How do you implement an IT governance program?
The easiest way is to start with a framework that's been created
by industry experts and used by thousands of organizations. Many
frameworks include implementation guides to help organizations
phase in an IT governance program with fewer speed bumps.
The most commonly used frameworks are:
- COBIT: Published by ISACA, COBIT is a
comprehensive framework of "globally accepted practices, analytical
tools and models" designed for the governance and management of
enterprise IT. With its roots in IT auditing, ISACA expanded
COBIT's scope over the years to fully support IT governance. The
latest version is COBIT 5, which is widely used by organizations
focused on risk management and mitigation.
- ITIL: Formerly an acronym for Information
Technology Infrastructure Library, ITIL focuses on IT service
management. It aims to ensure that IT services support core
processes of the business. ITIL comprises five sets of management
best practices for service strategy, design, transition (such as
change management), operation and continual service
improvement.
- COSO: This model for evaluating internal
controls is from the Committee of Sponsoring Organizations of the
Treadway Commission (COSO). COSO's focus is less IT-specific than
the other frameworks, concentrating more on business aspects like
enterprise risk management (ERM) and fraud deterrence.
- CMMI: The Capability Maturity Model
Integration method, developed by the Software Engineering
Institute, is an approach to performance improvement. CMMI uses a
scale of 1 to 5 to gauge an organization's performance, quality and
profitability maturity level. According to Calatayud, "allowing for
mixed mode and objective measurements to be inserted is critical in
measuring risks that are qualitative in nature."
- FAIR: Factor Analysis of Information Risk
(FAIR) is a relatively new model that helps organizations quantify
risk. The focus is on cyber security and operational risk, with the
goal of making more well-informed decisions. Although it's newer
than other frameworks mentioned here, Calatayud points out that
it's already gained a lot of traction with Fortune 500
companies.
How do I choose which framework to use?
Most IT governance frameworks are designed to help you determine
how your company's IT department is functioning overall, what key
metrics management needs, and what return IT is giving the
business on its investment.
- If your organization mainly focuses on risk management, COBIT or
COSO should be your choice.
- If your organization mainly focuses on its services and
operations, ITIL should be your choice.
- If your organization mainly focuses on software engineering,
hardware development, service delivery and purchasing, CMMI should
be your choice.
- If your organization's focus is assessing operational and cyber
security risks, choose FAIR.