79 Cards in this Set
- Front
- Back
Governance
|
Making decisions that define expectations, grant authority, or ensure performance; aligning behavior with business goals through empowerment and monitoring. |
|
Empowerment
|
Granting the right to make decisions. Monitoring comes from evaluating performance. |
|
decision rights
|
Indicates who in the organization has the responsibility to initiate, supply information for, approve, implement, and control various types of decisions. |
|
centralized IS organizations
|
Bring together all staff, hardware, software, data, and processing into a single location. |
|
Decentralized IS organizations
|
Scatter staff, hardware, software, data, and processing to different locations to address local business needs. |
|
Federalism IS organizations
|
a combination of centralized and decentralized structures.
|
|
Companies with high level of governance maturity
|
Have a need for control, which centralized IS structures make possible.
|
|
1960s
|
more Centralized IS structure
|
|
1970s
|
Remained Centralized IS structure
|
|
1980s
|
Gave rise to decentralized IS structure due to the PC
|
|
Federalism
|
is a structuring approach that distributes power, hardware, software, data, and personnel between a central IS group and IS in business units.
|
|
hybrid
|
approach enables organizations to benefit from both structural approaches
|
|
IT governance
|
Specifying the decision rights and accountability framework to encourage desirable behavior in using IT. It is not about what decisions are actually made, but about who is making the decisions (i.e., who holds the decision rights) and how the decision makers are held accountable for them. Match the manager's decision rights with his or her accountability for a decision. |
|
Mismatches
|
Result in either an oversupply of IT resources or the inability of IT to meet business demand.
|
|
Technocentric Gap
|
Danger of overspending on IT, creating an oversupply; IT assets may not be utilized to meet business demand; business group frustration with the IT group; low accountability, high decision rights. |
|
Strategic Norm (Level 3 balance)
|
Works where IT is viewed as competent and strategic to the business; high accountability, high decision rights. |
|
Support Norm (Level 1 balance)
|
Works for organizations where IT is viewed as a support function; the focus is on business efficiency; low accountability, low decision rights. |
|
Business Gap
|
Cost considerations dominate IT decisions; IT assets may not utilize internal competencies to meet business demand; IT group frustration with the business group; high accountability, low decision rights.
|
|
Good IT governance
|
Provides a structure to make good decisions.
|
|
two major components of IT governance
|
Assignment of decision-making authority and decision-making responsibility.
|
|
decision-making mechanisms
|
Steering committees, review boards, and policies.
|
|
5 categories of IT decisions
|
IT principles, IT architecture, IT infrastructure strategies, business application needs, and IT investment and prioritization.
|
|
archetype
|
Proposed by Weill and Ross, a pattern for decision rights allocation; a way of labeling the combinations of people who either input information or have decision rights for key IT decisions.
|
|
Enterprise-wide, business unit, and region/group within a business unit
|
Decisions can be made at several levels in the organization
|
|
Examples of archetypes
|
Business monarchy, IT monarchy, feudal, federal, IT duopoly, and anarchy
|
|
IT Principles
|
High-level statements about how IT is used in the business. |
|
IT Architecture
|
An integrated set of technical choices to guide the organization in satisfying business needs. A set of policies and rules for the use of IT that plots a migration path to the way business will be done.
|
|
IT Infrastructure Strategies
|
Strategies for the base foundation of budgeted-for IT capability (both technical and human) shared throughout the firm as reliable services and centrally coordinated.
|
|
Business Application Needs
|
Specification of the business need for purchased or internally-developed IT applications.
|
|
IT Investment & Prioritization
|
Decision about how much and where to invest in IT, including project approvals and justification techniques.
|
|
Business monarchy
|
A group of business executives, or an individual business executive. Includes committees composed of senior business executives; excludes IT executives acting separately.
|
|
IT monarchy
|
An individual IT executive or a group of IT executives.
|
|
Feudal
|
Business unit leaders, key process owners, or their delegates.
|
|
Federal
|
C-level executives and at least one other business group; IT executives may be an additional participant. Analogous to a country and its states.
|
|
IT Duopoly
|
IT executives and one other group.
|
|
Anarchy
|
Each individual user.
|
|
Information security strategy
|
Business leaders have the knowledge of the company's strategies, on which the security strategy should be based. No detailed technical knowledge is required.
|
|
Information security policies
|
Technical and security implications of behaviors and processes need to be analyzed, and trade-offs between security and productivity need to be made. Requires knowing the particularities of the company's IT infrastructure.
|
|
Information security infrastructure
|
In-depth technical knowledge and expertise are needed.
|
|
Information security education/training/ awareness
|
Business buy-in and understanding are needed. Technical expertise and knowledge of critical security issues are needed in building programs.
|
|
Information security investments
|
Requires financial (quantitative) and qualitative evaluation of the business impacts of security investments. A business case has to be presented for rival projects.
|
|
Policies
|
Are useful for the decision-making process in certain situations.
|
|
A review board
|
A committee formally designated to approve, monitor, and review specific topics; can be an effective governance mechanism.
|
|
IT Steering Committee
|
An advisory committee of key stakeholders or experts that can provide guidance on important IT issues. Works well with federal archetypes.
|
|
IT Governance council
|
A steering committee at the highest level; reports to the board of directors or the CEO. |
|
Governance frameworks
|
Have been employed recently to define responsibility for control decisions.
|
|
Sarbanes-Oxley Act of 2002 (SOX)
|
Was enacted to increase regulatory visibility and accountability of public companies and their financial health.
|
|
CEOs and CFOs
|
Must personally certify and be accountable for their firm's financial records and accounting.
|
|
IT
|
Plays a major role in ensuring the accuracy of the financial data.
|
|
one of the 5 IT control weaknesses
|
Failure to segregate duties within applications as well as failure to set up new accounts and terminate old ones in a timely manner.
|
|
one of the 5 IT control weaknesses
|
Lack of proper oversight for making application changes, including appointing a person to make a change and another to perform quality assurance on it.
|
|
one of the 5 IT control weaknesses
|
Inadequate review of audit logs to ensure that systems were running smoothly and that there was an audit log of the audit log.
|
|
one of the 5 IT control weaknesses
|
Failure to identify abnormal transactions in a timely manner.
|
|
one of the 5 IT control weaknesses
|
Lack of understanding of key system configurations.
|
|
Auditors
|
Must certify the underlying controls and processes that are used to compile a company's financial results.
|
|
Treadway commission
|
National commission on fraud reporting created as a result of the financial scandals of the 1980s. Created 3 control objectives for managers and auditors.
|
|
Operations, Compliance, Financial reporting
|
The 3 control objectives created by the Treadway commission.
|
|
COSO developed essential control components for auditors and managers
|
Control environment, risk assessment, control processes, information and communication of procedures, and monitoring.
|
|
Control environment
|
Addresses the overall culture of the company.
|
|
Risk assessment
|
Identifies the most critical risks to internal controls.
|
|
Control processes
|
Outline important processes and guidelines.
|
|
monitoring
|
Done by management of the internal controls.
|
|
COBIT
|
Provides guidelines about who in the organization should be making decisions about the IT processes, resources, and information.
|
|
Domain
|
4 areas of risk: plan and organize, acquire and implement, deliver and support, monitor and evaluate; each consists of multiple processes.
|
|
Control objective
|
Focuses on control of a process associated with risk; there are 34 processes.
|
|
Key goal indicator
|
Specific measures of the extent to which the goals of the system in regard to a control objective have been met.
|
|
Key performance indicator
|
Actual, highly specific measures for measuring accomplishment of a goal.
|
|
Critical success factor
|
Describes the steps that a company must take to accomplish a control objective; there are 318 critical success factors.
|
|
Maturity model
|
A uniquely defined six-point ranking of a company's readiness for each control objective, made in comparison with other companies in the industry.
|
|
Advantages of COBIT
|
Well-suited to organizations focused on risk management and mitigation; designates clear ownership and responsibility for key processes in a way that is understood by all stakeholders.
|
|
Disadvantages of COBIT
|
Very detailed, costly, and time-consuming.
|
|
Knowledge building (CIO tactic)
|
Establishing a knowledge base to implement SOX.
|
|
Knowledge Development (CIO tactic)
|
Disseminating knowledge about SOX and developing an understanding of this knowledge among management and other organizational members.
|
|
Innovation directive
|
Organizing for implementing SOX and announcing the approach.
|
|
Mobilization (CIO tactic)
|
Persuading decentralized players and subsidiaries to participate in the SOX implementation.
|
|
Standardization
|
Negotiating agreements between organizational members to facilitate the SOX implementation.
|
|
Business Continuity Plan
|
An approved set of preparations and sufficient procedures for responding to a variety of disaster events. |
|
COBIT (Control Objectives for Information and Related Technology)
|
An IT governance framework that is consistent with COSO controls. |
|
ITIL
|
A set of concepts and techniques for managing IT infrastructure, development, and operations that was developed in the United Kingdom.
|