1. IT Management
Corporate management refers to the responsibilities and practices exercised by the managers of the organization to set its strategic direction, so as to ensure that goals are achieved, risks are appropriately addressed, and the company's resources are used reasonably. Its best measure is the organizational strategy (IT strategic management includes IT project management).
IT management pursues two goals: to keep the organization operating within the limits of legal requirements and social obligations, while using every available opportunity to increase stakeholder value.
IT management refers to the responsibilities and duties of managing IT resources based on the interests of stakeholders. The ultimate goal is to make the best use of IT resources. IT management is the responsibility of the board of directors and executive management. The key factor of IT management is to maintain consistency with business strategy and guide the realization of business value. Therefore, it must follow the principle of business priority and the principle of strategic consistency.
2. BSC: IT Balanced Scorecard
It is a process-management evaluation technique that complements traditional financial evaluation with measures of customer satisfaction, internal process, and innovation capability. The goal is to establish a reporting channel from management to the board of directors, to agree on IT strategic objectives among key stakeholders, to confirm the effectiveness and value of IT, and to communicate its performance, risks, and capabilities.
3. EA (Enterprise Architecture)
Enterprise architecture (EA) describes the current state and the future state of the enterprise; the gap between them determines the future business strategy and IT strategy. EA aims to optimize IT investment. To assist organizations in IT planning, an appropriate organizational structure should be recommended.
Organization/function chart: It indicates the division of responsibilities and the degree of separation of responsibilities within the organization.
Job description: It defines the functions and responsibilities of every position in the organization, and also shows the degree of separation of responsibilities within the organization.
4. Information Security Policies
Review information security policies as planned or in the event of significant changes in risk to ensure effectiveness, adequacy, and appropriateness. When reformulating information security policies, gap analysis (large companies) or best practices (small and medium-sized companies) should be conducted.
The number of reported information security incidents is used to evaluate the effectiveness of the ISMS policy. To check whether information security management is complete, it is necessary to check the number of vulnerabilities and the adverse effects on critical or sensitive information assets.
The policy is a kind of high-level document, which reflects the culture of the organization. In order to ensure the effectiveness of the policy, its content must be concise and clear. The security policy must be approved and documented by senior management and communicated to all employees, service providers, and business partners in a timely manner.
Acceptable use policy: It sets out the guidelines and rules for using a company's IT resources. It explains what users are allowed to do with the IT system, what they may not do, and what sanctions apply when the rules are violated.
A procedure is a documented, well-defined set of steps used to achieve policy objectives, and therefore needs to be reviewed and updated continually. The result of a threat agent exploiting a weakness is called the impact. CMMI is a process improvement approach that can be used to guide process improvement within a project, a department, or an organization as a whole.
5. IT Risk Management
The total cost of risk management should be lower than the cost of the loss it prevents. The core is to protect assets, so sensitive and critical information assets should be identified first. Risk management is realized through the implementation of an accountability system in the enterprise: division of responsibilities, attributable responsibility, and traceable responsibility.
Steps of risk management:
Identify assets: identify and classify the information resources or assets that need to be protected
Assess threats, vulnerabilities, and possibilities related to information resources
Quantify the probability of potential threats and their impact on the business
Evaluate the existing control or design new control to reduce the risk to an acceptable level
When assessing IT risk, it is best to assess the combined threats and vulnerabilities related to existing IT assets and IT projects.
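The four steps above, carried through on a small risk register, as an added example that is not part of the original notes. The scoring model is an assumption for illustration: expected annual loss = probability of the threat occurring in a year multiplied by the impact (cost of loss); a control is cost-justified when its annual cost is lower than the loss it avoids (the rule stated above), and the residual risk is acceptable when it falls to or below a threshold set by management. Every asset, threat, probability and cost below is a constructed sample value.

```python
"""Risk register evaluation: identify assets, assess threats and
vulnerabilities, quantify probability and impact, evaluate controls.

Added example; the scoring model and all sample values are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float          # yearly cost of operating the control
    probability_factor: float   # multiplies threat probability (0.5 = halves it)
    impact_factor: float = 1.0  # multiplies the cost of loss (0.2 = 80% reduction)


@dataclass
class Risk:
    asset: str
    classification: str         # step 1: grading of the asset
    threat: str                 # step 2: threat and the weakness it exploits
    vulnerability: str
    probability: float          # step 3: chance of occurrence per year
    impact: float               # step 3: cost of loss if the threat materializes
    controls: list = field(default_factory=list)  # step 4: controls applied

    def inherent_loss(self) -> float:
        """Expected annual loss with no controls in place."""
        return self.probability * self.impact

    def residual_loss(self) -> float:
        """Expected annual loss after every control has been applied."""
        p, i = self.probability, self.impact
        for c in self.controls:
            p *= c.probability_factor
            i *= c.impact_factor
        return p * i

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)


def evaluate(risk: Risk, acceptable_loss: float) -> dict:
    """Apply the two governance checks: controls must cost less than the
    loss they avoid, and residual risk must be within the accepted level."""
    avoided = risk.inherent_loss() - risk.residual_loss()
    return {
        "asset": risk.asset,
        "inherent_loss": round(risk.inherent_loss(), 2),
        "residual_loss": round(risk.residual_loss(), 2),
        "control_cost": round(risk.control_cost(), 2),
        "cost_justified": risk.control_cost() < avoided,
        "acceptable": risk.residual_loss() <= acceptable_loss,
    }


def sample_register(acceptable_loss: float = 20_000.0) -> list:
    """Constructed sample register (hypothetical assets and figures)."""
    register = [
        Risk("customer database", "critical", "ransomware", "unpatched servers",
             probability=0.3, impact=500_000.0,
             controls=[Control("offline backups", 20_000.0, 1.0, 0.2),
                       Control("patch management", 15_000.0, 0.5)]),
        Risk("public website", "low", "defacement", "weak admin password",
             probability=0.5, impact=10_000.0,
             controls=[Control("web application firewall", 12_000.0, 0.2)]),
    ]
    return [evaluate(r, acceptable_loss) for r in register]


if __name__ == "__main__":
    for row in sample_register():
        print(row)
```

In the sample, the database controls cost 35,000 against 135,000 of avoided loss and bring the residual risk under the 20,000 threshold, so they pass both checks; the website firewall costs 12,000 to avoid only 4,000 of expected loss, so the risk is already acceptable but the control is not cost-justified, which is exactly the case the "total cost lower than the cost of loss" rule is meant to catch.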
6. Performance Optimization
Performance is the service as perceived by users and stakeholders. Performance optimization means raising the productivity of the information system to the highest level without unnecessary additional investment in IT infrastructure.
The role of safety instrumented systems: performance measurement.
Common performance management tools: the balanced scorecard (BSC), key performance indicators (KPI), management by objectives, the element evaluation method, the critical incident method, 360-degree performance evaluation, and the forced distribution method.