line with the
investments in IT and that those investments are building the appropriate capabilities to deliver on
business needs. IT strategies must be aligned with the strategies of the overall enterprise. The
question of strategic alignment focuses on the current gap and the reduction of that gap in the near
future and further on. Also, the operations of IT and the enterprise should be aligned to reduce the
level of friction between teams. Strategically, IT provides the enterprise:
Containment of costs
Business objectives
To support strategic objectives, the following elements of the IT environment must be clearly
understood:
Enterprise Strategy
Application Architecture
Technical Infrastructure
Sourcing/Staffing
Funding.
Business Functions
Implementation plans should be created for each element; each plan should be written clearly and
reviewed by the board of directors or a dedicated IT strategy committee representing the board.
IT value focuses on delivery of IT services which are on time, within a defined budget, and meet
the business need as promised. The business perspective of delivering IT value sees the following
elements in place:
Competitive advantage
Customer satisfaction
Employee productivity
Employee profitability.
Order/service fulfillment
When the business sets expectations for an IT deliverable, it generally looks at:
Throughput
Response times
IT value can be viewed differently by different users and different levels of management. The
higher the level of management, the further away from the activities providing actual value the
management becomes. Thus, measuring the impact of an IT investment is easier at the
bottom of the management hierarchy. The most successful IT investments have a positive impact on
all four levels of the business value hierarchy:
Firm-wide IT Infrastructure
Risk management is the capability to protect IT assets against vulnerabilities in the business and in
IT, and against disasters. IT governance is especially important in providing the greatest level of risk
management across the enterprise, as enterprise risk comes in many forms. While financial risks
are important, regulators are concerned primarily with operational and systemic risks, where
vulnerabilities in technology and information security are prevalent. Enterprise risk is managed by
the board of directors by:
Ascertaining the transparency of significant risks and clarifying the policies on taking and
avoiding risks
Taking final responsibility for risk management, but delegating actions to executive
management with clearly communicated constraints
Promoting the cost-efficiency possibilities of implementing a system of internal controls
Exploiting the competitive advantages derived from transparent and proactive risk
management
Ensuring the implementation of risk management into the operations of the enterprise.
Resource management works to optimize the knowledge and infrastructure of the enterprise
through proper allocation and use of the resources available to the enterprise, including people,
applications, technology, facilities, and data. This may require understanding when to use resources
in-house and when to outsource resources from a different company. Regardless of where the
resources are obtained, the board of directors still has responsibilities in addressing the investments
in infrastructure and capabilities, particularly:
Identifying and addressing the needs for IT education, training and development
Performance management monitors IT services and tracks the delivery of project and operations
services. From a business perspective, performance management covers:
Finances
Internal processes
Staff education.
Customer satisfaction
The balanced scorecard delivers a quick overview of a business's performance in respect to these
four areas.
difficult for a single person. Automation can allow redundant and unskilled tasks to be performed
without human intervention, usually at a higher level of quality.
From an enterprise perspective, IT:
Business drivers are the people, knowledge, and conditions that identify and support the efforts for
which the business was designed. The purpose of IT is to support the business. The business
identifies how IT must perform that support.
Despite the importance of IT to the business, understanding and governing IT requires more
technical insight than any other business area. Because of this, IT has historically been handled as an
entity separate from the business. IT solutions can be complex. The purpose of IT governance is to
ensure that the expectations of IT match the actual implementation of IT.
The board typically will set the expectations and communicate them to management.
Management will, in turn, implement IT solutions that will meet those expectations. Higher level
management, such as executive management, will usually address the expectations in the following
ways:
Optimizing IT costs to obtain the right value from IT at the most reasonable cost
Measuring IT performance
The recommended IT governance process has the following steps in a repeated fashion:
1.
2.
3.
4.
5.
6.
7.
The IT Governance Institute (ITGI) has created a framework, Val IT, comprising the principles
and processes for IT portfolio management. It complements COBIT: Val IT focuses on the
investment decision while COBIT focuses on the implementation of IT. The principles of
Val IT include:
IT investments are managed as a portfolio.
IT investments include a full scope of activities required to attain business value.
IT investments are managed through their entire economic life cycle.
Different categories of investments are evaluated and managed differently.
Key metrics are defined and monitored by value delivery practices and any change or
deviations will have a quick response.
All stakeholders will be engaged in value delivery practices and appropriate
accountability assigned for delivery of capabilities and realization of benefits to the
business.
Value delivery practices will be monitored, evaluated and improved continuously.
The major processes of Val IT include:
Value Governance
VG1 Ensure informed and committed leadership
VG2 Define and implement processes
VG3 Define roles and responsibilities
VG4 Ensure appropriate and accepted accountability
VG5 Define information requirements
VG6 Establish reporting requirements
VG7 Establish organizational structures
VG8 Establish strategic direction
VG9 Define investment categories
VG10 Determine a target portfolio mix
VG11 Define evaluation criteria by category
Portfolio Management
PM1 Maintain a human resource inventory
PM2 Identify resource requirements
PM3 Perform a gap analysis
PM4 Develop a resource plan
PM5 Monitor resource requirements and utilization
PM6 Establish an investment threshold
PM7 Evaluate the initial program concept business case
PM8 Evaluate and assign a relative score to the program business case
PM9 Create an overall portfolio view
PM10 Make and communicate the investment decision
PM11 Stage-gate (and fund) selected programs
PM12 Re-prioritize the portfolio
PM14 Monitor and report on portfolio performance
Investment Management
IM1 Develop a high-level definition of investment opportunity
IM2 Develop an initial program concept business case
IM3 Develop a clear understanding of candidate programs
IM4 Perform alternatives analysis
Optimizing IT costs
Managing IT risks.
3.1.5. Policies
Policies are used to communicate the strategic thinking of senior management and business
processes. They are high-level documents which provide the blueprint for a control environment
over the achievement of goals and directives. Corporate policies are meant to set the tone of
business for the entire organization. Individual divisions and departments define lower-level
policies that are consistent with the corporate policies.
The best approach to developing policies is a top-down approach, though some
organizations will start with the lower-level policies because their development and implementation
is cost effective and most directly associated with risk assessments. The development of corporate
policies then becomes a combination of existing lower-level policies, which may introduce inconsistency
and conflict between policies.
A schedule should be in place to review all policies regularly. The policies should be updated
whenever new technologies are adopted or significant changes in business processes are made.
These policies are the basis for creating an Information Security Management System framework,
which consists of five elements:
Control
Plan
Implement
Evaluate
Maintain.
Control of security relates to the management framework, organization structure, roles and
responsibilities, and documentation required to provide a foundation for the other elements of the
framework to succeed.
Planning is any attempt to define and recommend security measures based on the organization's
requirements. These requirements are gathered from the plans, strategies, and risks of the business
and IT services, as well as service level and objective level agreements and compliance with legal
and regulatory requirements. Measures can be proactive or reactive to known threats and vulnerabilities.
They fall into any of the following categories:
Repressive - intended to reduce or stop the security incident from occurring again.
Disabling accounts after several sequential failed login attempts is an example of a repressive
measure.
Corrective - intended to repair the damage resulting from a security incident. Restore,
roll-back, and back-out procedures are examples of corrective measures.
These measures eventually are implemented through a set of procedures, tools, and controls
needed to support the Information Security Policy, specifically in the areas of asset accountability
and classifying information. A number of factors determine successful implementation including:
3.1.7. Procedures
Policies are used to drive the formation of procedures. These documents must be clear, concise,
and detailed. They document business processes and the controls used in the environment. They
translate policies into effective work products. They can be more dynamic than policies and reflect
regular changes in business focus and environment. Embedded in the procedures are the controls
used to fulfill the objectives supported by the policies. The procedures are used by auditors to test
the controls in the environment by determining the difference between actual operational practices
and the practices documented in the procedures.
Used to represent a significant business need or problem and to enable vendors to understand the
value of the architectural solution, business scenarios are 'SMART':
Realistic - solving the problem within the physical reality, time, and cost constraints
The set of requirements addressed by the business scenario can be confirmed accurate
and lead to better development of the architecture.
The business value for solving the problem is clear.
The relevancy of potential solutions can be determined clearly.
Identifying the human actors and their role in the business model.
The development of business scenarios involves several iterative phases of gathering, analyzing,
and reviewing the information contained in the business scenario.
The Gathering phase focuses on collecting information in each of the steps of the process. The
techniques used to collect information will range from research and surveying to quantitative and
qualitative analysis.
The Analyzing phase processes and documents the gathered information, and models are created
to represent the information. Linkages between key elements of the business scenario are
maintained using matrices relating business processes to their:
Constituencies
Issues
Objectives.
The Reviewing phase feeds back the results of the analysis to the sponsors to gain a shared
understanding of the problem and the depth of its impact.
Increased budget
Decreased time-to-market
Decreased costs
Reduce Risk
Ease of implementation
Common development
Software re-use
Resource sharing.
Data sharing.
Integrated applications
Portability
Scalability.
Improve Interoperability
Common infrastructure
Standardization.
Interchangeable components
Non-proprietary specifications.
Reduced duplication
Incremental replacement
Improve Security
Security independence.
Improve Manageability
Diagrams
Data models
Class Models
Code.
Flowcharts
Strategy
Application
Technology
Organization
Data
Workflow.
Performance
Service
Technical
Data.
Business
Identifying powerful stakeholders early so that their input can shape the architecture.
Obtaining support from powerful stakeholders to make more resources available
during the architecture engagement.
Communicating early and frequently with stakeholders to allow a better understanding of the
architecture process.
Anticipating reactions to architecture models and reports more effectively.
Stakeholder analysis is used in the vision phase to identify the key players in the engagement and
is updated with each subsequent phase of IT governance. The complexity of an architecture can
make it difficult to manage and obtain agreement from large numbers of stakeholders.
The following concepts can be used to address these issues:
Stakeholders
Views
Viewpoints.
Concerns
Tailor Engagement Deliverables - Identify the viewpoints, matrices, and views that need
to be produced to support demonstrating the enterprise architecture's ability to address a
particular stakeholder's concerns.
Business Domain
People
Process
Tools
Information
Measurement
Financial
Facilities
Data Domain
Insufficient currency
Missing data
Wrong data
Data availability
Data relationships
Application domain
Impacted applications
Eliminated applications
Created applications
Technology domain
Impacted technologies
Eliminated technologies
Created technologies.
investments. Any activity requiring the use of shareholder funding is considered an investment. The
idea behind an investment is a substantial and calculable return.
4.1.1. IT Investments
Investments in IT have historically provided greater returns on investment than other
opportunities. In many cases, the return is greater than originally proposed; however, actual
realization of the proposed return can be elusive. Some IT investments can be rather disappointing
without proper governance.
To understand the significance of an investment's return, the business and IT must work together
to understand costs and measure value. Business value from IT can be measured and achieved
using four strategies:
Manage business value to maximize benefits in profitability and growth for existing and
future IT investments.
Manage IT budget to enable cost reductions and flexibility to shift funds between
investments, specifically from low-yield investments to competitive high-yield investments.
Manage IT capability to enable sustainable capabilities which are competitive in the
marketplace.
Manage IT as a business to cultivate winning business practices.
Another recognized set of categories, from Peter Weill of Sloan CISR, is:
Infrastructure investment will not generate directly quantifiable financial benefits, but
rather prove beneficial to the business applications built upon the infrastructure.
The purpose of categorization is to enable the enterprise to create and monitor a balanced
portfolio of IT investments and better define risk and return targets for investments. An enterprise
with investments in all categories is deemed healthy and growing. Investments with a higher risk
generally will have a higher return on the investment.
Projects occur at all levels of the organization. Every project has a definitive beginning and a
definitive end, making it temporary. Other aspects of projects being temporary include:
Projects produce a unique product or service. The characteristics of a product or service are
progressively elaborated, that is, developed thoroughly in steps.
Project Management is the application of knowledge, skills, tools, and techniques used to meet
stakeholders' needs and expectations.
Needs are loosely defined as identified requirements, while expectations are unidentified
requirements. Meeting, or exceeding, stakeholders' needs and expectations requires balancing
competing demands such as:
Scope
Cost
Quality.
Time
A context
A set of processes.
The context for project management evolves within the environment in which projects operate,
such as the day-to-day activities.
The Project Management Body of Knowledge (PMBOK) presents 37 processes divided between 9
knowledge areas of project management. This collection encompasses the knowledge and best
practices of the discipline.
Initiation
Scope Planning
Scope Definition
Scope Verification
Activity Definition
Activity Sequencing
Schedule Development
Schedule Control
Resources Planning
Cost Estimating
Cost Budgeting
Cost Control
Quality Planning
Quality Assurance
Quality Control
Organizational Planning
Staff Acquisition
Team Development
Communications Planning
Information Distribution
Performance Reporting
Administrative Closure
Risk Identification
Risk Qualification
Procurement Planning
Solicitation Planning
Solicitation
Source Selection
Contract Administration
Contract Close-out
Technical elements
Industry groups
Management elements