Comparison between 20 free IT Governance Tools from Cobit, ITIL to ISO27001


This comparison is taken from the paper "IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S" by Michael Holm Larsen (HICSS 2006; the PDF is attached below). The paper reviews 17 tools, all listed here. Most of these standards and frameworks can be used at no cost.


The tools and frameworks reviewed (number, name, description):
1. ITIL: The Information Technology Infrastructure Library (ITIL) is the worldwide de facto standard in IT Service Management. ITIL provides a comprehensive, consistent volume of best practices drawn from the collective experience of thousands of IT practitioners around the world, and focuses on the critical business processes and disciplines needed for delivering high-quality IT services. Out of the ITIL framework the British Standard BS 15000 emerged, the world's first standard for managing IT services (it has since been superseded by ISO/IEC 20000). In ITIL v2, which is the version the paper describes, all activity is classified under two broad umbrellas, Service Support and Service Delivery. This approach defines IT quality as the level of alignment between IT services and actual business needs, so organisations can mature their practices without regard to specific technologies.
2. COBIT: Control Objectives for Information and Related Technology (COBIT) has been developed as a generally applicable and accepted standard for good IT security and control practices (Lainhart 2000). Its tools include (1) performance measurement elements, i.e. outcome measures and performance drivers for all IT processes, (2) a list of Critical Success Factors (CSF) that provides succinct, non-technical best practices for each IT process, and (3) maturity models to assist in benchmarking and in decision-making about capability improvements.
3. ASL: The Application Services Library (ASL) is a collection of best-practice guidance for managing application development and maintenance. It is the public-domain standard for application management, separate from ITIL but linked to it in its adherence to standards for managing processes and in providing a coherent, rigorous, public-domain set of guidance (Bastiaens 2004, van der Pols 2004). ASL is part of the IT Service Management (ITSM) Library and recognises three types of control: functional, application and technical. Where ITIL is the generally accepted standard for organising technical (infrastructure) management, ASL offers a framework for organising application management (Meijer 2003).
4. Six Sigma: The name refers to a process whose specification limits lie six standard deviations from the mean, i.e. a very low defect rate. The Six Sigma methodology provides techniques and tools to improve the capability of, and reduce the defects in, any process, and improves an existing business process by constantly reviewing and retuning it (Hammer 2002). To achieve this (cf. Pyzdek 2003) Six Sigma uses the DMAIC cycle: Define opportunities, Measure performance, Analyse opportunity, Improve performance, Control performance. Customer requirements, design quality, metrics and measures, employee involvement and continuous improvement are the main elements of Six Sigma process improvement.
5. CMM/CMMI: The Capability Maturity Model (CMM) is a methodology used to develop and refine an organisation's software development process. It describes a five-level evolutionary path of increasingly organised and systematically more mature processes. CMM was developed and is promoted by the Software Engineering Institute (SEI), a research and development centre sponsored by the U.S. Department of Defense (DoD). The five maturity levels of software processes (Mathiassen & Sørensen 1996) are initial, repeatable, defined, managed and optimising. Over the years CMM has been developed further by integrating the different disciplines into CMM Integration (CMMI). Whereas CMM is based on the classical waterfall model, CMMI addresses iterative development and is more result-oriented.
6. IT Service CMM: IT Service CMM is a maturity growth model aimed at IT service providers (Niessink 2003). It is derived from the CMM for software development and incorporates similar maturity stages; it originates from efforts to develop a quality-improvement framework with which service organisations can improve service quality (Niessink & van Vliet 1998). The model does not measure the maturity of individual services, projects or organisational units. Rather, it measures the maturity of the whole service organisation across the service delivery process, i.e. all activities involved in creating the result for the customer, from identifying the customer's needs to evaluating the delivered services (Niessink et al. 2005). The development of new services is outside the model's scope.
7. SAS 70: Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It enables an independent auditor to evaluate and issue an opinion on a service organisation's controls. A SAS 70 audit (www.sas70.com) is widely recognised because it shows that a service organisation has been through an in-depth audit of its control activities by an independent accounting and auditing firm; these activities generally include controls over information technology and related processes. Organisations must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Control objectives and control activities should be organised so that the user auditor and the user organisation can identify which controls support the assertions in the user organisation's financial statements, e.g. existence, occurrence, completeness and valuation. (Since 2011 SAS 70 has been superseded by SSAE 16 and the SOC 1 report.)
8. ISO 17799: ISO 17799, the international counterpart of British Standard BS 7799 (Part 1), is a standard for information security containing a comprehensive set of controls and best practices. It is intended to serve as a single reference point for identifying the range of controls needed in most situations where information systems are used in industry and commerce. Compliance with ISO 17799 and BS 7799 shows that an organisation has established a certain level of control in each of the ten categories covered (Ma & Pearson 2005): security policy, security organisation, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance (ISO 2000, BS 2002). The certifiable management-system specification, BS 7799 Part 2, became ISO/IEC 27001 in 2005, and ISO 17799 itself was renumbered ISO/IEC 27002 in 2007; the ISO 27001 in this page's title refers to that successor.
9. SOX: The Sarbanes-Oxley Act of 2002 (SOX) is legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices (SOX 2002). It affects not only the financial side of corporations but also the IT departments whose job is to store a corporation's electronic records. Its record-retention provisions require that records relevant to an audit, including electronic records and electronic messages, be kept for not less than five years (Alles et al. 2004); non-compliance is punishable by fines, imprisonment, or both. Sarbanes-Oxley compliance therefore has significant implications for the IT function (Moore & Swartz 2003), and its requirements are increasingly integrated with enterprise risk management initiatives (Beasley et al. 2004, Sammer 2004).
10. SysTrust: The SysTrust service is an assurance service jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the confidence of management, customers and business partners in systems that support a business or a particular activity (Pacini et al. 2000). In a SysTrust engagement (McPhie 2000) the practitioner evaluates and tests whether a specific system is reliable when measured against three essential principles: availability, security and integrity.
11. PRINCE2: PRINCE (Projects IN Controlled Environments) is a project management method covering the organisation, management and control of projects. It was first developed as a UK Government standard for IT project management and has since become widely used in both the public and private sectors; it is now the UK's de facto standard for project management. Although originally developed for IT projects, the method has also been used on many non-IT projects. The latest version, PRINCE2, incorporates the requirements of existing users and develops the method towards a generic, best-practice approach for managing all types of projects (OGC 2005).
12. IT Audit: Sisco (2002) argues that an IT review should focus its evaluation on three main areas: (1) technology: the capability to meet company needs, stability, capacity and scalability, security, and risks; (2) IT organisation: the expertise and depth needed to support the business, management, morale, capacity, and risks; (3) IT processes: change management, software licences, project management, policies and procedures regarding technology, and tracking and measuring performance. As a technology organisation has many functional parts, a quantification of the IT organisational structure (Sisco 2002) covers (a) infrastructure, i.e. networks (LAN, WAN) and desktop support, and (b) business applications, i.e. research & development and support, including installation services, professional services, help desk, computer-centre operations, technology assets, and business processes and procedures.
13. IT Due Diligence: Sisco (2002b) states that the due diligence objective needs to be clearly defined, and suggests breaking an IT due diligence plan into seven parts: (1) current IT operation, (2) risks and risk avoidance plans, (3) financial plan (expected cost and budget to continue operation), (4) capital investment requirements, (5) leverage opportunities and recommended plans, (6) transition plan, and (7) the due diligence report.
14. IT Governance Review: Weill & Ross (2004) suggest that an IT Governance review contains the following activities: (1) mapping the organisation's current governance with the tools of a Governance Design Framework (GDF) and a Governance Arrangements Matrix (GAM), (2) comparing the GDF and GAM, (3) auditing IT Governance mechanisms, (4) designing the to-be governance structure, and (5) transforming to the to-be version of the organisation's GDF and GAM, while focusing on communicating, teaching, convincing, refining, and measuring the success of IT Governance. Alternative mechanisms for designing IT Governance scenarios are proposed by Meyer (2004).
15. IT Governance Assessment: Weill & Ross (2004:119) suggest a framework for assessing IT Governance performance. Since IT Governance is defined as specifying the decision rights and accountability framework that encourages desirable behaviour in the use of IT (Weill & Ross 2004), governance performance must be assessed by how well the governance arrangements encourage desirable behaviours, i.e. how well the organisation achieves its desired performance goals. The framework therefore proposes that an IT Governance assessment address five factors: enterprise setting, governance arrangements, governance awareness, governance performance, and financial performance.
16. IT Governance Checklist: Damianides (2005) suggests a checklist for IT Governance containing 44 diagnostic questions. For each question, the extent to which it relates to (a) IT value delivery, (b) IT strategic alignment, (c) risk management and/or (d) performance is specified. The questionnaire has three subgroups: questions to uncover IT issues, questions to find out how management addresses those issues, and a self-assessment of IT Governance practice by the board and management.
17. IT Governance Assessment Process (ITGAP) Model: Peterson (2004) suggests a four-stage process for assessing IT Governance: (1) describe and assess IT Governance value drivers, (2) describe and assess the differentiation of IT decision-making authority across the portfolio of IT activities, (3) describe and assess the capabilities of IT Governance, and (4) describe and assess IT value realisation.


Attachment: HICSS-2006.pdf (189.64 KB)