IT GOVERNANCE FRAMEWORK - gitoc.fs.gov.za


1 | Page IT Governance Framework

Department of Police, Roads and Transport

FREE STATE PROVINCE

IT GOVERNANCE FRAMEWORK

DATE 7 March 2012

REVISION 1.0

Document ID ICT-006-032012


Index

1. Introduction Page 3
2. Various Definitions of IT Governance Page 4
3. Corporate Governance versus IT Governance Page 4
3.1 Corporate Governance Page 5
3.2 IT Governance Page 5
4. IT Governance Framework Page 6
5. What IT Governance will deliver and the five IT Governance focus areas Page 8
6. Five IT Governance Decision Areas (Domains) Page 10
7. Decision Model and Governance Style Page 11
8. IT Governance Mechanism Page 12
8.1 Governance Matrix Page 13
8.2 Roles and Responsibilities Page 13
8.3 Governance Map Page 15
9. IT Governance Process Page 15
10. IT Policies, Standards and Procedures Page 20
11. IT Process Page 20
12. IT Governance Page 21
13. Signatures Page 21


1. Introduction

This framework was compiled from information prepared by Mr Gawie Wellemse as provincial strategy direction, under the leadership of his CIO, Mr Tshepo Motiki, who is the provincial Chairperson of the Provincial Government Information Technology Officers Council (PGITOC).

From relative obscurity a few years ago, several factors have come together to make the concept of formal Information Technology (IT) Governance a good idea for virtually every organisation, both public and private. Key motivators include the need to comply with a growing list of regulations related to financial and technological accountability, and pressure from shareholders (e.g. the Department of Public Service and Administration (DPSA)) and customers.

IT Governance has been described by Gartner [2] as the effective and efficient management of IT resources to facilitate the achievement of business goals and objectives. Simply put, it is putting structure around how organisations align IT strategy with business strategy, ensuring that organisations stay on track to achieve their strategies and goals, and implementing good ways to measure IT's performance. It ensures that all stakeholders' interests are taken into account and that processes provide measurable results.

IT does not exist for its own sake within an organisation; it is there to ensure that the business achieves sustainable success. IT Governance is therefore a management practice for governing the processes and decisions related to the use of IT within the organisation. IT Governance has risen in importance because of the widening gulf between what the business expects and what IT is prepared to deliver. IT has come to be seen as a cost centre with little direct benefit to the organisation it serves. An IT Governance framework is meant to align IT functions to the business, minimise the risk IT introduces and ensure that there is value in the investment made in IT.

Organisations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an IT Governance framework, many organisations have found it to be an excellent way to ensure regulatory compliance. By implementing IT governance, the organisation will have the internal controls needed to meet the core requirements of many of these regulations, such as the Public Service Act, 1994 (Proclamation No. 103 of 1994), the Public Finance Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999) and the State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998, as amended by Act 38 of 2002).

[1] Provincial Government of the Western Cape (2010). Information Technology Governance Strategy. Pages 129 (main source).

[2] The Gartner Group is an international body that delivers technology research to global technology business leaders to enable informed decisions on key initiatives.


2. Various Definitions of IT Governance

a) The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long-term sustainable success of the enterprise.

b) IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives.

c) A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

d) Specifying the decision rights and accountability framework to encourage desirable behaviours in the use of IT.

e) Governance is not about what decisions get made (that is management) but about who makes the decisions and how they are made.

f) IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity attains its vision, mission or strategic goals.

3. Corporate Governance versus IT Governance

Corporate Governance is the set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed. It incorporates all the relationships among the many stakeholders involved and aims to organise them to meet the goals of the organisation in the most effective and efficient manner possible. An effective corporate governance strategy allows an organisation to manage all aspects of its business in order to meet its objectives.

Information technology governance, however, is a sub-discipline of Corporate Governance. Although it is sometimes mistaken for a field of study on its own, IT Governance is actually part of the overall Corporate Governance Strategy of an organisation. IT Governance and its associated governance mechanisms provide the linkage between responsible Corporate Governance and effective IT Management.

[3] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.


3.1 Corporate Governance

The field of Corporate Governance is a multifaceted subject that includes several fields of study, such as:

a) Accountability and fiduciary duty. These advocate the implementation of guidelines and mechanisms to ensure that management acts in good faith and that the public organisation is protected from wrongdoing or fraud.

b) Economic efficiency view. This concerns how the corporate governance system intends to optimise results and meet its objectives.

c) Strategic efficiency view. This concerns public policy objectives that are not directly measurable in economic terms, such as alleviation of poverty, access to markets, income stabilisation, health care and job creation. These issues are the main focus of most public sector institutions and are not readily measured in economic terms.

d) Stakeholder view. This area of study focuses more attention and accountability on other stakeholders such as citizens, employees, businesses and other levels of government (i.e. provincial, municipal or local authorities).

3.2 IT Governance

IT Governance focuses specifically on information technology systems, their performance and risk management. The primary goals of IT Governance are to assure that investments in IT generate business value and to mitigate the risks associated with IT. This can be done by implementing an organisational structure with well-defined roles for the responsibility of information, business processes, applications and infrastructure.

IT governance should be viewed as how IT creates value that fits into the overall Corporate Governance Strategy of the organisation, and never as a discipline on its own. In taking this approach, all stakeholders are required to participate in the decision-making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT-related decisions are made and driven by the business and not vice versa.

IT governance is needed to ensure that investments in IT generate value and reward and that IT-associated risks are mitigated, avoiding failure. IT is central to organisational success (effective and efficient delivery of services and goods), especially when IT is designed to bring about change in an organisation. This change process, commonly referred to as 'business transformation', is now the prime enabler of new business models in both the private and public sectors. Business transformation offers many rewards, but it also carries many risks, which may disrupt operations and have unintended consequences. The dilemma is how to balance risk and reward when using IT to enable organisational change.


4. IT Governance Framework


IT Governance deals with how IT decisions are made and by whom, detailing who has decision-making rights, who is supposed to provide the input that informs the decisions and who is accountable for implementing the decisions. It is ultimately about making IT decisions the right way. Governance of IT will help the Free State Provincial Government (FSPG) to integrate IT with the business and improve the cost-effectiveness of IT.

The IT Governance framework deals with the following questions:

a) What key IT decisions need to be made, and by whom?

b) What decision models are to be used in making these decisions?

c) What IT Governance structures, processes, strategy, policies, standards and procedures are required for correct decision making?

d) What IT processes and procedures are required to ensure that IT ultimately serves the business?

The IT Governance framework is aligned with the King III Code of Practice for IT Governance as well as best-practice control and process frameworks in supporting business-aligned use of and investment in IT. The key frameworks that support this governance framework are the following:

Framework (Acronym): Description

Control Objectives for Information and related Technology (COBIT): Provides comprehensive IT Governance processes, IT alignment and IT controls.
Projects in Controlled Environments (PRINCE2): Managing IT projects and realising value from IT.
Capability Maturity Model Integration (CMMI): Process improvement approach used in the development of applications (software).
Information Technology Infrastructure Library (ITIL): Set of processes for managing IT services.
Information Technology Risk Management (ITRM): Framework for managing and mitigating risks resulting from IT.
International Organization for Standardization 27000 series (ISO 27000): Framework for information security.
Publicly Available Specification 56 (PAS 56): Guide to Business Continuity Management.
Publicly Available Specification 77 (PAS 77): Guide to IT Service Continuity Management.

[4] Brisebois R, Boyd G & Shadid Z. (2010). What is IT Governance? Available: http://www.intosaiitaudit.org/intoit_articles/25_p30top35.pdf. Last accessed 28 January 2011.

The Provincial Government Information Technology Officers Council (PGITOC) adopted COBIT as the overall IT governance framework for the FSPG. The following diagram [5] illustrates how the different frameworks (with COBIT as the overarching framework) work together to provide guidance in the governance of IT from strategic to process level:

Diagram illustrating how the different frameworks work together (with COBIT overarching).

[5] Sun Microsystems Inc. (2010). Positioning of Frameworks. Available: http://www.isaca.org/Groups/ProfessionaEnglish/frameworks/GroupDocuments/frameworks_v3_111908.pdf. Last accessed 27/01/2011.


5. What IT Governance will deliver and the five IT Governance focus areas

There are two major outcomes from IT Governance:

1. IT value delivery to departments.
2. Mitigating IT-related risks.

Both outcomes are achieved by focusing on the five IT Governance focus areas [6] shown in the accompanying diagram and explained below.

IT GOVERNANCE FOCUS AREAS

1 Strategic Alignment: Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition, and on aligning IT operations with the organisation's operations.

2 Value Delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, and concentrating on optimising costs and proving the value of IT.

3 Risk Management: Requires risk awareness by senior management, a clear understanding of the organisation's appetite for risk, transparency about the significant risks to the organisation, and the embedding of risk management responsibilities into the organisation.

4 Resource Management: Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimisation of knowledge and infrastructure.

5 Performance Measurement: Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource-usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Strategic Alignment:
• Linking business and IT plans.
• Defining, maintaining and validating the IT value proposition.
• Aligning IT operations with the organisation's operations.
• Providing collaborative solutions that contain costs while improving administrative efficiency and managerial effectiveness.

Best Practices:
• Integrated approach to business/IT strategy.
• Cascading strategy and objectives down into the organisation.
• Co-responsibility of business and IT.
• Clearer objectives for IT investments.
• IT Strategy and IT Standing Committees.

Value Delivery:
• Executing the value proposition throughout the delivery cycle.
• Ensuring that IT delivers the promised benefits against the strategy.
• Concentrating on optimising expenses and proving IT's value.
• Controlling projects and operational processes with practices that increase the probability of success (budget, risk, quality, etc.).

Best Practices:
• Tracking the business value of IT.
• Enabling effective value measurements (ROI, TCO, etc.).
• Disciplined approach to project management with a larger role for the business.
• Commitment to formal methodologies/processes for application development and service delivery.
• Enterprise architecture planning.

Risk Management:
• Requires risk awareness by senior management, a clear understanding of the organisation's appetite for risk and transparency about the significant risks to the organisation.
• Embeds risk management responsibilities in the operation of the organisation.
• Addresses the safeguarding of IT assets, disaster recovery and continuity of operations.

Best Practices:
• Awareness of IT risks based on continuous assessment.
• Transparency to all stakeholders.
• Establishing responsibility and embedding risk management into the organisation.
• An integral part of compliance and assurance.
• Use of formal IT risk and control frameworks.
• Process management disciplines.

Resource Management:
• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure and data).
• Maximising the efficiency of these assets and optimising their costs.
• Optimising knowledge and the IT infrastructure.
• Knowing where, when and how to outsource.

Best Practices:
• Supply/demand balancing.
• Practices to train and sustain staff.
• Consumption-based chargeback.
• Formalised vendor management disciplines.

Performance Measurement:
• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
• Measuring the relationships and assets necessary to compete (customer focus, process efficiency and the ability to learn and grow).
• Tracking project delivery and monitoring IT services.

Best Practices:
• IT balanced scorecard as an emerging reporting system.
• A management reporting system that feeds back into the strategy.
• Use of benchmarking for performance comparison.
• IT scorecard approval by the key stakeholders for alignment.

[6] Saull, R. (2006). IT Governance. A Framework for Performance and Compliance. Available: http://itgi.jp/conf200611/ronsaull.pdf. Last accessed 28 January 2011.

[7] University of West Florida (2009). IT Governance. Available: http://argowiki.com/index.php?title=IT_Governance. Last accessed 01 February 2011.

6. Five IT Governance Decision Areas (Domains) [7]

IT Governance necessitates key decisions regarding IT in the FSPG. Some of these decisions must be made in conjunction with the business to get full value from the IT investment. It is important to articulate these key decision areas (domains) in order for IT to perform according to requirements. The five key IT decision areas, which also form the columns of the governance matrix in section 8.1, are:

a) IT Principles.
b) IT Infrastructure Strategies.
c) IT Architecture.
d) Business IT Application Needs.
e) IT Investment and Prioritisation.


7. Decision Model and Governance Style

The FSPG has chosen a decentralised model (an IT unit per department) for providing IT goods and services to the various departments. Strategic IT matters are considered by the PGITOC, which is chaired by the Chief Information Officer (CIO) (Department of the Premier) with the IT Managers of the various departments as members. It is imperative to immerse IT in the business so that IT plans are aligned with the business and both IT decisions and business decisions are concluded in a manner that advances the objectives of the departments.

There are six general governance styles for providing input or making decisions regarding the five key IT decision areas (domains) mentioned in paragraphs 6.1 to 6.5. The styles reflect a mix of shared responsibilities (for input and decision making) between IT and the business in governing the five decision areas.

The six classic styles found in a typical IT Governance structure are described in the table below. FSPG IT Governance uses a mix of governance styles across the five decision areas. The variety of styles highlights the different roles required for input and decision making in support of business needs. The primary IT governance styles for the FSPG are the Business Monarchy and IT Monarchy as well as the Duopoly style.

Nr. Style: Description

1. Business Monarchy: This is where the Head of Department, the Chief Financial Officer (CFO) and the Chief Information Officer (CIO)/IT Manager (the so-called C-level executives) make the decisions. Recently the CIO/IT Manager has become more involved and has taken a more active role in decision making at the business monarchy level. At this level, decisions are derived from input from many areas.

2. IT Monarchy: The IT monarchy consists of IT executives (CIO and IT Managers). Within this governance archetype, decisions could be made by way of an IT leadership committee (for example the PGITOC). At this level, decision rights for both IT Infrastructure Strategies and IT Architecture are the responsibility of the IT monarchy.

3. Feudal: Feudal governance is characterised by delegated or otherwise dispersed governing rights. The exercise of decision making is highly localised, and central leadership is weak or at least unobtrusive. This model usually arises in organisations with highly independent and incongruent business units.

4. Federal: This governance archetype attempts to balance responsibilities in the decision-making process. Normally this form of decision making consists of the C-level executives and representatives from one other tier within the organisation (for example the business leaders tier, business process owners tier, IT leaders tier, etc.). The federal approach is often used for input rights, but less often for decision rights. Given the breadth of opinions under this structure, it is no surprise that there is a propensity for discord.

5. Duopoly: This archetype is characterised by two-party involvement consisting of one IT group and one business group. This archetype could be used by the business side to introduce business objectives and by the IT side to introduce available technologies so that both sides can ultimately reach decisions on viable solutions.

6. Anarchy: Business process owners and end users have decision rights under this archetype. Surprisingly, most large firms display elements of anarchy. When optimisation and customisation supersede sharing and standardisation, it makes sense to delegate decision rights to end users.


8. IT Governance Mechanism

The FSPG has adopted formal governance mechanisms in order to implement the governance styles and decision model. These governance mechanisms and structures ensure joint decision making where necessary and allocate accountability and responsibility for IT decisions. The formal governance mechanisms are the following:

Nr. Mechanism (Acronym): Description

1 Executive Council (EXCO): Sets the strategic objectives for the Province.

2 Head of Department (HoD): Ensures that the DPRT has an appropriate IT procurement and provisioning system which is fair, equitable, competitive and cost-effective.

3 Chief Financial Officer (CFO): Ensures that the prescriptions of the Public Finance Management Act (PFMA), 1999 (Act 1 of 1999, as amended by Act 29 of 1999), including the Framework for Supply Chain Management (SCM), are adhered to.

4 Forum of Heads of Department (FoHoD): All the accounting officers (Heads of Department) in the FSPG. It acts as the forum responsible for guiding IT and extracting maximum strategic value from IT.

5 Chief Information Officer (CIO): Gives practical effect to the responsibilities of the Head of Department and keeps departments updated on strategic IT matters and developments.

6 Provincial Government Information Technology Officers Council (PGITOC): Plans, coordinates, monitors and shares Information Management and Information Technology between the departments. The PGITOC is ultimately responsible for IT Governance.

7 Standing Committees (SC): Investigate, consider and make recommendations to the PGITOC regarding IT matters.

8 Service Level Agreements (SLA): Specify and measure IT services. SLAs also include Memoranda of Understanding (MOUs).

9 Business Unit Managers (BUM): Determine business and IT requirements and relay them to the CIO/IT Managers.


8.1 Governance Matrix (Input and Decision Rights)

The matrix records, for each governance style (rows), which bodies hold input rights and which hold decision rights in each of the five decision areas (columns): IT Principles; IT Infrastructure Strategies; IT Architecture; Business IT Application Needs; IT Investment and Prioritisation.

Business Monarchy: DG and FoHoD (in three decision areas); HoD and CFO (in one decision area).
IT Monarchy: PGITOC, Standing Committees (SC) and CIO.
Feudal: no rights allocated.
Federal: no rights allocated.
Duopoly: SC, BUM and CIO.
Anarchy: no rights allocated.

The net result of the governance mechanisms over the five key IT decision areas is the following:

a) Collaborative decision making between the departments and IT leadership for IT Principles and IT Investment and Prioritisation.

b) IT leadership has the responsibility for finalising IT Infrastructure Strategies and IT Architecture.

c) Departmental input in determining IT Application Needs.

8.2 Roles and Responsibilities (Accountability Framework)

8.2.1 Head of Department

In terms of Section 38(1)(a)(iii) of the PFMA (Act 1 of 1999, as amended by Act 29 of 1999), the accounting officer (HoD) of a department (PRT) must ensure that the department has and maintains an appropriate procurement and provisioning system which is fair, equitable, transparent, competitive and cost-effective. Flowing from this, the Director General (DG) is accountable for IT Governance at provincial level, and this role is discharged at departmental level by the Head of Department (HoD), in this case the HoD: Police, Roads and Transport. The HoD has also delegated some of his responsibilities to the CIO, who, among other things, ensures that IT Governance is in place and that IT supports FSPG objectives. The HoDs are ultimately responsible for cultivating an understanding of the value of IT within their departments.

8.2.2 Provincial Government Information Technology Officers Council

The PGITOC champions IT innovation in the FSPG. In so doing, the PGITOC considers cross-cutting IT-related solutions proposed by departments for implementation and makes recommendations on their approval to the FoHoD. The Council thus functions as a gatekeeper for proposed cross-cutting IT solutions. The PGITOC also makes recommendations on the adoption of proposed IT strategies, policies, norms and standards.

The PGITOC also considers IT architecture variations and reviews the IT risk strategy for consistency with the architecture. The Council is also responsible for defining multi-departmental and single-departmental initiatives and for approving IT standards. In sum, the PGITOC is the de facto IT Strategy Committee and acts on behalf of the FoHoD (to which it is accountable) on how best to use IT within the organisation.

The PGITOC's operations are regulated by the following:

a) Free State Growth and Development Strategy Plan.
b) Individual departments' strategic and IT plans.
c) Integrated Development Plan (IDP).
d) SITA Act, 1998 and Regulations.
e) Public Service Act and Regulations.
f) Public Finance Management Act, 1999 and Regulations.

The PGITOC is governed by a Charter approved by the FoHoD and meets at least once every month (and whenever circumstances so require). The PGITOC is constituted as follows:

a) The CIO, who is the Chairperson.
b) IT Managers from each department, as appointed by the HoDs.
c) Managers in the IT unit of the PRT.
d) The provincial representative of the State Information Technology Agency (SITA), as an Associate Member on the standing committees only.
e) Secretary: an official from the IT unit, Department of the Premier.

The following Standing Committees exist within the PGITOC:

a) Procurement and IT Economic Development.
b) E-government and e-governance.
c) Risk, Audit, Projects and Change Management.
d) Security, Architecture and Free and Open Source Software (FOSS).

The Departmental Steering Committee (Steercom) is governed by a Charter approved by the Department of Police, Roads and Transport and meets at least once every month (and whenever circumstances so require). The Steercom is constituted as follows:

a) Chairperson: an Executive Manager appointed by the HoD.
b) Members: the Departmental CIO and business managers, in accordance with the mandate the HoD may decide, with the aim of strengthening the decision-making process.
c) Secretary: an official from the Service Management division of the ICT Unit, PRT.

The CIO reports to the Corporate Services Executive, who reports to the Head of Department; at the same time, the CIO reports to the PGITOC, which reports to the FoHoD and to the Department of Public Service and Administration through the CIO and the office of the Government Chief Information Officer (GCIO). Steercom members report to the HoD, who in turn reports to the department's Member of EXCO.

8.2.3 Departmental Chief Information Officer

The Departmental CIO (IT Manager) is responsible for the following:

a) Represent the department at the Government Information Technology Officers Council at provincial level (PGITOC).
b) Interact regularly on matters of IT governance with the PGITOC.
c) Report on a regular basis to Senior Management (SM) in the department as well as to the PGITOC in order to ensure transparency of IT operations and implementation.
d) Implement and monitor an IT Governance framework (COBIT) to deliver value and manage risk.
e) Implement IT strategies, policies, standards and procedures.
f) Implement an organisational structure geared to getting value out of IT for the department.
g) Implement governance structures (e.g. SLAs).
h) Create awareness of the maturity levels of governance.
i) Implement an IT planning process that is integrated with the departmental strategy development process.
j) Align IT operations with departmental operations.
k) Translate business requirements into efficient and effective IT solutions.

8.3 Governance Map

9. IT Governance Process

Control Objectives for Information and related Technology (COBIT) provides comprehensive good practices and processes for enforcing successful governance of IT, embedding IT and its value within the FSPG.

COBIT contributes to IT governance by providing a framework to ensure that:

a) IT is aligned to departments and their business;
b) IT enables departments and maximises benefits;
c) IT resources are used responsibly; and
d) IT risks are managed appropriately.

COBIT has four domains that contain the control processes used in achieving governance (primarily resource utilisation, business alignment of IT, value delivery and the management of IT risk). The four COBIT domains are: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME).


[8] Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobititgovernanceriskitpractitionerguide. Last accessed 08 February 2011.


COBIT is further complemented by two other IT governance frameworks that will be used in the FSPG's governance of IT. These complementary frameworks are Val IT and Risk IT. The two frameworks extend COBIT with more detail and processes for the two governance focus areas of Value Delivery and Risk Management.

‘The links between COBIT and Val IT

are focussed on programme and portfolio

management and investment management, and

primarily the COBIT IT processes that

deal with strategy and portfolios (PO1),

Val IT and Risk IT8 investment and budgets

(PO5), solution delivery (PO10), service

management (DS1) and performance reporting

(ME1).The links between COBIT and Risk IT

are focussed on risks related to strategic

choices (PO1), roles and responsibilities for

risk related functions (PO4), risk related

policies and frameworks

17 | P a g e I T G o v e r n a n c e F r a m e w o r k

PO6), risk management (PO9), business continuity (DS4) and various other specific risk

related service delivery activities in the DS

domain.9

The diagram10

to the right illustrates how COBIT

links the business requirements with the abilities or

value of IT.

IT Resources are those resources that were made

available by the IT units in the various

departments.

IT Processes are activities to organize IT units and

to respond to departments' needs.

Business requirements are departmental

expectations of IT. COBIT (Control Objectives for Information and related Technology) cover

the following four domains:11

1. Plan and Organize (PO).

2. Acquire and Implement (AI).

3. Deliver and Support (DS).

4. Monitor and Evaluate (ME).

The key to maintaining profitability in a technologically changing environment is how well control is maintained. COBIT's Control Objectives provide the critical insight needed to delineate a clear policy and good practice for IT controls. Included are the statements of desired results or purposes to be achieved by implementing the 210 specific and detailed control objectives throughout the 34 high-level IT processes.

Overview of COBIT's 34 high-level IT processes (some of these processes can further be enhanced through the use of Val IT and Risk IT):

Plan and Organize (PO)

The Plan and Organization (PO) domain covers the use of IT and how best it can be used in an organization to help achieve the organization's goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT. The following table lists the high-level IT processes for the Planning and Organization (PO) domain:

Process Description
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement (AI)

The Acquire and Implement (AI) domain covers identifying IT requirements, acquiring the technology, and implementing it within the organization's current business processes. This domain also addresses the development of a maintenance plan that an organization should adopt in order to prolong the life of an IT system and its components. The following table lists the high-level IT processes for the Acquisition and Implementation (AI) domain:

Process Description
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Delivery and Support (DS)

The Delivery and Support (DS) domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. The following table lists the high-level IT processes for the Delivery and Support (DS) domain:

Process Description
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor and Evaluate (ME)

The Monitoring and Evaluation (ME) domain deals with an organization's strategy in assessing the needs of the organization and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment of the effectiveness of the IT system in its ability to meet business objectives and the organization's control processes by internal and external auditors. The following table lists the high-level IT processes for the Monitor and Evaluate (ME) domain:

Process Description
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Compliance with External Requirements
ME4 Provide IT Governance

[Figure: COBIT Framework]

⁹ ISACA. (2011). Implementing and Continually Improving IT Governance. Available: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ImplementingandContinually-ImprovingITGovernance1.aspx. Last accessed 08 February 2011.

¹⁰ Albinowski, G. (2010). (COBIT) IT Governance + Risk IT Practitioner Guide. Available: http://www.goldenline.pl/forum/1318590/cobititgovernanceriskitpractitionerguide. Last accessed 08 February 2011.

¹¹ Palante, JP. (2010). CobiT domains and processes. Available: http://www.qualifiedauditpartners.be/index.php?cont=463&lgn=3. Last accessed 08 February 2011.

10. IT Policies, Standards and Procedures

IT Policies will be established and enforced to govern the governance process requirements. Policies will have, where necessary, accompanying standards and procedures to guide implementation.

Goals will continuously be evaluated to determine possible risks. The impact of risks can be evaluated by considering what might happen if the expectations surrounding that risk are not made clear to everyone in the organization. If an identified risk and its impact stand in the way of achieving a goal, then it will likely need to be addressed by a policy. In this way, management establishes clear guidelines that help ensure desired performance, fitting checks and balances and appropriate workplace interactions.

The following activities are involved in this process of identifying areas that require policies:

a) Documenting goals.
b) Assessing current state.
c) Envisioning future state.
d) Performing gap analysis.

Other sources of policy content will be some of the IT process specific frameworks that complement COBIT, such as ISO 27000 for security, ITIL (Information Technology Infrastructure Library) for service management and CMMI (Capability Maturity Model Integration) for software development.

Provincial IT Policies and Standards (impacting on the FSPG) are recommended by the PGITOC and FoHoD and approved by the DG. Departmental IT Policies and Standards are recommended by the CIO/IT Managers and approved by the Heads of Department.

11. IT Process

COBIT provides detailed IT Governance, IT Management and general IT Processes. It is, however, necessary to augment these with some industry recognised and domain specific frameworks and their processes.

In the Plan and Organise domain TOGAF (The Open Group Framework) will be used in:

PO1: Define an IT strategic plan.
PO2: Define the Information Architecture.

In the same domain a process methodology based on PRINCE II will be used in:

PO10: Manage Projects.

In the Acquire and Implement domain CMMI will be used in conjunction with ITIL in:

AI2: Acquire and Maintain Application Software.
AI3: Acquire and Maintain Technology Infrastructure.
AI4: Enable Operation and Use.
AI6: Manage Changes.

In the Deliver and Support domain ITIL processes will be used in:

DS1: Define and Manage Service Levels.
DS3: Manage Performance and Capacity.
DS6: Identify and Allocate Costs.
DS8: Manage Service Desk Incidents.
DS9: Manage the Configuration.
DS10: Manage Problems.
DS13: Manage Operations.

Within the same Deliver and Support domain ISO 27000 with its processes will be used as the security standard in:

DS5: Ensure System Security.
DS7: Educate and Train Users.

In the Monitor and Evaluate domain ISO 9000 with its processes will be used as the quality standard in:

ME1: Monitor and Evaluate IT Performance.
ME2: Monitor and Evaluate Internal Control.
ME3: Ensure Compliance with External Requirements.

12. IT Governance Performance Matrix¹²

IT Governance also means that control mechanisms are to be provided to senior management. The standard IT balanced scorecard¹³ (BSC, Figure 1) is a good illustration of how this control question can be answered. The scorecard provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations, expertise of IT staff and may compare these measures with benchmarking figures. This avoids IT reporting being restricted to technical matters such as the selection of a new voice communication network and assures that inhibitors for new business strategies can be detected and acted upon. The IT units will use BSCs to give performance reports to accounting officers.

Figure 1 shows a standard IT balanced scorecard. The User Orientation perspective represents the user evaluation of IT. The Operational Excellence perspective represents the IT processes employed to develop and deliver the applications. The Future Orientation perspective represents the human and technology resources needed by IT to deliver its services. The Business Contribution perspective captures the business value of the IT investments. Each of these perspectives has to be translated into corresponding metrics and measures that assess the current situation.

These assessments have to be repeated periodically and have to be confronted with goals that have to be set beforehand and with benchmarking figures. It is essential that within an IT BSC the cause and effect relationships are established and the connections between the two types of measures, outcome measures and performance drivers, are clarified. A well-built IT scorecard needs a good mix of these two types of measures. Outcome measures such as developers' productivity (e.g., number of function points per person per month) without performance drivers such as IT staff education (e.g., number of educational days per person per year) do not communicate how the outcomes are to be achieved.

Performance drivers without outcome measures may lead to significant investment without a measurement of whether this strategy is effective. These cause and effect relationships have to be defined throughout the whole scorecard (Figure 2): more and better education of IT staff (future perspective) is an enabler (performance driver) for a better quality of developed systems (operational excellence perspective), which in turn is an enabler for increased user satisfaction (user perspective), which eventually must lead to a higher business value of IT (business contribution perspective).

IT Governance is part of corporate governance and has to provide the organizational structures to enable the creation of business value through IT, the assurance that there are no IT investments in bad projects and that there are adequate IT control mechanisms. The methodology of the balanced scorecard is a measurement and management system that is very suitable for supporting the IT Governance process and the IT/business alignment process.

It is believed that in the near future many organizations will use a cascade of a business balanced scorecard and IT balanced scorecards as a way of assuring IT Governance and achieving the integration of business and IT decisions.

¹² Van Grembergen, W. (2010). The Balanced Scorecard and IT Governance. Available: http://www.isaca.org/Certification/CGEIT-CertifiedintheGovernanceofEnterpriseIT/PreparefortheExam/Study-Materials/Documents/TheBalancedScorecardandIT-Governance.pdf. Last accessed 09 February 2011.

¹³ The Balanced Scorecard (BSC), initially developed by Kaplan and Norton, is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up. In recent years the BSC has been applied to IT.

13. Glossary

AI – Acquire and Implement.

BSC – Balanced Scorecards: Scorecard that provides accounting officers with crucial control measures on IT expenses, user satisfaction, efficiency of development and operations, expertise of IT staff and may compare these measures with benchmarking figures.

BUM – Business Unit Managers.

CFO – Chief Financial Officer.

CIO – Chief Information Officer.

CMMI – Capability Maturity Model Integration: Set of processes for managing IT services.

COBIT – Control Objectives for Information and related Technology: Managing IT projects and realizing value from IT.

Corporate Governance – The set of processes, customs, policies, laws, management practices and institutions affecting the way an entity is controlled and managed.

DG – Director General.

DPSA – Department of Public Service and Administration.

DS – Deliver and Support.

EXCO – Executive Council.

FoHoD – Forum of Heads of Department.

FSPG – Free State Provincial Government.

ISO 27000 – International Organization for Standardization 27000: Guide to Business Continuity Management.

ISO 9000 – International Organization for Standardization 9000: A family of standards related to quality management systems that is designed to help organizations ensure they meet the needs of customers and other stakeholders. ISO 9000 deals with the fundamentals of quality management systems, including the eight management principles on which the family of standards is based. ISO 9001 deals with the requirements that organizations wishing to meet the standard have to meet.

IT – Information Technology.

IT Governance – The structure, oversight and management processes which ensure the delivery of the expected benefits of IT in a controlled way to help enhance the long term sustainable success of the enterprise.

ITIL – Information Technology Infrastructure Library: Framework for managing and mitigating risks resultant from IT.

ITRM – Information Technology Risk Management: Framework for information security.

HoD – Head of Department.

King III Code of Practice for IT Governance – IT Governance is a new issue introduced in the King III code. The King III code places IT governance in the hands of the board and specifically states that the board should be responsible for information technology (IT) governance, ensuring that the business of IT is properly managed in the company. Whereas King I and King II applied to public, listed companies only, King III applies to all entities, regardless of the manner and form of incorporation. The King III code of Governance became effective on 1st March 2010.

ME – Monitor and Evaluate.

PAS 56 – Publicly Available Specifications 56: Guide to IT Service Continuity Management.

PAS 77 – Publicly Available Specifications 77: Provides comprehensive IT Governance Processes, IT alignment and IT controls.

Performance Measurement – Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards and resource usage dashboards that translate strategy into action to achieve goals measurable beyond conventional accounting.

PFMA – Public Financial Management Act, 1999 (Act 1 of 1999, as amended by Act 29 of 1999).

PGITOC – Provincial Government Information Technology Officers Council.

PO – Plan and Organise.

PRINCE2 – Projects in Controlled Environments: Process improvement approach used in the development of applications (software).

PSA – Public Services Act, 1994 (Proclamation Nr. 103 of 1994).

Resource Management – Is about the optimal investment in, and the proper management of, critical IT resources: processes, people, applications, infrastructure and information. Key issues relate to the optimization of knowledge and infrastructure.

Risk IT – Provides an end to end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk Management – Requires risk awareness by senior management, a clear understanding of the organization's appetite for risk, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization.

ROI – Return On Investment: A performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.

SC – Standing Committees.

SITA Act – State Information Technology Agency (SITA) Act, 1998 (Act 88 of 1998, as amended by Act 38 of 2002).

SLA – Service Level Agreements.

Strategic Alignment – Focuses on ensuring the linkage of business and IT plans, on defining, maintaining and validating the IT value proposition and on aligning IT operations with the organization operations.

TCO – Total Cost of Ownership: A financial estimate whose purpose is to help consumers and enterprise managers determine direct and indirect costs of a product or system. It is a management accounting concept that can be used in full cost accounting or even ecological economics where it includes social costs.

TOGAF – The Open Group Framework: A framework for enterprise architecture which provides a comprehensive approach to the design, planning, implementation, and governance of enterprise information architecture.

Val IT – A governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level.

Value Delivery – Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the value of IT.

14. Signatures