3.1.1 Information Technology Governance
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Principle
An IT Governance structure should be defined, endorsed and supported with appropriate resources to oversee and control the Member Organization's overall approach to Information Technology.
Control Requirements
1. Member Organizations should establish an ITSC, mandated by the board.
2. The ITSC should be headed by a senior manager responsible for the Member Organization's operations.
3. The following positions should be represented in the ITSC:
   a. senior managers from all relevant departments (e.g., CRO, CISO, compliance officer, heads of relevant business departments);
   b. Chief Information Officer (CIO); and
   c. Internal Audit, which may attend as an "observer".
4. An ITSC charter should be developed and approved, and should reflect the following:
   a. committee objectives;
   b. roles and responsibilities;
   c. minimum number of meeting participants;
   d. meeting frequency (at minimum on a quarterly basis); and
   e. documentation and retention of meeting minutes and decisions.
5. A full-time senior manager for the IT function, referred to as the CIO, should be appointed at senior management level.
6. The Member Organizations should:
   a. ensure the CIO is a Saudi national;
   b. ensure the CIO is sufficiently qualified; and
   c. obtain a written no-objection letter from SAMA prior to assigning the CIO.
7. The Member Organizations should establish formal practices for IT-related financial activities covering budget, cost, and prioritization of spending, aligned with IT strategic objectives.
8. The overall IT budget should be monitored, reviewed periodically and adjusted accordingly to meet the IT and business needs.
9. Member Organizations should define the roles and responsibilities of senior management and IT staff using a responsibility assignment matrix, also known as RACI. The RACI matrix should outline who is responsible and accountable for each function, as well as who should be consulted or informed.
10. Member Organizations should define an enterprise architecture reflecting the fundamental components of the business processes and their supporting technology layers, to ensure responsive and efficient delivery of strategic objectives.
11. Member Organizations should define an enterprise application architect role within the IT function to identify the required changes to the portfolio of applications across the Member Organization's ecosystem.
12. Roles and responsibilities within the IT function should be:
   a. documented and approved by the management; and
   b. segregated to avoid conflict of interest.
13. Member Organizations should develop a formal IT succession plan in coordination with the Human Resource (HR) Department, taking into consideration the reliance on key IT staff having critical roles and responsibilities.