Control over the IT process of Communicate Management Aims and Direction that satisfies the business requirement for IT of
- supplying accurate and timely information on current and future IT services and associated risks and responsibilities
by focusing on
- providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an IT control framework
is achieved by
- Defining an IT control framework
- Developing and rolling out IT policies
- Enforcing IT policies
and is measured by
- Number of business disruptions due to IT service disruption
- Percent of stakeholders who understand the enterprise IT control framework
- Percent of stakeholders who are non-compliant with policy
1 Non-existent
2 Initial/Ad Hoc
3 Repeatable but Intuitive
4 Defined
5 Managed and Measurable
6 Optimized
Benchmarks/Guidelines for Scoring
1 Non-existent when
Management has not established a positive IT control environment. There is no recognition of the need to establish a set of policies, plans and procedures, and compliance processes.
2 Initial/Ad Hoc when
Management is reactive in addressing the requirements of the information control environment. Policies, procedures and standards are developed and communicated on an ad hoc basis as driven by issues. The development, communication and compliance processes are informal and inconsistent.
3 Repeatable but Intuitive when
The needs and requirements of an effective information control environment are implicitly understood by management, but practices are largely informal. The need for control policies, plans and procedures is communicated by management, but development is left to the discretion of individual managers and business areas. Quality is recognised as a desirable philosophy to be followed, but practices are left to the discretion of individual managers. Training is carried out on an individual, as-required basis.
4 Defined when
A complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures. The policy development process is structured, maintained and known to staff, and the existing policies, plans and procedures are reasonably sound and cover key issues. Management addresses the importance of IT security awareness and initiates awareness programs. Formal training is available to support the information control environment but is not rigorously applied. While there is an overall development framework for control policies and procedures, monitoring of compliance with these policies and procedures is inconsistent. Techniques for promoting security awareness have been standardised and formalised.
5 Managed and Measurable when
Management accepts responsibility for communicating internal control policies and delegates responsibility and allocates sufficient resources to maintain the environment in line with significant changes. A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established. A complete set of policies, plans and procedures is developed, maintained and communicated and is a composite of internal good practices. A framework for roll-out and subsequent compliance checks is established.
6 Optimized when
The information control environment is aligned with the strategic management framework and vision and is frequently reviewed, updated and continuously improved. Internal and external experts are assigned to ensure that industry good practices are being adopted with respect to control guidance and communication techniques. Monitoring, self-assessment and compliance checking are pervasive within the organization. Technology is used to maintain policy and awareness knowledge bases and to optimize communication, using office automation and computer-based training tools.