IT Governance Committee Charter

Transcription

1 IT Governance Committee Charter 1

2 Purpose IT Governance Committee IT Governance Committee purpose is to: Understand IT as a business(projects, Costs, Investments, Resource Management) Make recommendations on improvements Assist in policy compliance Assess, Monitor and Document Risk Approve policy, standards and guidelines Be a advocate and spread the word about the Committee and changes that will happen

3 IT Governance Function Charter IT Governance Committee can be defined as the organizational capacity exercised SLU business Leaders and IT management to control the formulation and implementation of IT strategy and ensure the fusion of business and IT. IT Governance Committee concentrates on performing and transforming IT to meet present and future demands of the business and the business customers. Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised enterprise and embedding of risk management responsibilities into the organization. Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery using metrics, dashboards or balanced scorecards that translate strategy into action to achieve goals. Resource management (Multi-Sourcing) is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure. Risk management requires risk awareness by senior SLU officers, a clear understanding of the enterprise s appetite for risk, understanding of compliance, security requirements and transparency about the significant risks to the SLU.

4 IT Governance Committee Guiding Principles Simplicity The ITGC must serve to avoid unnecessary complexity in the management of risks and controls across the enterprise. Develop common risk and controls matrices, avoid duplication of controls, and adopt publicly available standards and frameworks. Consistency To ensure that ITGC is not a constraint on business agility, policy will be guided by risk tolerances, not the other way around. To enable effective decision making and comparison across the University, the ITGC advocate must enable a single version of the truth. Accountability Ownership for risks, controls and policies must be clear. Roles and responsibilities must be delineated unambiguously Alignment Business value of ITGC decisions and approvals will depend in large measure on how well they link to the University requirements.

5 IT Governance Committee Membership: ITS Mike Mueller Mary Estes Peter Juan Keith Hacke Sue Baker Nick Lewis Scott Amendola IT Research Services Kyle Collins- IT Academic Services SLU Business Divisions Kathy Merlo -UMG Michael Lucido Risk Management Elizabeth Winchester Internal Audit Dave Grabe Controller Business and Finance Dean Marty - EHR Ron Rawson - Compliance Stacey Harrington Academic Affairs Patricia Haberberger Human Resources Jay Haugen Registrar Anne Garcia - Compliance Extended ITS Dave Hendel Project Office Mary Frazer IT Finance IT Governance Area Risk (Security, Compliance, Risk Reporting), Standards, Policies and Guidelines Performance Management Resource Management Value Delivery Strategic Alignment Purpose at meeting recommendations, approve, advocate to Senior Leadership making, advocate across ITS making, advocate across ITS making, advocate to Senior Leadership making, advocate across ITS

6 IT Governance Committee Process IT Governance Risk Management Process Situations that create a Risk Assessment UITCG and/ or TBD SLU Enterprise Governance IT Audit Committee/ Board of Trustees President New Project benefit analysis and NPV funding requests Security Breaches or Attacks that require remediation and changes Compliance Audits (HIPAA, Internal Audit, PCI, FISMA with Critical or HIGH Remediation Treatments (spend and funding approval) ITS Governance Directors Escalation of issues for non-remediation, funding, Acceptance of High Risk Approve recommendations and treatment plan, procure, work with VPs to obtain funding IT Governance Risk Register IT Governance Monitoring People, Financial Risks IT Governance Compliance, Audit, Risk Management and General Counsel, Division Stakeholders Directors Identify Risk Access Risk Create Risk Treatment Plan Implement Risk Plan Implement Risk Treatment Plan Security Incidents or Events Policy approval and Compliance NON Compliance with Policy, Regulatory or Security Assessment Phase Risk Owner & IT Governance Committee Evaluate Risk Treatment/ Remediation Phase Risk Owner/IT Governance Committee