Manage Compliance with External Requirements

Transcription

1 Manage Compliance with External Requirements Description IT is subject to requirements that are highly complex and constantly changing. The school jurisdiction s senior leadership is ultimately accountable with these requirements, but must delegate responsibility to IT leadership and IT staff. In order to minimize the risks associated with being non-compliant with or contractual requirements, it is necessary to identify and analyze requirements, implement a response and obtain assurance that requirements have been met. Value Provides assurance to senior leadership that IT operations are in with legal, regulatory requirements. Goals Ensure with laws, regulations requirements. Target Audience Primary IT Leadership Key Activities Secondary Senior Leadership School Administrators IT Staff Identify requirements. Implement a process to continuously review local and international laws, regulations and other external requirements. Identify and maintain documentation related to the regulatory requirements applicable to each information system planned or in use. Manage Compliance with External Requirements Evaluate IT policies, plans to confirm. Evaluate methods of deterring users from performing acts of non-. Adjust policies, plans to ensure that requirements are addressed and communicated. Report positive assurance of. Implement a process to obtain and report on of IT policies, plans with or contractual agreements. Ensure that any corrective actions taken to address gaps have been taken in a timely manner by the responsible process owner. School Technology Services Self-Evaluation Guide: IT Governance 85

2 RACI Chart Roles Activities Identify requirements. Evaluate IT policies, plans to confirm. Report positive assurance of. RACI Responsibilities Responsible the person or group who is responsible for performing a task Accountable the person who is held accountable for the task being complete (Ideally, accountability is assigned to only one role for each process.) Consulted the person or group communicated with prior to a task being performed Informed the parties who are notified about an activity before, during or after it is performed. 86 School Technology Services Self-Evaluation Guide IT Governance

3 Maturity Model Manage Compliance Note: The required or desired level of maturity will vary between jurisdictions, based on the size, needs, costs, capability and alignment with the jurisdiction s strategic plan. It is not necessary to assume that any jurisdiction should be at a Level 5 in all or any of these activities. Attributes is aware of requirements that impact the jurisdiction. issues that impact the jurisdiction are discussed in response to issues or requests for information from senior leadership. Communication to stakeholders about regulatory, contractual and legal requirements that impact the jurisdiction is sporadic and usually in response to issues. Senior leadership is aware of the need. understands the requirements for complying with critical requirements. Regulatory, contractual and legal requirements impacting the jurisdiction are frequently communicated to stakeholders. informally communicates issues to senior leadership. Senior leadership is aware of the requirements of an effective IT process. Senior leadership commits resources to the development of a sound IT process. Communication to stakeholders about regulatory, legal requirements, policies occurs on a regular basis and in a formal way. informs senior leadership of incidences of non and of the corrective actions taken. and IT staff have a comprehensive understanding of the requirements for contractual, legal and regulatory. The need to ensure with relevant legislation, regulations and contracts is understood throughout the jurisdiction. has extensive knowledge of applicable external requirements, including future trends, anticipated changes and the need for new solutions. assurance reports are regularly discussed at the senior leadership level. Understanding of the jurisdiction s external obligations is widespread throughout the jurisdiction. PEOPLE Awareness, Understanding and Communication Manage Compliance with External Requirements School Technology Services Self-Evaluation Guide: IT Governance 87

4 Some knowledge of exists in isolation. Minimum skills required to perform have not been identified. Training needs have not been identified. and IT staff have the skills and expertise to manage at a basic level. Minimum skill requirements to manage have been identified. Training in managing is provided in response to emerging needs or requests from individuals. and IT staff have the skills and expertise to perform all key processes. Skill requirements for all areas of have been defined and documented. A formal training plan has been developed. Training for is available. and IT staff have the skills and expertise to perform all activities. Proficiency in critical aspects of is ensured for individuals who perform these tasks. Skill requirements are reviewed and updated on a regular basis. Formal training is required for individuals who perform these tasks. Certification in is encouraged for individuals who perform these tasks. Proficiency in all aspects of is ensured for individuals who perform these tasks. The jurisdiction encourages formal training in, based upon personal and jurisdiction goals. External experts and industry leaders are engaged to provide guidance and input into. Ongoing training is provided to ensure that end users understand or contractual changes that affect them. PEOPLE (continued) Skills and Expertise 88 School Technology Services Self-Evaluation Guide IT Governance

5 Allocation of responsibility is assumed or done in an ad hoc way. Allocation of responsibility and accountability is done informally. Individuals assume responsibility. There is confusion about who is responsible and accountable when issues arise. Accountability and responsibility have been formally assigned and documented. process owners are identified, but may not have sufficient authority to fulfill their responsibilities. process owners have the level of authority required to fulfill their responsibilities. process owners are empowered to make decisions and to take action to ensure with requirements. process owners escalate issues, according to a defined escalation process. Manage Compliance with External Requirements PEOPLE (continued) Responsibility and Accountability School Technology Services Self-Evaluation Guide: IT Governance 89

6 Activities to ensure occur in isolation and are based upon individual IT staff practices. Monitoring of processes to ensure with requirements is implemented in response to issues. Common and informal policies that ensure with requirements are defined, but not documented. with policies that ensure with requirements is left to the individual s discretion. Where is a recurring requirement, individual procedures have been developed and are followed on a year-to-year basis. Formal policies for key processes have been defined, documented and communicated. Policies and procedures are based upon generally accepted good practices. Formal policies for all activities are defined, documented and regularly reviewed. Senior leadership approves policies. A process to regularly review the environment to identify external requirements and ongoing changes has been implemented. Standardized internal good practices are used for specific needs, such as standing regulations and recurring service contracts. A framework is implemented and integrated. Generally accepted best practices and standards are used to inform policy and procedure development. Exceptions to policies and procedures are noticed and corrective action is taken. The framework includes a selfassessment process. policies and procedures are regularly reviewed and updated. PROCESS Policies, Plans and Procedures 90 School Technology Services Self-Evaluation Guide IT Governance

7 Some legal, regulatory and contractual goals are set and monitored inconsistently. with requirements is monitored informally. informally reports to senior leadership about. is monitored regularly. Targets and thresholds for have been defined and documented. informs senior leadership about in a formal way. metrics are formally defined and approved. Measures of the effectiveness of policies are used to inform decision making and continuous improvement. There is a process in place to monitor incidences of non, identify root causes and implement corrective action. is integrated into appropriate IT policies and procedures. processes are monitored and measured. Manage Compliance with External Requirements PROCESS (continued) Goal Setting and Measurement School Technology Services Self-Evaluation Guide: IT Governance 91

8 Tools may exist to support legal, regulatory and contractual activities; they are generally based upon standard desktop tools. There is no formal approach to using tools to support activities. Basic tools and templates, specific to maintaining with requirements, have been developed and implemented. Common approaches to the use of tools to support with requirements are emerging. Tools specifically applicable to are beginning to be implemented. A formal plan is developed to acquire and implement tools to support activities. The basic level of functionality in tools and templates is used. Tools in use are not fully integrated. Standard pro forma contracts and legal processes are used to minimize risks associated with contractual liability. Tools to support have been implemented. Integration of tools to support IT is emerging. There is a formal and structured approach to using tools to support. Tools are used in key areas to automate and formalize. A standardized and integrated set of automated tools and formalized techniques is used, jurisdiction wide, to support. TOOLS Tools and Automation 92 School Technology Services Self-Evaluation Guide IT Governance