Unit 5: IT governance assessment summary sheet

This unit must be completed if IT governance is included in the assessment.

Complete the following for each IT governance area:

IT governance assessment summary table

Unit 5: IT governance assessment summary table

| IT projects identity | IT governance total score | Tick risk rating if low | Tick risk rating if medium | Tick risk rating if high |
|---|---|---|---|---|
| Governance | Enter score | 1–25 | 26–49 | 50–573 |

IT governance assessment questions

Unit 5: Governance score table

| Question | Score | Tick risk rating if low | Tick risk rating if medium | Tick risk rating if high |
|---|---|---|---|---|
| 1. Alignment | Enter score | 1 | 2 | 3 |
| 2. Staffing | Enter score | 1–2 | 3–4 | 5–6 |
| 3. Responsibilities | Enter score | 1–2 | 3–4 | 5–6 |
| 4. Outsourcing | Enter score | 1–2 | 3–6 | 7–9 |
| 5. ADSM | Enter score | 1–3 | 4–6 | 7–9 |
| 6. Logical assets | Enter score | 1–3 | 4–6 | 7–9 |
| 7. Cloud assets | Enter score | 1–3 | 4–6 | 7–9 |
| 8. Physical assets | Enter score | 1–3 | 4–6 | 7–9 |
| 9. Business continuity planning | Enter score | 1–2 | 3–4 | 5–6 |
| 10. Disaster recovery planning | Enter score | 1–2 | 3–4 | 5–6 |

After filling out the above table, add the ten question scores together to work out your overall total score.

Use the tables below to answer the ten questions and to determine the score and risk rating you will record against each question. Also record additional comments and document the evidence for each question.

1. Alignment

Question 1: How do you know your IT systems will support the future direction of the business?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Long and short term IT strategy is documented, published and regularly updated with clear synergy with long and short term business strategy. Regular updates | 1 | Low |
| Long and short term IT strategy is documented and published with clear synergy with long and short term business strategy. No regular updates | 2 | Medium |
| No documented IT strategy | 3 | High |
| Mitigated | 1 | Low |

2. Staffing

Question 2: How long have your IT staff been with the business?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Mostly employees with low turnover | 2 | Low |
| Mostly employees with medium turnover or mostly long term outsourcing arrangements | 4 | Medium |
| Mostly employees with high turnover or mostly contractors | 6 | High |
| Mitigated | 2 | Low |

3. Responsibilities

Question 3: How do your staff know what they are required to do?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Transparency and accountability; roles and responsibilities clearly established, documented and up to date; appropriate segregation of duties and accountabilities translated to staff performance and development | 2 | Low |
| Transparency and accountability; roles and responsibilities clearly established and documented. Deficiencies in segregation of duties, or no clear link to staff performance development agreements or IT strategy | 4 | Medium |
| Roles and responsibilities not clearly established or documented | 6 | High |
| Mitigated | 2 | Low |

4. Outsourcing

Question 4: To what extent do you outsource IT functions?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| 0–30% of systems outsourced | 2 | Low |
| 31–60% of systems outsourced | 4 | Medium |
| Mitigated – 31–60% of systems outsourced | 2 | Low |
| Over 60% of systems outsourced | 6 | Medium |
| Mitigated – over 60% of systems outsourced | 2 | Low |

5. Application development and support methodology (ADSM)

Question 5: When developing new applications, what methodologies do you apply?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Proven methodology, documented standards and procedures, clear milestones | 3 | Low |
| New methodology, uneven documentation, clear milestones | 6 | Medium |
| No or poor methodology, poor documentation, unclear or changing milestones | 9 | Low |

6. Logical assets

Question 6: How do you monitor and manage access and security to your logical assets?

| Possible answers | Score | Risk rating |
|---|---|---|
| Good access control over logical assets – comprehensive access policy, formal user administration procedures enforced, biometric or strong password controls on access to all systems, administrator and user access to systems regularly checked, automated monitoring | 3 | Low |
| Medium access control over logical assets – some deficiencies identified in some systems or some circumstances (eg terminated employees) | 6 | Medium |
| Poor access control – many deficiencies identified, systemic lack of control, inadequate or absent access control procedures | 9 | Low |

7. Cloud assets

Question 7: How do you manage access and use of your cloud assets?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Good access control over cloud assets – comprehensive access policy and formal user administration procedures enforced, strong password controls on access to all systems, administrator and user access to systems regularly checked, automated monitoring | 3 | Low |
| Medium access control over cloud assets – some deficiencies identified in some systems or some circumstances (eg terminated employees, contractors) | 6 | Medium |
| Poor cloud control – many deficiencies identified, or inadequate or absent cloud computing control procedures | 9 | Low |

8. Physical assets

Question 8: How do you manage and monitor access to your physical assets?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Good access control over physical assets – comprehensive facilities access policy and formal access administration procedures, enforced biometric controls or strong access control to all facilities, access to facilities regularly checked, automated monitoring | 3 | Low |
| Medium access control over physical assets – some deficiencies identified in some systems or some circumstances (eg terminated employees, contractors) | 6 | Medium |
| Poor access control over physical assets – many deficiencies identified, systemic lack of control, inadequate or absent access control procedures | 9 | Low |

9. Business continuity planning (BCP)

Question 9: Do you have a business continuity plan that sets out what is required to support your operations in the event of a disaster?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Documented BCP, regular BCP training for identified staff, BCP key measures have been tested | 2 | Low |
| Documented BCP but no specific BCP training, BCP key measures have never been tested | 4 | Medium |
| Unsound or non-existent BCP | 6 | High |
| Mitigated | 2 | Low |

10. Disaster recovery planning (DRP)

Question 10: Do you have a document that sets out what is needed, and who is responsible, to get your systems back online in the event of a system failure?

| Possible answers (tick the ones that apply) | Score | Risk rating |
|---|---|---|
| Documented DRP, alternate operations sites identified, emergency communication channels identified, redundancy built into systems and data centres, regular scheduled backups, regular DRP training or briefing | 2 | Low |
| Documented DRP but deficiencies identified in some aspects, DRP key measures have never been tested | 4 | Medium |
| Unsound or non-existent DRP | 6 | High |
| Mitigated | 2 | Low |

Last modified: 18 Jun 2019 | QC 59343