The process of establishing an IT control framework

Building a complete IT control framework within an organization is long-term work that cannot be accomplished overnight. It should be carried out in stages, from the basic to the advanced and from the simple to the complex, so that IT ultimately becomes a core competitive capability of the organization.
Phase 1: IT planning and architecture design
1. Objective
The objective of this phase is to carry out information infrastructure construction, build the IT platform that supports business operations, and establish a sound technical framework and management processes.
2. Main measures
The measures taken in the first phase are as follows:
• Business process survey: identify the main business processes and carry out preliminary modeling.
• Establish a standard data system for the enterprise's business activities, with the ability to quickly identify new business requirements and model the business.
• Review the business strategy, establish the IT vision and objectives, carry out IT planning and architecture design, and establish standardized IT technical standards and management standards.
• Establish a project management and supervision system, and carry out performance analysis and control of projects.
• Establish an internal staff training system and train all staff.
Phase 2: improve IT governance, initial control
1. Objective
The objective of this phase is to establish, under the guidance of the overall governance framework, an initial IT risk control system that provides a fairly reliable safeguard for the operation of business systems.
2. Main measures
The measures taken in the second phase are as follows:
• Establish an IT governance committee, improve the IT decision-making mechanism and the framework of responsibilities, ensure that IT strategy is incorporated into the organization's business strategy, and make IT a regular agenda item for the organization's top management.
• Partition security domains, identify information assets, carry out risk assessment, and establish an information security management system in accordance with ISO27001 to protect the confidentiality, integrity and availability of the organization's information assets.
• Establish an IT service management system in accordance with ITIL, ensure reliable delivery of the organization's IT services, and improve operational performance and customer satisfaction.
• Improve the organization's software development process in accordance with the requirements of the CMMI standard, and raise software quality.
• Establish a business continuity plan (BCP) to ensure that the organization's business and IT can keep operating when a major disaster occurs.
Phase 3: resource coordination, comprehensive control
1. Objective
The objective of this phase is to achieve effective coordination of resources, provide reliable support for business activities, deepen IT risk control, and achieve full integration of application systems with security systems.
2. Main measures
The measures taken in the third phase are as follows:
• Establish a unified application system platform to coordinate IT resources and provide a flexible and reliable support platform for existing and new business.
• Establish a unified security assurance platform and an effective application control mechanism, achieving full integration of application systems with security systems.
• Improve the IT service management mechanism, further raise customer satisfaction with IT services, and manage IT services quantitatively.
• Sort out the various IT processes and establish a standardized IT process control framework: build the IT process framework in accordance with COSO and COBIT, define the KPIs, KGIs and CMM maturity level of each process, and form a complete IT process control system.
• Establish an information systems audit function to assure the efficiency and effectiveness of IT systems from an independent and objective standpoint.
• Establish a reasonably scientific performance appraisal system for the IT organization, personnel, processes and projects.
Phase 4: business innovation, refined control
1. Objective
The objective of this phase is to achieve a high degree of integration between IT risk control and enterprise risk control, make IT strategy an important component of enterprise strategy, and have IT create new competitive opportunities for the enterprise.
2. Main measures
The measures taken in the fourth phase are as follows:
• IT strategy becomes an important agenda item for the organization's decision-making level; IT participates in business process reengineering and can create new profit growth points for the enterprise.
• Provide high-quality IT services for the whole organization and establish an organization-wide IT shared service center.
• IT becomes a profit center, with financial accounting applied to IT.
• IT control is further refined, IT risk control and enterprise risk control are highly integrated, and a sound information security culture forms across the enterprise.
In short, establishing an IT risk management framework is an effective way for an organization to control IT risk and ensure that it achieves its business objectives. The IT risk control process described above is a general methodology distilled from many years of research and practice; when building controls, each organization must still adapt it flexibly to its own circumstances.