Full Access Isaca CGEIT Tutorials

The data owner is the role that is accountable for the confidentiality, integrity, and availability of information within an enterprise, because the data owner is the person who has the authority and responsibility to classify, label, and protect the information assets according to their value and sensitivity1. The data owner also defines the business requirements for the information security and ensures that the data custodian implements the appropriate controls to safeguard the information2. The data owner is also part of the IT governance domain 4: Value Delivery3. References := 1: Data Classification Standard3, page 42: 3 Pillars of Data Security: Confidentiality, Integrity & Availability43: CGEIT Review Manual 2023, ISACA, page 155.

IT governance is the process of ensuring that IT supports the business objectives and strategies of the enterprise, and that IT investments and resources are aligned with the enterprise’s needs and priorities. When individual business units design their own IT solutions without consulting the IT department, they may create solutions that are not compatible with the existing enterprise goals, such as customer satisfaction, operational efficiency, regulatory compliance, or innovation. This can result in duplication of efforts, waste of resources, increased complexity, security risks, or missed opportunities. Therefore, it is important for IT governance to establish a clear vision, strategy, and framework for IT that guides the business units in developing and implementing IT solutions that support the enterprise goals. Some examples of IT governance frameworks are COBIT1, ITIL2, and ISO/IEC 385003. References :=

• COBIT | ISACA
• ITIL | AXELOS
• ISO/IEC 38500:2015(en), Information technology — Governance of IT for the organization

Before developing an IT strategic plan, it is essential to review the enterprise business plan, which defines the enterprise’s structure, governance, and operations. The enterprise business plan describes the enterprise’s vision, mission, goals, objectives, strategies, and performance measures. It also outlines the enterprise’s value proposition, market position, competitive advantage, and customer segments. The IT strategic plan should align with and support the enterprise business plan by providing a roadmap for how IT will enable and enhance the business capabilities and outcomes. The IT strategic plan should also consider the enterprise’s risk appetite and tolerance, which are defined by the enterprise’s risk management framework.

The other options are not necessarily required before developing an IT strategic plan. Aligning the enterprise vision statement with business processes is part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. Developing an enterprise architecture (EA) framework is a separate activity that can be done in parallel or after developing the IT strategic plan. The EA framework defines how to create and use an enterprise architecture, which provides a holistic view of the organization’s business, information, and technology. Reviewing the enterprise risk tolerance level is also part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. The risk tolerance level reflects the acceptable level of variation around a particular set of risk-based objectives.

Translating business needs into IT initiatives. IT strategic planning is the process of defining how the IT function supports and enables the overall business strategy and objectives of an enterprise1. It helps to align IT with business goals, optimize IT investments and resources, manage IT risks and opportunities, and deliver value to the stakeholders1. By implementing an IT strategic planning process, an enterprise can translate its business needs into IT initiatives that are consistent, coherent, and feasible1. These IT initiatives can include projects, programs, services, systems, architectures, policies, standards, and processes that address the current and future business requirements and challenges1. Translating business needs into IT initiatives is the primary goal of implementing an IT strategic planning process, as it ensures that IT is responsive, relevant, and effective in supporting the enterprise’s mission, vision, and values1.