  • 2. Framework Structure and Features

    • 2.1 Structure

      The Framework is structured around four main domains, namely: 

      • Information Technology Governance and Leadership.
      • Information Technology Risk Management.
      • Information Technology Operations Management.
      • System Change Management.

      For each domain, several subdomains are defined. A subdomain focuses on a specific IT governance topic. Per subdomain, the Framework states a Principle and Control Requirements.

      • A Principle summarizes the main set of required IT controls related to the subdomain.
      • The Control Requirements reflect the mandated IT controls that should be considered.

      The Framework should be implemented in view of the Principle stated for each subdomain, together with its associated Control Requirements.

      Control Requirements have been uniquely numbered according to the following numbering system throughout the Framework:

      Figure 2 - Control requirements numbering system

      The figure below illustrates the overall structure of the Framework and indicates the IT Governance Framework domains and subdomains, including a reference to the applicable section of the Framework.

      Figure 3 - Information Technology Governance Framework

    • 2.2 Principle-Based

      The Framework is principle-based, also referred to as risk-based. This means that it prescribes key IT governance principles and objectives to be embedded and achieved by the Member Organizations. The list of mandated Control Requirements provides additional direction and should be considered by the Member Organizations in achieving the objectives. When a certain Control Requirement cannot be tailored or implemented, the Member Organizations should consider applying compensating controls, pursuing an internal risk acceptance and requesting a formal waiver from SAMA. Please refer to Appendix D for details of the 'How to request Waiver from the Framework' process.

    • 2.3 Self-Assessment, Review and Audit

      The implementation of the Framework at the Member Organizations will be subject to a periodic self-assessment. The self-assessment will be performed by the Member Organizations based on a questionnaire. The self-assessments will be reviewed and audited by the Saudi Central Bank to determine the level of compliance with the Framework and the IT maturity level of the Member Organizations. Please refer to '2.4 Information Technology Governance Maturity Model' for more details about the information technology governance maturity model.

    • 2.4 Information Technology Governance Maturity Model

      The Information Technology Governance maturity level will be measured with the help of a predefined maturity model. The information technology governance maturity model distinguishes 6 maturity levels (0, 1, 2, 3, 4 and 5), which are summarized in the table below. In order to achieve levels 3, 4 or 5, Member Organizations should first meet all criteria of the preceding maturity levels.

      Level 0 - Non-existent

      Definition and criteria:
      • No documentation.
      • There is no awareness of or attention to the particular information technology control.

      Explanation:
      • IT controls are not in place. There may be no awareness of the particular risk area or no current plans to implement such IT controls.

      Level 1 - Ad-hoc

      Definition and criteria:
      • IT controls are not defined, or are only partially defined.
      • IT controls are performed in an inconsistent way.
      • IT controls are not fully defined.

      Explanation:
      • IT control design and execution vary by department or owner.
      • IT control design may only partially mitigate the identified risk, and execution may be inconsistent.

      Level 2 - Repeatable but informal

      Definition and criteria:
      • The execution of the IT control is based on an informal and unwritten, though standardized, practice.

      Explanation:
      • Repeatable IT controls are in place. However, the control objectives and design are not formally defined or approved.
      • There is limited consideration for a structured review or testing of a control.

      Level 3 - Structured and formalized

      Definition and criteria:
      • IT controls are defined, approved and implemented in a structured and formalized way.
      • The implementation of IT controls can be demonstrated.

      Explanation:
      • IT policies, standards and procedures are established.
      • Compliance with IT documentation (i.e., policies, standards and procedures) is monitored, preferably using a governance, risk and compliance (GRC) tool.
      • Key performance indicators are defined, monitored and reported to evaluate the implementation.

      Level 4 - Managed and measurable

      Definition and criteria:
      • The effectiveness of the IT controls is periodically assessed and improved when necessary.
      • This periodic measurement, the evaluations and the opportunities for improvement are documented.

      Explanation:
      • The effectiveness of IT controls is measured and periodically evaluated.
      • Key risk indicators and trend reporting are used to determine the effectiveness of the IT controls.
      • Results of measurement and evaluation are used to identify opportunities for improvement of the IT controls.

      Level 5 - Adaptive

      Definition and criteria:
      • IT controls are subject to a continuous improvement plan.

      Explanation:
      • The enterprise-wide IT governance program focuses on continuous compliance, effectiveness and improvement of the IT controls.
      • IT controls are integrated with the enterprise risk management framework and practices.
      • The performance of IT controls is evaluated using peer and sector data.

      Table 1 - Information technology governance Maturity Model

      • 2.4.1 Maturity Level 3

        To achieve level 3 maturity, a Member Organization should define, approve and implement IT controls. In addition, it should monitor compliance with the IT documentation. The IT documentation should clearly indicate "why", "what" and "how" IT controls should be implemented. The IT documentation consists of IT policies, standards and procedures.

        Figure 4 - Information Technology Documentation Pyramid

        The IT policy should be endorsed and mandated by the board of the Member Organization and should state "why" IT is important to the Member Organization. The policy should highlight which information assets should be protected and "what" IT principles and objectives should be established.

        Based on the IT policy, IT standards should be developed. These standards define "what" IT controls should be implemented, such as segregation of duties, back-up and recovery rules, etc. The standards support and reinforce the IT policy and are to be considered as IT baselines.

        The step-by-step tasks and activities that should be performed by staff of the Member Organization are detailed in the IT procedures. These procedures prescribe "how" the IT controls, tasks and activities have to be executed in the operating environment.

        The process in the context of this framework is defined as a structured set of activities designed to accomplish the specified objective. A process may include policies, standards, guidelines, procedures, activities and work instructions, as well as any of the roles, responsibilities, tools and management controls required to reliably deliver the output.

        The actual progress of the implementation, performance and compliance of the IT controls should be periodically monitored and evaluated using key performance indicators (KPIs).

      • 2.4.2 Maturity Level 4

        To achieve maturity level 4, Member Organizations should periodically measure and evaluate the effectiveness of implemented IT controls. In order to measure and evaluate whether the IT governance controls are effective, key risk indicators (KRIs) should be defined. A KRI indicates the norm for effectiveness measurement and should define thresholds to determine whether the actual result of measurement is below, on, or above the targeted norm. KRIs are used for trend reporting and identification of potential improvements.

      • 2.4.3 Maturity Level 5

        Maturity level 5 focuses on the continuous improvement of IT controls. Continuous improvement is achieved through continuously analyzing the goals and achievements of IT governance and identifying structural improvements. IT controls should be integrated with enterprise risk management practices and supported with automated real-time monitoring. Business process owners should be accountable for monitoring the compliance of the IT controls, measuring the effectiveness of the IT controls and incorporating the IT controls within the enterprise risk management framework. Additionally, the performance of IT controls should be evaluated using peer and sector data.