1) The document discusses seven enablers for managing risk: principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; and people, skills and competencies.
2) It provides examples of how each enabler contributes to governance and management of the risk function, such as defining risk processes or establishing an enterprise risk committee.
3) The seven enablers also apply to managing IT risk, with examples given for how each enabler supports risk governance and management over enterprise IT.
CELOE MRKI Lecture Notes 02 v0.1_old.pptx
1. People, Process and Technology Aspects of the Seven Enablers
ISH4U3 Risk Management and Information Security
By: Rokhman Fauzi & Team Teaching IS Management
Information Systems | School of Industrial Engineering | Telkom University
2. Agenda
1. Principles, policies and frameworks
2. Processes
3. Organisational structures
4. Ethics, behaviour and culture
5. Information
6. Services, applications and infrastructure
7. People, skills and competencies
3. Drivers for Risk
The main drivers for risk management include providing:
• Stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise
• Guidance on how to manage risk to levels within the enterprise’s risk appetite
• Guidance on how to set up the appropriate risk culture for the enterprise
• Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure
5. Risk Function Perspectives
COBIT 5 for Risk provides guidance and describes how each enabler contributes to the overall governance and management of the risk function. For example:
• Which Processes are required to define and sustain the risk function, and to govern and manage risk
• What Information flows are required to govern and manage risk—e.g., risk universe, risk profile
• The Organisational Structures that are required to govern and manage risk effectively—e.g., enterprise risk committee, risk function
• What People and Skills should be put in place to establish and operate an effective risk function
6. Seven Enablers & IT Risk
The seven categories of enablers also apply to managing risk. The enablers support the provisioning of risk governance and management over enterprise IT, as shown in the following examples:
1. Principles, Policies and Frameworks—Risk principles, risk policies and compliance approaches
2. Processes—The core risk processes in the evaluate, direct and monitor (EDM) and align, plan and organise (APO) domains, as well as the application of many other processes to the risk function
3. Organisational Structures—ERM committee, chief risk officer (CRO)
4. Culture, Ethics and Behaviour—Enterprisewide behaviour, management behaviour and risk professionals’ behaviour supporting risk management
5. Information—Risk profile, risk scenarios, risk map
6. Services, Infrastructure and Applications—Emerging risk advisory services
7. People, Skills and Competencies—CRISC certification, risk management and technical skills
7. The Principles, Policies and Frameworks (1)
The Principles, Policies and Frameworks model (figure 14) shows:
• Stakeholders—Stakeholders for principles and policies can be internal or external to the enterprise. They include the board and executive management, compliance officers, risk managers, internal and external auditors, service providers and customers, and regulatory agencies. The stakes are twofold: Some stakeholders define and set policies, others have to align to, and comply with, the policies.
• Goals and metrics—Principles, policies and frameworks are instruments to communicate the rules of the enterprise, in support of the governance objectives and enterprise values, as defined by the board and executive management.
8. The Principles, Policies and Frameworks (2)
▪ Principles need to:
– Be limited in number
– Use simple language, expressing as clearly as possible the core values of the enterprise
▪ Policies provide more detailed guidance on how to put principles into practice and they influence how decision making aligns with the principles. Good policies are:
▫ Effective—They achieve the stated purpose.
▫ Efficient—They ensure that principles are implemented in the most efficient way.
▫ Non-intrusive—They appear logical for those who have to comply with them, i.e., they do not create unnecessary resistance.
▫ Aligned—They are in alignment with the overall enterprise strategy.
9. The Principles, Policies and Frameworks (3)
Life cycle—Policies have a life cycle that has to support the achievement of the defined goals. Frameworks are key because they provide a structure to define consistent guidance.
For example, a policy framework provides the structure in which a consistent set of policies can be created and maintained, and it also provides an easy point of navigation within and amongst individual policies.
10. The Principles, Policies and Frameworks (4)
• Good practices:
Good practice requires that policies be part of an overall governance and management framework, providing a (hierarchical) structure into which all policies should fit and clearly make the link to the underlying principles.
As part of the policy framework, the following items need to be described:
• Scope and validity
• Roles and responsibilities of the stakeholders
• The consequences of failing to comply with the policy
• The means for handling exceptions
• The manner in which compliance with the policy will be checked and measured
Policies should be aligned with the enterprise’s risk appetite. Policies are a key component of an enterprise’s system of internal control, whose purpose it is to manage and contain risk. As part of risk governance activities, the enterprise’s risk appetite is defined, and this risk appetite should be reflected in the policies. A risk-averse enterprise has stricter policies than a risk-aggressive enterprise.
Policies need to be revalidated and/or updated at regular intervals to ensure relevance to business requirements and practices.
11. Processes
Goals—Process goals are defined as ‘a statement describing the desired outcome of a process. An outcome can be an artefact, a significant change of a state or a significant capability improvement of other processes’. They are part of the goals cascade, i.e., process goals support IT-related goals, which, in turn, support enterprise goals. Process goals can be categorised as:
• Intrinsic goals—Does the process have intrinsic quality? Is it accurate and in line with good practice? Is it compliant with internal and external rules?
• Contextual goals—Is the process customised and adapted to the enterprise’s specific situation? Is the process relevant, understandable and easy to apply?
• Accessibility and security goals—The process remains confidential, when required, and is known and accessible to those who need it.
Stakeholders—Processes have internal and external stakeholders, with their own roles; stakeholders and their responsibility levels are documented in RACI (responsible, accountable, consulted, informed) charts. External stakeholders include customers, business partners, shareholders and regulators. Internal stakeholders include the board, management, staff and volunteers.
12. Processes (2)
• Life cycle—Each process has a life cycle. It is defined, created, operated, monitored and adjusted/updated or retired. Generic process practices such as those defined in the COBIT process assessment model (PAM), based on International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15504, can assist with defining, running, monitoring and optimising processes.
• Good practices—COBIT 5: Enabling Processes contains a process reference model, in which process internal good practices are described in increasing levels of detail: practices, activities and detailed activities. In this publication, this good practice is not repeated; only risk-specific guidance is developed when relevant.
16. Organisational Structures (1)
Stakeholders—Organisational structures stakeholders can be internal or external to the enterprise. These stakeholders include the individual members of the structure, other structures, organisational entities, clients, suppliers and regulators. Their roles vary and include decision making, influencing and advising. The stakes of each of the stakeholders also vary, i.e., what interest do they have in the decisions made by the structure?
Goals—The goals for the Organisational Structures enabler include having a proper mandate, having well-defined operating principles and applying other good practices. The outcome of the Organisational Structures enabler should include numerous good activities and decisions.
17. Organisational Structures (2)
Life cycle—An organisational structure has a life cycle. The organisational structure is created, exists and is adjusted, and, finally, it can be disbanded. During its inception, a mandate—a reason and purpose for its existence—has to be defined.
Good practices—A number of good practices for organisational structures can be distinguished, such as:
• Operating principles—The practical arrangements regarding how the structure operates, such as frequency of meetings, documentation and housekeeping rules
• Decisions—Risk-based direction considering the processing of relevant inputs and required or expected outputs
• Span of control—The decision-rights boundaries of the organisational structure
• Level of authority/decision rights—The decisions that the structure is authorised to make
• Delegation of authority—The structure’s authority to delegate a subset of its decision rights to other structures that report to it
• Escalation procedures—The escalation path for a structure, which describes the required actions in case of problems in making decisions
18. Lines of Defense Against Risk
• As the first line of defence, operational managers own and manage risk. They also are responsible for implementing corrective actions to address process and control deficiencies.
• In practice, a single line of defence often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line of defence controls.
• Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the enterprise. This high level of independence is not available in the second line of defence. Internal audit also provides assurance on the manner in which the first and second lines of defence achieve risk management.
19. Culture, Ethics and Behaviour
Stakeholders—Culture, ethics and behaviour stakeholders can be internal or external to the enterprise. Internal stakeholders include the entire enterprise; external stakeholders include regulators, e.g., external auditors or supervisory bodies. Stakes are twofold: Some stakeholders, e.g., legal officers, risk managers, HR managers, remuneration boards and officers, deal with defining, implementing and enforcing desired behaviours; others have to align with the defined rules and norms.
20. Culture, Ethics and Behaviour (2)
Goals—Goals for the Culture, Ethics and Behaviour enabler relate to:
• Organisational ethics, determined by the values by which the enterprise wants to live
• Individual ethics, determined by the personal values of each individual in the enterprise and depending, to an important extent, on external factors such as religion, ethnicity, socioeconomic background, geography and personal experiences
• Individual behaviours, which collectively determine the culture of an enterprise. Many factors, such as the external factors mentioned above, interpersonal relationships in enterprises, personal objectives and ambitions also drive behaviours.
Some types of behaviours that can be relevant in this context include:
• Behaviour towards taking risk—How much risk does the enterprise feel it can absorb and which risk is it willing to take?
• Behaviour towards following policy—To what extent will people embrace and/or comply with policy?
• Behaviour towards negative outcomes—How does the enterprise deal with negative outcomes, i.e., loss events or missed opportunities? Will it learn from them and try to adjust, or will blame be assigned without treating the root cause?
21. Culture, Ethics and Behaviour (3)
Life cycle—An organisational culture, ethical stance and individual behaviours all have their own life cycles. Starting from an existing culture, an enterprise can identify required changes and work towards their implementation. Several tools, described in the good practices, can be used.
Good practices—Good practices for creating, encouraging and maintaining desired behaviour throughout the enterprise include:
• Communication throughout the enterprise of desired behaviours and the underlying corporate values
• Awareness of desired behaviour, strengthened by the example behaviour exercised by senior management and other champions
• Incentives to encourage desired behaviour and deterrents to discourage undesirable behaviour, often as part of the HR reward and recognition programme
• Re-evaluation of expectations, influences and changes in behaviour and practices, i.e., reporting on existing behaviour versus the behaviour that management perceives
• Rules and norms, which provide more guidance on desired organisational behaviour. These link very clearly to the principles and policies that an enterprise puts in place.
22. Information
Different categories of roles in dealing with information are possible, ranging from detailed proposals (e.g., suggesting specific data or information roles such as architect, owner, steward, trustee, supplier, beneficiary, modeller, quality manager, security manager) to more general proposals—for instance, distinguishing amongst information producers, information custodians and information consumers, as follows:
• Information producer is responsible for creating the information
• Information custodian is responsible for storing and maintaining the information
• Information consumer is responsible for using the information
Stakeholders—Can be internal or external to the enterprise. The generic model also suggests that, apart from identifying the stakeholders, their stakes (i.e., why they care or are interested in the information) need to be identified.
23. Three Subdimensions of Quality (1)
[1] Intrinsic quality
The extent to which data values are in conformance with the actual or true values. It includes:
• Accuracy—The extent to which information is correct and reliable
• Objectivity—The extent to which information is unbiased, unprejudiced and impartial
• Believability—The extent to which information is regarded as true and credible
• Reputation—The extent to which information is highly regarded in terms of its source or content
24. Three Subdimensions of Quality (2)
[2] Contextual and representational quality
The extent to which information is applicable to the task of the information user and is presented in an intelligible
and clear manner, recognising that information quality depends on the context of use. It includes:
• Relevancy—The extent to which information is applicable and helpful for the task at hand
• Completeness—The extent to which information is not missing and is of sufficient depth and breadth for the task at hand
• Currency—The extent to which information is sufficiently up to date for the task at hand
• Appropriate amount of information—The extent to which the volume of information is appropriate for the task at hand
• Concise representation—The extent to which information is compactly represented
• Consistent representation—The extent to which information is presented in the same format
• Interpretability—The extent to which information is in appropriate languages, symbols and units, with clear definitions
• Understandability—The extent to which information is easily comprehended
• Ease of manipulation—The extent to which information is easy to manipulate and apply to different tasks
25. Three Subdimensions of Quality (3)
[3] Security/accessibility quality
The extent to which information is available or obtainable. It includes:
• Availability/timeliness—The extent to which information is available when required, or easily and quickly retrievable
• Restricted access—The extent to which access to information is restricted appropriately to authorised parties
26. Information Life Cycle
Life cycle—The full life cycle of information needs to be considered, and different approaches may be required for information in different phases of the life cycle.
The COBIT 5 Information enabler distinguishes the following phases:
1. Plan—The phase in which the creation and use of the information resource is prepared. Activities in this phase may refer to the identification of objectives, the planning of the information architecture, and the development of standards and definitions, e.g., data definitions, data collection procedures.
2. Design—The phase in which the risk management information requirements are defined.
3. Build/acquire/create/implement—The phase in which the information resource is acquired. Activities in this phase may refer to the creation of data records, the purchase of data and the loading of external files.
4. Use/operate
27. Information Life Cycle – Use/Operate
Use/operate, which includes:
• Store—The phase in which information is held electronically or in hard copy (or even just in human memory). Activities in this phase may refer to the storage of information in electronic form, e.g., electronic files, databases, data warehouses, or as hard copy, e.g., paper documents.
• Share—The phase in which information is made available for use through a distribution method. Activities in this phase may refer to the processes involved in getting the information to places where it can be accessed and used, e.g., distributing documents by email. For electronically held information, this life cycle phase may largely overlap with the store phase, e.g., sharing information through database access, file/document servers.
• Use—The phase in which information is used to accomplish goals. Activities in this phase may refer to all kinds of information usage (e.g., managerial decision making, running automated processes), and may also include activities such as information retrieval and converting information from one form to another.