【文章內容簡介】 res, policies ?Ensures shareholders interests are respected ?Overall IT decision making and accountability ?Ensures value is delivered to shareholders through IT investments and actions ?Creates business value through IT manages IT budgets, resources, projects, operations, vendors ?Runs IT as a business 38 SITC: Service Security Quality System IT Planning Project Mgmt IT Security AP. Dev. (SDLC) Service Mgmt. IT Operations IT Governance Model COSO COBIT SOX ISO SIX Sigma CMMI ISO 17799 PMI TSO IS Strategy ISO 20230 Quality Systems Mgmet. Frameworks ISO 38500 39 SITC: Service Security Compliance framework There are four patible frameworks, operating at different level of detail and scope, that provide a set of controls and governance for IT ? Level1: COSO ? Organization wide controls ? Level2:COBIT ? Can satisfy and extend COSO controls relating to IT ? Level3:ITIL ? Can satisfy and extend COBIT controls relating to IT ? Level4:ISO27002/17799 ? IT Security controls to meet and extend COBIT security 40 SITC: Service Security Key Findings of the Survey IT Governance Global Status Report— 2023. 1. Although championship for IT governance within the enterprise es from the Clevel, in daily practiceIT governance is still very much a CIO/IT director issue. The few nonIT people in the sample have a muchmore positive view of IT than do the IT professionals themselves. 2. The importance of IT continues to increase. 3. Selfassessment regarding IT governance has increased and is quite positive. 4. Communication between IT and users is improving, but slowly. 5. There is still substantial room for improvement in alignment between IT governance and corporate governance—as well as for IT strategy and business strategy. 6. ITrelated problems persist. While security/pliance is an issue, people are the most critical problem. 7. Good IT governance practices are known and applied, but not universally. 8. Organisations know who can help them implement IT governance, but appreciation for the available expertise and delivery capability is only average. 9. Action is being taken or plans are underway to implement IT governance activities. A large increase is evident when pared to the 2023 report. 10. Organisations use the wellknown frameworks and solutions. 11. COBIT awareness has exceeded 50 percent, and adoption and use remain around 30 percent. a. Twentyfive to 35 percent of respondents apply COBIT to the letter or are very strict. b. Fifty percent of respondents indicate that COBIT is ?one of the reference sources?. c. In general, there is high appreciation of COBIT, as has been seen in prior reports. 12. More than half of the respondents apply or plan to apply Val IT principles, but are not familiar with theVal IT brand itself. 13. Major obstacles to adoption and use of Val IT principles include uncertainty regarding the return on investment (ROI) and lack of knowledge/expertise. 41 SITC: Service Security Selected IT Governance Frameworks 42 SITC: Service Security Benefits of IT Governance ? Confidence of top management ? Responsiveness of IT to business ? Higher return on investment (ROI) ? More reliable services ? More transparency 43 SITC: Service Security IT Governance IT governance is an integral part of corporate governance and analogously bines leadership, anizational structures, and processes that ensure that IT sustains and extends the anization?s strategies and objectives IT governance provides guidelines, establishes criteria and standards for decision making, monitoring, measuring, and improving the performance of IT IT governance is the responsibility of the executive board and the executive management (incl. IT) and supports the interaction of all the anization39。s parties involved with IT What? How? Who? Though guided by it, daily operations or operative project management, are not core part of IT governance nor can IT governance substitute for a sound business strategy What not? Our Definition of IT Governance emphasizes the close Link of IT to the Organization as a whole ... 44 SITC: Service Security What is IT Governance? ? It?s about anization leadership ? Decision making that leads to better alignment of IT and the business ? IT delivering more business value ? IT resources are used responsibly ? IT risks are managed appropriately 45 SITC: Service Security Sample Questions ? Which of the following is a key benefit of IT governance? ? Improved business processes ? Greater awareness of available technical solutions ? Responsiveness of IT ? Greater use of technology ? Increased budget for IT projects 46 SITC: Service Security Sample Questions ? The COSO framework is a framework to help anizations establish and determine: ? Accounting standards ? Auditing standards ? Investment decisions ? The effectiveness of their internal controls 47 SITC: Service Security Sample Questions ? Which statement below best describes the Committee of Sponsoring Organisations of the Treadway Commission (COSO)’s Internal Control—Integrated Framework? ? A framework for internal auditing. ? A framework for systems management. ? A framework for risk management. ? A framework for information systems 48 SITC: Service Security Sample Questions ? Which of the following is an IT Governance concern of a trading partner? ? Confidential pany information is not given to petitors ? The IT systems are based on the latest technology ? System changes are not made without the partners approval ? The IT operation is cost effective and efficient 49 SITC: Service Security Sample Questions ? Which of the following is a principle of IT governance? ? Accountability