Objectives, Risks, and Controls
Published: April 25, 2008
Governance provides the principles, structures, and decision rights needed to carry out an organization’s key objectives and priorities in the context of the requirements and risks of the organization. Governance is defined in the Manage Layer, but it is integrated throughout all of the phases. Management reviews (MRs) introduce the appropriate level of governance, risk, compliance, and change management to Operate Phase activities. Every company will need to evaluate laws and regulations to determine its own policies and thus its own compliance controls. However, the MRs still provide management controls, and compliance can be evaluated at these points of the lifecycle.

The following table provides examples of how management objectives for this phase can be related to risk and then to controls that help manage those risks. By clearly linking objectives, risks, and controls, an IT organization will be more effective and compliant and will more efficiently gather and maintain documented evidence of its control environment and risk management.

Table 6. Operate Phase Objectives, Risks, and Controls