Plan and Organize
This domain covers strategy and tactics, and identifies the best ways for IT to contribute to the achievement of business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Define a Strategic IT Plan
IT strategic planning is required to manage and direct all IT resources in line with the business strategy and priorities. The IT function and business stakeholders are responsible for ensuring that optimal value is realized from project and service portfolios. The strategic plan improves key stakeholders’ understanding of IT opportunities and limitations, assesses current performance, identifies capacity and human resource requirements, and clarifies the level of investment required. The business strategy and priorities are to be reflected in portfolios and executed by the IT tactical plan(s), which specifies concise objectives, action plans and tasks that are understood and accepted by both business and IT.
IT Value Management
The processes of IT working with the business to ensure that the enterprise portfolio of IT-enabled investments have solid business cases that provide for transparent, repeatable and comparable evaluation, including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits. Providing effective, efficient and accountable delivery of the IT services with early warning of any deviations from plan, including cost, schedule or functionality.
Business - IT Alignment
Establish bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Assessment of Current Capability and Performance
Establish a baseline of capabilities and performance against which future requirements can be compared. Define performance in terms of IT’s contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Strategic Plan
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise’s strategic objectives and related costs and risks. The strategic plan should be sufficiently detailed to allow for the definition of tactical IT plans.
IT Tactical Plan
Create a portfolio of tactical IT plans describing IT-enabled investments that are derived from the IT strategic plan. Actively manage the set of tactical IT plans and initiatives through analysis of project and service portfolios.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Portfolio Management
Joint management of IT and the business of the portfolio of IT-enabled investments required to achieve specific strategic business objectives. Processes include identifying, defining, evaluating, prioritizing, selecting, initiating, managing and controlling investments and projects.
Define the Information Architecture
The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimize the use of this information. This encompasses the development of a corporate data dictionary with the organization’s data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of data and to enhance the effectiveness and control of sharing information across applications and entities.
Enterprise Information Architecture Model
Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with business and IT plans. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.
Enterprise Data Dictionary and Data Syntax Rules
Maintain an enterprise data dictionary that incorporates the organization’s data syntax rules. This dictionary should enable the sharing of data elements among applications and systems, promote a common understanding of data among IT and business users, and prevent incompatible data elements from being created.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Data Classification Scheme
Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.
Integrity Management
Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Determine Technological Direction
The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.
Technological Direction Planning
Analyze existing and emerging technologies, and plan which technological direction is appropriate to realize the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Technology Infrastructure Plan
Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Monitor Future Trends and Regulations
Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Technology Standards
To provide consistent, effective and secure technological solutions enterprise-wide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks and compliance with external requirements.
IT Architecture Board
Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements.
Define the IT Processes, Organization and Relationships
An IT organization is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organization is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
IT Process Framework
Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration among the processes that are specific to IT, enterprise portfolio management, business processes and business change processes, and be integrated into a quality management system (QMS) and the internal control framework.
IT Strategy Committee
Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Steering Committee
Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
- Determine prioritization of IT-enabled investments in line with the enterprise’s business strategy and priorities
- Track status of projects and resolve resource conflict
- Monitor service levels and service improvements
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Organizational Placement of the IT Function
Place the IT function in the overall organizational structure so as to emphasize the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Organizational Structure
Establish an internal and external IT organizational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organizational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Establishment of Roles and Responsibilities
Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organization’s needs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organizational placement and the responsibilities and size of the QA group satisfy the requirements of the organization.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for Risk, Security and Compliance
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organization-wide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Data and System Ownership
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
Supervision
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Key IT Personnel
Define and identify key IT personnel, and minimize reliance on a single individual performing a critical job function.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Contracted Staff Policies and Procedures
Ensure that consultants and contract personnel who support the IT function know and comply with the organization’s policies for the protection of the organization’s information assets such that they meet agreed-upon contractual requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage the IT Investment
A framework is established and maintained to manage IT-enabled investment programs, encompassing cost, benefits, prioritization within budget, a formal budgeting process and management against the budget. Stakeholders are consulted to identify and control the total costs and benefits within the context of the IT strategic and tactical plans, and initiate corrective action where needed. The process fosters partnership between IT and business stakeholders; enables the effective and efficient use of IT resources; and provides transparency and accountability into the total cost of ownership (TCO), the realization of business benefits and the ROI of IT-enabled investments.
Financial Management Framework
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT-enabled investments, business cases and IT budgets.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Prioritization Within IT Budget
Implement a decision-making process to prioritize the allocation of IT resources for operations, projects and maintenance to maximize IT’s contribution to optimizing the return on the enterprise’s portfolio of IT-enabled investments.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Budgeting
Establish and implement practices to prepare a budget reflecting the priorities established by the enterprise’s portfolio of IT-enabled investments, and including the ongoing costs of operating and maintaining the current infrastructure. The practices should support development of an overall IT budget as well as development of budgets for individual IT services. The practices should allow for ongoing review, refinement and approval of the overall budget and the budgets for individual IT services.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Cost Management
Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations should be assessed. Together with the business sponsor of those costed services, appropriate remedial action should be taken and, if necessary, the service business case should be updated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Benefit Management
Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT’s contribution to the business, either as a component of IT-enabled investments or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Reports should be reviewed and, where there are opportunities to improve IT’s contribution, appropriate actions should be defined and taken. Where changes in IT’s contribution impact the service or where changes to other related projects impact the service, the service business case should be updated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Communicate Management Aims and Direction
Management develops an enterprise IT control framework and defines and communicates policies. An ongoing communication program is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of IT objectives and ensures awareness and understanding of business and IT risks, objectives and direction. The process ensures compliance with relevant laws and regulations.
IT Policy and Control Environment
Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery while managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Enterprise IT Risk and Control Framework
Develop and maintain a framework that defines the enterprise’s overall approach to IT risk and control and that aligns with the IT policy and control environment and the enterprise risk and control framework.
IT Policies Management
Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.
Policy, Standard and Procedures Rollout
Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Communication of IT Objectives and Direction
Communicate awareness and understanding of business and IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage IT Human Resources
A competent workforce is acquired and maintained for the creation and delivery of IT services to the business. This is achieved by following defined and agreed-upon practices supporting recruiting, training, evaluating performance, promoting and terminating. This process is critical, as people are important assets, and governance and the internal control environment are heavily dependent on the motivation and competence of personnel.
Personnel Recruitment and Retention
Maintain IT personnel recruitment processes in line with the overall organization’s personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organization has an appropriately deployed IT workforce with the skills necessary to achieve organizational goals.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Personnel Competencies
Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programs where appropriate.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Staffing of Roles
Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position and extent of responsibilities assigned.
Personnel Training
Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.
Dependence Upon Individuals
Minimize the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Personnel Clearance Procedures
Include background checks in the IT recruitment process. The extent and frequency of periodic reviews of these checks should depend on the sensitivity and/or criticality of the function and should be applied for employees, contractors and vendors.
Employee Job Performance Evaluation
Require a timely evaluation to be performed on a regular basis against individual objectives derived from the organization’s goals, established standards and specific job responsibilities. Employees should receive coaching on performance and conduct whenever appropriate.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer should be arranged, responsibilities reassigned and access rights removed such that risks are minimized and continuity of the function is guaranteed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Manage Quality
A QMS is developed and maintained that includes proven development and acquisition processes and standards. This is enabled by planning, implementing and maintaining the QMS by providing clear quality requirements, procedures and policies. Quality requirements are stated and communicated in quantifiable and achievable indicators. Continuous improvement is achieved by ongoing monitoring, analysis and acting upon deviations, and communicating results to stakeholders. Quality management is essential to ensure that IT is delivering value to the business, continuous improvement and transparency for stakeholders.
Quality Management System
Establish and maintain a QMS that provides a standard, formal and continuous approach regarding quality management that is aligned with business requirements. The QMS should identify quality requirements and criteria; key IT processes and their sequence and interaction; and the policies, criteria and methods for defining, detecting, correcting and preventing non-conformity. The QMS should define the organizational structure for quality management, covering the roles, tasks and responsibilities. All key areas should develop their quality plans in line with criteria and policies and record quality data. Monitor and measure the effectiveness and acceptance of the QMS, and improve it when needed.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Standards and Quality Practices
Identify and maintain standards, procedures and practices for key IT processes to guide the organization in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organization’s quality practices.
Development and Acquisition Standards
Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary design standards; user interface standards; interoperability; system performance efficiency; scalability; standards for development and testing; validation against requirements; test plans; and unit, regression and integration testing.
Customer Focus
Focus quality management on customers by determining their requirements and aligning them to the IT standards and practices. Define roles and responsibilities concerning conflict resolution between the user/customer and the IT organization.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Continuous Improvement
Maintain and regularly communicate an overall quality plan that promotes continuous improvement.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Quality Measurement, Monitoring and Review
Define, plan and implement measurements to monitor continuing compliance to the QMS, as well as the value the QMS provides. Measurement, monitoring and recording of information should be used by the process owner to take appropriate corrective and preventive actions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Assess and Manage IT Risks
A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organization caused by an unplanned event is identified, analyzed and assessed. Risk mitigation strategies are adopted to minimize residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.
IT Risk Management Framework
Establish an IT risk management framework that is aligned to the organization’s (enterprise’s) risk management framework.
Establishment of Risk Context
Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Event Identification
Identify events (an important realistic threat that exploits a significant applicable vulnerability) with a potential negative impact on the goals or operations of the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. Determine the nature of the impact and maintain this information. Record and maintain relevant risks in a risk registry.
Risk Assessment
Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.
Risk Response
Develop and maintain a risk response process designed to ensure that cost-effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.
Maintenance and Monitoring of a Risk Action Plan
Prioritize and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
Manage Projects
A program and project management framework for the management of all IT projects is established. The framework ensures the correct prioritization and co-ordination of all projects. The framework includes a master plan, assignment of resources, definition of deliverables, approval by users, a phased approach to delivery, QA, a formal test plan, and testing and post-implementation review after installation to ensure project risk management and value delivery to the business. This approach reduces the risk of unexpected costs and project cancellations, improves communications to and involvement of business and end users, ensures the value and quality of project deliverables, and maximizes their contribution to IT-enabled investment programs.
Program Management Framework
Maintain the program of projects, related to the portfolio of IT-enabled investments. Co-ordinate the activities and interdependencies of multiple projects, manage the contribution of all the projects within the program to expected outcomes, and resolve resource requirements and conflicts.
Project Management Framework
Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the method to be adopted and applied to each project undertaken. The framework and supporting method should be integrated with the program management processes.
Project Management Approach
Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The project governance structure can include the roles, responsibilities and accountabilities of the program sponsor, project sponsors, steering committee, project office and project manager, and the mechanisms through which they can meet those responsibilities (such as reporting and stage reviews). Make sure all IT projects have sponsors with sufficient authority to own the execution of the project within the overall strategic program.
Stakeholder Commitment
Obtain commitment and participation from the affected stakeholders in the definition and execution of the project within the context of the overall IT-enabled investment program.
Project Scope Statement
Define and document the nature and scope of the project to confirm and develop amongst stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally approved by the program and project sponsors before project initiation.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Phase Initiation
Approve the initiation of each major project phase and communicate it to all stakeholders. Base the approval of the initial phase on program governance decisions. Approval of subsequent phases should be based on review and acceptance of the deliverables of the previous phase, and approval of an updated business case at the next major review of the program. In the event of overlapping project phases, an approval point should be established by program and project sponsors to authorize project progression.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Integrated Project Plan
Establish a formal, approved integrated project plan (covering business and information systems resources) to guide project execution and control throughout the life of the project. The activities and interdependencies of multiple projects within a program should be understood and documented. The project plan should be maintained throughout the life of the project. The project plan, and changes to it, should be approved in line with the program and project governance framework.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Resources
Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned and managed to achieve project objectives using the organization’s procurement practices.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Risk Management
Eliminate or minimize specific risks associated with individual projects through a systematic process of planning, identifying, analyzing, responding to, monitoring and controlling the areas or events that have the potential to cause unwanted change. Risks faced by the project management process and the project deliverable should be established and centrally recorded.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Quality Plan
Prepare a quality management plan that describes the project quality system and how it will be implemented. The plan should be formally reviewed and agreed to by all parties concerned and then incorporated into the integrated project plan.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Change Control
Establish a change control system for each project, so all changes to the project baseline (e.g., cost, schedule, scope, quality) are appropriately reviewed, approved and incorporated into the integrated project plan in line with the program and project governance framework.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Project Planning of Assurance Methods
Identify assurance tasks required to support the accreditation of new or modified systems during project planning, and include them in the integrated project plan. The tasks should provide assurance that internal controls and security features meet the defined requirements.
Project Performance Measurement, Reporting and Monitoring
Measure project performance against key project performance criteria: scope, schedule, quality, cost and risk. Identify any deviations from the plan. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. Recommend, implement and monitor remedial action, when required, in line with the program and project governance framework.
Project Closure
Require that, at the end of each project, the project stakeholders ascertain whether the project delivered the planned results and benefits. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects and programs.