GLOSSARY

  • Business Strategy – According to CIO Wiki, a business strategy is a set of guiding principles that, when communicated and adopted in the organization, generates a desired pattern of decision making. It is therefore about how people throughout the organization should make decisions and allocate resources in order to accomplish key objectives. A good strategy provides a clear roadmap, consisting of a set of guiding principles or rules, that defines the actions people in the business should take (and not take) and the things they should prioritize (and not prioritize) to achieve desired goals. (Business Strategy)
  • IT Strategy – According to CIO Wiki, an IT Strategy (Information Technology Strategy, Technology Strategy, ICT Strategy or IS Strategy) is a plan of action to create an information technology capability that delivers maximum and sustainable value for an organization. IT Strategy helps create shareholder value; in other words, it helps maximize the return on IT investments. (IT Strategy)
  • Business-IT Strategy Alignment – According to Wikipedia, business-IT alignment is a process in which a business organization uses information technology (IT) to achieve business objectives, typically improved financial performance or marketplace competitiveness. For example, alignment is the capacity to demonstrate a positive relationship between information technologies and the accepted financial measures of performance. (Business-IT Alignment)
  • Business Model – A business model describes the rationale of how an organization creates, delivers, and captures value, in economic, social, cultural or other contexts. The process of business model construction and modification is also called business model innovation and forms a part of business strategy. (Business Model)
  • Value Creation (Contribution to the Business) – Value creation is the performance of actions that increase the worth of goods, services or even a business. Many business operators now focus on value creation both in the context of creating better value for customers purchasing their products and services, and for shareholders in the business who want to see their stake appreciate in value. (value-creation)
  • IT Best Practice – According to Gartner, an IT Best Practice is a group of tasks that optimizes the efficiency (cost and risk) or effectiveness (service level) of the business discipline or process to which it contributes. It must be implementable, replicable, transferable and adaptable across industries. (Best Practice)
  • Value Chains – According to Wikipedia, a value chain is a set of activities that a firm operating in a specific industry performs in order to deliver a valuable product (i.e., a good and/or service) for the market. (Value Chain)
  • IT Plan Templates – The IT Strategic Plan (strategy plan) Template comprises four sections. Executive Summary: a summary/synthesis of the strategic plan including vision, mission, goals, drivers, key programs and initiatives, etc. (IT Strategic Plan Template)
  • COBIT – Control Objectives for Information and Related Technologies (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. (COBIT)
  • PEST analysis – According to Wikipedia, PEST analysis (political, economic, socio-cultural and technological) describes a framework of macro-environmental factors used in the environmental scanning component of strategic management. It is part of an external analysis when conducting a strategic analysis or doing market research, and gives an overview of the different macro-environmental factors to be taken into consideration. It is a strategic tool for understanding market growth or decline, business position, potential and direction for operations. (PEST Analysis)
  • Business Policy – Business policies are the guidelines developed by an organization to govern its actions. They define the limits within which decisions must be made. Business policy also deals with the acquisition of resources with which organizational goals can be achieved. Business policy is the study of the roles and responsibilities of top-level management, the significant issues affecting organizational success and the decisions affecting the organization in the long run. (MSG Management Study Guide)
  • IT Policy – An IT policy is a set of policies issued by an organization to ensure that all users within the domain of the organization or its networks comply with rules and guidelines related to the usage of the information stored digitally at any point in the network or within the organization’s boundaries of authority. IT Governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Gartner_Inc)
  • IT Policy Framework – According to Wikipedia, a policy framework is a document that sets out a set of procedures or goals, which might be used in negotiation or decision-making to guide a more detailed set of policies, or to guide ongoing maintenance of an organization’s policies. An example of a specific policy framework is the NIST Cybersecurity Framework. (Policy Framework)
  • Risk Management – Risk management is the identification, evaluation, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. (Risk Management)
  • Risk Profile – A risk profile is a quantitative analysis of the types of threats an organization, asset, project or individual faces. The goal of a risk profile is to provide a non-subjective understanding of risk by assigning numerical values to variables representing different types of threats and the danger they pose. In finance, a risk profile can be a useful tool for discussing and evaluating a potential investment’s ability to maximize return on investment (ROI) while minimizing risk. (Rouse)
  • Policy Analysis – Policy analysis is a technique used in public administration to enable civil servants, activists, and others to examine and evaluate the available options to implement the goals of laws and elected officials. The process is also used in the administration of large organizations with complex policies. (Policy Analysis)
  • Cybersecurity Posture – Cybersecurity posture refers to an organization’s overall defense against cyber-attacks. Your cybersecurity posture encompasses any security policies in place, employee training programs, and security solutions you have deployed, from anti-malware to anti-virus. It is the collective security status of all software and hardware, services, networks, and information, and how secure you are as a result of those tools and processes. (SecurityScorecard)
  • Governance – Governance comprises all of the processes of governing, whether undertaken by the government of a state, by a market or by a network, over a social system (family, tribe, formal or informal organization, a territory or across territories), and whether through the laws, norms, power or language of an organized society. It relates to “the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions”. In lay terms, it could be described as the political processes that exist in and between formal institutions. (Governance)
  • IT Governance – Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization’s strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. (Corporate Governance)
  • IT Governance Framework – An Information Technology Governance Framework, or IT Governance Framework, is a type of framework that defines the ways and methods through which an organization can implement, manage and monitor IT governance. It provides guidelines and measures to effectively utilize IT resources and processes within an organization. (IT Governance Framework)
  • Governance, Risk Management and Compliance (GRC) – Governance, risk management and compliance (GRC) is the term covering an organization’s approach across these three practices: governance, risk management, and compliance. The first scholarly research on GRC was published in 2007, where GRC was formally defined as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” The research referred to common “keep the company on track” activities conducted in departments such as internal audit, compliance, risk, legal, finance, IT and HR, as well as the lines of business, the executive suite and the board itself. (Governance, Risk Management, and Compliance)
  • Val IT – Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level. The latest release of the framework, published by the IT Governance Institute (ITGI) and based on the experience of global practitioners and academics, is named Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0. It covers processes and key management practices for three specific domains and goes beyond new investments to include IT services, assets, other resources, and principles and processes for IT portfolio management. (Val IT)
  • Risk Governance – Risk governance refers to the institutions, rules, conventions, processes and mechanisms by which decisions about risks are taken and implemented. It can be both normative and positive, because it analyses and formulates risk management strategies to avoid and/or reduce the human and economic costs caused by disasters. (Risk Governance)
  • ISO/IEC 38500 – ISO/IEC 38500 is an international standard for the corporate governance of information technology, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. With the evolution of thinking in the field of IT governance, ISO/IEC 38500 was revised in 2015. The main changes include the title of the standard, from Corporate Governance of IT to Governance of IT for the Organization, which reflects the wider applicability of the standard. Terminology and definitions have also been updated and refined throughout the document to reflect the widened scope and to make the standard more applicable across different international jurisdictions, cultures and languages. (ISO/IEC 38500)
  • COSO – The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative to combat corporate fraud. It was established in the United States by five private-sector organizations dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud and financial reporting. COSO has established a common internal control model against which companies and organizations can evaluate their control systems. COSO is supported by five sponsoring organizations: the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). (Committee of Sponsoring Organizations)
  • ISO 27001/27002 – ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27. ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit. (ISO/IEC 27001)
  • Government Regulation – e.g., FERPA, GLBA, HIPAA or the FISA Amendments Act

  • Fact Sheet (aka Cheat Sheet) – e.g., NIST Financial Sector Access Rights Management: https://www.nccoe.nist.gov/sites/default/files/library/fact-sheets/fs-arm-fact-sheet.pdf

Created by Reaj Islam