  • 3.1 Information Technology Governance and Leadership

    The Member Organization's board is ultimately responsible for setting the Information Technology (IT) Governance and ensuring that IT risks are effectively managed within the Member Organization. The board of the Member Organization can delegate its IT Governance responsibilities to senior management or to an IT steering committee (ITSC). The ITSC could be responsible for defining the IT governance and setting the Member Organization's IT strategy.

    • 3.1.1 Information Technology Governance

      Principle

      An IT Governance structure should be defined, endorsed and supported with appropriate resources to oversee and control the Member Organization's overall approach to Information Technology.

      Control Requirements

      1. Member Organizations should establish an ITSC, mandated by the board.

      2. The ITSC should be headed by a senior manager responsible for the Member Organization's operations.

      3. The following positions should be represented in the ITSC:

       a. senior managers from all relevant departments (e.g., CRO, CISO, compliance officer, heads of relevant business departments);

       b. Chief Information Officer (CIO); and

       c. Internal Audit may attend as an "observer".

      4. An ITSC charter should be developed and approved, and should reflect the following:

       a. committee objectives;

       b. roles and responsibilities;

       c. minimum number of meeting participants;

       d. meeting frequency (at minimum on a quarterly basis); and

       e. documentation and retention of meeting minutes and decisions.

      5. A full-time senior manager for the IT function, referred to as the CIO, should be appointed at senior management level.

      6. The Member Organizations should:

       a. ensure the CIO is a Saudi national;

       b. ensure the CIO is sufficiently qualified; and

       c. obtain a written no-objection letter from SAMA prior to assigning the CIO.

      7. The Member Organizations should establish formal practices for IT-related financial activities covering budget, cost, and prioritization of spending aligned with IT strategic objectives.

      8. The overall IT budget should be monitored, reviewed periodically and adjusted accordingly to meet the IT and business needs.

      9. Member Organizations should define the roles and responsibilities of senior management and IT staff using a responsibility assignment matrix, also known as RACI. The RACI matrix should outline who is responsible and accountable for the functions, as well as who should be consulted or informed.

      10. Member Organizations should define an enterprise architecture reflecting the fundamental components of the business processes and their supporting technology layers, to ensure responsive and efficient delivery of strategic objectives.

      11. Member Organizations should define an enterprise application architect role within the IT function to identify the required changes to the portfolio of applications across the Member Organization's ecosystem.

      12. Roles and responsibilities within the IT function should be:

       a. documented and approved by management; and

       b. segregated to avoid conflicts of interest.

      13. Member Organizations should develop a formal IT succession plan in coordination with the Human Resources (HR) Department, taking into consideration the reliance on key IT staff having critical roles and responsibilities.
       
      • 3.1.2 Information Technology Strategy

        Principle

        An IT strategy should be defined in alignment with the Member Organization's strategic objectives and in compliance with legal and regulatory requirements.

        Control Requirements

        1. An IT strategy should be defined, approved, maintained and executed.

        2. IT strategic initiatives should be translated into a defined roadmap, considering the following:

         a. the initiatives should close the gaps between the current and target environments;

         b. the initiatives should be integrated into a coherent IT strategy that aligns with the business strategy;

         c. the initiatives should address the external ecosystem (enterprise partners, suppliers, start-ups, etc.); and

         d. the roadmap should include determining dependencies, overlaps, synergies and impacts among projects, and their prioritization.

        3. The IT strategy should be aligned with:

         a. the Member Organization's overall business objectives; and

         b. the legal and regulatory compliance requirements of the Member Organization.

        4. The IT strategy should, at minimum, address:

         a. the importance and benefits of IT for the Member Organization;

         b. the current business and IT environment, the future direction, and the initiatives required to migrate to the future-state environment; and

         c. the interdependencies of the critical information assets.

        5. Member Organizations should identify IT strategic and emerging technology risks that may impact the achievement of overall organization-wide strategic objectives.

        6. Member Organizations should enhance the skill sets and expertise (operational and technical) of existing resources by providing periodic training on emerging technologies and, if required, onboard the relevant resources in line with the Member Organization's direction towards digitalization.

        7. The IT strategy should be reviewed and updated periodically or upon a material change in the Member Organization's operational environment, a change in business strategy or objectives, or an amendment to laws and regulations.
         
      • 3.1.3 Manage Enterprise Architecture

        Principle

        An enterprise architecture should be defined which outlines the fundamental components of the business processes, data and supporting technology layers, to ensure responsive and efficient delivery of the Member Organization's IT strategic objectives.

        Control Requirements

        1. The enterprise architecture should be defined, approved and implemented.

        2. Compliance with the enterprise architecture should be monitored.

        3. The enterprise architecture should address the following, but not be limited to:

         a. a strategic outline of the organization's technology capabilities;

         b. the gaps between baseline and target architectures, from both business and technical perspectives; and

         c. agility to meet changing business needs in an effective and efficient manner.
         
      • 3.1.4 Information Technology Policy and Procedures

        Principle

        IT policy and procedures should be defined, approved, communicated and implemented to set out the Member Organization's commitment and objectives for IT, and communicated to the relevant stakeholders.

        Control Requirements

        1. IT policy and procedures should be defined, approved, communicated and implemented.

        2. IT policy and procedures should be reviewed periodically, taking into consideration the evolving technology landscape.

        3. The IT policy should be developed considering input from relevant Member Organization policies (e.g., cyber security, finance, HR).

        4. The IT policy should include:

         a. the Member Organization's overall IT objectives and scope;

         b. a statement of the board's intent, supporting the IT objectives;

         c. a definition of general and specific responsibilities for IT; and

         d. references to supporting (inter)national IT standards and processes (where applicable).
         
      • 3.1.5 Roles and Responsibilities

        Principle

        IT roles and responsibilities should be defined and all parties involved in the Member Organization's IT processes should have an adequate level of understanding of the expectations related to their role.

        Control Requirements

        1. The board should be accountable for:

         a. the ultimate responsibility for the establishment of IT governance practice;

         b. ensuring that a robust IT risk management framework is established and maintained to manage IT risks;

         c. ensuring that sufficient budget for IT is allocated;

         d. approving the IT steering committee (ITSC) charter; and

         e. endorsing (after approval by the ITSC):

          1. the governance and management practices, roles and responsibilities;

          2. the IT strategy; and

          3. the IT policy.

        2. The ITSC, at a minimum, should be responsible for:

         a. monitoring, reviewing and communicating the Member Organization's IT risks periodically; and

         b. approving, communicating, supporting and monitoring:

          1. IT strategy;

          2. IT policies;

          3. IT risk management processes; and

          4. key performance indicators (KPIs) and key risk indicators (KRIs) for IT.

        3. The CIO, at a minimum, should be accountable for:

         a. developing, implementing and maintaining:

          1. IT strategy;

          2. IT policy; and

          3. IT budget;

         b. ensuring that detailed IT standards and procedures are established, approved and implemented;

         c. delivering risk-based IT solutions that address people, process and technology;

         d. defining and maintaining specific key performance indicators (KPIs) and key risk indicators (KRIs) for IT processes;

         e. periodically informing the ITSC of the latest developments in IT strategic initiatives and their implementation status;

         f. implementing adequate technology to streamline all internal operations and help optimize their strategic benefits;

         g. the IT activities across the Member Organization, including:

          1. monitoring of IT operations;

          2. monitoring of compliance with IT regulations, policies, standards and procedures; and

          3. overseeing the investigation of IT-related incidents;

         h. analyzing IT costs, value and risks to advise the COO/Managing Director; and

         i. defining an IT training plan in coordination with HR.

        4. The internal audit function should be responsible for:

         a. the identification of a comprehensive set of auditable areas for IT risk, and the performance of effective IT risk assessment during audit planning; and

         b. performing IT audits.

        5. The enterprise application architect, at a minimum, should be responsible for:

         a. developing IT ecosystem application architecture models, processes and documentation;

         b. developing enterprise-level applications and custom integration solutions, including major enhancements and interfaces, functions and features; and

         c. ensuring continuous improvement in the transition between current and future states of the application architectures.

        6. All Member Organization staff should be responsible for complying with applicable IT policy, standards and procedures.
         
      • 3.1.6 Regulatory Compliance

        Principle

        Relevant regulations, including data privacy, that affect the IT operations of the Member Organizations should be identified, communicated and complied with.

        Control Requirements

        1. Member Organizations should establish a process ensuring compliance with IT-related regulatory requirements. The process of ensuring compliance should:

         a. be performed periodically or when new regulatory requirements become effective;

         b. involve representatives from key areas of the Member Organization;

         c. result in the update of IT policy, standards and procedures to accommodate any necessary changes (if applicable); and

         d. maintain an up-to-date log of all relevant legal, regulatory and contractual requirements, their impact and the required actions.
         
      • 3.1.7 Internal IT Audit

        Principle

        IT audits should be conducted in accordance with generally accepted auditing standards and the relevant SAMA framework(s) to verify that the IT control design is adequately implemented and operating as intended.

        Control Requirements

        1. IT audits should be performed independently and according to generally accepted auditing standards and relevant SAMA frameworks.

        2. The Member Organizations should establish an audit cycle that determines the frequency of IT audits.

        3. Member Organizations should develop a formal IT audit plan addressing people, process and technology components.

        4. The IT audit plan should be approved by the Member Organization's audit committee.

        5. The frequency of IT audits should be aligned with the criticality and risk of the IT system or process.

        6. A follow-up process for IT audit observations should be established to track and monitor IT audit observations.

        7. Member Organizations should ensure that the IT auditors have the requisite level of competencies and skills to effectively assess and evaluate the adequacy of the IT policies, procedures, processes and controls implemented.

        8. The IT audit report, at a minimum, should:

         a. include the findings, recommendations, management's response with a defined action plan and responsible party, and any limitations in scope with respect to the IT audits;

         b. be signed, dated and distributed according to the defined format; and

         c. be submitted to the audit committee on a periodic basis.
         
      • 3.1.8 Staff Competence and Training

        Principle

        Staff of the Member Organizations should be equipped with the skills and knowledge required to operate the Member Organization's information assets in a controlled manner, and provided with training on how to operate, address and apply the relevant IT controls on the Member Organization's information assets.

        Control Requirements

        1. Member Organizations should identify and define critical roles within the IT department (e.g., DBA, sysadmin, etc.).

        2. Member Organizations should ensure adequate staffing for critical IT roles, such that no critical IT role is handled by only one staff member.

        3. Member Organizations should identify the professional certifications required for staff responsible for critical IT roles.

        4. Member Organizations should evaluate staffing requirements on a periodic basis or upon major changes to the business, operational or IT environments, to ensure that the IT function has sufficient resources.

        5. An annual IT training plan should be developed by the Member Organizations.

        6. Formal training should be conducted, as a minimum, for:

         a. IT staff (existing and new); and

         b. contractors (where applicable).

        7. The IT training plan should be reviewed periodically.

        8. Specialist training should be provided to staff in the Member Organization's relevant functional area categories in line with their job descriptions, including:

         a. staff involved in performing critical IT roles;

         b. staff involved in developing and (technically) maintaining information assets; and

         c. staff involved in risk assessments.
         
      • 3.1.9 Performance Management

        Principle

        The efficiency and effectiveness of the IT processes and services of the Member Organizations should be continuously measured through key performance indicators (KPIs).

        Control Requirements

        1. KPIs should be defined, approved and implemented to measure the execution of IT processes and system performance.

        2. KPIs should be defined considering the following, but not limited to:

         a. the IT function and related processes;

         b. workforce competency and development; and

         c. compliance with regulatory requirements.

        3. KPIs should be:

         a. communicated to the concerned IT divisions/units of the Member Organizations for implementation;

         b. supported by target values and thresholds;

         c. analyzed to identify deviations against targets and initiate remedial actions;

         d. analyzed to identify trends in performance and compliance and take appropriate action; and

         e. monitored and periodically reported to senior management and the ITSC.