PROCESS DESCRIPTIONPO6 Communicate

PROCESS DESCRIPTION
PO6 Communicate Management Aims and Direction
Management develops an enterprise information technology control framework and defines and communicates policies. An ongoing communication programme is implemented to articulate the mission, service objectives, policies and procedures, etc., approved and supported by management. The communication supports achievement of information technology objectives and ensures awareness and understanding of business and information technology risks, objectives and direction. The process ensures compliance with relevant laws and regulations.
Control over the information technology process of Communicate management aims and direction that satisfies the business requirement for information technology of supplying accurate and timely information on current and future information technology services and associated risks and responsibilities by focusing on providing accurate, understandable and approved policies, procedures, guidelines and other documentation to stakeholders, embedded in an information technology control framework is achieved by
• Defining an information technology control framework
• Developing and rolling out information technology policies
• Enforcing information technology policies
and is measured by
• Number of business disruptions due to information technology service disruption
• Percent of stakeholders who understand the enterprise information technology control framework
• Percent of stakeholders who are non-compliant with policy
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
P S
People
Information
Applications
Infrastructure
STRATEGIC
ALIGNMENT
PERFORMANCE
MEASUREMENT
VALUE
DELIVERY
RISK
MANAGEMENT
RESOURCE
MANAGEMENT
IT GOVERNANCE
Primary Secondary
Plan and Organise
CCONTROL OBJECTIVES
PO6 Communicate Management Aims and Direction
PO6.1 information technology Policy and Control Environment
Define the elements of a control environment for IT, aligned with the enterprise’s management philosophy and operating style.
These elements should include expectations/requirements regarding delivery of value from information technology investments, appetite for risk, integrity, ethical values, staff competence, accountability and responsibility. The control environment should be based on a culture that supports value delivery whilst managing significant risks, encourages cross-divisional co-operation and teamwork, promotes compliance and continuous process improvement, and handles process deviations (including failure) well.
PO6.2 Enterprise information technology Risk and Control Framework
Develop and maintain a framework that defines the enterprise’s overall approach to information technology risk and control and that aligns with the information technology policy and control environment and the enterprise risk and control framework.
PO6.3 information technology Policies Management
Develop and maintain a set of policies to support information technology strategy. These policies should include policy intent; roles and responsibilities;exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly.
PO6.4 Policy, Standard and Procedures Rollout
Roll out and enforce information technology policies to all relevant staff, so they are built into and are an integral part of enterprise operations.
PO6.5 Communication of information technology Objectives and Direction
Communicate awareness and understanding of business and information technology objectives and direction to appropriate stakeholders and users throughout the enterprise.
PMANAGEMENT GUIDELINES
PO1 Strategic and tactical information technology plans,
IT project and service portfolios
PO9 IT-related risk management guidelines
ME2 Report on effectiveness of information technology controls
Enterprise information technology control framework ALL
IT policies ALL
IActivities
rocess Activities
Establish and maintain an information technology control environment and framework. I C I A/R I C C C C
Develop and maintain information technology policies. I I I A/R C C C R C
Communicate the information technology control framework and information technology objectives and direction. I I I A/R R C
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
RACI Chart Functions
CEO
CFO
Business Executive
CIO
Business Process Owner
Head Operations
Chief Architect
Head Development
Head information technology Administration
PMO
Compliance, Audit,
Risk and Security

Goals and Metrics

• Ensure transparency and understanding of
IT costs, benefits, strategy, policies and service levels.
• Ensure that automated business transactions and information exchanges can be trusted.
• Ensure that critical and confidential information is withheld from those who should not have access to it.
• Ensure minimum business impact in the event of an information technology service disruption or change.
• Ensure proper use and performance of the applications and technology solutions.
• Ensure that information technology services and infrastructure can properly resist and recover from failure due to error, delivered attack or disaster.
• Develop a common and comprehensive information technology control framework.
• Develop a common and comprehensive set of information technology policies.
• Communicate the information technology strategy, policies and control framework.
Organise
• Defining an information technology control framework
• Developing and rolling out information technology policies
• Enforcing information technology policies
• Defining and maintaining a communications plan
• Number of instances where confidential information was compromised
• Number of business disruptions due to information technology service disruption
• Level of understanding of information technology costs, benefits, strategy, policies and service levels
• Percent of stakeholders who understand information technology policy
• Percent of stakeholders who understand the enterprise information technology control framework
• Percent of stakeholders who are noncompliant with policy
• Frequency of policy review/update
• Timeliness and frequency of communication to users
• Frequency of enterprise information technology control framework review/update
MATURITY MODEL

PO6 Communicate Management Aims and Direction
Management of the process of Communicate management aims and direction that satisfies the business requirement for information technology of supplying accurate and timely information on current and future information technology services and associated risks and responsibilities is:
0 Non-existent when
Management has not established a positive information technology control environment. There is no recognition of the need to establish a set of policies, plans and procedures, and compliance processes.
1 Initial/Ad Hoc when
Management is reactive in addressing the requirements of the information control environment. Policies, procedures and standards are developed and communicated on an ad hoc basis as driven by issues. The development, communication and compliance processes are informal and inconsistent.
2 Repeatable but Intuitive when
The needs and requirements of an effective information control environment are implicitly understood by management, but practices are largely informal. The need for control policies, plans and procedures is communicated by management, but development is left to the discretion of individual managers and business areas. Quality is recognised as a desirable philosophy to be followed, but practices are left to the discretion of individual managers. Training is carried out on an individual, as-required basis.
3 Defined when
A complete information control and quality management environment is developed, documented and communicated by management and includes a framework for policies, plans and procedures. The policy development process is structured, maintained and known to staff, and the existing policies, plans and procedures are reasonably sound and cover key issues. Management addresses the importance of information technology security awareness and initiates awareness programmes. Formal training is available to support the information control environment but is not rigorously applied. Whilst there is an overall development framework for control policies and procedures, there is inconsistent monitoring of compliance with these policies and procedures. There is an overall development framework. Techniques for promoting security awareness have been standardised and formalised.
4 Managed and Measurable when
Management accepts responsibility for communicating internal control policies and delegates responsibility and allocates sufficient resources to maintain the environment in line with significant changes. A positive, proactive information control environment, including a commitment to quality and information technology security awareness, is established. A complete set of policies, plans and procedures is developed, maintained and communicated and is a composite of internal good practices. A framework for rollout and subsequent compliance checks is established.
5 Optimised when
The information control environment is aligned with the strategic management framework and vision and is frequently reviewed, updated and continuously improved. Internal and external experts are assigned to ensure that industry good practices are being adopted with respect to control guidance and communication techniques. Monitoring, self-assessment and compliance checking are pervasive within the organisation. Technology is used to maintain policy and awareness knowledge bases and to optimise communication, using office automation and computer-based training tools.