Summary IT in Control (including all the articles, Selig and Romney)

Pages: 57
Uploaded on: 22-05-2023
Written in: 2022/2023

In this summary for the course IT in Control the following points have been summarized:
- all the articles
- the book 'Selig, G.J. (2015). Implementing Effective IT Governance and IT'
- and the book 'Romney, M.B.; Steinbart, P.J. (2015). Accounting Information Systems, Global Edition, 15th Edition'

Document information

Summarized whole book? No
Which chapters are summarized? Chapter 1, 2, 3, 6, 7 and 9
Summary IT in Control
Table of contents
Strategy
Selig - Chapter 1: Introduction to IT/Business Alignment, Planning, Execution and Governance
1.2 Overview
1.3 Definition, purpose and scope of IT governance
1.5 Overview of the integrated IT governance framework, major components and prerequisites
1.6 Steps in making IT governance real
Selig - Chapter 3
3.2.3 The changing role of the CIO
3.2.4 Components of effective alignment
3.2.7 Overcoming business/IT alignment obstacles and constraints
3.3.1 Principles of aligning IT to the business more effectively
3.3.2 Management control practices
3.3.3 Supplementary practices
Henderson, J.C.; Venkatraman, N. (1993). Strategic Alignment, Leveraging Information technology for transforming organizations
Sabherwal, R.; Hirschheim, R.; Goles, T. (2001). The Dynamics of Alignment, Insights from a Punctuated Equilibrium Model

Governance
Selig - Chapter 2
2.2 Overview
2.4.14 COBIT – Control Objectives for Information and Related Technology
2.4.29 BiSL
2.4.30 ASL
2.4.14 ITIL – IT Infrastructure Library
BiSL, ASL and ITIL combined.
2.4.16 Information Security Management System (ISMS)
2.4.23 AIM – Amsterdam Information Management Model
IT Governance and Management Framework
Selig - Chapter 6
6.3.1 Top concerns of CIOs
6.4.2 ITIL value propositions – leading company examples
6.5.2 Summary of ITIL 2011 Edition service lifecycle, core guides, processes, objectives, and related activities
Hardy, G. (2006). Using IT Governance and COBIT to deliver Value with IT and respond to Legal, Regulatory and Compliance Challenges
Kerr, D.; Murthy, U.S. (2013). The importance of the CobiT Framework IT Processes for Effective Internal Control over Financial Reporting in Organizations: an International Survey
Haes, de S.; Grembergen, van W. (2013). Improving Enterprise Governance of IT in Major Airline: a Teaching Case

Outsourcing
Selig chapter 7
7.2.1 Strategic sourcing and outsourcing definitions
7.2.2 Major outsourcing drivers and challenges
7.2.3 Why do organizations outsource?
7.2.4 What do organizations outsource?
7.2.6 Outsourcing – barriers and risks
Selig chapter 9
9.3 Cloud computing
Julisch, K.; Hall, M. (2010). Security and Control in the Cloud

Cybercrime
Romney & Steinbart chapter 8 Frauds and Errors
Natural and Political Disasters
Software Errors and Equipment Malfunctions
Unintentional acts (computer crimes)
Intentional acts
The fraud triangle
Computer Fraud
Preventing and Detecting Fraud and Abuse
Romney & Steinbart chapter 9 computer fraud and abuse techniques

Security
Romney & Steinbart chapter 10
Overview of control concepts
Management’s philosophy, operating style, and risk appetite
Employ a computer security officer and a chief compliance officer.
Romney & Steinbart chapter 11
The trust service framework
The time-based model of information security
Fanning, K.; Centers, D.P. (2016). Blockchain and Its Coming Impact on Financial Services

Privacy
Romney & Steinbart – chapter 12
Protecting Confidentiality and Privacy
Identify and classify information to be protected
Privacy concerns
Encryption
Hashing
Romney & Steinbart – chapter 13
Availability

Project management
Cerpa, N.; Verner, J.M. (2009). Why did your project fail? Communications of the ACM, 52(12), 130-134
Venkatesh, V.; Morris, M.G.; Davis, G.B.; Davis, F.D. (2003). User Acceptance of Information Technology: Toward a Unified View. MIS Quarterly, 27(3), 425–478

Strategy
Selig - Chapter 1: Introduction to IT/Business Alignment, Planning, Execution and Governance
1.2 Overview
The issues, opportunities and challenges of aligning information technology more closely with an
organization and effectively governing and managing an organization’s Information Technology (IT)
investments, resources, major initiatives and superior uninterrupted service are becoming a major
concern of the board and executive management in enterprises on a global basis.

1.2.1 Today’s business challenges and drivers
Reducing costs, increasing speed to market, continuous improvements, greater innovation and
creativity, more compliance, more effective accountability, globalization, and more demanding and
sophisticated customers are some of the pressures facing business and IT executives.

1.2.2 Scope and definition of enterprise governance and its relationship to business and IT governance
Enterprise governance deals with the separation of ownership and control of an organization (e.g.
board members represent the stockholders), while business governance focuses on the direction,
control and execution of the business plan and strategies by the CEO and his/her team and IT
governance focuses on the direction, control and execution of IT plans and strategies (e.g. CIO and
his/her team). Figure 1.2 compares and differentiates the key characteristics of enterprise
governance versus business governance versus IT governance.




1.2.3 The board’s role in IT governance
Based on a report by the IT Governance Institute, “IT governance is the responsibility of the board of
directors and executive management. It is an integral part of enterprise governance and consists of
the leadership and organizational structures and processes that ensure that the organization’s IT
function sustains and extends the organization’s strategies and objectives.”

1.1.1. Major challenges and issues faced by IT




1.3 Definition, purpose and scope of IT governance
Definition of IT governance
It is a collection of management, planning and performance review policies, practices and processes
with associated decision rights, which establish authority, sponsorship, controls, a baseline and
performance metrics over investments, plans, budgets, commitments, services, major changes,
security, privacy, business continuity, risk assessment and compliance with laws and organizational
policies.

1.3.2 Value propositions from best-in-class companies on business and/or IT governance
Based on primary and secondary market research, the author identified several benefits attributed to
major organizations relating to improved business and/or IT governance structures and
environments (Selig, 2008):
• Lowers cost of operations by accomplishing more work consistently in less time and with
fewer resources without sacrificing quality (General Motors);
• Provides better control and more consistent approach to governance, prioritization,
development funding and operations (Xerox);
• Develops a better working relationship and communications with the customer (Sikorsky);
• Provides for a consistent process for more effectively tracking progress, solving problems,
escalating issues and gate reviews (Cigna);
• Aligns initiatives and investments more directly with business strategy (GE);
• Improves governance, communications, visibility and risk mitigation for all constituents
(Robbins Gioia);
• Facilitates business and regulatory compliance with documentation and traceability as
evidence (Purdue Pharma);
• Increases our customer satisfaction by listening proactively to the customers and validating
requirements on an iterative and frequent basis (Johnson and Johnson);
• Reuse of consistent and repeatable processes helps to reduce time and costs and speeds up
higher-quality deliverables (IBM).
Seller: serenaesmee, Rijksuniversiteit Groningen