IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.4 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.”5
Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute’s Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”6
The focus here is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
IT Governance Frameworks
Several IT governance frameworks can be used as a guide to implementing an IT governance program. (They are introduced in this chapter in a cursory way; detailed discussions of them are best suited to books focused solely on IT governance.)
IT governance seeks to align business objectives with IT strategy to deliver business value.
Although frameworks and guidance like CobiT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide.
Codeveloped by the IT Governance Institute and ISACA (previously known as the Information Systems Audit and Control Association), CobiT addresses business risks, control requirements, compliance, and technical issues.7
CobiT offers IT controls that:
■ Cut IT risks while gaining business value from IT under an umbrella of a globally accepted framework.
■ Assist in meeting regulatory compliance requirements.
■ Utilize a structured approach for improved reporting and management decision making.
■ Provide solutions to control assessments and project implementations to improve IT and information asset control.8
CobiT consists of detailed descriptions of processes required in IT and also tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined.9
CobiT is broken out into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, and security and control knowledge workers.10
The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of IT management, only with variations in semantics. The CobiT framework is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3) deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and 210 control objectives. Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.
The CobiT framework maps to the international information security standard, ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other “accepted practices” in IT development and operations.11
ValIT®
ValIT is a newer value-oriented framework that is compatible with and complementary to CobiT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to CobiT’s control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and CobiT “provide a full framework and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodic way.12
ITIL
ITIL (Information Technology Infrastructure Library) is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.”13 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.”14
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance.15 ITIL 2011 is the latest revision (as of this printing), and it consists of five core published volumes that map the IT service cycle in a systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement16
ISO 38500
ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.17 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT, yet focuses on value delivery.
ITIL is the “most widely accepted approach to IT service management in the world.”
ISO 38500 is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches.18