Australian Standard 8015 : 2005 - Universitas Indonesia


Australian Standard 8015 : 2005
Arrianto Mukti Wibowo, M.Sc., CISA
IT Governance Lab
Faculty of Computer Science
University of Indonesia

Agenda: Introduction, objectives, definitions, principles, the AS-8015 model

The extended family of AS-8015

The 8000 series of Corporate Governance standards published in 2004 provide guidance for those wishing to do better:
– Good Governance Principles (AS8000)
– Fraud and Corruption Control (AS8001)
– Organisational Codes of Conduct (AS8002)
– Corporate Social Responsibility (AS8003)
– Whistle Blower Protection Programs (AS8004)
– GCG for ICT (AS8015)

The widely acknowledged AS4360 Risk Management standard was also revised in 2004. This, along with the adoption of BS15000 (now ISO 20000) as AS8018 IT Service Management, provided the context for the drafting and subsequent publishing of AS8015 to provide guidance on the small "c", corporate governance of Information and Communication Technology.

Reasons for AS-8015

IT is mostly doing its internal control: PRINCE2, ITIL, CoBIT, CMMI. But business leaders are STILL not engaging with IT:
– Not responsible
– Not setting direction
– Not planning
– Not implementing / improving

Supply does not fix demand! (Mark Toomey, Infonomics Australia)

Purpose of AS-8015

1. To provide a framework of principles for Directors to use when evaluating, directing and monitoring the information and communication technology (ICT) portfolio in their organizations.
2. To promote effective, efficient, and acceptable use of ICT in all organizations by:
(a) providing stakeholders (including consumers, shareholders, and employees) with the confidence that, if the Standard is followed, they can trust in the organization's corporate governance of ICT;
(b) informing and guiding Directors in governing the use of ICT in their organization; and
(c) providing a basis for objective evaluation of the corporate governance of ICT.

Australian Standard-8015: Good Corporate Governance for ICT

"The system by which the current and future use of ICT is directed and controlled. It involves evaluating and directing the plans for the use of ICT to support the organisation and monitoring this use to achieve plans. It includes the strategy and policies for using ICT within an organisation."

Who are the directors?

Member of the most senior governing body of an organization. Includes owners, board members, Directors, partners, senior executives or similar, and officers authorized by Acts of Parliament (probably meaning the senior officers whose names must appear in the company's statutes under particular legislation).

Principles of GCG for ICT

The 6 Principles

1. Establish clearly understood responsibilities for ICT
2. Plan ICT to best support the organization
3. Acquire ICT validly
4. Ensure that ICT performs well, whenever required
5. Ensure ICT conforms with formal rules
6. Ensure ICT use respects human factors

Principle 1: Establish clearly understood responsibilities for ICT

Ensure that individuals and groups within the organization understand and accept their responsibilities for ICT.

Principle 2: Plan ICT to best support the organization

Ensure that ICT plans fit the current and ongoing needs of the organization and that the ICT plans support the corporate plans.

Principle 3: Acquire ICT validly

Ensure that ICT acquisitions are made for approved reasons in the approved way, on the basis of appropriate and ongoing analysis. Ensure that there is an appropriate balance between costs, risks, and long-term and short-term benefits.

Principle 4: Ensure that ICT performs well, whenever required

Ensure that ICT is fit for its purpose in supporting the organization, is kept responsive to changing business requirements, and provides support to the business at all times when required by the business.

Principle 5: Ensure ICT conforms with formal rules

Ensure that ICT conforms with all external regulations and complies with all internal policies and practices.

Principle 6: Ensure ICT use respects human factors

Ensure that ICT meets the current and evolving needs of all the people in the process.

AS-8015 Model

Three main tasks of directors

1. Evaluate the use of ICT
2. Direct preparation and implementation of plans and policies.
3. Monitor conformance to policies, and performance against the plans.

AS-8015 Model

Evaluation of ICT

In evaluating the use of ICT, directors should consider the pressures acting upon the business, such as technological change, economic and social trends, and political influences. Directors should also take account of the business needs and the organizational objectives that they must achieve, such as maintaining competitive advantages.

Direct Plan and Implementation of ICT

Directors should direct the preparation and implementation of plans and policies and assign responsibilities for this implementation. Plans should set the direction for investments in ICT projects or changes in ICT operations. Policies should establish sound behaviour in the use of ICT. Directors should ensure that the transition from projects to operations takes into account impacts on operational practices and existing ICT infrastructure.

So it is not merely an "IT project", but something sustained into day-to-day operation after the project!

Monitor ICT

To complete the cycle the directors should monitor, through an appropriate performance measurement system, the performance of the ICT. They should reassure themselves that performance is in accordance with plans.
– So auditing IT is not just auditing for its own sake!
They should also make sure that the use of ICT conforms with external legal obligations and internal work practices. If necessary they should direct the submission of proposals for approval to address identified needs.

ICT Governance Framework

The following table lists the general principles of sound ICT governance and the actions required by Directors to implement the principles. They are applicable to most organizations most of the time, and any variation should be well considered.

ICT Governance Principles (1-2)

Columns: Ref No. | Principle | Actions to Implement the Principles (Evaluate / Direct / Monitor)

1. Establish clearly understood responsibilities for ICT
Evaluate: Directors should evaluate the options for assigning the responsibilities for the effective, efficient, and acceptable use of ICT. Directors should ensure that those given responsibility are competent. Generally these will be business managers assisted by ICT specialists who understand business values and processes. Directors should evaluate developments in ICT and business processes to ensure that ICT will provide support for future business needs.
Direct: Directors should direct that plans are carried out and policies implemented according to the assigned ICT responsibilities. Directors retain ultimate responsibility for the execution of the plans and proposals. They should satisfy themselves that appropriate ICT governance mechanisms are established.
Monitor: Directors should monitor the performance of those given responsibility in the governance of ICT (for example, in serving on steering committees or in presenting proposals to Directors). Directors should ensure that they receive the information that they need to meet their responsibilities by establishing and appropriately reviewing measurement systems.

2. Plan ICT to best support the organization
Evaluate: In formulating plans and policies, Directors should evaluate ICT activities to ensure they align with the organization's objectives for changing circumstances, consider better practices and satisfy other key stakeholder requirements. Directors should use prudent risk management procedures as described in AS/NZS 4360.
Direct: Directors should direct that proposals are submitted for approval in a timely fashion to address gaps identified in the evaluation of ICT activities. Directors should also encourage the submission of proposals for innovative uses of ICT that enable the organization to undertake new businesses or improve processes. Directors should direct the preparation and use of plans and policies that ensure the organization benefits from developments in ICT.
Monitor: Directors should monitor the progress of approved ICT proposals to ensure that they are achieving objectives in required time frames using allocated resources. Directors should monitor the use of ICT to ensure that it is achieving its intended benefits.

ICT Governance Principles (3-4)

Columns: Ref No. | Principle | Actions to Implement the Principles (Evaluate / Direct / Monitor)

3. Acquire ICT validly
Evaluate: Directors should monitor the progress of approved ICT proposals to ensure that they are achieving objectives in required time frames using allocated resources. Directors should monitor the use of ICT to ensure that it is achieving its intended benefits.
Direct: Directors should direct that ICT assets (systems and infrastructure) are acquired in an appropriate manner, including the preparation of suitable documentation, while ensuring that required capabilities are provided. Directors should direct that their organization and suppliers develop a shared understanding of the organization's intent in making any ICT acquisition.
Monitor: Directors should monitor ICT acquisitions to ensure that they do provide the required capabilities. Directors should monitor the extent to which their organization and suppliers maintain the shared understanding of the organization's intent in making any ICT acquisition.

4. Ensure ICT performs well, whenever required
Evaluate: Directors should evaluate the risks to the integrity of information and the protection of ICT assets from damage, abuse, or misuse. Directors should evaluate options to ensure that ICT will support business processes with the required capability and capacity.
Direct: Directors should direct those responsible to ensure that ICT supports the business when required for business reasons, with correct and up-to-date data while protected from loss or misuse, in accordance with AS/NZS ISO/IEC 17799 and AS/NZS 7799.2. Directors should direct that resources be allocated sufficiently to ensure that ICT meets the needs of the organization according to the priorities that they have set.
Monitor: Directors should monitor the extent to which ICT does support the business. Directors should monitor ICT to ensure that assets are decommissioned and disposed of in accordance with environmental and data management requirements. Directors should monitor the extent to which the policies for data accuracy and the efficient use of ICT are followed properly.

ICT Governance Principles (5-6)

Columns: Ref No. | Principle | Actions to Implement the Principles (Evaluate / Direct / Monitor)

5. Ensure ICT conforms with formal rules
Evaluate: Directors should regularly evaluate the extent to which ICT satisfies internal obligations including legislation, internal policies, standards and professional guidelines.
Direct: Directors should direct those responsible to establish regular and routine mechanisms for ensuring that the use of ICT complies with relevant legislation. Directors should direct that policies are established and enforced to enable the organization to meet its internal obligations in its use of ICT. Directors should direct that ICT staff follow the guidelines set by their professions. Directors should direct that all actions relating to ICT be ethical.
Monitor: Directors should monitor the manner in which managers are reviewing ICT compliance and conformance to ensure that the reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of internal obligations.

6. Ensure ICT use respects human factors
Evaluate: Directors should evaluate ICT activities to ensure that people's concerns are appropriately considered and their needs identified.
Direct: Directors should direct that ICT activities are consistent with identified needs. Directors should direct that risks may be raised by anyone at any time. They should be managed in accordance with published policies and procedures and escalated to the relevant decision makers.
Monitor: Directors should monitor ICT activities to ensure that identified needs remain relevant. Directors should monitor work practices to ensure that they are consistent with the appropriate use of ICT.
