Define the IT Processes, Organization and Relationships
An IT organization is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organization is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritization of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
IT Process Framework
Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It should provide integration among the processes that are specific to IT, enterprise portfolio management, business processes and business change processes, and be integrated into a quality management system (QMS) and the internal control framework.
IT Strategy Committee
Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Steering Committee
Establish an IT steering committee (or equivalent) composed of executive, business and IT management to:
- Determine prioritization of IT-enabled investments in line with the enterprise’s business strategy and priorities
- Track status of projects and resolve resource conflict
- Monitor service levels and service improvements
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Organizational Placement of the IT Function
Place the IT function in the overall organizational structure so as to emphasize the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the importance of IT within the enterprise.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Organizational Structure
Establish an internal and external IT organizational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organizational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Establishment of Roles and Responsibilities
Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organization’s needs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for IT Quality Assurance
Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organizational placement and the responsibilities and size of the QA group satisfy the requirements of the organization.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Responsibility for Risk, Security and Compliance
Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management responsibility at the enterprise level to deal with organization-wide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with related security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Data and System Ownership
Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.
Supervision
Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Segregation of Duties
Implement a division of roles and responsibilities that reduces the possibility that a single individual can compromise a critical process. Make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
IT Staffing
Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Key IT Personnel
Define and identify key IT personnel, and minimize reliance on a single individual performing a critical job function.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Contracted Staff Policies and Procedures
Ensure that consultants and contract personnel who support the IT function know and comply with the organization’s policies for the protection of the organization’s information assets such that they meet agreed-upon contractual requirements.
There are no PSGs published for this topic; however, the topic is under review for future PSGs.
Relationships
Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate compliance group, outsourcers and offsite management.