Network Security CISSP-Discussion
[CISSP-D] REVIEW: "IT Governance", Peter Weill/Jeanne W. Ross

Date: Wed, 14 Feb 2007 12:04:12 -0800
BKITGOVR.RVW   20070105

"IT Governance", Peter Weill/Jeanne W. Ross, 2004, 1-59139-253-5,
U$35.00
%A   Peter Weill
%A   Jeanne W. Ross
%C   60 Harvard Way, Boston MA   02163
%D   2004
%G   1-59139-253-5
%I   Harvard Business School Press
%O   U$35.00 617-495-6700 800-545-7685 http://www.hbsp.harvard.edu
%O  http://www.amazon.com/exec/obidos/ASIN/1591392535/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1591392535/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1591392535/robsladesin03-20
%O   Audience a- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   267 p.
%T   "IT Governance"

The preface promotes IT (Information Technology) governance, but is
vague on what that might be.  It also talks about decision rights (who
gets to influence or make the decision), IT architecture (though the
book only later notes that this involves integration and the creation
of standards), and business strategies.

Chapter one does give (and repeats in different places) the definition
that IT governance specifies the decision rights and accountability
framework that will encourage proper behaviour in using IT.  Thus,
governance is not about specific decisions as such, but entails the
factors regarding who determines and contributes to decisions.  (The
OECD (Organisation for Economic Co-operation and Development) provides
that corporate governance is a structure for determining
organizational objectives and monitoring performance and progress
towards them.  The book suggests that effective governance arises from
factors involving what decisions ensure effective management, who
makes those decisions, and how the decisions are made and monitored.) 
Concerning the encouragement of proper behaviour, certain management
structures will suit certain activities.  For example, the need for
innovation is not supported by a requirement that business units carry
the entire capital cost of infrastructure demanded by new
technologies, whereas assistance from the corporation as a whole (plus
the ability to charge other departments that come to use the new
tools) encourages such developments.

There is frequent confusion in regard to the term governance and what
differentiates it from management.  Chapter two notes that management
might be said to increase direct performance, while governance may,
through analysis, redirect activities to great effect.  (In a sense
this only moves the question back one level: this simply seems to be
the distinction between strategic and operational management.)  The
text also notes that five basic classes of decisions must be made in
IT: principles, architecture, infrastructure, business application
needs, and the prioritizing of investment.  However, the examples given
are not particularly helpful: it is clear why one set of IT principles
and policies might support certain given business objectives, but not
why they might be chosen over others.  Principles should, according to
the book, clarify the desired operating model, IT's support for the
model, and the IT funding structure: the examples given definitely
don't illuminate financial support.  Infrastructure is defined as the
common (long-term) services supporting an activity: whether utilities,
data, or human capital.  There is little of use in the discussion of
business needs, and most of the investment material is quite generic.

Chapter three lists six governance archetypes, where decisions are
made by executive management, IT management, business unit management,
a consensus of executive and business unit management, a consensus of
IT and business unit management, and anarchy.  A grid is created
noting (from survey data) which of these archetypes has input to, or
decision power over, five IT decision areas.  There is little useful
analysis, and a few case studies.  Types of decision-making mechanisms
are catalogued and discussed in chapter four.  Three basic types are
the basis for the outline: decision-making structures (such as
committees and teams), alignment processes (policy audits), and
communications.  Chapter five is an attempt to assess what type of IT
governance works best, but the means are questionable and the
appraisal is weak.  The raw data seems to indicate that it is best to
obtain input from executive management and the business units, but
that decisions are best left to IT management.  As this runs counter
to common business practice, the text tries to suggest alternative
models.  Case studies in chapter six are presented as linking
strategy, IT governance and performance.  The links are weak, and
similar stories in chapter seven do little to explain distinctive
governance issues for government and not-for-profit organizations.
The leadership principles suggested for IT governance in chapter eight
are generic, and unrelated to the research or analysis cited in the
prior material.

Some of the figures and illustrations (such as the governance
arrangements matrix) are helpful and explanatory while others (like
the governance design framework) are of little use.

The writing in the book is not engaging.  The material presented is
true, but not compelling, and is slow to develop.  Content is repeated
in later chapters or sections, usually with expansion, but the lack of
initial development leaves the reader wondering if anything of value
is going to be said or done.  There is some merit in the deliberation
that this work makes on management, decisions, and sources of input,
but there would have been greater worth in compressing the few ideas
into fewer pages.

copyright Robert M. Slade, 2007   BKITGOVR.RVW   20070105


