3.1.1 Information Technology Governance
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
Principle
An IT Governance structure should be defined, endorsed and supported with appropriate resources to oversee and control the Member Organization's overall approach to Information Technology.
Control Requirements
1. Member Organizations should establish an ITSC, mandated by the board.
2. The ITSC should be headed by a senior manager responsible for the Member Organization's operations.
3. The following positions should be represented in the ITSC:
   a. senior managers from all relevant departments (e.g., CRO, CISO, compliance officer, heads of relevant business departments);
   b. Chief Information Officer (CIO); and
   c. Internal Audit, which may attend as an "observer".
4. An ITSC charter should be developed and approved, and should reflect the following:
   a. committee objectives;
   b. roles and responsibilities;
   c. minimum number of meeting participants;
   d. meeting frequency (at minimum on a quarterly basis); and
   e. documentation and retention of meeting minutes and decisions.
5. A full-time senior manager for the IT function, referred to as the CIO, should be appointed at senior management level.
6. The Member Organizations should:
   a. ensure the CIO is a Saudi national;
   b. ensure the CIO is sufficiently qualified; and
   c. obtain a written no-objection letter from SAMA prior to assigning the CIO.
7. The Member Organizations should establish formal practices for IT-related financial activities covering budget, cost, and prioritization of spending, aligned with the IT strategic objectives.
8. The overall IT budget should be monitored, reviewed periodically and adjusted accordingly to meet the IT and business needs.
9. Member Organizations should define the roles and responsibilities of senior management and IT staff using a responsibility assignment matrix, also known as RACI. The RACI matrix should outline who is responsible and accountable for each function, as well as who should be consulted or informed.
10. Member Organizations should define an enterprise architecture reflecting the fundamental components of the business processes and their supporting technology layers, to ensure responsive and efficient delivery of strategic objectives.
11. Member Organizations should define an enterprise application architect role within the IT function to identify the required changes to the portfolio of applications across the Member Organization's ecosystem.
12. Roles and responsibilities within the IT function should be:
   a. documented and approved by the management; and
   b. segregated to avoid conflict of interest.
13. Member Organizations should develop a formal IT succession plan in coordination with the Human Resources (HR) Department, taking into consideration the reliance on key IT staff holding critical roles and responsibilities.