Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
38 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
PO
|
Plan & Organize
|
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organisation as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:• Are IT and the business strategy aligned?• Is the enterprise achieving optimum use of its resources?• Does everyone in the organisation understand the IT objectives?• Are IT risks understood and being managed?• Is the quality of IT systems appropriate for business needs?
|
|
|
AI
|
Acquire & Implement
|
To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions: • Are new projects likely to deliver solutions that meet business needs? • Are new projects likely to be delivered on time and within budget? • Will the new systems work properly when implemented? • Will changes be made without upsetting current business operations?
|
|
|
DS
|
Deliver & Support
|
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the followingmanagement questions: • Are IT services being delivered in line with business priorities? • Are IT costs optimised? • Is the workforce able to use the IT systems productively and safely? • Are adequate confidentiality, integrity and availability in place for information security?
|
|
|
ME
|
Monitor & Evaluate
|
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions: • Is IT’s performance measured to detect problems before it is too late? • Does management ensure that internal controls are effective and efficient? • Can IT performance be linked back to business goals? • Are adequate confidentiality, integrity and availability controls in place for information security?
|
|
|
PO1
|
Define a Strategic IT Plan
|
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realised from project and service portfolios. The strategic plan should improve key stakeholders’ understanding of IT opportunities and limitations, assess current performance and clarify the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which establishes concise objectives, plans and tasks understood and accepted by both business and IT.
|
|
|
PO2
|
Define the Information Architecture
|
The information systems function should create and regularly update a business information model and define the appropriate systems to optimise the use of this information. This encompasses the development of a corporate data dictionary with the organisation’s data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalising information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.
|
|
|
PO3
|
Determine Technological Direction
|
The information services function should determine the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan should be regularly updated and encompasses aspects such as systems architecture, technological direction, acquisitions plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments as well as improved interoperability of platforms and applications.
|
|
|
PO4
|
Define the IT Processes, Organisation and Relationships
|
An IT organisation must be defined considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organisation is to be embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee should ensure board oversight of IT and one or more steering committees, in which business and IT participate, should determine prioritisation of IT resources in line with business needs. Processes, administrative policies and procedures need to be in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
|
|
|
PO5
|
Manage the IT Investment
|
Establish and maintain a framework to manage IT-enabled investment programmes that encompasses cost, benefits, prioritisation within budget, a formal budgeting process and management against the budget. Work with stakeholders to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders, enables the effective and efficient use of IT resources, and provides transparency and accountability into the total cost of ownership, the realisation of business benefits and the return on investment of IT-enabled investments.
|
|
|
PO6
|
Communicate Management Aims and Direction
|
Management should develop an enterprise IT control framework and define and communicate policies. An ongoing communication programme should be implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process should ensure compliance with relevant laws and regulations.
|
|
|
PO7
|
Manage IT Human Resources
|
Acquire, maintain and motivate a competent workforce for creation and delivery of IT services to the business. This is achieved by following defined and agreed practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical as people are important assets and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.
|
|
|
PO8
|
Manage Quality
|
A quality management system should be developed and maintained, which includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the quality management system by providing clear quality requirements, procedures and policies. Quality requirements should be stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysing and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.
|
|
|
PO9
|
Assess & Manage IT Risks
|
Create and maintain a risk management framework. The framework documents a common and agreed level of IT risks, mitigation strategies and agreed-upon residual risks. Any potential impact on the goals of the organisation caused by an unplanned event should be identified, analysed and assessed. Risk mitigation strategies should be adopted to minimise residual risk to an accepted level. The result of the assessment should be understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.
|
|
|
PO10
|
Manage Projects
|
Establish a programme and project management framework for the management of all IT projects. The framework should ensure the correct prioritisation and co-ordination of all projects. The framework should include a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, quality assurance, a formal test plan, and testing and post-implementation review after installation to ensure project risk management and value delivery to the business. This approach reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end users, ensures the value and quality of project deliverables, and maximises their contribution to IT-enabled investment programmes.
|
|
|
AI1
|
Identify Automated Solutions
|
The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to ‘make’ or ‘buy’. All these steps enable organisations to minimise the cost to acquire and implement solutions whilst ensuring they enable the business to achieve its objectives.
|
|
|
AI2
|
Acquire and Maintain Application Software
|
Applications have to be made available in line with business requirements. This process covers the design of the applications, the proper inclusion of application controls and security requirements, and the actual development and configuration according to standards. This allows organisations to properly support business operations with the correct automated applications.
|
|
|
AI3
|
Acquire and Maintain Technology Infrastructure
|
Organisations should have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintainance and protection of infrastructure in line with with agreed technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.
|
|
|
AI4
|
Enable Operation and Use
|
Knowledge about new systems needs to be made available. This process requires the production of documentation and manuals for users and IT, and provides training to ensure proper use and operations of applications and infrastructure.
|
|
|
AI5
|
Procure IT Resources
|
IT resources, including people, hardware, software and services need to be procured. This requires the definition and enforcement of procurement procedures, the selection of vendors, the setup of contractual arrangements and the actual acquisition itself. Doing so ensures that the organisation has all required IT resources in a timely and cost-effective manner.
|
|
|
AI6
|
Manage Changes
|
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
|
|
|
AI7
|
Install and Accredit Solutions and Changes
|
New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review. This assures that operational systems are in line with the agreed expectations and outcomes.
|
|
|
DS1
|
Define and Manage Service Levels
|
Effective communication between IT management and business customers regarding services required is enabled by a documented definition and agreement of IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
|
|
|
DS2
|
Manage 3rd Party Services
|
The need to assure that services provided by third parties meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimises business risk associated with non-performing suppliers.
|
|
|
DS3
|
Manage Performance & Capacity
|
The need to manage performance and capacity of IT resources requires a process to periodically review current performance and capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements. This process provides assurance that information resources supporting business requirements are continually available.
|
|
|
DS4
|
Ensure Continuous Service
|
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, offsite backup storage and periodic continuity plan training. An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.
|
|
|
DS5
|
Ensure Systems Security
|
The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilties, policies, standards and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimise the business impact of security vulnerabilities and incidents.
|
|
|
DS6
|
Identify and Allocate Costs
|
The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding use of IT services.
|
|
|
DS7
|
Educate and Train Users
|
Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training programme increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls such as user security measures.
|
|
|
DS8
|
Manage Service Desk and Incidents
|
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.
|
|
|
DS9
|
Manage the Configuration
|
Ensuring the integrity of hardware and software configurations requires establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimises production issues and resolves issues faster.
|
|
|
DS10
|
Manage Problems
|
Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes identification of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process improves service levels, reduces costs and improves customer onvenience and satisfaction.
|
|
|
DS11
|
Manage Data
|
Effective data management requires identifying data requirements. The data management process also includes establishing effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.
|
|
|
DS12
|
Manage the Physical Environment
|
Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.
|
|
|
DS13
|
Manage Operations
|
Complete and accurate processing of data requires effective management of data processing and maintenance of hardware. This process includes defining operations’ policies and procedures for effective management of scheduled processing, protection of sensitive output, monitoring infrastructure and preventative maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.
|
|
|
ME1
|
Monitor and Evaluate IT Performance
|
Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, a systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.
|
|
|
ME2
|
Monitor and Evaluate Internal Control
|
Establishing an effective internal control programme for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.
|
|
|
ME3
|
Ensure Regulatory Compliance
|
Effective regulatory oversight requires the establishment of an independent review process to ensure compliance with laws and regulations. This process includes defining an audit charter, auditor independence, professional ethics and standards, planning, performance of audit work, and reporting and follow-up of audit activities. The purpose of this process is to provide positive assurance related to IT compliance with laws and regulations.
|
|
|
ME4
|
Provide IT Governance
|
Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
|
