Enterprise Policies, Standards, and Guidelines
Introduction
This site contains the currently published State of Georgia enterprise policies, standards and guidelines (PSGs).
PSGs in this website are organized following the controls framework advanced by the IT Governance Institute in a publication entitled Control Objectives for Information and related Technology (COBIT) version 4.1. COBIT provides good practices across a process framework in a manageable and logical structure. The State of Georgia enterprise policies, standards and guidelines are mapped to the COBIT framework and can be browsed through the full index on this site. Where the State of Georgia has not published specific PSGs, the framework entry will be so noted.
Working definitions for the terms "policy", "standard" and "guideline" as used by the Georgia Technology Authority (GTA) are as follows:
- Policy – A general or high level statement of a direction, purpose, principle, process, method, or procedure for managing technology and technology resources.
- Standard – A prescribed or proscribed specification, approach, directive, procedure, solution, methodology, product or protocol which must be followed.
- Guideline – Similar to either a standard or a policy, in that it outlines a specific principle, direction, directive, specification, or procedure, but not binding. A guideline is a recommended course of action.
Plan and Organize
This domain covers strategy and tactics, and identifies the best ways for IT to contribute to the achievement of business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realized from project and service portfolios. The strategic plan improves key stakeholders’ understanding of IT opportunities and limitations, assesses current performance, identifies capacity and human resource requirements, and clarifies the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which specifies concise objectives, action plans and tasks that are understood and accepted by both business and IT.
IT Value Management
IT works with the business to ensure that the enterprise portfolio of IT-enabled investments has solid business cases that provide for transparent, repeatable and comparable evaluation, including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits. IT services are delivered effectively, efficiently and accountably, with early warning of any deviations from plan, including cost, schedule or functionality.
Business - IT Alignment
Establish bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Assessment of Current Capability and Performance
Establish a baseline of capabilities and performance against which future requirements can be compared. Define performance in terms of IT’s contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Strategic Plan
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise’s strategic objectives and related costs and risks. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.
IT Tactical Plan
Create a portfolio of tactical IT plans describing IT-enabled investments that are derived from the IT strategic plan. Actively manage the set of tactical IT plans and initiatives through analysis of project and service portfolios.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Portfolio Management
IT and the business jointly manage the portfolio of IT-enabled investments required to achieve specific strategic business objectives. The process includes identifying, defining, evaluating, prioritizing, selecting, initiating, managing and controlling investments and projects.
Define the Information Architecture
The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimize the use of this information. This encompasses the development of a corporate data dictionary with the organization’s data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.
Enterprise Information Architecture Model
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with business and IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
Enterprise Data Dictionary and Data Syntax Rules
Maintain an enterprise data dictionary that incorporates the organization’s data syntax rules. This dictionary should enable the sharing of data elements among applications and systems, promote a common understanding of data among IT and business users, and prevent incompatible data elements from being created.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
Integrity Management
Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Determine Technological Direction
The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.
Technological Direction Planning
Analyze existing and emerging technologies, and plan which technological direction is appropriate to realize the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Technology Infrastructure Plan
Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Monitor Future Trends and Regulations
Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Technology Standards
To provide consistent, effective and secure technological solutions enterprise-wide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks and compliance with external requirements.
IT Architecture Board
Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements.
Define the IT Processes, Organization and Relationships
An IT organization is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organization is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
IT Process Framework
Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration among the processes that are specific to IT, enterprise portfolio management, business processes and business change processes, and be integrated into a quality management system (QMS) and the internal control framework.
IT Strategy Committee
Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Steering Committee
Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
- Determine prioritization of IT-enabled investments in line with the enterprise’s business strategy and priorities
- Track status of projects and resolve resource conflict
- Monitor service levels and service improvements
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Organizational Placement of the IT Function
Place the IT function in the overall organizational structure so as to emphasize the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Organizational Structure
Establish an internal and external IT organizational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organizational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Establishment of Roles and Responsibilities
Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organization’s needs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organizational placement and the responsibilities and size of the QA group satisfy the requirements of the organization.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for Risk, Security and Compliance
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organization-wide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Data and System Ownership
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
Supervision
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Key IT Personnel
Define and identify key IT personnel, and minimize reliance on a single individual performing a critical job function.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Contracted Staff Policies and Procedures
Ensure that consultants and contract personnel who support the IT function know and comply with the organization’s policies for the protection of the organization’s information assets such that they meet agreed-upon contractual requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage the IT Investment
A framework is established and maintained to manage IT-enabled investment programs; it encompasses cost, benefits, prioritization within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and corrective action is initiated where needed. The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership (TCO), the realization of business benefits and the ROI of IT-enabled investments.
Financial Management Framework
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Prioritization Within IT Budget
Implement a decision-making process to prioritize the allocation of IT resources for operations, projects and maintenance to maximize IT’s contribution to optimizing the return on the enterprise’s portfolio of IT-enabled investments.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Budgeting
Establish and implement practices to prepare a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investments, and including the ongoing costs of operating and maintaining the current infrastructure. The practices should support development of an overall IT budget as well as development of budgets for individual IT services. The practices should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual IT services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Cost Management
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations should be assessed. Together with the business sponsor of those costed services, appropriate remedial action should be taken and, if necessary, the service business case should be updated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Benefit Management
Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT’s contribution to the business, either as a component of IT-enabled investments or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the service or where changes to other related projects impact the service, the service business case should be updated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Communicate Management Aims and Direction
Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication program is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations.
IT Policy and Control Environment
Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery while managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Enterprise IT Risk and Control Framework
Develop and maintain a framework that defines the enterprise’s overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.
IT Policies Management
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.
Policy, Standard and Procedures Rollout
Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Communication of IT Objectives and Direction
Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage IT Human Resources
A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical, as people are important assets, and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.
Personnel Recruitment and Retention
Maintain IT personnel recruitment processes in line with the overall organization’s personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organization has an appropriately deployed IT workforce with the skills necessary to achieve organizational goals.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Personnel Competencies
Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programs where appropriate.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Staffing of Roles
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.
Dependence Upon Individuals
Minimize the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Personnel Clearance Procedures
Include background checks in the IT recruitment process. The extent and frequency of periodic reviews of these checks should depend on the sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.
Employee Job Performance Evaluation
Require a timely evaluation to be performed on a regular basis against individual objectives derived from the organization’s goals, established standards and specific job responsibilities. Employees should receive coaching on performance and conduct whenever appropriate.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimized and continuity of the function is guaranteed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage Quality
A QMS is developed and maintained that includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the QMS by providing clear quality requirements, procedures and policies. Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.
Quality Management System
Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria and methods for defining, detecting, correcting and preventing non-conformity. The QMS should define the organizational structure for quality management, covering the roles, tasks and responsibilities. All key areas should develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and acceptance of the QMS, and improve it when needed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Standards and Quality Practices
Identify and maintain standards, procedures and practices for key IT processes to guide the organization in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organization’s quality practices.
Development and Acquisition Standards
Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit, regression and integration testing.
Customer Focus
Focus quality management on customers by determining their requirements and aligning them to the IT standards and practices. Define roles and responsibilities concerning conflict resolution between the user/customer and the IT organization.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Continuous Improvement
Maintain and regularly communicate an overall quality plan that promotes continuous improvement.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Quality Measurement, Monitoring and Review
Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Assess and Manage IT Risks
A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organization caused by an unplanned event is identified, analyzed and assessed. Risk mitigation strategies are adopted to minimize residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.
IT Risk Management Framework
Establish an IT risk management framework that is aligned to the organization’s (enterprise’s) risk management framework.
Establishment of Risk Context
Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Event Identification
Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.
Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.
Risk Response
Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.
Maintenance and Monitoring of a Risk Action Plan
Prioritize and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
Manage Projects
A program and project management framework for the management of all IT projects is established. The framework ensures the correct prioritization and co-ordination of all projects. The framework includes a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, QA, a formal test plan, and testing and post-implementation review after installation to ensure project risk management and value delivery to the business. This approach reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end users, ensures the value and quality of project deliverables, and maximizes their contribution to IT-enabled investment programs.
Program Management Framework
Maintain the program of projects, related to the portfolio of IT-enabled investments. Co-ordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the program to expected outcomes, and resolve resource requirements and conflicts.
Project Management Framework
Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the method to be adopted and applied to each project undertaken. The framework and supporting method should be integrated with the program management processes.
Project Management Approach
Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The project governance structure can include the roles, responsibilities and accountabilities of the program sponsor, project sponsors, steering committee, project office and project manager, and the mechanisms through which they can meet those responsibilities (such as reporting and stage reviews). Make sure all IT projects have sponsors with sufficient authority to own the execution of the project within the overall strategic program.
Stakeholder Commitment
Obtain commitment and participation from the affected stakeholders in the definition and execution of the project within the context of the overall IT-enabled investment program.
Project Scope Statement
Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally approved by the program and project sponsors before project initiation.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Phase Initiation
Approve the initiation of each major project phase and communicate it to all stakeholders. Base the approval of the initial phase on program governance decisions. Approval of subsequent phases should be based on review and acceptance of the deliverables of the previous phase, and approval of an updated business case at the next major review of the program. In the event of overlapping project phases, an approval point should be established by program and project sponsors to authorize project progression.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Integrated Project Plan
Establish a formal, approved integrated project plan (covering business and information systems resources) to guide project execution and control throughout the life of the project. The activities and interdependencies of multiple projects within a program should be understood and documented. The project plan should be maintained throughout the life of the project. The project plan, and changes to it, should be approved in line with the program and project governance framework.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Resources
Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned and managed to achieve project objectives using the organization’s procurement practices.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Risk Management
Eliminate or minimize specific risks associated with individual projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks faced by the project management process and the project deliverable should be established and centrally recorded.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Quality Plan
Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Change Control
Establish a change control system for each project, so all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the program and project governance framework.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Project Planning of Assurance Methods
Identify assurance tasks required to support the accreditation of new or modified systems during project planning, and include them in the integrated project plan. The tasks should provide assurance that internal controls and security features meet the defined requirements.
Project Performance Measurement, Reporting and Monitoring
Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. Identify any deviations from the plan. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. Recommend, implement and monitor remedial action, when required, in line with the program and project governance framework.
Project Closure
Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects and programs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Acquire and Implement
To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?
Identify Automated Solutions
The need for a new application or function requires analysis before acquisition or creation to ensure that business requirements are satisfied in an effective and efficient approach. This process covers the definition of the needs, consideration of alternative sources, review of technological and economic feasibility, execution of a risk analysis and cost-benefit analysis, and conclusion of a final decision to ‘make’ or ‘buy’. All these steps enable organizations to minimize the cost to acquire and implement solutions while ensuring that they enable the business to achieve its objectives.
Definition and Maintenance of Business Functional and Technical Requirements
Identify, prioritize, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment program.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Risk Analysis Report
Identify, document and analyze risks associated with the business requirements and solution design as part of the organization’s process for the development of requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Feasibility Study and Formulation of Alternative Courses of Action
Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Requirements and Feasibility Decision and Approval
Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approach.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Acquire and Maintain Application Software
Applications are made available in line with business requirements. This process covers the design of the applications, the proper inclusion of application controls and security requirements, and the development and configuration in line with standards. This allows organizations to properly support business operations with the correct automated applications.
High-level Design
Translate business requirements into a high-level design specification for software acquisition, taking into account the organization’s technological direction and information architecture. Have the design specifications approved by management to ensure that the high-level design responds to the requirements. Reassess when significant technical or logical discrepancies occur during development or maintenance.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Detailed Design
Prepare detailed design and technical software application requirements. Define the criteria for acceptance of the requirements. Have the requirements approved to ensure that they correspond to the high-level design. Perform reassessment when significant technical or logical discrepancies occur during development or maintenance.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Application Control and Auditability
Implement business controls, where appropriate, into automated application controls such that processing is accurate, complete, timely, authorized and auditable.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Application Security and Availability
Address application security and availability requirements in response to identified risks and in line with the organization’s data classification, information architecture, information security architecture and risk tolerance.
Configuration and Implementation of Acquired Application Software
Configure and implement acquired application software to meet business objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Major Upgrades to Existing Systems
In the event of major changes to existing systems that result in significant change in current designs and/or functionality, follow a similar development process as that used for the development of new systems.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Development of Application Software
Ensure that automated functionality is developed in accordance with design specifications, development and documentation standards, QA requirements, and approval standards. Ensure that all legal and contractual aspects are identified and addressed for application software developed by third parties.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Software Quality Assurance
Develop, resource and execute a software QA plan to obtain the quality specified in the requirements definition and the organization’s quality policies and procedures.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Applications Requirements Management
Track the status of individual requirements (including all rejected requirements) during the design, development and implementation, and approve changes to requirements through an established change management process.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Application Software Maintenance
Develop a strategy and plan for the maintenance of software applications.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Acquire and Maintain Technology Infrastructure
Organizations have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.
Technological Infrastructure Acquisition Plan
Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organization’s technology direction.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organization’s change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Feasibility Test Environment
Establish development and test environments to support effective and efficient feasibility and integration testing of infrastructure components.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Enable Operation and Use
Knowledge about new systems is made available. This process requires the production of documentation and manuals for users and IT, and provides training to ensure the proper use and operation of applications and infrastructure.
Planning for Operational Solutions
Develop a plan to identify and document all technical, operational and usage aspects such that all those who will operate, use and maintain the automated solutions can exercise their responsibility.
Knowledge Transfer to Business Management
Transfer knowledge to business management to allow those individuals to take ownership of the system and data, and exercise responsibility for service delivery and quality, internal control, and application administration.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Knowledge Transfer to End Users
Transfer knowledge and skills to allow end users to effectively and efficiently use the system in support of business processes.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Knowledge Transfer to Operations and Support Staff
Transfer knowledge and skills to enable operations and technical support staff to effectively and efficiently deliver, support and maintain the system and associated infrastructure.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Procure IT Resources
IT resources, including people, hardware, software and services, need to be procured. This requires the definition and enforcement of procurement procedures, the selection of vendors, the setup of contractual arrangements, and the acquisition itself. Doing so ensures that the organization has all required IT resources in a timely and cost-effective manner.
Procurement Control
Develop and follow a set of procedures and standards that is consistent with the business organization’s overall procurement process and acquisition strategy to acquire IT-related infrastructure, facilities, hardware, software and services needed by the business.
Supplier Contract Management
Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organizational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty clauses). All contracts and contract changes should be reviewed by legal advisers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Selection
Select suppliers according to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimized with input from potential suppliers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Resources Acquisition
Protect and enforce the organization’s interests in all acquisition contractual agreements, including the rights and obligations of all parties in the contractual terms for the acquisition of software, development resources, infrastructure and services.
Manage Changes
All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.
Change Standards and Procedures
Set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
Impact Assessment, Prioritization and Authorization
Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorized, prioritized and authorized.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Emergency Changes
Establish a process for defining, raising, testing, documenting, assessing and authorizing emergency changes that do not follow the established change process.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Change Status Tracking and Reporting
Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Change Closure and Documentation
Whenever changes are implemented, update the associated system and user documentation and procedures accordingly.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Install and Accredit Solutions and Changes
New systems need to be made operational once development is complete. This requires proper testing in a dedicated environment with relevant test data, definition of rollout and migration instructions, release planning and actual promotion to production, and a post-implementation review. This assures that operational systems are in line with the agreed-upon expectations and outcomes.
Training
Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Test Plan
Establish a test plan based on organization-wide standards that defines roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Implementation Plan
Establish an implementation and fallback/backout plan. Obtain approval from relevant parties.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Test Environment
Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads.
System and Data Conversion
Plan data conversion and infrastructure migration as part of the organization’s development methods, including audit trails, rollbacks and fallbacks.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Testing of Changes
Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure that the plan considers security and performance.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Final Acceptance Test
Ensure that business process owners and IT stakeholders evaluate the outcome of the testing process as determined by the test plan. Remediate significant errors identified in the testing process, having completed the suite of tests identified in the test plan and any necessary regression tests. Following evaluation, approve promotion to production.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Promotion to Production
Following testing, control the handover of the changed system to operations, keeping it in line with the implementation plan. Obtain approval of the key stakeholders, such as users, system owner and operational management. Where appropriate, run the system in parallel with the old system for a while, and compare behavior and results.
Post-Implementation Review
Establish procedures in line with the organizational change management standards to require a post-implementation review as set out in the implementation plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Deliver and Support
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?
Define and Manage Service Levels
Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment between IT services and the related business requirements.
Service Level Management Framework
Define a framework that provides a formalized service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources. These attributes should be organized in a service catalogue. The framework should define the organizational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Definition of Services
Base definitions of IT services on service characteristics and business requirements. Ensure that they are organized and stored centrally via the implementation of a service catalogue portfolio approach.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Service Level Agreements
Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA. Consider items such as availability, reliability, performance, capacity for growth, levels of support, continuity planning, security and demand constraints.
Operating Level Agreements
Define OLAs that explain how the services will be technically delivered to support the SLA(s) in an optimal manner. The OLAs should specify the technical processes in terms meaningful to the provider and may support several SLAs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitoring and Reporting of Service Level Achievements
Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analyzed and acted upon to identify negative and positive trends for individual services as well as for services overall.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Review of Service Level Agreements and Contracts
Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective, up to date and that changes in requirements have been taken into account.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Third-Party Services
The need to assure that services provided by third parties (suppliers, vendors and partners) meet business requirements requires an effective third-party management process. This process is accomplished by clearly defining the roles, responsibilities and expectations in third-party agreements as well as reviewing and monitoring such agreements for effectiveness and compliance. Effective management of third-party services minimizes the business risk associated with non-performing suppliers.
Identification of All Supplier Relationships
Identify all supplier services, and categorize them according to supplier type, significance and criticality. Maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Relationship Management
Formalize the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs).
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Risk Management
Identify and mitigate risks relating to suppliers’ ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further consider non-disclosure agreements (NDAs), escrow contracts, continued supplier viability, conformance with security requirements, alternative suppliers, penalties and rewards, etc.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supplier Performance Monitoring
Establish a process to monitor service delivery to ensure that the supplier is meeting current business requirements and continuing to adhere to the contract agreements and SLAs, and that performance is competitive with alternative suppliers and market conditions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Performance and Capacity
The need to manage performance and capacity of IT resources requires a process to periodically review current performance and capacity of IT resources. This process includes forecasting future needs based on workload, storage and contingency requirements. This process provides assurance that information resources supporting business requirements are continually available.
Performance and Capacity Planning
Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modeling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Current Performance and Capacity
Assess current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against agreed-upon service levels.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Future Performance and Capacity
Conduct performance and capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input to performance and capacity plans.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Resources Availability
Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritizing tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should ensure that contingency plans properly address availability, capacity and performance of individual IT resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitoring and Reporting
Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes:
- To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition
- To report delivered service availability to the business, as required by the SLAs
Accompany all exception reports with recommendations for corrective action.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Ensure Continuous Service
The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilizing offsite backup storage and providing periodic continuity plan training. An effective continuous service process minimizes the probability and impact of a major IT service interruption on key business functions and processes.
IT Continuity Framework
Develop a framework for IT continuity to support enterprise-wide business continuity management using a consistent process. The objective of the framework should be to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the planning processes that create the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, noting key dependencies, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.
IT Continuity Plans
Develop IT continuity plans based on the framework and designed to reduce the impact of a major disruption on key business functions and processes. The plans should be based on risk understanding of potential business impacts and address requirements for resilience, alternative processing and recovery capability of all critical IT services. They should also cover usage guidelines, roles and responsibilities, procedures, communication processes, and the testing approach.
Critical IT Resources
Focus attention on items specified as most critical in the IT continuity plan to build in resilience and establish priorities in recovery situations. Avoid the distraction of recovering less-critical items and ensure response and recovery in line with prioritized business needs, while ensuring that costs are kept at an acceptable level and complying with regulatory and contractual requirements. Consider resilience, response and recovery requirements for different tiers, e.g., one to four hours, four to 24 hours, more than 24 hours and critical business operational periods.
Maintenance of the IT Continuity Plan
Encourage IT management to define and execute change control procedures to ensure that the IT continuity plan is kept up to date and continually reflects actual business requirements. Communicate changes in procedures and responsibilities clearly and in a timely manner.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Testing of the IT Continuity Plan
Test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting of test results and, according to the results, implementation of an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Continuity Plan Training
Provide all concerned parties with regular training sessions regarding the procedures and their roles and responsibilities in case of an incident or disaster. Verify and enhance training according to the results of the contingency tests.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Distribution of the IT Continuity Plan
Determine that a defined and managed distribution strategy exists to ensure that plans are properly and securely distributed and available to appropriately authorized interested parties when and where needed. Attention should be paid to making the plans accessible under all disaster scenarios.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Services Recovery and Resumption
Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and the necessary technology investments to support business recovery and resumption needs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Offsite Backup Storage
Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond to the data classification policy and the enterprise’s media storage practices. IT management should ensure that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Ensure compatibility of hardware and software to restore archived data, and periodically test and refresh archived data.
Post-resumption Review
Determine whether IT management has established procedures for assessing the adequacy of the plan in regard to the successful resumption of the IT function after a disaster, and update the plan accordingly.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Ensure Systems Security
The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents. Effective security management protects all IT assets to minimize the business impact of security vulnerabilities and incidents.
Management of IT Security
Manage IT security at the highest appropriate organizational level, so the management of security actions is in line with business requirements.
IT Security Plan
Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.
Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
Protection of Security Technology
Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Cryptographic Key Management
Determine that policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Malicious Software Prevention, Detection and Correction
Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
Network Security
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
Exchange of Sensitive Data
Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
Identify and Allocate Costs
The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement of IT costs and agreement with business users on fair allocation. This process includes building and operating a system to capture, allocate and report IT costs to the users of services. A fair system of allocation enables the business to make more informed decisions regarding the use of IT services.
Definition of Services
Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
IT Accounting
Capture and allocate actual costs according to the enterprise cost model. Variances between forecasts and actual costs should be analyzed and reported on, in compliance with the enterprise’s financial measurement systems.
Cost Modeling and Charging
Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Cost Model Maintenance
Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Educate and Train Users
Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group. In addition to identifying needs, this process includes defining and executing a strategy for effective training and measuring the results. An effective training program increases effective use of technology by reducing user errors, increasing productivity and increasing compliance with key controls, such as user security measures.
Identification of Education and Training Needs
Establish and regularly update a curriculum for each target group of employees considering:
• Current and future business needs and strategy
• Value of information as an asset
• Organizational values (ethical values, control and security culture, etc.)
• Implementation of new IT infrastructure and software (i.e., packages, applications)
• Current and future skills, competence profiles, and certification and/or credentialing needs as well as required reaccreditation
• Delivery methods (e.g., classroom, web-based), target group size, accessibility and timing
Delivery of Training and Education
Based on the identified education and training needs, identify target groups and their members, efficient delivery mechanisms, teachers, trainers, and mentors. Appoint trainers and organize timely training sessions. Record registration (including prerequisites), attendance and training session performance evaluations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Evaluation of Training Received
Evaluate education and training content delivery upon completion for relevance, quality, effectiveness, the retention of knowledge, cost and value. The results of this evaluation should serve as input for future curriculum definition and the delivery of training sessions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Service Desk and Incidents
Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process. This process includes setting up a service desk function with registration, incident escalation, trend and root cause analysis, and resolution. The business benefits include increased productivity through quick resolution of user queries. In addition, the business can address root causes (such as poor user training) through effective reporting.
Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyze all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritization of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Registration of Customer Queries
Establish a function and system to allow logging and tracking of calls, incidents, service requests and information needs. It should work closely with such processes as incident management, problem management, change management, capacity management and availability management. Incidents should be classified according to a business and service priority and routed to the appropriate problem management team, where necessary. Customers should be kept informed of the status of their queries.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Incident Escalation
Establish service desk procedures, so incidents that cannot be resolved immediately are appropriately escalated according to limits defined in the SLA and, if appropriate, workarounds are provided. Ensure that incident ownership and life cycle monitoring remain with the service desk for user-based incidents, regardless of which IT group is working on resolution activities.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Incident Closure
Establish procedures for the timely monitoring of clearance of customer queries. When the incident has been resolved, ensure that the service desk records the resolution steps, and confirm that the action taken has been agreed to by the customer. Also record and report unresolved incidents (known errors and workarounds) to provide information for proper problem management.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Reporting and Trend Analysis
Produce reports of service desk activity to enable management to measure service performance and service response times and to identify trends or recurring problems, so service can be continually improved.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage the Configuration
Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly.
Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Problems
Effective problem management requires the identification and classification of problems, root cause analysis and resolution of problems. The problem management process also includes the formulation of recommendations for improvement, maintenance of problem records and review of the status of corrective actions. An effective problem management process maximizes system availability, improves service levels, reduces costs, and improves customer convenience and satisfaction.
Identification and Classification of Problems
Implement processes to report and classify problems that have been identified as part of incident management. The steps involved in problem classification are similar to the steps in classifying incidents; they are to determine category, impact, urgency and priority. Categorize problems as appropriate into related groups or domains (e.g., hardware, software, support software). These groups may match the organizational responsibilities of the user and customer base, and should be the basis for allocating problems to support staff.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Problem Tracking and Resolution
Ensure that the problem management system provides for adequate audit trail facilities that allow tracking, analyzing and determining the root cause of all reported problems considering:
• All associated configuration items
• Outstanding problems and incidents
• Known and suspected errors
• Tracking of problem trends
Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process. Throughout the resolution process, problem management should obtain regular reports from change management on progress in resolving problems and errors. Problem management should monitor the continuing impact of problems and known errors on user services. In the event that this impact becomes severe, problem management should escalate the problem, perhaps referring it to an appropriate board to increase the priority of the RFC or to implement an urgent change as appropriate. Monitor the progress of problem resolution against SLAs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Problem Closure
Put in place a procedure to close problem records either after confirmation of successful elimination of the known error or after agreement with the business on how to alternatively handle the problem.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Integration of Configuration, Incident and Problem Management
Integrate the related processes of configuration, incident and problem management to ensure effective management of problems and enable improvements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Data
Effective data management requires identifying data requirements. The data management process also includes the establishment of effective procedures to manage the media library, backup and recovery of data, and proper disposal of media. Effective data management helps ensure the quality, timeliness and availability of business data.
Business Requirements for Data Management
Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs.
Storage and Retention Arrangements
Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organization’s security policy and regulatory requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Media Library Management System
Define and implement procedures to maintain an inventory of stored and archived media to ensure their usability and integrity.
Disposal
Define and implement procedures to ensure that business requirements for protection of sensitive data and software are met when data and hardware are disposed of or transferred.
Backup and Restoration
Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Security Requirements for Data Management
Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organization’s security policy and regulatory requirements.
Manage the Physical Environment
Protection for computer equipment and personnel requires well-designed and well-managed physical facilities. The process of managing the physical environment includes defining the physical site requirements, selecting appropriate facilities, and designing effective processes for monitoring environmental factors and managing physical access. Effective management of the physical environment reduces business interruptions from damage to computer equipment and personnel.
Site Selection and Layout
Define and select the physical sites for IT equipment to support the technology strategy linked to the business strategy. The selection and design of the layout of a site should take into account the risk associated with natural and man-made disasters, while considering relevant laws and regulations, such as occupational health and safety regulations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Physical Security Measures
Define and implement physical security measures in line with business requirements to secure the location and the physical assets. Physical security measures must be capable of effectively preventing, detecting and mitigating risks relating to theft, temperature, fire, smoke, water, vibration, terror, vandalism, power outages, chemicals or explosives.
Physical Access
Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
Protection against Environmental Factors
Design and implement measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Physical Facilities Management
Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Manage Operations
Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware. This process includes defining operating policies and procedures for effective management of scheduled processing, protecting sensitive output, monitoring infrastructure performance and ensuring preventive maintenance of hardware. Effective operations management helps maintain data integrity and reduces business delays and IT operating costs.
Operations Procedures and Instructions
Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to support agreed-upon service levels and ensure continuous operations.
Job Scheduling
Organize the scheduling of jobs, processes and tasks into the most efficient sequence, maximizing throughput and utilization to meet business requirements.
IT Infrastructure Monitoring
Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Sensitive Documents and Output Devices
Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special purpose printers or security tokens.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Preventive Maintenance for Hardware
Define and implement procedures to ensure timely maintenance of infrastructure to reduce the frequency and impact of failures or performance degradation.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitor and Evaluate
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity and availability controls in place for information security?
Monitor and Evaluate IT Performance
Effective IT performance management requires a monitoring process. This process includes defining relevant performance indicators, systematic and timely reporting of performance, and prompt acting upon deviations. Monitoring is needed to make sure that the right things are done and are in line with the set directions and policies.
Monitoring Approach
Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT’s solution and service delivery, and monitor IT’s contribution to the business. Integrate the framework with the corporate performance management system.
Definition and Collection of Monitoring Data
Work with the business to define a balanced set of performance targets and have them approved by the business and other relevant stakeholders. Define benchmarks with which to compare the targets, and identify available data to be collected to measure the targets. Establish processes to collect timely and accurate data to report on progress against targets.
Monitoring Method
Deploy a performance monitoring method (e.g., balanced scorecard) that records targets; captures measurements; provides a succinct, all-around view of IT performance; and fits within the enterprise monitoring system.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Performance Assessment
Periodically review performance against targets, analyze the cause of any deviations, and initiate remedial action to address the underlying causes. At appropriate times, perform root cause analysis across deviations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Board and Executive Reporting
Develop senior management reports on IT’s contribution to the business, specifically in terms of the performance of the enterprise’s portfolio, IT-enabled investment programs, and the solution and service deliverable performance of individual programs. Include in status reports the extent to which planned objectives have been achieved, budgeted resources used, set performance targets met and identified risks mitigated. Anticipate senior management’s review by suggesting remedial actions for major deviations. Provide the report to senior management, and solicit feedback from management’s review.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Remedial Actions
Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through:
• Review, negotiation and establishment of management responses
• Assignment of responsibility for remediation
• Tracking of the results of actions committed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Monitor and Evaluate Internal Control
Establishing an effective internal control program for IT requires a well-defined monitoring process. This process includes the monitoring and reporting of control exceptions, results of self-assessments and third-party reviews. A key benefit of internal control monitoring is to provide assurance regarding effective and efficient operations and compliance with applicable laws and regulations.
Monitoring of Internal Control Framework
Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Supervisory Review
Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Control Exceptions
Identify control exceptions, and analyze and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Control Self-assessment
Evaluate the completeness and effectiveness of management’s control over IT processes, policies and contracts through a continuing program of self-assessment.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Assurance of Internal Control
Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Internal Control at Third Parties
Assess the status of external service providers’ internal controls. Confirm that external service providers comply with legal and regulatory requirements and contractual obligations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Remedial Actions
Identify, initiate, track and implement remedial actions arising from control assessments and reporting.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Ensure Compliance with External Requirements
Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimizing and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT’s compliance reporting with the rest of the business.
Identification of External Legal, Regulatory and Contractual Compliance Requirements
Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organization’s IT policies, standards, procedures and methodologies.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Optimization of Response to External Requirements
Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Evaluation of Compliance with External Requirements
Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Positive Assurance of Compliance
Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Integrated Reporting
Integrate IT reporting on legal, regulatory and contractual requirements with similar output from other business functions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Provide IT Governance
Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
Establishment of an IT Governance Framework
Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the enterprise’s strategies and objectives. Report IT governance status and issues.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Strategic Alignment
Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the established governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between the business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Value Delivery
Manage IT-enabled investment programs and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood; that comprehensive and consistent business cases are created and approved by stakeholders; that assets and investments are managed throughout their economic life cycle; and that there is active management of the realization of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands. Enforce a disciplined approach to portfolio, program and project management, insisting that the business takes ownership of all IT-enabled investments and IT ensures optimization of the costs of delivering IT capabilities and services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Resource Management
Oversee the investment, use and allocation of IT resources through regular assessments of IT initiatives and operations to ensure appropriate resourcing and alignment with current and future strategic objectives and business imperatives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Risk Management
Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. Embed risk management responsibilities into the organization, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Performance Measurement
Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management’s remedial action. Report to the board relevant portfolios, program and IT performance, supported by reports to enable senior management to review the enterprise’s progress toward identified goals.
There are no PSGs published for this topic; however, the topic is under review for future PSGs
Independent Assurance
Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organization’s policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT.