ISDS 351 Ch. 5
The two primary goals of effective information technology (IT) governance
are ensuring that an organization achieves good value from its investments in IT and mitigating IT-related risks. Achieving good value from IT investments requires a close alignment between business objectives and IT initiatives. Mitigating IT-related risks means embedding accountability and internal controls in the organization.
Disaster Recovery
Emergency procedures define the steps to be taken during a disaster and immediately following it. A little planning and practice of such procedures can minimize loss of life and injuries as well as reduce the impact on a business and its operations.

The control group provides direction and control during a disaster and operates from a secure emergency operations center equipped with emergency communications gear. The group gathers and analyzes the data needed to make decisions and directs the work of the emergency response team and the business recovery team.

For most organizations, the emergency response team includes members of the fire department, police department, and other first responders; some large organizations have their own emergency firefighting department. Its role is to help save lives and contain the impact of the disaster.

The business recovery group includes employees and nonemployee specialists who assess the situation once it is safe to do so. They assess the extent of the damage and decide if or when it may be safe to reenter the affected work area.

It is good practice to identify "floor wardens" who are responsible for evacuating a given floor or work area. Floor wardens receive additional training in crowd control, first aid, CPR, operation of defibrillators, and helping handicapped workers evacuate.
Information Technology Infrastructure Library (ITIL) provides a proven and practical framework for planning and delivering IT services based on a synthesis of the best ideas from international practitioners. It also provides best practices and criteria for effective IT services such as help desk, network security, and IT operations.
ITIL advocates that IT services be aligned with the objectives of the business and support the core business processes. Its service lifecycle has five stages. Service strategy involves understanding who the information technology (IT) customers are and what service offerings are required to meet their needs; it also analyzes the IT capabilities and resources required to develop and successfully execute those offerings. Service design ensures that new and/or changed services are designed effectively to meet customer expectations. Service transition follows service design: the designed services are built, tested, and moved into production so that they meet customer expectations. Service operation delivers the services built in service transition on an ongoing basis while monitoring the overall quality of the service. Continual service improvement provides a means for an IT organization to measure and improve service levels and the technology, as well as the efficiency and effectiveness of the processes used in the overall management of services.
Review Table 5-8 - Business function classification. An "AA" business function is critical to the operation of a firm and cannot be unavailable for more than a few hours without causing severe problems; accounts receivable and accounts payable are examples. Employee recruiting is a business function that can be unavailable for several days during a major disaster without causing major problems, so it belongs to the "B" priority class.
Information technology (IT) value delivery and risk management are the goals of effective IT governance.
Strategic alignment and IT resource management are the methods for achieving these goals.
Recommended Data Backup Approach:
Every company has key electronic records and hard copy data that are essential to manage and control the cash flow and other tangible assets of the organization. These records include customer data, contracts, current order information, accounts payable data, accounts receivable data, inventory records, and payroll information. Companies must identify vital records and data and then determine where and how they are being stored and backed up. The recommended and widely implemented approach is to update the data in online databases and, as those databases are updated, mirror the changes to a backup database hundreds of miles away. This approach is expensive, but it provides rapid access to current data in the event of a disaster. An inexpensive yet safe alternative is to copy the online databases every night to high-volume, inexpensive magnetic storage devices and ship them off-site to a data storage facility in another state. This low-cost solution limits the potential loss to at most one day of data.
Information technology projects must be aligned with business goals and properly staffed, funded, and executed so that they deliver the expected business results on time and within budget. This involves applying good project management principles to ensure that work is done efficiently and that results can be achieved with a high degree of predictability.
executives and board of directors
are responsible for governance. They carry out this duty through committees that oversee critical areas such as audits, compensation, and acquisitions
business continuity plan
defines the people and procedures required to ensure the timely and orderly resumption of an organization's essential, time-sensitive processes with minimal interruption. Having a business continuity plan in place before the business interruption occurs is critical.
Foreign Account Tax Compliance Act
identifies U.S. taxpayers who hold financial assets in non-U.S. financial institutions and offshore accounts. This is done so that the taxpayers cannot avoid their U.S. tax obligations.
Governance
includes defining the decision-making process itself, as well as defining who makes the decisions; who is held accountable for results; and how the results of decisions are communicated, measured, and monitored.
Only information technology projects that are consistent with the business strategy and that support business goals and objectives should be considered for staffing and funding. Such projects help deliver the organization's strategic goals, whether those are increased revenues, decreased costs, improved customer service, increased market share, or decreased time to market.
Information technology governance
is a framework that ensures that information technology decisions are made while taking into account the goals and objectives of the business.
Separation of duties
is essential for any process that involves the handling of financial transactions so that fraud requires the collusion of two or more parties.
A fundamental concept of good internal controls
is the careful separation of duties associated with a key process so that the duties must be performed by more than one person.
Due diligence
is the effort made by an ordinarily prudent or reasonable party to avoid harm to another party. Failure to make this effort may be considered negligence.
Internal control
is the process established by an organization's board of directors, managers, and information technology systems to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. A fundamental concept of good internal controls is the careful separation of duties associated with a key process so that the duties must be performed by more than one person.
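The separation-of-duties control described here (and under "Separation of duties" and "A fundamental concept of good internal controls" above) can be enforced mechanically rather than by policy alone. The following is an added example, not code from the course material: it checks a set of role assignments for "toxic" permission pairs that would let one person complete a payment without a second party, and pre-checks a proposed role grant. The role names, permissions, conflict pairs and users are assumptions chosen for illustration.

```python
"""Separation-of-duties (SoD) conflict check over role assignments.

Added example: the roles, permissions, toxic pairs and users below are
assumed for illustration and are not taken from the course material.
"""

# Permissions granted by each role (assumed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"enter_invoice"},
    "ap_supervisor": {"approve_payment"},
    "treasury": {"release_payment"},
    "vendor_admin": {"create_vendor", "edit_vendor_bank_account"},
    "auditor": {"view_ledger"},
}

# Permission pairs no single person may hold: anyone holding both could
# push a fraudulent payment through without a second party (assumed).
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"edit_vendor_bank_account", "release_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(user_roles):
    """Map each user holding a toxic pair to the sorted list of pairs held.

    user_roles: {user: set of role names}. Users with no violation are
    omitted, so an empty dict means the assignments satisfy SoD.
    """
    violations = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= perms)
        if hits:
            violations[user] = hits
    return violations


def can_grant(user_roles, user, new_role):
    """Pre-check for a provisioning workflow: True only if adding new_role
    to the user's current roles creates no toxic pair."""
    roles = set(user_roles.get(user, set())) | {new_role}
    return not sod_violations({user: roles})


# Constructed assignments: dave was given vendor_admin "temporarily" and
# never lost ap_supervisor, a common way SoD erodes over time.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_supervisor"},
    "carol": {"treasury"},
    "dave": {"vendor_admin", "ap_supervisor"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    print("grant treasury to bob:", can_grant(ASSIGNMENTS, "bob", "treasury"))
    print("grant auditor to alice:", can_grant(ASSIGNMENTS, "alice", "auditor"))
```

The control decision lives in the toxic-pair list, not in the code; the same check is run against the access-management export during periodic access reviews and inline at grant time, so that a toxic combination is caught before it exists rather than discovered after a fraud.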
Information technology governance is similar to financial portfolio management,
in which a manager weighs the rate of return and balances it against the risks associated with each investment. The manager then makes choices to achieve a good rate of return at an acceptable level of risk.
Enlightened organizations
recognize that information technology (IT) governance is not the responsibility of IT management but of executive management, including the board of directors.
In the Plan-Do-Check-Act (PDCA) model:
the Plan step requires the improvement team to identify its target improvement area, analyze how things work currently, and identify opportunities for improvement. In the Do step, the change decided on in the Plan step is implemented, often on a pilot or limited basis to assess the potential impact of the proposed change(s). In the Check step, the results of the change are measured. In the Act step, the improvement team considers whether it is worth continuing the process with the recently implemented change. If the change is too complicated for people to follow or if it led to insignificant improvements, the change may be abandoned; either way the team returns to the Plan step and starts the cycle again. Thus, the completion of one cycle of improvement flows into the beginning of the next cycle.
The scope of a full business continuity plan addresses
the health and safety of all workers. It minimizes financial loss, including damages to facilities, critical data, records, finished products, and raw materials; minimizes the interruption to critical business processes; and provides for effective communications to customers, business partners, and shareholders.