admin
COBIT study materials (34 high-level objectives, 306 detailed objectives)
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
• Making a link to the business requirements
• Organizing IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners. The process focus of COBIT is illustrated by a process model, which subdivides IT into 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify those resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
COBIT thus supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately
COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonized with other, more detailed, IT standards and best practices (see appendix IV). COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that also links to governance and business requirements.
COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.
The COBIT products have been organized into three levels designed to support:
• Executive management and boards
• Business and IT management
• Governance, assurance, control and security professionals
An IT control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. COBIT’s control objectives are the minimum requirements for effective control of each IT process.
Guidance can be obtained from the standard control model shown in figure 8. It follows the principles evident in this analogy: when the room temperature (standard) for the heating system (process) is set, the system will constantly check (compare) ambient room temperature (control information) and will signal (act) the heating system to provide more or less heat.
Operational management uses processes to organize and manage ongoing IT activities. COBIT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. To achieve effective governance, controls need to be implemented by operational managers within a defined control framework for all IT processes. Since COBIT’s IT control objectives are organized by IT process, the framework provides clear links among IT governance requirements, IT processes and IT controls. Each of COBIT’s IT processes has a high-level control objective and a number of detailed control objectives. As a whole, they are the characteristics of a well-managed process. The detailed control objectives are identified by a two-character domain reference plus a process number and a control objective number. In addition to the detailed control objectives, each COBIT process has generic control requirements that are identified by PCn, for Process Control number. They should be considered together with the detailed process control objectives to have a complete view of control requirements.
In addition, COBIT provides examples for each process that are illustrative, but not prescriptive or exhaustive, of:
• Generic inputs and outputs
• Activities and guidance on roles and responsibilities in a RACI chart
• Key activity goals (the most important things to do)
• Metrics
In addition to appreciating what controls are required, process owners need to understand what inputs they require from others and what others require from their process. COBIT provides generic examples of the key inputs and outputs for each process including external IT requirements. There are some outputs that are input to all other processes, marked as ‘ALL’ in the output tables, but they are not mentioned as inputs in all processes, and typically include quality standards and metrics requirements, the IT process framework, documented roles and responsibilities, the enterprise IT control framework, IT policies, and personnel roles and responsibilities.
Understanding the roles and responsibilities for each process is key to effective governance. COBIT provides a RACI chart (who is Responsible, Accountable, Consulted and Informed) for each process. Accountable means ‘the buck stops here’—this is the person who provides direction and authorizes an activity. Responsibility means the person who gets the task done. The other two roles (consulted and informed) ensure that everyone who needs to be is involved and supports the process.
IT GENERAL CONTROLS AND APPLICATION CONTROLS
General controls are those controls embedded in IT processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations
Controls embedded in business process applications are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties
COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement domain, based on business requirements defined using COBIT’s information criteria. The operational management and control responsibility for application controls is not with IT, but with the business process owner.
IT delivers and supports the applications services and the supporting information databases and infrastructures.
Therefore, the COBIT IT processes cover general IT controls, but not application controls, because these are the responsibility of business process owners and, as described previously, are integrated into business processes.
The following list provides a recommended set of application control objectives identified by ACn, for Application Control number.
Data Origination/Authorization Controls
AC1 Data Preparation Procedures
Data preparation procedures are in place and followed by user departments. In this context, input form design helps ensure that errors and omissions are minimized. Error-handling procedures during data origination reasonably ensure that errors and irregularities are detected, reported and corrected.
AC2 Source Document Authorization Procedures
Authorized personnel who are acting within their authority properly prepare source documents and an adequate segregation of duties is in place regarding the origination and approval of source documents.
AC3 Source Document Data Collection
Procedures ensure that all authorized source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.
AC4 Source Document Error Handling
Error-handling procedures during data origination reasonably ensure detection, reporting and correction of errors and irregularities.
AC5 Source Document Retention
Procedures are in place to ensure original source documents are retained or are reproducible by the organization for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.
Data Input Controls
AC6 Data Input Authorization Procedures
Procedures ensure that only authorized staff members perform data input.
AC7 Accuracy, Completeness and Authorization Checks
Transaction data entered for processing (people-generated, system-generated or interfaced inputs) are subject to a variety of controls to check for accuracy, completeness and validity. Procedures also assure that input data are validated and edited as close to the point of origination as possible.
AC8 Data Input Error Handling
Procedures for the correction and resubmission of data that were erroneously input are in place and followed.
Data Processing Controls
AC9 Data Processing Integrity
Procedures for processing data ensure that separation of duties is maintained and work performed is routinely verified. The procedures ensure that adequate update controls such as run-to-run control totals and master file update controls are in place.
AC10 Data Processing Validation and Editing
Procedures ensure that data processing validation, authentication and editing are performed as close to the point of origination as possible. Individuals approve vital decisions that are based on artificial intelligence systems.
AC11 Data Processing Error Handling
Data processing error-handling procedures enable erroneous transactions to be identified without being processed and without undue disruption of the processing of other valid transactions.
Data Output Controls
AC12 Output Handling and Retention
Handling and retention of output from IT applications follow defined procedures and consider privacy and security requirements.
AC13 Output Distribution
Procedures for the distribution of IT output are defined, communicated and followed.
AC14 Output Balancing and Reconciliation
Output is routinely balanced to the relevant control totals. Audit trails facilitate the tracing of transaction processing and the reconciliation of disrupted data.
AC15 Output Review and Error Handling
Procedures assure that the provider and relevant users review the accuracy of output reports. Procedures are also in place for identification and handling of errors contained in the output.
AC16 Security Provision for Output Reports
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.
Boundary Controls
AC17 Authenticity and Integrity
The authenticity and integrity of information originated outside the organization, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.
AC18 Protection of Sensitive Information During Transmission and Transport
Adequate protection against unauthorized access, modification and misaddressing of sensitive information is provided during transmission and transport.
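The application controls above describe mechanics that are easy to see in code: validation at the point of input (AC7), run-to-run control totals (AC9), isolating erroneous transactions without disrupting valid ones (AC11) and balancing output to control totals (AC14). The following is an added example written for this page, not COBIT's own material; the record layout, the approver list, the account-file structure and the sample batch are all constructed.

```python
"""Worked illustration of COBIT application controls AC7, AC9, AC11 and AC14.

Added example; it is not part of the COBIT text. A batch of payment records moves
through receipt -> input validation -> master file update -> output balancing, with
control totals carried from step to step. Layout and sample data are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed: staff authorised to approve payment records (authorisation check, AC7).
AUTHORISED_APPROVERS = {"j.ng", "m.okafor"}


@dataclass(frozen=True)
class ControlTotals:
    """Totals that travel with a batch. hash_total is the sum of the account numbers:
    it has no business meaning but changes if a record is dropped or swapped."""
    record_count: int
    hash_total: int
    amount_total: Decimal


def totals_of(records: List[dict]) -> ControlTotals:
    return ControlTotals(
        record_count=len(records),
        hash_total=sum(int(r["account"]) for r in records),
        amount_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
    )


def validate(rec: dict) -> str:
    """AC7 checks, applied as close to input as possible. Returns "" or a reason."""
    for f in ("txn_id", "account", "amount", "preparer", "approver"):
        if not rec.get(f):
            return f"incomplete: {f} missing"
    if not (rec["account"].isdigit() and len(rec["account"]) == 8):
        return "invalid account number"
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "amount not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return "amount must be positive with at most two decimals"
    if rec["approver"] not in AUTHORISED_APPROVERS:
        return "approver not authorised"
    if rec["approver"] == rec["preparer"]:
        return "segregation of duties: preparer approved own record"
    return ""


@dataclass
class BatchResult:
    posted: List[str] = field(default_factory=list)
    rejected: List[Tuple[str, str]] = field(default_factory=list)
    audit_trail: List[str] = field(default_factory=list)
    balanced: bool = False


def process_batch(header: ControlTotals, records: List[dict],
                  master: Dict[str, Decimal]) -> BatchResult:
    """Runs one batch. `header` is the control total transmitted by the originating
    department; `master` is the account balance file, updated in place."""
    res = BatchResult()
    received = totals_of(records)
    res.audit_trail.append(f"received {received}")
    if received != header:  # AC9 run-to-run check: what arrived must match what was sent
        res.audit_trail.append(f"REJECT BATCH: header {header} != received totals")
        return res  # nothing is posted; the whole batch goes back to the sender
    accepted: List[dict] = []
    for rec in records:  # AC11: set bad records aside without blocking the valid ones
        reason = validate(rec)
        if reason:
            res.rejected.append((rec["txn_id"], reason))
        else:
            accepted.append(rec)
    assert len(accepted) + len(res.rejected) == received.record_count  # nothing lost here
    expected = totals_of(accepted)
    before = {r["account"]: master.get(r["account"], Decimal("0")) for r in accepted}
    for rec in accepted:  # master file update
        master[rec["account"]] = master.get(rec["account"], Decimal("0")) + Decimal(rec["amount"])
        res.posted.append(rec["txn_id"])
    # AC14: balance the output (net movement on the master file) to the control totals
    movement = sum((master[a] - before[a] for a in before), Decimal("0"))
    res.balanced = len(res.posted) == expected.record_count and movement == expected.amount_total
    res.audit_trail.append(f"posted {len(res.posted)}, movement {movement}, "
                           f"control {expected.amount_total}, balanced={res.balanced}")
    return res


# Constructed sample batch: two clean records and three that AC7 should stop.
SAMPLE_BATCH = [
    {"txn_id": "T001", "account": "10000001", "amount": "250.00", "preparer": "a.lee", "approver": "j.ng"},
    {"txn_id": "T002", "account": "10000002", "amount": "-40.00", "preparer": "a.lee", "approver": "j.ng"},
    {"txn_id": "T003", "account": "10000003", "amount": "99.99", "preparer": "a.lee", "approver": ""},
    {"txn_id": "T004", "account": "10000001", "amount": "10.50", "preparer": "j.ng", "approver": "j.ng"},
    {"txn_id": "T005", "account": "10000004", "amount": "1200.00", "preparer": "a.lee", "approver": "m.okafor"},
]
SAMPLE_HEADER = totals_of(SAMPLE_BATCH)  # what the originating department transmits with the batch

if __name__ == "__main__":
    balances = {"10000001": Decimal("500.00")}
    result = process_batch(SAMPLE_HEADER, SAMPLE_BATCH, balances)
    print("\n".join(result.audit_trail), result.rejected, dict(balances), sep="\n")
    # A record lost in transit after the header was computed fails the receipt check:
    print(process_batch(SAMPLE_HEADER, SAMPLE_BATCH[:-1], {}).audit_trail[-1])
```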
The maturity levels are designed as profiles of IT processes that an enterprise would recognize as descriptions of possible current and future states. They are not designed for use as a threshold model, where one cannot move to the next higher level without having fulfilled all conditions of the lower level. Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:
• The actual performance of the enterprise—Where the enterprise is today
• The current status of the industry—The comparison
• The enterprise’s target for improvement—Where the enterprise wants to be
PLAN AND ORGANISE (74)
PO1 Define a Strategic IT Plan (6)
PO2 Define the Information Architecture (4)
PO3 Determine Technological Direction (5)
PO4 Define the IT Processes, Organization and Relationships (15)
PO5 Manage the IT Investment (5)
PO6 Communicate Management Aims and Direction (5)
PO7 Manage IT Human Resources (8)
PO8 Manage Quality (6)
PO9 Assess and Manage IT Risks (6)
PO10 Manage Projects (14)
ACQUIRE AND IMPLEMENT (45)
AI1 Identify Automated Solutions (4)
AI2 Acquire and Maintain Application Software (10)
AI3 Acquire and Maintain Technology Infrastructure (4)
AI4 Enable Operation and Use (4)
AI5 Procure IT Resources (6)
AI6 Manage Changes (5)
AI7 Install and Accredit Solutions and Changes (12)
DELIVER AND SUPPORT (72)
DS1 Define and Manage Service Levels (6)
DS2 Manage Third-party Services (4)
DS3 Manage Performance and Capacity (5)
DS4 Ensure Continuous Service (10)
DS5 Ensure Systems Security (11)
DS6 Identify and Allocate Costs (4)
DS7 Educate and Train Users (3)
DS8 Manage Service Desk and Incidents (5)
DS9 Manage the Configuration (3)
DS10 Manage Problems (4)
DS11 Manage Data (6)
DS12 Manage the Physical Environment (5)
DS13 Manage Operations (5)
MONITOR AND EVALUATE (25)
ME1 Monitor and Evaluate IT Performance (6)
ME2 Monitor and Evaluate Internal Control (7)
ME3 Ensure Regulatory Compliance (5)
ME4 Provide IT Governance (7)
PO1 Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realized from project and service portfolios.
The strategic plan should improve key stakeholders’ understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which establishes concise objectives, plans and tasks understood and accepted by both business and IT.
PO1.1 IT Value Management
Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programs that have solid business cases. Recognize that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programs and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programs. IT services should be executed against equitable and enforceable service level agreements. Accountability for achieving the benefits and controlling the costs is clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits.
PO1.2 Business-IT Alignment
Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.
PO1.3 Assessment of Current Performance
Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.
PO1.4 IT Strategic Plan
Create a strategic plan that defines, in co-operation with the relevant stakeholders, how IT will contribute to the enterprise’s strategic objectives (goals) and related costs and risks. It includes how IT will support IT-enabled investment programs and operational service delivery. It defines how the objectives will be met and measured and will receive formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow the definition of tactical IT plans.
PO1.5 IT Tactical Plans
Create a portfolio of tactical IT plans that are derived from the IT strategic plan. These tactical plans describe required IT initiatives, resource requirements, and how the use of resources and achievement of benefits will be monitored and managed. The tactical plans should be sufficiently detailed to allow the definition of project plans. Actively manage the set tactical IT plans and initiatives through analysis of project and service portfolios. This encompasses balancing requirements and resources on a regular basis, comparing them to achievement of strategic and tactical goals and the expected benefits, and taking appropriate action on deviations.
PO1.6 IT Portfolio Management
Actively manage with the business the portfolio of IT-enabled investment programs required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritizing, selecting, initiating, managing and controlling programs. This includes clarifying desired business outcomes, ensuring that program objectives support achievement of the outcomes, understanding the full scope of effort required to achieve the outcomes, assigning clear accountability with supporting measures, defining projects within the program, allocating resources and funding, delegating authority, and commissioning required projects at program launch.
PO2 Define the Information Architecture
The information systems function should create and regularly update a business information model and define the appropriate systems to optimize the use of this information. This encompasses the development of a corporate data dictionary with the organization’s data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.
PO2.1 Enterprise Information Architecture Model
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1. The model facilitates the optimal creation, use and sharing of information by the business and in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
PO2.2 Enterprise Data Dictionary and Data Syntax Rules
Maintain an enterprise data dictionary that incorporates the organization’s data syntax rules. This dictionary enables the sharing of data elements amongst applications and systems, promotes a common understanding of data amongst IT and business users, and prevents incompatible data elements from being created.
PO2.3 Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme includes details about data ownership, definition of appropriate security levels and protection controls, and a brief description of data retention and destruction requirements, criticality and sensitivity. It is used as the basis for applying controls such as access controls, archiving or encryption.
PO2.4 Integrity Management
Define and implement procedures to ensure integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
PO3 Determine Technological Direction
The information services function should determine the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan should be regularly updated and encompasses aspects such as systems architecture, technological direction, acquisitions plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments as well as improved interoperability of platforms and applications.
PO3.1 Technological Direction Planning
Analyze existing and emerging technologies and plan which technological direction is appropriate to realize the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.
PO3.2 Technological Infrastructure Plan
Create and maintain a technological infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan is based on the technological direction and includes contingency arrangements and direction for acquisition of technology resources. It considers changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.
PO3.3 Monitoring of Future Trends and Regulations
Establish a process to monitor business sector/industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.
PO3.4 Technology Standards
To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum directs technology standards and practices based on their business relevance, risks and compliance with external requirements.
PO3.5 IT Architecture Board
Establish an IT architecture board to provide architecture guidelines and advice on their application and to verify compliance. This entity directs IT architecture design ensuring it enables the business strategy and considers regulatory compliance and continuity requirements. This is related/linked to the information architecture.
PO4 Define the IT Processes, Organization and Relationships
An IT organization must be defined considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organization is to be embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee should ensure board oversight of IT and one or more steering committees, in which business and IT participate, should determine prioritization of IT resources in line with business needs. Processes, administrative policies and procedures need to be in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
PO4.1 IT Process Framework
Define an IT process framework to execute the IT strategic plan. This framework includes an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It provides integration among the processes that are specific to IT, enterprise portfolio management, business processes and business change processes. The IT process framework should be integrated in a quality management system and the internal control framework.
PO4.2 IT Strategy Committee
Establish an IT strategy committee at the board level. This committee ensures that IT governance, as part of corporate governance, is adequately addressed, advises on strategic direction and reviews major investments on behalf of the full board.
PO4.3 IT Steering Committee
Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
• Determine prioritization of IT-enabled investment programs in line with the enterprise’s business strategy and priorities
• Track status of projects and resolve resource conflict
• Monitor service levels and service improvements
PO4.4 Organizational Placement of the IT Function
Place the IT function in the overall organizational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO is commensurate with the importance of IT within the enterprise.
PO4.5 IT Organizational Structure
Establish an internal and external IT organizational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organizational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
PO4.6 Roles and Responsibilities
Define and communicate roles and responsibilities for all personnel in the organization in relation to information systems to allow sufficient authority to exercise the role and responsibility assigned to them. Create role descriptions and update them regularly. These descriptions delineate both authority and responsibility, include definitions of skills and experience needed in the relevant position, and are suitable for use in performance evaluation. Role descriptions should contain the responsibility for internal control.
PO4.7 Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance function and provide the quality assurance group with appropriate quality assurance systems, controls and communications expertise. The organizational placement and the responsibilities and size of the quality assurance group satisfy the requirements of the organization.
PO4.8 Responsibility for Risk, Security and Compliance
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the organizationwide level to deal with organizationwide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
PO4.9 Data and System Ownership
Provide the business with procedures and tools enabling it to address its responsibilities for ownership of data and information systems. Owners make decisions about classifying information and systems and protecting them in line with this classification.
PO4.10 Supervision
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review key performance indicators.
PO4.11 Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to subvert a critical process.
Management also makes sure that personnel are performing only authorised duties relevant to their respective jobs and positions.
PO4.12 IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has a sufficient number of competent IT staff. Staffing takes into consideration co-location of business/IT staff, cross-functional training, job rotation and outsourcing opportunities.
PO4.13 Key IT Personnel
Define and identify key IT personnel and minimise overreliance on them. A plan for contacting key personnel in case of emergency should exist.
PO4.14 Contracted Staff Policies and Procedures
Define and implement policies and procedures for controlling the activities of consultants and other contract personnel by the IT function to assure the protection of the organization’s information assets and meet agreed contractual requirements.
PO4.15 Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.
PO5 Manage the IT Investment
Establish and maintain a framework to manage IT-enabled investment programs that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Work with stakeholders to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders, enables the effective and efficient use of IT resources, and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the return on investment of IT-enabled investments.
PO5.1 Financial Management Framework
Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programs, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritisation, cost management and benefit management processes.
PO5.2 Prioritisation Within IT Budget
Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and maintenance to maximise IT’s contribution to optimising the return on the enterprise’s portfolio of IT-enabled investment programs and other IT services and assets.
PO5.3 IT Budgeting Process
Establish a process to prepare and manage a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investment programs, and including the ongoing costs of operating and maintaining the current infrastructure. The process should support development of an overall IT budget as well as development of budgets for individual programs, with specific emphasis on the IT components of those programs. The process should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual programs.
PO5.4 Cost Management
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programs should be assessed and, together with the business sponsor of those programs, appropriate remedial action should be taken and, if necessary, the program business case should be updated.
PO5.5 Benefit Management
Implement a benefit monitoring process. IT’s expected contribution to business results, either as a component of IT-enabled investment programs or as part of regular operational support, should be identified, agreed to, monitored and reported on. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the program, or where changes to other related projects impact the program, the program business case should be updated.
PO6 Communicate Management Aims and Direction
Management should develop an enterprise IT control framework and define and communicate policies. An ongoing communication
program should be implemented to articulate the mission, service objectives, policies and procedures, etc., approved and
supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of
business and IT risks, objectives and direction. The process should ensure compliance with relevant laws and regulations.
PO6.1 IT Policy and Control Environment
Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style.
These elements include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity,
ethical values, staff competence, accountability and responsibility. The control environment is based on a culture that supports value
delivery while managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and
continuous process improvement, and handles process deviations (including failure) well.
PO6.2 Enterprise IT Risk and Internal Control Framework
Develop and maintain a framework that establishes the enterprise’s overall approach to risks and internal control to deliver value
while protecting IT resources and systems. The framework should be integrated with the IT process framework and the quality
management system, and comply with overall business objectives. It should be aimed at maximising success of value delivery while
minimising risks to information assets through preventive measures, timely identification of irregularities, limitation of losses and
timely recovery of business assets.
PO6.3 IT Policies Management
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent, roles and responsibilities,
exception process, compliance approach and references to procedures, standards and guidelines. The policies should address key
topics such as quality, security, confidentiality, internal controls and intellectual property. Their relevance should be confirmed and
approved regularly.
PO6.4 Policy Rollout
Ensure that IT policies are rolled out to all relevant staff and enforced, so they are built into and are an integral part of enterprise
operations. Rollout methods should address resource and awareness needs and implications.
PO6.5 Communication of IT Objectives and Direction
Ensure that awareness and understanding of business and IT objectives and direction are communicated throughout the enterprise.
The information communicated should encompass a clearly articulated mission, service objectives, security, internal controls,
quality, code of ethics/conduct, policies and procedures, etc., and be included within a continuous communication program,
supported by top management in action and words. Management should give specific attention to communicating IT security
awareness and the message that IT security is everyone’s responsibility.
PO7 Manage IT Human Resources
Acquire, maintain and motivate a competent workforce for creation and delivery of IT services to the business. This is achieved by
following defined and agreed practices supporting recruiting, training, evaluating performance, promoting and terminating. This
process is critical as people are important assets and governance and the internal control environment are heavily dependent on the
motivation and competence of personnel.
PO7.1 Personnel Recruitment and Retention
Ensure that IT personnel recruitment processes are in line with the overall organization’s personnel policies and procedures (e.g.,
hiring, positive work environment and orienting). Management implements processes to ensure that the organization has an
appropriately deployed IT workforce that has the skills necessary to achieve organizational goals.
PO7.2 Personnel Competencies
Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience.
Define core IT competency requirements and verify that they are being maintained, using qualification and certification
programs where appropriate.
PO7.3 Staffing of Roles
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to
adhere to management policies and procedures and the code of ethics and professional practices. The terms and conditions of
employment should stress the employee’s responsibility for information security, internal control and regulatory compliance. The
level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
PO7.4 Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities,
internal controls and security awareness at the level required to achieve organizational goals.
PO7.5 Dependence Upon Individuals
Minimise the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing,
succession planning and staff backup.
PO7.6 Personnel Clearance Procedures
Include background checks in the IT recruitment process. The extent and frequency of periodic review of these checks depend on the
sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.
PO7.7 Employee Job Performance Evaluation
Require timely evaluation to be performed on a regular basis against individual objectives derived from the organization’s goals,
established standards and specific job responsibilities. Employees should receive coaching on performance and conduct whenever
appropriate.
PO7.8 Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities
reassigned and access rights removed such that risks are minimised and continuity of the function is guaranteed.
PO8 Manage Quality
A quality management system should be developed and maintained, which includes proven development and acquisition processes
and standards. This is enabled by planning, implementing and maintaining the quality management system by providing clear
quality requirements, procedures and policies. Quality requirements should be stated and communicated in quantifiable and
achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysing and acting upon deviations, and
communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business,
continuous improvement and transparency for stakeholders.
PO8.1 Quality Management System
Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is
aligned with the business requirements. The QMS identifies quality requirements and criteria, key IT processes and their sequence
and interaction, and the policies, criteria and methods for defining, detecting, correcting and preventing nonconformity. The QMS
should define the organizational structure for quality management, covering the roles, tasks and responsibilities. All key areas
develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and
acceptance of the QMS and improve it when needed.
PO8.2 IT Standards and Quality Practices
Identify and maintain standards, procedures and practices for key IT processes to guide the organization in meeting the intent of the
QMS. Use industry best practices for reference when improving and tailoring the organization’s quality practices.
PO8.3 Development and Acquisition Standards
Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable and include
sign-off at key milestones based on agreed sign-off criteria. Issues to consider include software coding standards; naming
conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system
performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit,
regression and integration testing.
PO8.4 Customer Focus
Ensure that quality management focuses on customers by determining their requirements and aligning them to the IT standards and
practices. Roles and responsibilities concerning conflict resolution between the user/customer and the IT organization are defined.
PO8.5 Continuous Improvement
An overall quality plan that promotes continuous improvement is maintained and communicated regularly.
PO8.6 Quality Measurement, Monitoring and Review
Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides.
Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and
preventive actions.
PO9 Assess and Manage IT Risks
Create and maintain a risk management framework. The framework documents a common and agreed level of IT risks, mitigation
strategies and agreed-upon residual risks. Any potential impact on the goals of the organization caused by an unplanned event
should be identified, analyzed and assessed. Risk mitigation strategies should be adopted to minimise residual risk to an accepted
level. The result of the assessment should be understandable to the stakeholders and expressed in financial terms, to enable
stakeholders to align risk to an acceptable level of tolerance.
PO9.1 IT and Business Risk Management Alignment
Integrate the IT governance, risk management and control framework with the organization’s (enterprise’s) risk management
framework. This includes alignment with the organization’s risk appetite and risk tolerance level.
PO9.2 Establishment of Risk Context
Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This includes determining
the internal and external context of each risk assessment, the goal of the assessment and the criteria against which risks are evaluated.
PO9.3 Event Identification
Identify any event (threat and vulnerability) with a potential impact on the goals or operations of the enterprise, including business,
regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact—
positive, negative or both—and maintain this information.
PO9.4 Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The
likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio
basis.
PO9.5 Risk Response
Identify a risk owner and affected process owners, and develop and maintain a risk response to ensure that cost-effective controls and
security measures mitigate exposure to risks on a continuing basis. The risk response should identify risk strategies such as avoidance,
reduction, sharing or acceptance. In developing the response, consider the costs and benefits and select responses that constrain
residual risks within the defined risk tolerance levels.
PO9.6 Maintenance and Monitoring of a Risk Action Plan
Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification
of costs, benefits and responsibility for execution. Seek approval for recommended actions and acceptance of any residual risks, and
ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any
deviations to senior management.
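As an added worked example (it is not part of COBIT or of this post), the scoring, aggregation and tolerance check that PO9.4 to PO9.6 call for, written as a small risk register in Python. Exposure is expressed in financial terms as annualised loss expectancy (probability times loss), determined for inherent and residual risk per risk, per category and for the portfolio, and then compared with the risk tolerance levels referred to in PO9.1 and PO9.5. The sample risks, the owners, the tolerance figures, the qualitative bands and all function names are constructed assumptions for illustration.

```python
"""Risk register illustrating PO9.4 (assessment), PO9.5 (response) and PO9.6
(action plan). Added example with constructed data; not COBIT's own method."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    """Risk strategies named in PO9.5."""
    AVOID = "avoidance"
    REDUCE = "reduction"
    SHARE = "sharing"
    ACCEPT = "acceptance"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    category: str
    owner: str            # risk owner (PO9.5)
    event: str            # threat/vulnerability identified under PO9.3
    inherent_p: float     # annual probability before any response
    inherent_loss: float  # loss if the event occurs, before any response
    response: Response
    residual_p: float     # annual probability after the chosen response
    residual_loss: float  # loss if the event occurs, after the chosen response

    def __post_init__(self):
        # Reject inconsistent entries: probabilities outside [0, 1], a response
        # that raises exposure, or "acceptance" that claims to change exposure.
        for p in (self.inherent_p, self.residual_p):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.risk_id}: probability {p} outside [0, 1]")
        if self.residual_ale() > self.inherent_ale():
            raise ValueError(f"{self.risk_id}: a response cannot raise exposure")
        if self.response is Response.ACCEPT and self.residual_ale() != self.inherent_ale():
            raise ValueError(f"{self.risk_id}: acceptance leaves exposure unchanged")

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before controls (quantitative, PO9.4)."""
        return self.inherent_p * self.inherent_loss

    def residual_ale(self) -> float:
        """Annualised loss expectancy after the chosen response."""
        return self.residual_p * self.residual_loss


def rating(ale: float) -> str:
    """Qualitative band for a quantitative exposure (bands are constructed)."""
    if ale >= 100_000:
        return "high"
    if ale >= 20_000:
        return "medium"
    return "low"


def exposure_by_category(risks, residual=True) -> dict:
    """Aggregate exposure per category, as PO9.4 requires."""
    totals = defaultdict(float)
    for r in risks:
        totals[r.category] += r.residual_ale() if residual else r.inherent_ale()
    return dict(totals)


def portfolio_exposure(risks, residual=True) -> float:
    """Aggregate exposure for the whole portfolio."""
    return sum(exposure_by_category(risks, residual).values())


def tolerance_breaches(risks, category_tolerance, portfolio_tolerance) -> list:
    """Residual exposures that fall outside the defined tolerance (PO9.5)."""
    breaches = []
    for cat, total in exposure_by_category(risks).items():
        limit = category_tolerance.get(cat)
        if limit is None:
            breaches.append(f"{cat}: no tolerance level defined")
        elif total > limit:
            breaches.append(f"{cat}: residual {total:,.0f} exceeds tolerance {limit:,.0f}")
    total = portfolio_exposure(risks)
    if total > portfolio_tolerance:
        breaches.append(f"portfolio: residual {total:,.0f} exceeds tolerance {portfolio_tolerance:,.0f}")
    return breaches


def action_plan(risks) -> list:
    """Prioritised actions with owners, highest inherent exposure first (PO9.6).
    Accepted risks still need formal acceptance of the residual exposure."""
    plan = []
    for r in sorted(risks, key=lambda r: r.inherent_ale(), reverse=True):
        if r.response is Response.ACCEPT:
            plan.append(f"{r.risk_id}: {r.owner} to obtain formal acceptance of "
                        f"residual exposure {r.residual_ale():,.0f}")
        else:
            plan.append(f"{r.risk_id}: {r.owner} to implement {r.response.value}, "
                        f"exposure {r.inherent_ale():,.0f} -> {r.residual_ale():,.0f}")
    return plan


# Constructed sample register (all values are illustrative assumptions).
SAMPLE_RISKS = [
    Risk("R1", "security", "CISO", "ransomware on file servers", 0.3, 500_000, Response.REDUCE, 0.1, 200_000),
    Risk("R2", "security", "CISO", "credential phishing", 0.6, 100_000, Response.REDUCE, 0.2, 50_000),
    Risk("R3", "operational", "Ops lead", "single data centre outage", 0.1, 800_000, Response.SHARE, 0.1, 150_000),
    Risk("R4", "compliance", "CIO", "unlicensed software in use", 0.2, 50_000, Response.ACCEPT, 0.2, 50_000),
    Risk("R5", "operational", "App owner", "unsupported legacy application", 0.5, 60_000, Response.AVOID, 0.0, 0.0),
]
CATEGORY_TOLERANCE = {"security": 25_000, "operational": 40_000, "compliance": 15_000}
PORTFOLIO_TOLERANCE = 60_000

if __name__ == "__main__":
    for cat, total in exposure_by_category(SAMPLE_RISKS).items():
        print(f"{cat:12s} residual {total:>10,.0f} ({rating(total)})")
    print("\n".join(tolerance_breaches(SAMPLE_RISKS, CATEGORY_TOLERANCE, PORTFOLIO_TOLERANCE)))
    print("\n".join(action_plan(SAMPLE_RISKS)))
```

With the constructed data the security category stays above its tolerance after the planned responses, which is exactly the case PO9.6 wants escalated: the breach list is the input to the approval step, and the plan entries give each action an owner so that execution can be monitored and deviations reported.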
PO10 Manage Projects
Establish a program and project management framework for the management of all IT projects. The framework should ensure the
correct prioritisation and co-ordination of all projects. The framework should include a master plan, assignment of resources,
definition of deliverables, approval by users, a phased approach to delivery, quality assurance, a formal test plan, and testing and
post-implementation review after installation to ensure project risk management and value delivery to the business. This approach
reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end
users, ensures the value and quality of project deliverables, and maximises their contribution to IT-enabled investment programs.
PO10.1 Program Management Framework
Maintain the program of projects, related to the portfolio of IT-enabled investment programs, by identifying, defining,
evaluating, prioritising, selecting, initiating, managing and controlling projects. Ensure that the projects support the program’s
objectives. Co-ordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within
the program to expected outcomes, and resolve resource requirements and conflicts.
PO10.2 Project Management Framework
Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the
methodologies to be adopted and applied to each project undertaken. The methodologies should cover, at a minimum, the initiating,
planning, executing, controlling and closing project stages, as well as checkpoints and approvals. The framework and supporting
methodologies should be integrated with the enterprise portfolio management and program management processes.
PO10.3 Project Management Approach
Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The
project governance structure can include the roles, responsibilities and accountabilities of the program sponsor, project sponsors,
steering committee, project office and project manager, and the mechanisms through which they can meet those responsibilities
(such as reporting and stage reviews). Make sure all IT projects have sponsors with sufficient authority to own the execution of the
project within the overall strategic program.
PO10.4 Stakeholder Commitment
Obtain commitment and participation from the affected stakeholders in the definition and execution of the project within the context
of the overall IT-enabled investment program.
PO10.5 Project Scope Statement
Define and document the nature and scope of the project to confirm and develop among stakeholders a common understanding of
project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be
formally approved by the program and project sponsors before project initiation.
PO10.6 Project Phase Initiation
Ensure that initiation of major project phases is formally approved and communicated to all stakeholders. Approval of the initial
phase should be based on program governance decisions. Approval of subsequent phases should be based on review and
acceptance of the deliverables of the previous phase, and approval of an updated business case at the next major review of the
program. In the event of overlapping project phases, an approval point should be established by program and project sponsors
to authorise project progression.
PO10.7 Integrated Project Plan
Establish a formal, approved integrated project plan (covering business and information systems resources) to guide project
execution and project control throughout the life of the project. The activities and interdependencies of multiple projects within a
program should be understood and documented. The project plan should be maintained throughout the life of the project. The
project plan, and changes to it, should be approved in line with the program and project governance framework.
PO10.8 Project Resources
Define the responsibilities, relationships, authorities and performance criteria of project team members and specify the basis
for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and
services required for each project should be planned and managed to achieve project objectives using the organization’s
procurement practices.
PO10.9 Project Risk Management
Eliminate or minimise specific risks associated with individual projects through a systematic process of planning, identifying,
analysing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks
faced by the project management process and the project deliverable should be established and centrally recorded.
PO10.10 Project Quality Plan
Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be
formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan.
PO10.11 Project Change Control
Establish a change control system for each project, so all changes to the project baseline (e.g., cost, schedule, scope and quality) are
appropriately reviewed, approved and incorporated into the integrated project plan in line with the program and project
governance framework.
PO10.12 Project Planning of Assurance Methods
Identify assurance tasks required to support the accreditation of new or modified systems during project planning and include
them in the integrated project plan. The tasks should provide assurance that internal controls and security features meet the
defined requirements.
PO10.13 Project Performance Measurement, Reporting and Monitoring
Measure project performance against key project criteria (e.g., scope, schedule, quality, cost and risk); identify any deviations from
plan; assess their impact on the project and overall program; report results to key stakeholders; and recommend, implement and
monitor remedial action, when required, in line with the program and project governance framework.
PO10.14 Project Closure
Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and
benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits
of the program, and identify and document lessons learned for use on future projects and programs.
AI1 Identify Automated Solutions
The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are
satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources,
review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final
decision to ‘make’ or ‘buy’. All these steps enable organizations to minimise the cost to acquire and implement solutions whilst
ensuring they enable the business to achieve its objectives.
AI1.1 Definition and Maintenance of Business Functional and Technical Requirements
Identify, prioritise, specify and agree business functional and technical requirements covering the full scope of all initiatives required
to achieve the expected outcomes of the IT-enabled investment program. Define the criteria for acceptance of the requirements.
These initiatives should include any changes required to the nature of the enterprise’s business, business processes, people skills and
competencies, organization structure, and the enabling technology.
Requirements take into account the business functional needs, the enterprise’s technological direction, performance, cost, reliability,
compatibility, auditability, security, availability and continuity, ergonomics, usability, safety and legislation. Establish processes to
ensure and manage the integrity, accuracy and currency of business requirements as a basis for control of ongoing system
acquisition and development. These requirements should be owned by the business sponsor.
AI1.2 Risk Analysis Report
Identify, document and analyze risks associated with the business processes as part of the organization’s process for the development
of requirements. Risks include threats to data integrity, security, availability, privacy, and compliance with laws and regulations.
Required internal control measures and audit trails should be identified as part of these requirements.
AI1.3 Feasibility Study and Formulation of Alternative Courses of Action
Develop a feasibility study that examines the possibility of implementing the requirements. It should identify alternative courses of
action for software, hardware, services and skills that meet established business functional and technical requirements, and evaluate
the technological and economic feasibility (potential cost and benefit analysis) of each of the identified courses of action in the
context of the IT-enabled investment program. There may be several iterations in developing the feasibility study, as the effect of
factors such as changes to business processes, technology and skills are assessed. Business management, supported by the IT
function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.
AI1.4 Requirements and Feasibility Decision and Approval
The business sponsor approves and signs off on business functional and technical requirements and feasibility study reports at
predetermined key stages. Each sign-off follows successful completion of quality reviews. The business sponsor has the final
decision with respect to choice of solution and acquisition approach.
AI2 Acquire and Maintain Application Software
Applications have to be made available in line with business requirements. This process covers the design of the applications, the
proper inclusion of application controls and security requirements, and the actual development and configuration according to
standards. This allows organizations to properly support business operations with the correct automated applications.
AI2.1 High-level Design
Translate business requirements into a high-level design specification for software development, taking into account the
organization’s technological directions and information architecture, and have the design specifications approved to ensure that the
high-level design responds to the requirements.
AI2.2 Detailed Design
Prepare detailed design and technical software application requirements. Define the criteria for acceptance of the requirements.
Have the requirements approved to ensure they correspond to the high-level design. Items to consider include, but are not limited to,
input requirement definition and documentation, interface definition, user interface, source data collection design, program
specification, file requirements definition and documentation, processing requirements, output requirement definition, control and
auditability, security and availability, and testing. Perform reassessment when significant technical or logical discrepancies occur
during development or maintenance.
AI2.3 Application Control and Auditability
Ensure that business controls are properly translated into application controls such that processing is accurate, complete, timely,
authorised and auditable. Issues to consider especially are authorisation mechanisms, information integrity, access control, backup
and design of audit trails.
AI2.4 Application Security and Availability
Address application security and availability requirements in response to identified risks, in line with data classification, the
organization’s information security architecture and risk profile. Issues to consider include access rights and privilege management,
protection of sensitive information at all stages, authentication and transaction integrity, and automatic recovery.
AI2.5 Configuration and Implementation of Acquired Application Software
Customise and implement acquired automated functionality using configuration, acceptance and testing procedures. Issues to
consider include validation against contractual terms, the organization’s information architecture, existing applications,
interoperability with existing application and database systems, system performance efficiency, documentation and user manuals,
integration and system test plans.
AI2.6 Major Upgrades to Existing Systems
Follow a similar development process as for the development of new systems in the event of major changes to existing systems that
result in significant change in current designs and/or functionality. Issues to consider include impact analysis, cost/benefit
justification and requirements management.
AI2.7 Development of Application Software
Ensure that automated functionality is developed in accordance with design specifications, development and documentation
standards and quality requirements. Approve and sign off on each key stage of the application software development process
following successful completion of functionality, performance and quality reviews. Issues to be considered include approval that
design specifications meet business, functional and technical requirements; approval of change requests; and confirmation that
application software is compatible with production and ready for migration. In addition, ensure that all legal and contractual aspects
are identified and addressed for application software developed by third parties.
AI2.8 Software Quality Assurance
Develop, resource and execute a software quality assurance plan to obtain the quality specified in the requirements definition and
the organization’s quality policies and procedures. Issues to consider in the quality assurance plan include specification of quality
criteria and validation and verification processes, including inspection, walkthroughs and testing.
AI2.9 Applications Requirements Management
Ensure that during design, development and implementation the status of individual requirements (including all rejected
requirements) is tracked and changes to requirements are being approved through an established change management process.
AI2.10 Application Software Maintenance
Develop a strategy and plan for the maintenance and release of software applications. Issues to consider include release planning
and control, resource planning, bug fixing and fault correction, minor enhancements, maintenance of documentation, emergency
changes, interdependencies with other applications and infrastructure, upgrade strategies, contractual conditions such as support
issues and upgrades, periodic review against business needs, risks and security requirements.
AI3 Acquire and Maintain Technology Infrastructure
Organizations should have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires
a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed technology strategies and
the provision of development and test environments. This ensures that there is ongoing technological support for business
applications.
AI3.1 Technological Infrastructure Acquisition Plan
Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business
functional and technical requirements and is in accord with the organization’s technology direction. The plan should consider future
flexibility for capacity additions, transition costs, technical risks and the lifetime of the investment for technology upgrades. Assess
the complexity costs and the commercial viability of the vendor and product when adding new technical capability.
AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and
infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure
components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use
should be monitored and evaluated.
AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance and ensure that changes are controlled in line with the organization’s
change management procedure. Include periodic review against business needs, patch management and upgrade strategies, risks,
vulnerabilities assessment and security requirements.
AI3.4 Feasibility Test Environment
Establish development and test environments to support effective and efficient feasibility and integration testing of applications and
infrastructure in the early stages of the acquisition and development process. Consider functionality, hardware and software
configuration, integration and performance testing, migration between environments, version control, test data and tools, and
security.
AI4 Enable Operation and Use
Knowledge about new systems needs to be made available. This process requires the production of documentation and manuals for
users and IT, and provides training to ensure proper use and operations of applications and infrastructure.
AI4.1 Planning for Operational Solutions
Develop a plan to identify and document all technical aspects, operational capability and required service levels, so all stakeholders
can take timely responsibility for the production of management, user and operational procedures, as a result of the introduction or
upgrade of automated systems or infrastructure.
AI4.2 Knowledge Transfer to Business Management
Transfer knowledge to business management to allow them to take ownership of the system and data and exercise responsibility for
service delivery and quality, internal control, and application administration processes. The knowledge transfer should include
access approval, privilege management, segregation of duties, automated business controls, backup/recovery, physical security and
source document archival.
AI4.3 Knowledge Transfer to End Users
Transfer knowledge and skills to allow end users to effectively and efficiently use the application system to support business
processes. The knowledge transfer should include the development of a training plan to address initial and ongoing training and
skills development, training materials, user manuals, procedure manuals, online help, service desk support, key user identification,
and evaluation.
AI4.4 Knowledge Transfer to Operations and Support Staff
Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and
maintain the application system and associated infrastructure according to required service levels. The knowledge transfer should
include initial and ongoing training and skills development, training materials, operations manuals, procedure manuals, and service
desk scenarios.
AI5 Procure IT Resources
IT resources, including people, hardware, software and services need to be procured. This requires the definition and enforcement of
procurement procedures, the selection of vendors, the setup of contractual arrangements and the actual acquisition itself. Doing so
ensures that the organization has all required IT resources in a timely and cost-effective manner.
AI5.1 Procurement Control
Develop and follow a set of procedures and standards that is consistent with the business organization’s overall procurement process
and acquisition strategy to ensure that the acquisition of IT-related infrastructure, facilities, hardware, software and services satisfies
business requirements.
AI5.2 Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a
minimum, legal, financial, organizational, documentary, performance, security, intellectual property and termination responsibilities
and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisors.
AI5.3 Supplier Selection
Select suppliers according to a fair and formal practice to ensure a viable best fit based on requirements that have been developed
with input from the potential suppliers and agreed between the customer and the supplier(s).
AI5.4 Software Acquisition
Ensure that the organization’s interests are protected in all acquisition contractual agreements. Include and enforce the rights and
obligations of all parties in the contractual terms for the acquisition of software involved in the supply and ongoing use of software.
These rights and obligations may include ownership and licensing of intellectual property, maintenance, warranties, arbitration
procedures, upgrade terms, and fitness for purpose including security, escrow and access rights.
AI5.5 Acquisition of Development Resources
Ensure that the organization’s interests are protected in all acquisition contractual agreements. Include and enforce the rights and
obligations of all parties in the contractual terms for the acquisition of development resources. These rights and obligations may
include ownership and licensing of intellectual property, fitness for purpose including development methodologies, languages,
testing, quality management processes including required performance criteria, performance review, basis for payment, warranties,
arbitration procedures, human resource management and compliance with the organization’s policies.
AI5.6 Acquisition of Infrastructure, Facilities and Related Services
Include and enforce the rights and obligations of all parties in the contractual terms, including acceptance criteria, for the acquisition
of infrastructure, facilities and related services. These rights and obligations may include service levels, maintenance procedures,
access controls, security, performance review, basis for payment and arbitration procedures.
AI6 Manage Changes
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production
environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service
parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following
implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches)
for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality.
This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorised
by the appropriate stakeholder.
AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change
process. Documentation and testing should be performed, possibly after implementation of the emergency change.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the
change to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly.
Establish a review process to ensure complete implementation of changes.
AI7 Install and Accredit Solutions and Changes
New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment
with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a
post-implementation review. This assures that operational systems are in line with the agreed expectations and outcomes.
AI7.1 Training
Train the staff of the affected user departments and the operations group of the IT function in accordance with the defined training
and implementation plan and associated materials, as part of every information systems development, implementation or
modification project.
AI7.2 Test Plan
Establish a test plan and obtain approval from relevant parties. The test plan is based on organization-wide standards and defines
roles, responsibilities and success criteria. The plan considers test preparation (including site preparation), training requirements,
installation or update of a defined test environment, planning/performing/documenting/retaining test cases, error handling and
correction, and formal approval. Based on assessment of the risk of system failure and faults on implementation, the plan should
include requirements for performance, stress, usability, pilot and security testing.
AI7.3 Implementation Plan
Establish an implementation plan and obtain approval from relevant parties. The plan defines release design, build of release
packages, rollout procedures/installation, incident handling, distribution controls (including tools), storage of software, review of the
release and documentation of changes. The plan should also include fallback/backout arrangements.
AI7.4 Test Environment
Establish a separate test environment for testing. This environment should reflect the future operations environment (e.g., similar
security, internal controls and workloads) to enable sound testing. Procedures should be in place to ensure that the data used in the
test environment are representative of the data (sanitised where needed) that will eventually be used in the production environment.
Provide adequate measures to prevent disclosure of sensitive test data. The documented results of testing should be retained.
AI7.5 System and Data Conversion
Ensure that the organization’s development methods provide, for all development, implementation or modification projects, that all
necessary elements, such as hardware, software, transaction data, master files, backups and archives, interfaces with other systems,
procedures and system documentation, are converted from the old system to the new according to a pre-established plan. An audit
trail of pre- and post-conversion results should be developed and maintained. A detailed verification of the initial processing of the
new system should be performed by the system owners to confirm a successful transition.
AI7.6 Testing of Changes
Ensure that changes are tested, in accordance with the defined acceptance plan and based on an impact and resource assessment that
includes performance sizing, in a separate test environment by a test group independent of the builders before use in the regular
operational environment begins. Parallel or pilot testing should be considered as part of the plan. The security controls should be
tested and evaluated prior to deployment, so the effectiveness of security can be certified. Fallback/backout plans should also be
developed and tested prior to promotion of the change to production.
AI7.7 Final Acceptance Test
Ensure that procedures provide for, as part of the final acceptance or quality assurance testing of new or modified information
systems, a formal evaluation and approval of the test results by management of the affected user department(s) and the IT function.
The tests should cover all components of the information system (e.g., application software, facilities, technology and user
procedures) and ensure that the information security requirements are met by all components. The test data should be saved for audit
trail purposes and for future testing.
AI7.8 Promotion to Production
Implement formal procedures to control the handover of the system from development to testing to operations in line with the
implementation plan. Management should require that system owner authorisation be obtained before a new system is moved into
production and that, before the old system is discontinued, the new system has successfully operated through all daily, monthly,
quarterly and year-end production cycles.
AI7.9 Software Release
Ensure that the release of software is governed by formal procedures ensuring sign-off, packaging, regression testing, distribution,
handover, status tracking, backout procedures and user notification.
AI7.10 System Distribution
Establish control procedures to ensure timely and correct distribution and update of approved configuration items. This involves
integrity controls; segregation of duties among those who build, test and operate; and adequate audit trails of all actions.
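The controls above on authorisation before migration (AI6.2, AI7.8), on emergency changes documented after the fact (AI6.3), and on integrity controls, segregation of duties and an audit trail at distribution (AI7.10) can be enforced mechanically at the point where a release is promoted. The Go program below is an added example written for this page; it is not COBIT text and not any vendor's tool. The change record, package contents and names (CHG-2041, dev-ana, qa-raj, ops-kim, owner-finance) are constructed. It refuses promotion when no authorisation is recorded, when the builder also tested, deploys or approved the release, when the person running the promotion is not the assigned deployer, or when any delivered file's SHA-256 differs from or is absent from the build manifest, and it writes every decision to an audit trail. An emergency change without prior authorisation is admitted but logged as needing retrospective documentation and testing.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// ChangeRecord is the authorisation trail for one release (constructed names and IDs).
// ApprovedBy is the system owner or delegated stakeholder; "" means not yet authorised.
type ChangeRecord struct {
	ID                                     string
	Emergency                              bool
	BuiltBy, TestedBy, DeployedBy, ApprovedBy string
	Manifest                               map[string]string // path -> SHA-256 hex recorded at build time
}

// AuditEntry is one line of the promotion audit trail (AI7.10).
type AuditEntry struct {
	When                  time.Time
	Change, Actor, Outcome string
}

func sha(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// Gate decides whether the package in files may be promoted; actor is the person
// performing the promotion. Every decision is written to the returned audit trail.
func Gate(rec ChangeRecord, files map[string][]byte, actor string, now time.Time) ([]AuditEntry, bool) {
	var trail []AuditEntry
	log := func(outcome string) { trail = append(trail, AuditEntry{now, rec.ID, actor, outcome}) }
	ok := true
	// AI6.2/AI7.8: authorisation before migration. AI6.3: emergency change proceeds, gap is recorded.
	if rec.ApprovedBy == "" {
		if rec.Emergency {
			log("WARN: emergency change without prior authorisation; document and test retrospectively")
		} else {
			log("REJECT: no authorisation recorded")
			ok = false
		}
	}
	// AI7.10: segregation of duties among those who build, test and operate.
	if rec.BuiltBy == rec.TestedBy || rec.BuiltBy == rec.DeployedBy || (rec.ApprovedBy != "" && rec.ApprovedBy == rec.BuiltBy) {
		log("REJECT: segregation of duties violated by " + rec.BuiltBy)
		ok = false
	}
	if actor != rec.DeployedBy {
		log("REJECT: " + actor + " is not the assigned deployer " + rec.DeployedBy)
		ok = false
	}
	// AI7.10 integrity controls: delivered content must match the build manifest exactly.
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		if want, listed := rec.Manifest[p]; !listed {
			log("REJECT: file not in build manifest: " + p)
			ok = false
		} else if sha(files[p]) != want {
			log("REJECT: hash mismatch: " + p)
			ok = false
		}
	}
	for p := range rec.Manifest {
		if _, present := files[p]; !present {
			log("REJECT: file in manifest missing from package: " + p)
			ok = false
		}
	}
	if ok {
		log("PROMOTE: release admitted to production")
	}
	return trail, ok
}

// SampleRelease is a constructed change record and package whose hashes match.
func SampleRelease() (ChangeRecord, map[string][]byte) {
	files := map[string][]byte{
		"app/server.jar": []byte("constructed jar bytes, build 2.3.1"),
		"app/config.yml": []byte("db_host: prod-db\ntls: required\n"),
	}
	rec := ChangeRecord{ID: "CHG-2041", BuiltBy: "dev-ana", TestedBy: "qa-raj", DeployedBy: "ops-kim",
		ApprovedBy: "owner-finance", Manifest: map[string]string{}}
	for p, b := range files {
		rec.Manifest[p] = sha(b)
	}
	return rec, files
}

func main() {
	now := time.Date(2024, 6, 30, 22, 0, 0, 0, time.UTC)
	rec, files := SampleRelease()
	files["app/config.yml"] = []byte("db_host: prod-db\ntls: optional\n") // weakened in transit
	files["app/debug.sh"] = []byte("#!/bin/sh\n")                          // never produced by the build
	trail, ok := Gate(rec, files, "ops-kim", now)
	fmt.Println("promote:", ok)
	for _, e := range trail {
		fmt.Println(e.When.Format(time.RFC3339), e.Change, e.Actor, e.Outcome)
	}
}
```

The manifest is produced by the build step and travels with the change record, not with the package, so an attacker who can alter the package in transit cannot also adjust the hashes it is checked against; the same separation is what makes the audit trail meaningful, since the gate records who promoted what, when, and why it was refused.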
AI7.11 Recording and Tracking of Changes
Automate the system used to monitor changes to application systems to support the recording and tracking of changes made to
applications, procedures, processes, system and service parameters, and the underlying platforms.
AI7.12 Post-implementation Review
Establish procedures in line with the enterprise development and change standards that require a post-implementation review of the
operational information system to assess and report on whether the change met customer requirements and delivered the benefits
envisioned in the most cost-effective manner.
DS1 Define and Manage Service Levels
Effective communication between IT management and business customers regarding services required is enabled by a documented
definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to
stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business
requirements.
DS1.1 Service Level Management Framework
Define a framework that provides a formalised service level management process between the customer and service provider. The
framework maintains continuous alignment with business requirements and priorities and facilitates common understanding between
the customer and provider(s). The framework includes processes for creating service requirements, service definitions, service level
agreements (SLAs), operating level agreements (OLAs) and funding sources. These attributes are organised in a service catalogue.
The framework defines the organizational structure for service level management, covering the roles, tasks and responsibilities of
internal and external service providers and customers.
DS1.2 Definition of Services
Base definitions of IT services on service characteristics and business requirements, organised and stored centrally via the
implementation of a service catalogue/portfolio approach.
DS1.3 Service Level Agreements
Define and agree to service level agreements for all critical IT services based on customer requirements and IT capabilities. This
covers customer commitments, service support requirements, quantitative and qualitative metrics for measuring the service signed
off on by the stakeholders, funding and commercial arrangements if applicable, and roles and responsibilities, including oversight of
the SLA. Items to consider are availability, reliability, performance, capacity for growth, levels of support, continuity planning,
security and demand constraints.
DS1.4 Operating Level Agreements
Ensure that operating level agreements explain how the services will be technically delivered to support the SLA(s) in an optimal
manner. The OLAs specify the technical processes in terms meaningful to the provider and may support several SLAs.
DS1.5 Monitoring and Reporting of Service Level Achievements
Continuously monitor specified service level performance criteria. Reports are provided in a format meaningful to the stakeholders
on achievement of service levels. The monitoring statistics are analyzed and acted upon to identify negative and positive trends for
individual services as well as for services overall.
DS1.6 Review of Service Level Agreements and Contracts
Regularly review service level agreements and underpinning contracts with internal and external service providers to ensure that
they are effective, up to date, and that changes in requirements have been accounted for.
DS2 Manage Third-party Services
The need to assure that services provided by third parties meet business requirements requires an effective third-party management
process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as
well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services
minimises business risk associated with non-performing suppliers.
DS2.1 Identification of All Supplier Relationships
Identify all supplier services and categorise them according to supplier type, significance and criticality. Maintain formal
documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables and
credentials of representatives of these suppliers.
DS2.2 Supplier Relationship Management
Formalise the supplier relationship management process for each supplier. The relationship owners must liaise on customer and
supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through service level agreements).
DS2.3 Supplier Risk Management
Identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a
continual basis. Ensure contracts conform to universal business standards in accordance with legal and regulatory requirements.
Risk management should further consider non-disclosure agreements (NDAs), escrow contracts, continued supplier viability,
conformance with security requirements, alternative suppliers, penalties and rewards, etc.
DS2.4 Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure the supplier is meeting current business requirements and is continuing to
adhere to the contract agreements and service level agreements, and that performance is competitive with alternative suppliers and
market conditions.
DS3 Manage Performance and Capacity
The need to manage performance and capacity of IT resources requires a process to periodically review current performance and
capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements.
This process provides assurance that information resources supporting business requirements are continually available.
DS3.1 Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and
performance are available to process the agreed-upon workloads as determined by the service level agreements. Capacity and
performance plans should leverage appropriate modelling techniques to produce a model of the current and forecasted performance,
capacity and throughput of the IT resources.
DS3.2 Current Capacity and Performance
Review current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against
service level agreements.
DS3.3 Future Capacity and Performance
Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions due to
insufficient capacity or performance degradation. Also identify excess capacity for possible redeployment. Identify workload trends
and determine forecasts to be input to performance and capacity plans.
DS3.4 IT Resources Availability
Provide the required capacity and performance taking into account aspects such as normal workloads, contingencies, storage
requirements and IT resource life cycles. Provisions should be made when performance and capacity are not up to the required level
such as prioritising tasks, fault tolerance mechanisms and resource allocation practices. Management should ensure that contingency
plans properly address availability, capacity and performance of individual IT resources.
DS3.5 Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered serve two purposes:
• To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected
workloads, storage plans and resource acquisition
• To report delivered service availability to the business as required by the SLAs. Accompany all exception reports with
recommendations for corrective action.
DS4 Ensure Continuous Service
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, offsite backup
storage and periodic continuity plan training. An effective continuous service process minimises the probability and impact of a
major IT service interruption on key business functions and processes.
DS4.1 IT Continuity Framework
Develop a framework for IT continuity to support enterprisewide business continuity management with a consistent process. The
objective of the framework is to assist in determining the required resilience of the infrastructure and to drive the development of
disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management,
covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and
the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address
items such as the identification of critical resources, the monitoring and reporting of the availability of critical resources, alternative
processing, and the principles of backup and recovery.
DS4.2 IT Continuity Plans
Develop IT continuity plans based on the framework, designed to reduce the impact of a major disruption on key business functions
and processes. The plans should address requirements for resilience, alternative processing and recovery capability of all critical IT
services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing
approach.
DS4.3 Critical IT Resources
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery
situations. Avoid the distraction of recovering less critical items and ensure response and recovery in line with prioritised business
needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements.
Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24
hours and critical business operational periods.
DS4.4 Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date
and continually reflects actual business requirements. It is essential that changes in procedures and responsibilities be communicated
clearly and in a timely manner.
DS4.5 Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and
the plan remains relevant. This requires careful preparation, documentation, reporting test results and, according to the results,
implementing an action plan. Consider the extent of testing, from recovery of single applications through integrated testing scenarios
to end-to-end testing and integrated vendor testing.
DS4.6 IT Continuity Plan Training
Ensure that all concerned parties receive regular training sessions regarding the procedures and their roles and responsibilities in
case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.
DS4.7 Distribution of the IT Continuity Plan
Determine that a defined and managed distribution strategy exists to ensure that the plans are properly and securely distributed and
available to appropriately authorised interested parties when and where needed. Attention should be paid to making the plans
accessible under all disaster scenarios.
DS4.8 IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites,
initiation of alternative processing, customer and stakeholder communication, resumption procedures, etc. Ensure the business
understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.
DS4.9 Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity
plans. Content of backup storage needs to be determined in collaboration between business process owners and IT personnel.
Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage
practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content,
environmental protection and security. Ensure compatibility of hardware and software to restore archived data and periodically test
and refresh archived data.
DS4.10 Post-resumption Review
On successful resumption of the IT function after a disaster, determine whether IT management has established procedures for
assessing the adequacy of the plan and update the plan accordingly.
DS5 Ensure Systems Security
The need to maintain the integrity of information and protect IT assets requires a security management process. This process
includes establishing and maintaining IT security roles and responsibilities, policies, standards and procedures. Security management
also includes performing security monitoring and periodic testing and implementing corrective actions for identified security
weaknesses or incidents. Effective security management protects all IT assets to minimise the business impact of security
vulnerabilities and incidents.
DS5.1 Management of IT Security
Manage IT security at the highest appropriate organizational level, so the management of security actions is in line with
business requirements.
DS5.2 IT Security Plan
Translate business information requirements, IT configuration, information risk action plans and information security culture into an
overall IT security plan. The plan is implemented in security policies and procedures together with appropriate investments in
services, personnel, software and hardware. Security policies and procedures are communicated to stakeholders and users.
DS5.3 Identity Management
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development
and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and
documented business needs and job requirements. User access rights are requested by user management, approved by system owner
and implemented by the security-responsible person. User identities and access rights are maintained in a central repository.
Cost-effective technical and procedural measures are deployed and kept current to establish user identification, implement
authentication and enforce access rights.
DS5.4 User Account Management
Ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are
addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges
should be included. These procedures should apply for all users, including administrators (privileged users), internal and external
users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are
contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
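DS5.3 and DS5.4 together require a unique owner for every account, rights that trace back to a system-owner approval, closure when the need ends, and a regular management review of all accounts, privileged ones included. As an added example (not part of COBIT), the Go program below reconciles a constructed access export against a constructed HR roster and approval register and lists the exceptions such a review would have to work through: shared or generic IDs with no owner, accounts belonging to leavers or to people unknown to HR, roles with no recorded approval, and privileged accounts whose last review is older than the agreed interval. Employee numbers, logins, role names and the 180-day interval are all assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Account is one row of an access export from a target system.
type Account struct {
	ID         string    // login name
	Owner      string    // employee number it was issued to; "" marks a shared or generic account
	Roles      []string  // entitlements held on the system
	Privileged bool      // administrator or equivalent
	LastReview time.Time // date of the last documented management review
}

// Person is one row of the HR roster.
type Person struct {
	EmployeeNo string
	Active     bool
}

// Approval records a system owner approving one role for one person.
type Approval struct {
	EmployeeNo, Role, ApprovedBy string
}

// Finding is one exception for the reviewer to work.
type Finding struct {
	Account, Issue string
}

// Recertify reconciles the access export against the roster and the approval
// register. maxReviewAge is the longest a privileged account may go unreviewed.
func Recertify(accts []Account, roster []Person, approvals []Approval, now time.Time, maxReviewAge time.Duration) []Finding {
	active := make(map[string]bool, len(roster))
	for _, p := range roster {
		active[p.EmployeeNo] = p.Active
	}
	approved := make(map[string]bool, len(approvals))
	for _, a := range approvals {
		approved[a.EmployeeNo+"|"+a.Role] = true
	}
	var out []Finding
	for _, a := range accts {
		if a.Owner == "" {
			// DS5.3: each user and their activity must be uniquely identifiable.
			out = append(out, Finding{a.ID, "shared or generic account with no unique owner"})
			continue
		}
		if isActive, known := active[a.Owner]; !known {
			out = append(out, Finding{a.ID, "orphaned: owner " + a.Owner + " is not on the HR roster"})
		} else if !isActive {
			// DS5.4: closing accounts is part of account management.
			out = append(out, Finding{a.ID, "owner " + a.Owner + " has left; account should be closed"})
		}
		for _, r := range a.Roles {
			// DS5.3: rights are approved by the system owner, not assumed.
			if !approved[a.Owner+"|"+r] {
				out = append(out, Finding{a.ID, "role " + r + " has no system-owner approval"})
			}
		}
		if a.Privileged && now.Sub(a.LastReview) > maxReviewAge {
			out = append(out, Finding{a.ID, "privileged account overdue for management review"})
		}
	}
	return out
}

// SampleData is a constructed export, roster and approval register (not real data).
func SampleData() ([]Account, []Person, []Approval, time.Time) {
	now := time.Date(2024, 6, 30, 0, 0, 0, 0, time.UTC)
	accts := []Account{
		{ID: "jsmith", Owner: "E100", Roles: []string{"ap_clerk"}, LastReview: now.AddDate(0, -2, 0)},
		{ID: "mlee", Owner: "E200", Roles: []string{"ap_clerk", "ap_approver"}, LastReview: now.AddDate(0, -2, 0)},
		{ID: "dbadmin", Owner: "", Roles: []string{"sysadmin"}, Privileged: true, LastReview: now.AddDate(0, -1, 0)},
		{ID: "rchen", Owner: "E300", Roles: []string{"sysadmin"}, Privileged: true, LastReview: now.AddDate(0, -9, 0)},
		{ID: "tmp_vendor", Owner: "V900", Roles: []string{"readonly"}, LastReview: now.AddDate(0, -1, 0)},
	}
	roster := []Person{{"E100", true}, {"E200", false}, {"E300", true}}
	approvals := []Approval{
		{"E100", "ap_clerk", "owner-finance"},
		{"E200", "ap_clerk", "owner-finance"},
		{"E300", "sysadmin", "owner-infra"},
	}
	return accts, roster, approvals, now
}

func main() {
	accts, roster, approvals, now := SampleData()
	for _, f := range Recertify(accts, roster, approvals, now, 180*24*time.Hour) {
		fmt.Printf("%-11s %s\n", f.Account, f.Issue)
	}
}
```

The reconciliation depends on the central repository DS5.3 calls for: without one authoritative list of who each login belongs to and who approved each right, the orphan and approval checks have nothing to compare against and the review degrades into asking administrators whether their own accounts still look reasonable.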
DS5.5 Security Testing, Surveillance and Monitoring
Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure
the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal
activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access
rights and retention requirements.
DS5.6 Security Incident Definition
Ensure that the characteristics of potential security incidents are clearly defined and communicated so security incidents can be
properly treated by the incident or problem management process. Characteristics include a description of what is considered a
security incident and its impact level. A limited number of impact levels are defined and for each the specific actions required and
the people who need to be notified are identified.
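DS5.5 asks for a logging and monitoring function that surfaces unusual activity early, and DS5.6 for a small fixed set of impact levels each tied to required actions and a notification list. The Go program below is an added example, not COBIT material: it parses a constructed excerpt of authentication log lines, applies three detections (a burst of failed logins from one source, a successful login from that source while the burst is still inside the window, and a privileged login outside business hours) and maps each hit to one of three impact levels with its actions and the parties to notify. The log format, the thresholds, the business hours and the role names are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed authentication log line.
type Event struct {
	At                      time.Time
	Host, User, Result, Src string // Result is SUCCESS or FAILURE
	Priv                    bool   // privileged account according to the identity repository
}

// Impact is one of a small fixed set of levels (DS5.6), each with its actions and notification list.
type Impact struct {
	Level   int
	Actions string
	Notify  []string
}

var impacts = map[int]Impact{
	1: {1, "service desk ticket; review next business day", []string{"service-desk"}},
	2: {2, "open security incident; block source; force credential reset", []string{"security-oncall", "system-owner"}},
	3: {3, "declare major incident; isolate host; invoke incident response plan", []string{"security-oncall", "system-owner", "ciso"}},
}

// Incident is one detection mapped to its impact level.
type Incident struct {
	Kind, Subject string
	Impact        Impact
}

// ParseLine reads constructed lines such as
// "2024-06-30T02:14:05Z host=db01 user=admin result=FAILURE src=10.0.5.7".
func ParseLine(line string, privileged map[string]bool) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, field := range f[1:] {
		if p := strings.SplitN(field, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	return Event{at, kv["host"], kv["user"], kv["result"], kv["src"], privileged[kv["user"]]}, nil
}

// Detect applies three rules to time-ordered events: threshold failures from one source
// inside window is a brute-force attempt (level 2); a success from that source while those
// failures are still inside the window is a probable compromise (level 3); a privileged
// success outside 07:00-19:00 UTC is an off-hours admin login (level 1).
func Detect(events []Event, threshold int, window time.Duration) []Incident {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	failures := map[string][]time.Time{} // source -> failure times still inside the window
	reported := map[string]bool{}        // sources already raised as brute force
	var out []Incident
	for _, e := range events {
		fs := failures[e.Src]
		for len(fs) > 0 && e.At.Sub(fs[0]) > window {
			fs = fs[1:] // slide the window forward
		}
		where := e.User + "@" + e.Host + " from " + e.Src
		switch e.Result {
		case "FAILURE":
			fs = append(fs, e.At)
			if len(fs) >= threshold && !reported[e.Src] {
				reported[e.Src] = true
				out = append(out, Incident{"brute-force attempt", where, impacts[2]})
			}
		case "SUCCESS":
			if len(fs) >= threshold {
				out = append(out, Incident{"success after brute force", where, impacts[3]})
			}
			if e.Priv && (e.At.Hour() < 7 || e.At.Hour() >= 19) {
				out = append(out, Incident{"off-hours privileged login", where, impacts[1]})
			}
		}
		failures[e.Src] = fs
	}
	return out
}

// SampleEvents parses a constructed log excerpt (not real data).
func SampleEvents() []Event {
	lines := []string{
		"2024-06-30T02:14:05Z host=db01 user=admin result=FAILURE src=10.0.5.7",
		"2024-06-30T02:14:09Z host=db01 user=admin result=FAILURE src=10.0.5.7",
		"2024-06-30T02:14:13Z host=db01 user=admin result=FAILURE src=10.0.5.7",
		"2024-06-30T02:14:17Z host=db01 user=admin result=FAILURE src=10.0.5.7",
		"2024-06-30T02:14:40Z host=db01 user=admin result=SUCCESS src=10.0.5.7",
		"2024-06-30T09:30:00Z host=app01 user=jsmith result=SUCCESS src=10.0.1.20",
	}
	var out []Event
	for _, l := range lines {
		if e, err := ParseLine(l, map[string]bool{"admin": true}); err == nil {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	for _, inc := range Detect(SampleEvents(), 4, 2*time.Minute) {
		fmt.Printf("level %d %-26s %s\n  actions: %s\n  notify: %s\n", inc.Impact.Level, inc.Kind, inc.Subject, inc.Impact.Actions, strings.Join(inc.Impact.Notify, ", "))
	}
}
```

The value of the fixed impact table is that the detection decides only which level applies; what is done and who is called is settled in advance, so the response at 02:14 does not depend on whoever happens to be reading the alert. The retention and access restrictions DS5.5 mentions apply to the log lines this code reads: they must survive long enough to reconstruct the sequence, and the people being monitored must not be able to edit them.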
DS5.7 Protection of Security Technology
Ensure that important security-related technology is made resistant to tampering and security documentation is not disclosed
unnecessarily, i.e., it keeps a low profile. However, do not make security of systems reliant on secrecy of security specifications.
DS5.8 Cryptographic Key Management
Determine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution,
certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and
unauthorised disclosure.
DS5.9 Malicious Software Prevention, Detection and Correction
Ensure that preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control)
across the organization to protect information systems and technology from malware (viruses, worms, spyware, spam, internally
developed fraudulent software, etc.).
DS5.10 Network Security
Ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and
intrusion detection) are used to authorise access and control information flows from and to networks.
DS5.11 Exchange of Sensitive Data
Ensure sensitive transaction data are exchanged only over a trusted path or medium with controls to provide authenticity of content,
proof of submission, proof of receipt and non-repudiation of origin.
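DS5.11 lists four properties for exchanging sensitive transaction data: authenticity of content, proof of submission, proof of receipt and non-repudiation of origin. The Go program below, an added example rather than anything COBIT prescribes, shows one way digital signatures deliver all four. The originator signs the exact bytes it sends (authenticity and, because only it holds the private key, non-repudiation of origin); the receiver verifies before acting and returns a receipt signed over the digest of those bytes (proof of receipt); the originator checks that receipt against what it sent and retains both (proof of submission). A copy altered in transit fails verification and gets no receipt. Party names, the payload and the Ed25519 key pairs are constructed; how each side obtains and trusts the other's public key (certification, revocation) is DS5.8's concern and is assumed here. A shared-secret MAC would give authenticity but not non-repudiation, since either holder of the secret could have produced it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Submission is the originator's message; every field is covered by its signature.
type Submission struct{ ID, From, SentAt, Payload string }

// Receipt is signed by the receiver over the digest of the exact bytes it accepted.
type Receipt struct{ SubmissionID, BodySHA256, ReceivedAt, By string }

// Signed carries serialised bytes and an Ed25519 signature over exactly those bytes.
type Signed struct{ Body, Sig []byte }

// Party is one side of the exchange; each side is assumed to hold the other's public key.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair; failure of the system RNG is not recoverable here.
func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{name, pub, priv}
}

// Sign serialises v and signs the bytes as sent, so a receipt can name exactly them.
func (p *Party) Sign(v interface{}) (Signed, error) {
	body, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{body, ed25519.Sign(p.priv, body)}, nil
}

// Receive is the receiver's side: verify origin against the pinned sender key
// (authenticity, non-repudiation of origin) and only then issue a signed receipt.
func (p *Party) Receive(senderPub ed25519.PublicKey, s Signed, now time.Time) (Signed, error) {
	if !ed25519.Verify(senderPub, s.Body, s.Sig) {
		return Signed{}, errors.New("signature invalid: submission rejected, no receipt issued")
	}
	var sub Submission
	if err := json.Unmarshal(s.Body, &sub); err != nil {
		return Signed{}, err
	}
	sum := sha256.Sum256(s.Body)
	return p.Sign(Receipt{sub.ID, hex.EncodeToString(sum[:]), now.UTC().Format(time.RFC3339), p.Name})
}

// CheckReceipt is the sender's side: the receipt must bear the receiver's signature and
// name the digest of the bytes actually sent; kept with the submission it proves both.
func CheckReceipt(receiverPub ed25519.PublicKey, sent, rcpt Signed) error {
	if !ed25519.Verify(receiverPub, rcpt.Body, rcpt.Sig) {
		return errors.New("receipt signature invalid")
	}
	var r Receipt
	if err := json.Unmarshal(rcpt.Body, &r); err != nil {
		return err
	}
	sum := sha256.Sum256(sent.Body)
	if r.BodySHA256 != hex.EncodeToString(sum[:]) {
		return errors.New("receipt refers to different content")
	}
	return nil
}

// Exchange runs one submission end to end, then replays it with the amount altered in
// transit; it returns whether the genuine receipt verified and whether the altered copy was refused.
func Exchange() (bool, bool, error) {
	sender, receiver := NewParty("treasury"), NewParty("bank-gateway")
	now := time.Date(2024, 6, 30, 12, 0, 0, 0, time.UTC)
	sent, err := sender.Sign(Submission{"TX-1001", sender.Name, now.Format(time.RFC3339), "PAY 25000.00 EUR ACCT 987654"})
	if err != nil {
		return false, false, err
	}
	rcpt, err := receiver.Receive(sender.Pub, sent, now.Add(time.Second))
	if err != nil {
		return false, false, err
	}
	receiptOK := CheckReceipt(receiver.Pub, sent, rcpt) == nil
	forged := Signed{[]byte(strings.Replace(string(sent.Body), "25000.00", "95000.00", 1)), sent.Sig}
	_, terr := receiver.Receive(sender.Pub, forged, now)
	return receiptOK, terr != nil, nil
}

func main() {
	ok, rejected, err := Exchange()
	fmt.Println("receipt verified:", ok, "| tampered copy rejected:", rejected, "| error:", err)
}
```

Signing the serialised bytes rather than a re-encoded structure is deliberate: the receipt names the digest of what actually crossed the wire, so a later dispute about whether the receiver saw the same content the sender kept is settled by recomputing one hash. The trusted path the control mentions (TLS or an equivalent) still matters for confidentiality; signatures alone leave the payload readable.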
DS6 Identify and Allocate Costs
The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and
agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and
report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding
use of IT services.
DS6.1 Definition of Services
Identify all IT costs and map them to IT services to support a transparent cost model. IT services should be linked to business
processes such that the business can identify associated service billing levels.
DS6.2 IT Accounting
Capture and allocate actual costs according to the defined cost model. Variances between forecasts and actual costs should be
analyzed and reported on, in compliance with the enterprise’s financial measurement systems.
DS6.3 Cost Modelling and Charging
Based on the service definition, define a cost model that includes direct, indirect and overhead costs of services and supports the
calculation of chargeback rates per service. The cost model should be in line with the enterprise’s cost accounting procedures. The
IT cost model should ensure that the charging for services is identifiable, measurable and predictable by users to encourage proper
use of resources. User management should be able to verify actual usage and charging of services.
DS6.4 Cost Model Maintenance
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the
evolving business and IT activities.
DS7 Educate and Train Users
Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group.
In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the
results. An effective training program increases effective use of technology by reducing user errors, increasing productivity and
increasing compliance with key controls such as user security measures.
DS7.1 Identification of Education and Training Needs
Establish and regularly update a curriculum for each target group of employees considering:
• Current and future business needs and strategy
• Corporate values (ethical values, control and security culture, etc.)
• Implementation of new IT infrastructure and software (packages and applications)
• Current skills, competence profiles and certification and/or credentialing needs
• Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing
DS7.2 Delivery of Training and Education
Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms,
teachers, trainers and mentors. Appoint trainers and organise training sessions on a timely basis. Registration (including
prerequisites), attendance and performance evaluations should be recorded.
DS7.3 Evaluation of Training Received
Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, capturing and retention of
knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and training sessions.
DS8 Manage Service Desk and Incidents
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident
management process. This process includes setting up a service desk function with registration, incident escalation, trend and root
cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In
addition, the business can address root causes (such as poor user training) through effective reporting.
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyze all calls,
reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on
agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an
incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
DS8.2 Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should
work closely with such processes as incident management, problem management, change management, capacity management and
availability management. Incidents should be classified according to a business and service priority and routed to the appropriate
problem management team, and customers kept informed of the status of their queries.
DS8.3 Incident Escalation
Establish service desk procedures, so incidents that cannot be immediately resolved are appropriately escalated according to limits
defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain
with the service desk for user-based incidents regardless of which IT group is working on resolution activities.
DS8.4 Incident Closure
Establish procedures for timely monitoring of clearance of customer queries. When the incident has been resolved, the service desk
should record the root cause, if known, and confirm that the action taken has been agreed with the customer.
DS8.5 Trend Analysis
Produce reports of service desk activity to enable management to measure service performance and service response times and to
identify trends or recurring problems, so service can be continually improved.
DS9 Manage the Configuration
Ensuring the integrity of hardware and software configurations requires establishment and maintenance of an accurate and complete
configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and
auditing configuration information, and updating the configuration repository as needed. Effective configuration management
facilitates greater system availability, minimises production issues and resolves issues faster.
DS9.1 Configuration Repository and Baseline
Establish a central repository to contain all relevant information on configuration items. This repository includes hardware,
application software, middleware, parameters, documentation, procedures and tools for operating, accessing and using the systems
and services. Relevant information to consider is naming, version numbers and licensing details. A baseline of configuration items
should be kept for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and Maintenance of Configuration Items
Put procedures in place to:
• Identify configuration items and their attributes
• Record new, modified and deleted configuration items
• Identify and maintain the relationships among configuration items in the configuration repository
• Update existing configuration items into the configuration repository
• Prevent the inclusion of unauthorised software
These procedures should provide proper authorisation and logging of all actions on the configuration repository and be properly
integrated with change management and problem management procedures.
DS9.3 Configuration Integrity Review
Review and verify on a regular basis, using, where necessary, appropriate tools, the status of configuration items to confirm the
integrity of the current and historical configuration data and to compare against the actual situation. Review periodically against the
policy for software usage the existence of any personal or unlicensed software or any software instances in excess of current license
agreements. Errors and deviations should be reported, acted on and corrected.
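A small configuration repository that implements DS9.1 to DS9.3 together (added example, not COBIT's own tooling or any product): every action needs a change reference and is logged, unauthorised software is refused at registration, a baseline is kept as a checkpoint, and an integrity review compares the repository with what is actually observed on hosts, including instances in excess of licence limits. All host names, CI names and licence counts are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConfigItem:
    """One configuration item with the attributes DS9.1 names."""
    name: str
    ci_type: str                       # e.g. hardware, application, middleware, parameter
    version: str
    licence: str = "n/a"               # licensing details
    depends_on: Tuple[str, ...] = ()   # relationships to other CIs (DS9.2)


class ConfigRepository:
    """Central repository with baseline, authorised and logged changes, and integrity review."""

    def __init__(self, approved_software):
        self.items: Dict[str, ConfigItem] = {}
        self.baseline: Dict[str, ConfigItem] = {}
        self.audit_log: List[dict] = []
        self.approved_software = set(approved_software)   # the policy for software usage

    def _log(self, action: str, name: str, actor: str, change_ref: str) -> None:
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(), "action": action,
                               "ci": name, "actor": actor, "change": change_ref})

    def record(self, ci: ConfigItem, actor: str, change_ref: str) -> None:
        """Record a new or modified CI; every action needs a change management reference."""
        if not change_ref:
            raise PermissionError("repository update without change management reference")
        if ci.ci_type == "application" and ci.name not in self.approved_software:
            raise ValueError(f"unauthorised software refused: {ci.name}")
        unknown = [d for d in ci.depends_on if d not in self.items]
        if unknown:
            raise ValueError(f"relationship to unknown CI(s): {unknown}")
        self._log("modified" if ci.name in self.items else "new", ci.name, actor, change_ref)
        self.items[ci.name] = ci

    def delete(self, name: str, actor: str, change_ref: str) -> None:
        """Delete a CI, refusing while other CIs still depend on it."""
        dependants = [n for n, c in self.items.items() if name in c.depends_on]
        if dependants:
            raise ValueError(f"{name} still referenced by {dependants}")
        del self.items[name]
        self._log("deleted", name, actor, change_ref)

    def set_baseline(self, actor: str, change_ref: str) -> None:
        """Checkpoint the current configuration so it can be returned to after changes."""
        self.baseline = dict(self.items)
        self._log("baseline", "*", actor, change_ref)

    def integrity_review(self, observed: List[Tuple[str, ConfigItem]],
                         licence_limits: Dict[str, int]) -> List[str]:
        """DS9.3: compare repository and baseline against what is actually found on hosts."""
        findings: List[str] = []
        seen, instances = set(), {}
        for host, ci in observed:
            seen.add(ci.name)
            if ci.ci_type == "application":
                instances[ci.name] = instances.get(ci.name, 0) + 1
            recorded = self.items.get(ci.name)
            if recorded is None:
                rogue = ci.ci_type == "application" and ci.name not in self.approved_software
                findings.append(f"{'UNAUTHORISED' if rogue else 'UNRECORDED'} {ci.name} {ci.version} on {host}")
            elif recorded.version != ci.version:
                findings.append(f"DRIFT {ci.name} on {host}: repository {recorded.version}, actual {ci.version}")
        for name in self.items:
            if name not in seen:
                findings.append(f"MISSING {name}: recorded in repository but not found on any host")
        for name, ci in self.baseline.items():
            if self.items.get(name) != ci:
                findings.append(f"CHANGED {name} differs from baseline (verify against audit log)")
        for name, limit in licence_limits.items():
            if instances.get(name, 0) > limit:
                findings.append(f"LICENCE {name}: {instances[name]} instances, {limit} licensed")
        return findings


def demo() -> List[str]:
    """Constructed sample: two approved applications, one version drift, one personal tool, one seat overrun."""
    repo = ConfigRepository(approved_software={"payroll-app", "db-server"})
    repo.record(ConfigItem("db-server", "application", "12.1", "site"), "ops1", "CHG-0001")
    repo.record(ConfigItem("payroll-app", "application", "3.4", "2 seats", ("db-server",)), "ops1", "CHG-0002")
    repo.set_baseline("ops1", "CHG-0002")
    observed = [
        ("host-a", ConfigItem("db-server", "application", "12.1", "site")),
        ("host-a", ConfigItem("payroll-app", "application", "3.5", "2 seats")),   # version drift
        ("host-b", ConfigItem("payroll-app", "application", "3.4", "2 seats")),
        ("host-c", ConfigItem("payroll-app", "application", "3.4", "2 seats")),   # third seat of two
        ("host-b", ConfigItem("personal-ftp-client", "application", "0.9")),     # personal software
    ]
    return repo.integrity_review(observed, licence_limits={"payroll-app": 2})
```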
DS10 Manage Problems
Effective problem management requires the identification and classification of problems, root cause analysis and resolution of
problems. The problem management process also includes identification of recommendations for improvement, maintenance of
problem records and review of the status of corrective actions. An effective problem management process improves service levels,
reduces costs and improves customer convenience and satisfaction.
DS10.1 Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in
problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority.
Problems should be categorised as appropriate into related groups or domains (e.g., hardware, software, support software). These
groups may match the organizational responsibilities or the user and customer base, and are the basis for allocating problems to
support staff.
DS10.2 Problem Tracking and Resolution
The problem management system should provide for adequate audit trail facilities that allow tracking, analysing and determining the
root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management
process. Throughout the resolution process, problem management should obtain regular reports from change management on
progress in resolving problems and errors. Problem management should monitor the continuing impact of problems and known
errors on user services. In the event that this impact becomes severe, problem management should escalate the problem, perhaps
referring it to an appropriate board to increase the priority of the request for change (RFC) or to implement an urgent change as
appropriate. The progress of problem resolution should be monitored against SLAs.
DS10.3 Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after
agreement with the business on how to alternatively handle the problem.
DS10.4 Integration of Change, Configuration and Problem Management
To ensure effective management of problems and incidents, integrate the related processes of change, configuration and problem
management. Monitor how much effort is applied to firefighting rather than enabling business improvements and, where necessary,
improve these processes to minimise problems.
DS11 Manage Data
Effective data management requires identifying data requirements. The data management process also includes establishing effective
procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management
helps ensure the quality, timeliness and availability of business data.
DS11.1 Business Requirements for Data Management
Establish arrangements to ensure that source documents expected from the business are received, all data received from the business
are processed, all output required by the business is prepared and delivered, and restart and reprocessing needs are supported.
DS11.2 Storage and Retention Arrangements
Define and implement procedures for data storage and archival, so data remain accessible and usable. The procedures should
consider retrieval requirements, cost-effectiveness, continued integrity and security requirements. Establish storage and retention
arrangements to satisfy legal, regulatory and business requirements for documents, data, archives, programs, reports and
messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication.
DS11.3 Media Library Management System
Define and implement procedures to maintain an inventory of onsite media and ensure their usability and integrity. Procedures
should provide for timely review and follow-up on any discrepancies noted.
DS11.4 Disposal
Define and implement procedures to prevent access to sensitive data and software from equipment or media when they are disposed
of or transferred to another use. Such procedures should ensure that data marked as deleted or to be disposed cannot be retrieved.
DS11.5 Backup and Restoration
Define and implement procedures for backup and restoration of systems, data and documentation in line with business requirements
and the continuity plan. Verify compliance with the backup procedures, and verify the ability to and time required for successful and
complete restoration. Test backup media and the restoration process.
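A restore test of the kind DS11.5 asks for (added example, not part of COBIT): the backup carries a SHA-256 manifest, the restore is performed into a scratch directory, timed against a recovery target, and compared file by file so that missing, corrupt and extra files are reported. The sample files, the 5-second target and the simulated bad medium are constructed for the example.

```python
import hashlib
import json
import tempfile
import time
import zipfile
from pathlib import Path
from typing import Dict


def file_manifest(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive source and store the manifest beside it so a restore can be checked for completeness."""
    manifest = file_manifest(source)
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(source / rel, rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, max_seconds: float) -> dict:
    """Restore into a scratch directory, time it and compare against the recorded manifest."""
    expected = json.loads(archive.with_suffix(".manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        start = time.perf_counter()
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)
        elapsed = time.perf_counter() - start
        actual = file_manifest(Path(scratch))
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {"seconds": round(elapsed, 3), "within_target": elapsed <= max_seconds,
            "missing": missing, "corrupt": corrupt, "extra": extra,
            "complete": not (missing or corrupt or extra)}


def demo(tamper: bool = False) -> dict:
    """Constructed data set; tamper=True simulates a bad medium with one file altered and one lost."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024-q1.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "config.ini").write_text("[db]\nhost=db01\n")
        archive = Path(work) / "backup.zip"
        create_backup(src, archive)
        if tamper:
            with zipfile.ZipFile(archive, "w") as zf:        # rewrite the medium: ledger gone, config changed
                zf.writestr("config.ini", "[db]\nhost=db02\n")
        return verify_restore(archive, max_seconds=5.0)
```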
DS11.6 Security Requirements for Data Management
Establish arrangements to identify and apply security requirements applicable to the receipt, processing, physical storage and output
of data and sensitive messages. This includes physical records, data transmissions and any data stored offsite.
DS12 Manage the Physical Environment
Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of
managing the physical environment includes defining the physical site requirements, selecting appropriate facilities and designing
effective processes for monitoring environmental factors and managing physical access. Effective management of the physical
environment reduces business interruptions from damage to computer equipment and personnel.
DS12.1 Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection
and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while
considering relevant laws and regulations, such as occupational health and safety regulations.
DS12.2 Physical Security Measures
Define and implement physical security measures in line with business requirements. Measures should include, but are not limited
to, the layout of the security perimeter, security zones, location of critical equipment, and shipping and receiving areas. In particular,
keep a low profile about the presence of critical IT operations. Responsibilities for monitoring and procedures for reporting and
resolving physical security incidents need to be established.
DS12.3 Physical Access
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs,
including emergencies. Access to premises, buildings and areas should be justified, authorised, logged and monitored. This applies
to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
DS12.4 Protection Against Environmental Factors
Design and implement measures for protection against environmental factors. Specialised equipment and devices to monitor and
control the environment should be installed.
DS12.5 Physical Facilities Management
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business
requirements, vendor specifications, and health and safety guidelines.
DS13 Manage Operations
Complete and accurate processing of data requires effective management of data processing and maintenance of hardware. This
process includes defining operations’ policies and procedures for effective management of scheduled processing, protection of
sensitive output, monitoring infrastructure and preventative maintenance of hardware. Effective operations management helps
maintain data integrity and reduces business delays and IT operating costs.
DS13.1 Operations Procedures and Instructions
Define, implement and maintain standard procedures for IT operations and ensure the operations staff is familiar with all operations
tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational
problems, escalation procedures and reports on current responsibilities) to ensure continuous operations.
DS13.2 Job Scheduling
Organise the scheduling of jobs, processes and tasks into the most efficient sequence, maximising throughput and utilisation to meet
business requirements. The initial schedules as well as changes to these schedules should be authorised. Procedures should be in
place to identify, investigate and approve departures from standard job schedules.
DS13.3 IT Infrastructure Monitoring
Define and implement procedures to monitor the IT infrastructure and related events. Ensure sufficient chronological information is
being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the
other activities surrounding or supporting operations.
DS13.4 Sensitive Documents and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets such as special
forms, negotiable instruments, special-purpose printers or security tokens.
DS13.5 Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or
performance degradation.
ME1 Monitor and Evaluate IT Performance
Effective IT performance management requires a monitoring process. This process includes defining relevant performance
indicators, a systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure
that the right things are done and are in line with the set directions and policies.
ME1.1 Monitoring Approach
Ensure that management establishes a general monitoring framework and approach that define the scope, methodology and process
to be followed for monitoring IT’s contribution to the results of the enterprise’s portfolio management and program management
processes and those processes that are specific to the delivery of IT capability and services. The framework should integrate with the
corporate performance management system.
ME1.2 Definition and Collection of Monitoring Data
Ensure that IT management, working with the business, defines a balanced set of performance objectives, measures, targets and
benchmarks, and has them signed off on by the business and other relevant stakeholders. Performance indicators should include:
• Business contribution including, but not limited to, financials
• Performance against the strategic business and IT plan
• Risk and compliance with regulations
• Internal and external user satisfaction
• Key IT processes including development and service delivery
• Future-oriented activities, for example, emerging technology, reusable infrastructure, business and IT personnel skill sets
Processes should be established to collect timely and accurate data to report on progress against targets.
ME1.3 Monitoring Method
Ensure that the monitoring process deploys a method (e.g., balanced scorecard) that provides a succinct, all-around view of IT
performance and fits within the enterprise monitoring system.
ME1.4 Performance Assessment
Periodically review the performance against targets, perform root cause analysis and initiate remedial action to address the
underlying causes.
ME1.5 Board and Executive Reporting
Provide management reports for senior management’s review of the organization’s progress toward identified goals, specifically in
terms of the performance of the enterprise’s portfolio of IT-enabled investment programs, service levels of individual
programs and IT’s contribution to that performance. Status reports should include the extent to which planned objectives have
been achieved, deliverables obtained, performance targets met and risks mitigated. Upon review, any deviations from expected
performance should be identified, and appropriate management action should be initiated and reported.
ME1.6 Remedial Actions
Identify and initiate remedial actions based on the performance monitoring, assessment and reporting. This includes follow-up of all
monitoring, reporting and assessments with:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed
ME2 Monitor and Evaluate Internal Control
Establishing an effective internal control program for IT requires a well-defined monitoring process. This process includes the
monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control
monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.
ME2.1 Monitoring of Internal Control Framework
Continuously monitor the IT control environment and control framework. Assessment using industry best practices and
benchmarking should be used to improve the IT control environment and control framework.
ME2.2 Supervisory Review
Monitor and report the effectiveness of internal controls over IT through supervisory review including, for example, compliance
with policies and standards, information security, change controls and controls established in service level agreements.
ME2.3 Control Exceptions
Record information regarding all control exceptions and ensure that it leads to analysis of the underlying cause and to corrective
action. Management should decide which exceptions should be communicated to the individual responsible for the function and
which exceptions should be escalated. Management is also responsible for informing affected parties.
ME2.4 Control Self-assessment
Evaluate the completeness and effectiveness of management’s internal controls over IT processes, policies and contracts through a
continuing program of self-assessment.
ME2.5 Assurance of Internal Control
Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews. Such
reviews may be conducted by the corporate compliance function or, at management’s request, by internal audit or commissioned to
external auditors and consultants or certification bodies. Qualifications of individuals performing the audit, e.g., Certified
Information Systems Auditor (CISA) certification, must be ensured.
ME2.6 Internal Control at Third Parties
Assess the status of each external service provider’s internal controls. Confirm that external service providers comply with legal and
regulatory requirements and contractual obligations. This can be provided by a third-party audit or obtained from a review by
management’s internal audit function and the results of the audits.
ME2.7 Remedial Actions
Identify and initiate remedial actions based on the control assessments and reporting. This includes follow-up of all assessments and
reporting with:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation (can include risk acceptance)
• Tracking of the results of actions committed
ME3 Ensure Regulatory Compliance
Effective regulatory oversight requires the establishment of an independent review process to ensure compliance with laws and
regulations. This process includes defining an audit charter, auditor independence, professional ethics and standards, planning,
performance of audit work, and reporting and follow-up of audit activities. The purpose of this process is to provide positive
assurance related to IT compliance with laws and regulations.
ME3.1 Identification of Laws and Regulations Having Potential Impact on IT
Define and implement a process to ensure timely identification of local and international legal, contractual, policy and regulatory
requirements related to information, information service delivery—including third-party services—and the IT organization,
processes and infrastructure. Consider laws and regulations for electronic commerce, data flow, privacy, internal controls, financial
reporting, industry-specific regulations, intellectual property and copyright, and health and safety.
ME3.2 Optimisation of Response to Regulatory Requirements
Review and optimise IT policies, standards and procedures to ensure that legal and regulatory requirements are covered efficiently.
ME3.3 Evaluation of Compliance With Regulatory Requirements
Efficiently evaluate compliance with IT policies, standards and procedures, including legal and regulatory requirements, based on
business and IT management’s governance oversight and operation of internal controls.
ME3.4 Positive Assurance of Compliance
Define and implement procedures to obtain and report positive assurance of compliance and, where necessary, that corrective
actions have been taken by the responsible process owner on a timely basis to address any compliance gaps. Integrate IT reporting
on compliance progress and status with similar output from other business functions.
ME3.5 Integrated Reporting
Integrate IT reporting on regulatory requirements with similar output from other business functions.
ME4 Provide IT Governance
Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and
responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and
objectives.
ME4.1 Establishment of an IT Governance Framework
Work with the board to define and establish an IT governance framework including leadership, processes, roles and responsibilities,
information requirements, and organizational structures to ensure that the enterprise’s IT-enabled investment programs are aligned
with and deliver on the enterprise’s strategies and objectives. The framework should provide clear linkage among the enterprise
strategy, the portfolio of IT-enabled investment programs that execute the strategy, the individual investment programs, and the
business and IT projects that make up the programs. The framework should provide for unambiguous accountabilities and
practices to avoid breakdown in internal control and oversight. The framework should be consistent with the overall enterprise
control environment and generally accepted control principles, and be based on the IT process and control framework.
ME4.2 Strategic Alignment
Enable board and executive understanding of strategic IT issues such as the role of IT, technology insights and capabilities. Make
sure there is a shared understanding between the business and IT of the potential contribution of IT to the business strategy. Make
sure that there is a clear understanding that value is achieved from IT only when IT-enabled investments are managed as a portfolio
of programs that include the full scope of changes that the business has to make to optimise the value from IT capabilities in
delivering on the strategy. Work with the board to define and implement governance bodies, such as an IT strategy committee, to
provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded down into business
units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the
business in strategy and operations, encouraging co-responsibility between business and IT for making strategic decisions and
obtaining benefits from IT-enabled investments.
ME4.3 Value Delivery
Manage IT-enabled investment programs and other IT assets and services to ensure that they deliver the greatest possible value in
supporting the enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the
full scope of effort required to achieve those outcomes are understood, that comprehensive and consistent business cases are created
and approved by stakeholders, that assets and investments are managed throughout their economic life cycle, and that there is active
management of the realisation of benefits, such as contribution to new services, efficiency gains and improved responsiveness to
customer demands. Enforce a disciplined approach to portfolio, program and project management, insisting that the business
takes ownership of all IT-enabled investments and IT ensures optimisation of the costs of delivering IT capabilities and services.
Ensure that technology investments are standardised to the greatest extent possible to avoid the increased cost and complexity of a
proliferation of technical solutions.
ME4.4 Resource Management
Optimise the investment, use and allocation of IT assets through regular assessment, making sure that IT has sufficient, competent
and capable resources to execute the current and future strategic objectives and keep up with business demands. Management should
put clear, consistent and enforced human resources policies and procurement policies in place to ensure that resource requirements
are fulfilled effectively and to conform to architecture policies and standards. The IT infrastructure should be assessed on a periodic
basis to ensure that it is standardised wherever possible and interoperability exists where required.
ME4.5 Risk Management
Work with the board to define the enterprise’s appetite for IT risk. Communicate IT risk appetite into the enterprise and agree on an
IT risk management plan. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly
assess and report IT-related risks and the impact on the business. Make sure IT management follows up on risk exposures, paying
special attention to IT control failures and weaknesses in internal control and oversight, and their actual and potential business
impact. The enterprise’s IT risk position should be transparent to all stakeholders.
ME4.6 Performance Measurement
Report relevant portfolio, program and IT performance to the board and executives in a timely and accurate manner.
Management reports should be provided for senior management’s review of the enterprise’s progress toward identified goals. Status
reports should include the extent to which planned objectives have been achieved, deliverables obtained, performance targets met
and risks mitigated. Integrate reporting with similar output from other business functions. The performance measures should be
approved by key stakeholders. The board and executive should challenge these performance reports and IT management should be
given an opportunity to explain deviations and performance problems. Upon review, appropriate management action should be
initiated and controlled.
ME4.7 Independent Assurance
Ensure that the organization establishes and maintains a function that is competent and adequately staffed and/or seeks external
assurance services to provide the board—this will occur most likely through an audit committee—with timely independent
assurance about the compliance of IT with its policies, standards and procedures, as well as with generally accepted practices.