
PO3.1 Technological Direction Planning

CobiT definition:

Analyse existing and emerging technologies, and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

Bill says,

You have to give your team some context for your technical leadership direction. Are you the kind of leader, and hence your IT organization, who is a risk taker willing to implement the latest and greatest technology? Or are you more pragmatic, waiting for the other guys to take the risks on new technology first?

It is in the Technical Direction Planning CobiT control objective where you define this direction, and hence lay out the future for the direction your team will take from a technical standpoint.

Does Software as a Service make sense for your organization? What about mobile technologies? VOIP? Are there productivity improvements to be made there or are the risks too great? You need to map out these existing and emerging technologies and make clear what you as a leader are willing to accept.

From then on the details can be worked out.

The first step in Determining the Technological Direction is doing the necessary technological direction planning.

PO3 Determine Technological Direction

CobiT definition:

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.

Control over the IT process of
Determine technological direction

that satisfies the business requirement for IT of
having stable, cost-effective, integrated and standard application systems, resources and capabilities that meet current and future business requirements

by focusing on
defining and implementing a technology infrastructure plan, architecture and standards that recognise and leverage technology opportunities

is achieved by
• Establishing a forum to guide architecture and verify compliance
• Establishing the technology infrastructure plan balanced against cost, risk and requirements
• Defining the technology infrastructure standards based on information architecture requirements

and is measured by
• Number and type of deviations from the technology infrastructure plan
• Frequency of the technology infrastructure plan review/update
• Number of technology platforms by function across the enterprise

Control objectives:

PO3 Determine Technological Direction

PO3.1 Technological Direction Planning
PO3.2 Technology Infrastructure Plan
PO3.3 Monitor Future Trends and Regulations
PO3.4 Technology Standards
PO3.5 IT Architecture Board

Check out the links for details on the control objectives.

IT Governance Certifications

I’ve decided it was time that I get a little more serious about my IT Governance education and as such I have decided to pursue a couple of worthwhile certifications - ITIL Foundations (for a start) and CGEIT, which is Isaca’s Certified in the Governance of Enterprise IT certification.

For the Foundations certificate studying I purchased Introduction to the ITIL Service Lifecycle (ITIL Version 3), which does a very good job going over the highlights of ITIL and is their official introductory guide. I also signed up for some online education through HDI, which is an accredited training organization, which also included a discounted exam fee. The online course is available for about 12 weeks, so sometime between now and then I’ll register and take the exam, which is multiple choice.

Going through the book and the online course together has been invaluable. I am really understanding the overall service lifecycle very well, and am actually looking forward to starting to purchase the core books and getting more in depth into studying ITIL and IT Governance.

Update - I passed the exam with a 90% score. Read more on how I did it by checking out How to Pass the ITIL Foundations Certification Exam.

This is what Isaca says about the CGEIT:

This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

The exam for this is scheduled on December 12th. Just passing the exam is not enough to earn the certification. To earn the CGEIT credential, an individual must:

  1. Pass the CGEIT exam (first exam - December 2008)
  2. Adhere to the ISACA Code of Professional Ethics
  3. Agree to comply with the CGEIT Continuing Education Policy
  4. Provide evidence of appropriate IT governance work experience as defined by the CGEIT Job Practice

Based on my work experience I should have no problem qualifying (as long as I pass the exam!). Reference materials for study are available as free downloads on their website. I did register as an Isaca member to get the discount, so now I am an official Isaca member.

It’s been a while since I have studied like this but I like it! I look forward to sharing more about my experience in seeking these certifications.

PO2.4 Integrity Management

CobiT definition:

Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Bill says,

“All data stored in electronic form” is one hell of a big task, but if you are to implement the proper level of controls that is truly what you are on the hook for. Once you have classified your data you will have a list of what is important to your business and what you need to control. Now you have to design and implement the procedures that ensure that data is what you think it is and it has the visibility that you think it should have.

Integrity of the data is fairly simple for static data; you really just need to be able to maintain an archived version that you can compare it to, proving its integrity, assuming of course that you have the security of that data established properly.

The biggest challenge to integrity management is in your transactional database where your staff, and perhaps even your customers, are responsible for maintaining some aspect of that data. This is where you need to automate as much as possible so that you are not relying on human nature, but no matter how much of that you do you will still be on the hook for documenting those processes and controls.

Integrity management is difficult but important. If you have followed the steps within this control objective you should be well on your way to achieving a good level of control.

The fourth step in Defining the Information Architecture is integrity management.
