Survey of IT Governance Instruments, Standards, Guides, Regulations, Laws and Frameworks

Last update February 2008 Marghanita da Cruz

Background to this paper

Frameworks for IT Management, September 2006 provides an invaluable description of a plethora of instruments organisations can use to help them deal with Information Technology including:

• AS8015-2005 The Australian Standard for the Corporate Governance of Information and Communication Technology, provides a model and principles for organisations to adopt to ensure all levels of the organisation are engaged in effectively governing IT.(Authored by Marghanita da Cruz)

• The IT Balanced Scorecard (IT BSC) is an adaptation of the Kaplan and Norton Balanced Scorecard. In the process of establishing metrics, measuring and reporting on the performance of ICT, you set its direction. (Authored by Wim van Grembergen)

• GFIM Generic Framework for Information Management (Authored by Rolf Akker);

• Other Frameworks

  • CoBit Control Objectives for Information and related Technology;
  • M_o_R Management of Risk; ISO 27001/BS17799 International Standard for Information Security Management Systems;
  • TQM Total Quality Management;
  • ISO 9000 International Standard fro Quality Management;
  • TickIT Software Quality Management;
  • ISO 20000 International Standard for Service Management. This is based on BS15000 and published in December 2005; ITIL IT infrastructure library which underpins ISO 20000;
  • ITS-CMM IT Service Capability Maturity Model;
  • Six Sigma approach to process improvement;
  • eSCM-SPv2 - eSourcing Capability Model for Service Providers version 2;
  • BiSL Business Information Services Library; eTM enhanced Telecom Operations Map;
  • ASL Application Services Library; MSP Managing Successful Programmes;
  • Prince2 Projects in Controlled Environments - Project Management methodology;
  • PMBOK Project Management Body of Knowledge; and
  • IPMA International Project Management Association Competance Baseline

While Frameworks for IT Management provides an invaluable overview and description of the relationship between a number of instruments, it is by no means a definitive list or mapping. Other aspects of ICT governance include:

• Technology aspects
  • Apache Foundation www.apache.org/foundation/how-it-works.html
  • Enterprise Architecture frameworks such as Open Group Architecture Framework (TOGAF) are instruments - for developing an enterprise architectures around ICT.
  • Function Point Analysis
  • CMMI, IFIP, the IEEE and Software Engineering Institute standards
  • IS/IT Investment Evaluation and Benefits Realization Issues in Australia,Chad Lin, Graham Pervan, and Donald McDermid
  • Validation of a Computer User Satisfaction Questionnaire to Measure IS Success in Small Business, Bruce Armstrong, Gerard Fogarty, Don Dingsdag and Julian Dimbleby
  • Strategy-Oriented Alignment in Requirements Engineering: Linking Business Strategy to Requirements of e-Business Systems using the SOARE Approach, Steven J. Bleistein, Aybuke Aurum, Karl Cox and Pradeep K. Ray
  • Book Review of e-Business Innovations and Change Management, Edited by Mohini Singh and Dianne Waddell
• Regulation & Legislation relating/dependent on ICT
  • Section 38, Subsection 314(1) of Corporations Legislation Amendment (Simpler Regulatory System) Act 2007 describes how companies can provide members with Annual reports on websites, in lieu of paper reports. The legislation specifies accessibility, advice on location and option for paper reports. More about Accessibility and User Interfaces
  • Auditing/Certification Conformance
  • Software licensing/open source
  • Outsourcing/offshoring/partnerships/contracts
  • Mergers and Acquisitions Due Diligence should include analysis of the integration of ICT systems eg websites, billing systems and infrastructure to ensure the risk to the value (customers are not lost/compliance is not deminished) in the acquisition/merger is assessed and managed.
  • ISO/IEC 16085:2004 which defines a process for the management of risk during software acquisition, supply, development, operations and maintenance.
  • Selling ICT TO GOVERNMENT - A Guide for SMEs, 2003, ISBN: 0 642 75198 6 Online ISBN: 0 642 75204 4
  • Contracts, Insurance, Risk Management, Intellectual Property
  • compliance to sox, basel II, IFRS, HACCP,....
  • The Australian eMarketing Code of Practice: rules and guidelines for the sending of commercial electronic messages in compliance with the Spam Act 2003.
• Environmental Impact
  • ISO 14000 Environmental Management Standards cover manufacture/recycling/disposal of Computer Hardware and Power Usage.
  • Recycling & IT Governance - Tom Cleary, August 2006
  • [ictgov] Environment snapshot: recycling up, but e-waste a looming issue
  • Environmental effects of leaving computers on
• Record Keeping
  • "The OpenDocument format (ODF, ISO/IEC 26300, full name: OASIS Open Document Format for Office Applications) is a file format for electronic office documents, such as spreadsheets, charts, presentations, databases and word processing documents (e.g.: memos, reports, letters)." - en.wikipedia.org/wiki/OpenDocument
  • Legal requirements for Record Keeping explained by Tom Worthington in Electronic Document Management
  • (ISO 15489);
  • Coping when everything is digital? - Documents and Issues in Document Retention, White Paper by Julian Gillespie, Patrick fair, Adrian Lawrence, David Vaille.
• Security
  • ISO/IEC 18028-4:2005 Information technology - Security techniques - IT network security - Part 4: Securing remote access
  • ISO/IEC 18028-3:2005 Information technology - Security techniques - IT network security - Part 3: Securing communications between networks using security gateways
  • AS 4590-2006 : Interchange of client information - This Standard sets out requirements for data elements for the interchange of client information. The data elements covered comprise party identification, person details, organization details, addressing, and electronic contact details.
  • Banking on six pillars of safety; and
  • Identifying Critical Components During Information Security Evaluations,Andrew Rae and Colin Fidge
  • CIO, CISO and Practitioner Guidance IT Security Governance July 2006 - IT_Security_Governance_CIO_Executive_Summary.pdf
  • Security - data/information - to complement (ISO 15489) records management and encompass ISO2701 - see Banking on six pillars of safety
• Professional Standards and Ethics
  • Ethics, Mike Bowern, Information Age 14/02/2006
  • The ethics of making robots that can kill, Mike Bowern, Information Age, 15/02/2007 12:14:35
  • Role of committees/boards charged with overseeing ICT Projects and others whose business operations rely on ICT
  • Human Factors - see Warne, L. (1997). "Conflict as a Factor in Information Systems Failure". The 8th Australasian Conference on Information Systems (ACIS 97) 29th-2nd October, 1997. School of Information Systems, University of South Australia, Adelaide, South Australia. ISBN 868032581: 387-391. - http://www.acs.org.au/governance/LWarne-ACIS97.html
  • Roles and Responsibilities/Accountabilities - more than titles - IT Manager/IT Director/CIO/CTO/product management/Quality Manager (ISO 9000)/strategic analysis, others to be identified in particular frameworks such as for Information Security in ISO 2701, encompases professional ethics.

www.ramin.com.au/itgovernance/IT-Governance-Survey.html copyright Ramin Communications 2008. Last Update 25 February 2008