IT Governance Manual
Bank Audi
Jordan Branches
March 2017
IT Governance Manual
Issue Date: March 2017 Bank Audi – Jordan Branches
This Guide is developed based on CBJ regulations No. 65/2016 and ISACA’s COBIT5 Framework Page 1 of 42
Contents
1. Introduction ......................................................................................................... 3
2. Context ............................................................................................................... 3
3. Scope ................................................................................................................. 5
4. Objectives ........................................................................................................... 6
5. Pain Points and Trigger Events ............................................................................... 7
6. General Policies .................................................................................................... 8
7. Five key Principles of the Governance Framework ................................................... 11
8. Goals Setting and Cascading ................................................................................ 12
Appendix A: Matrix of Enterprise Goals........................................................................ 14
Appendix B: Matrix of Information and Related Technology Goals ................................... 17
Appendix C: IT Governance and Management Processes................................................ 21
Appendix D: Minimum Set of Policies for the Governance Framework .............................. 33
Appendix E: Minimum Set of Reports for the Governance Framework .............................. 37
Appendix F: Services and Software Infrastructure for Information Technology ................. 38
Appendix G: Goals Cascade ....................................................................................... 39
Appendix H: Definitions ............................................................................................. 41
Appendix I: References ............................................................................................. 42
1. Introduction
Bank Audi has recognized that the Board and Executives need to embrace IT like any other
significant business asset in the Bank. Bank Audi Board of Directors and Executive
Management - both in the business and IT functions - collaborated and worked together to
include IT within the Governance and Management approach.
In response to the Central Bank of Jordan’s regulations number 65/2016, Bank Audi has
taken the initiative to use the COBIT5 framework for the Governance and Management of
Information and Related Technology to comply with the regulation.
COBIT5 provides a comprehensive framework that assists Bank Audi in achieving its
objectives for the Governance and Management of enterprise IT. Simply stated, it helps
Bank Audi create optimal value from IT by maintaining a balance between realizing benefits
and optimizing risk levels and resource use. COBIT5 enables IT to be governed and
managed in a holistic manner for the entire enterprise, taking in the full end-to-end business
and IT functional areas of responsibility, considering the IT-related interests of internal and
external stakeholders.
2. Context
Bank Audi is a regional group with a universal banking profile. The Bank offers universal
financial products and services including Corporate, Commercial, Individual and Retail, and
Private Banking services, in addition to Investment Banking. As of the end of December 2016,
Bank Audi’s consolidated assets reached USD 44.4 billion, principally driven by private
customers’ deposits of USD 36 billion, with shareholders’ equity reaching USD 3.8 billion.
Bank Audi’s group staff headcount exceeds 7,000 employees and its shareholders’ base
encompasses more than 1,500 holders of common shares and/or holders of Global
Depositary Receipts (GDRs) representing common shares. Bank Audi ranks first among
Lebanese banking groups and is positioned in the inner circle of top regional banking groups.
Its shares are listed on the Beirut Stock Exchange. Its GDRs are listed on both the Beirut
Stock Exchange and the London Stock Exchange.
Based on a diversified universal model, Bank Audi operates principally in Lebanon, the
Middle East and North Africa (MENA) region, Europe and Turkey, while offering a wide range
of products and services: Commercial and Corporate Banking, Retail and Individual Banking,
online brokerage, Private Banking and Investment Banking. The bank is considered a
full-fledged regional bank with presence in 11 countries.
To confirm its leading position in domestic, regional and international markets and further
sustain its steady growth dynamic, Bank Audi launched its operations in Jordan in
September 2004. Bank Audi Jordan Branches deliver fully-integrated business and financing
solutions to clients of small, medium and large enterprises through a solid network of 14
branches, 26 ATMs and highly-trained human capital. The bank accounts are designed to
offer customers the security of savings accounts. It also offers special deposit accounts with
attractive interest rates. The number of Bank Audi employees in the Jordan Branches is around 300.
Bank Audi has a wide range of consumer lending products which include various loan types:
home, car, personal, high-tech (PC, flat panels, iPads and smartphones) and other retail
and purpose loans. These are all tangible proofs of the bank’s pioneering approach to
banking.
Bank Audi offers a large selection of classic to premium credit cards from VISA and
MasterCard that cater to different segments such as individuals with varying needs and all
types of businesses. Moreover, Bank Audi provides a comprehensive range of insurance and
savings products.
Bank Audi has gradually expanded its line of services to introduce internet banking through
Audi On-Line, allowing a number of account transactions to be conducted online anywhere
and anytime with utmost convenience.
3. Scope
The scope of implementing this guide includes all Bank Audi operations based on information
technology in various branches and departments in Jordan. All stakeholder parties shall be
considered concerned with applying the instructions, each in its respective role and location.
The following parties and their key responsibilities are defined in CBJ regulations in this
regard:
- Chairman and members of the Board and outsourced experts: shall be assigned
responsibility for the overall direction of the governance project/program, approve tasks
and responsibilities within the project, and support and provide the needed funds.
- Regional Manager and his Deputies and Assistants, and the Heads of the different
Departments and Units along with the Branch Managers: shall be assigned responsibility
for hiring the right experienced people in the Bank's operations to represent them in the
project and for defining their tasks and responsibilities.
- Regional Manager and the Directive/Steering Committee of Information Technology and
the project managers: take over the responsibilities of project/program management.
- Internal Audit: takes over its responsibilities directly under the instructions, and
participates in the project/program, representing the role of internal audit in executive
matters as a consultant and independent observer to facilitate the success and
completion of the project/program.
- Risks, Information Security, Compliance and Legal Departments: take over the
responsibilities involved in the project/program, representing the role of those
departments, and ensure that the project/program is represented by all interested
parties.
- Specialists holding technical and professional certificates of the standard (COBIT5
Foundation, COBIT5 Implementation, COBIT5 Assessor and CGEIT), hired from inside and
outside the bank: take over the role of mentor to disseminate knowledge of the standard
and to facilitate the implementation process.
According to CBJ regulations, Bank Audi Board through the established Corporate
Governance Committee shall have direct responsibility for the five processes of
Governance (EDM) (Evaluate, Direct and Monitor) listed in Appendix C.
Bank Audi Board and Risk Management Department shall take over direct responsibility
for the process of "Ensure Risk Optimization” (EDM 03) and the process of “APO12
Manage Risk.”
4. Objectives
Bank Audi has set the following objectives of the Governance and Management of
Information and Related Technology framework:
4.1. Meet stakeholder needs and achieve the objectives of the bank through the
utilization of an established Governance framework that:
- Facilitates the creation of value by delivering expected benefits, optimizing risk,
and optimizing resources.
- Provides assurance of information quality to support decision-making.
- Provides for technological infrastructure that enables the bank to achieve its
objectives.
- Upgrades the bank's operations by employing efficient, reliable and purpose-driven
technological systems.
- Applies strict risk management of information technology to ensure the necessary
protection of the bank’s assets.
- Assists in achieving compliance with the requirements of laws, regulations and
instructions, as well as with Bank Audi policies, strategy and internal working
procedures.
- Improves the reliability of the internal control environment.
- Maximizes the level of satisfaction of information technology users by efficiently
and effectively meeting the needs of their work.
- Manages the services of external parties entrusted with carrying out operations,
services and products.
4.2. Utilize the COBIT5 process reference model to design efficient and effective solutions
for the delivery of value to stakeholders.
4.3. Separate Governance from Management as consistent with internationally
recognized standards for the governance and management of information and
related technology.
5. Pain Points and Trigger Events
Bank Audi has recognized the need to have a Governance framework for Information and
Related Technology in place after identifying a number of factors and pain points.
Specific issues that disrupt the business and cause additional or excessive management
effort are referred to as “pain points”, while issues that prompt change as a result of
internal decisions or foreseeable external factors are referred to as “trigger events.”
The pain points and trigger events were used as the launching point for the implementation
initiative at Bank Audi, so the business case for Governance or Management of enterprise IT
improvement is now related to practical, everyday issues being experienced.
In addition to the pain points, the Governance framework will help Bank Audi deal with the
following signals and triggers in the internal and external environment:
- Merger, acquisition or diversification.
- A shift in the market, economy or competitive position.
- A change in the business operating model or sourcing arrangements.
- New regulatory or compliance requirements.
- A significant technology change or paradigm shift.
- An enterprise-wide Governance focus or project.
- External audit or consultant assessments.
- A new business strategy or priority.
6. General Policies
6.1. This guide is based on the Central Bank of Jordan’s regulations No. 65/2016 and is
created based on the COBIT5 framework. It should be reviewed and updated on a
regular basis to ensure its consistency with any updated regulations or framework
updates by ISACA.
6.2. Bank Audi shall, through the Committee of Information Technology Governance
emanating from the Board, review this guide and update it whenever necessary.
6.3. The bank shall publish this guide in any appropriate manner for public inspection,
such as on its website.
6.4. Committees
Bank Audi has established the required committees to govern and direct the
governance framework in the bank: the IT Governance Committee and the IT Steering
Committee.
IT Governance Committee:
- As per the Central Bank of Jordan instructions, the Board shall form a committee
for the Governance of Information Technology. This committee shall be formed of
at least three members, and shall preferably include people with experience or
strategic knowledge in information technology.
- The committee shall meet on a quarterly basis at least, maintain documented
records of its meetings, and carry out the tasks mentioned in the CBJ regulations.
IT Steering Committee:
- The Senior Executive Management shall form the necessary directive committees to
ensure the strategic alignment of Information Technology with the strategic
objectives of the bank, in a sustainable manner. Therefore, a committee named
the IT Steering Committee shall be formed, headed by the Regional Manager and
with the membership of Senior Executive Management managers, including the Head
of Information Technology, the Head of Risk Management and the Head of
Information Security. One of its members shall be elected to be an observer
member in this committee, as well as the Head of Internal Audit, and the committee
can invite third parties to attend the meetings when needed.
- The committee shall document its meetings, provided that periodic meetings are
held at least once every three months, and shall, in particular, carry out the
tasks mentioned in the CBJ regulations.
6.6. Policies System
Bank Audi Board or its delegate committees will adopt the necessary policies system
for the management and operations of governance of information technology as per
Appendix D, and will consider this policies system a minimum, with the possibility of
combining these policies as the nature of the work requires.
Bank Audi Board or its delegate will adopt the information systems and reports contained
in Appendix E, and will consider those systems a minimum, determining the owners of
such information and reports, through whom the authority to review and use them is
determined and delegated as needed for the work.
Bank Audi policies and reports will be regularly reviewed and updated to reflect the
development of the bank’s objectives and operations and in accordance with accepted
good practices and standards.
The Governance Framework of Information and Related Technology
• Principle 5: Separating Governance from Management:
COBIT5 framework makes a clear distinction between Governance and Management.
These two disciplines encompass different types of activities, require different
organizational structures and serve different purposes.
Governance: ensures that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved; setting direction
through prioritization and decision making; and monitoring performance and compliance
against agreed-on direction and objectives.
Management: plans, builds, runs and monitors activities in alignment with the direction
set by the governance body to achieve the enterprise objectives.
Bank Audi has adopted the COBIT5 goals cascade mechanism to translate stakeholder
needs into specific, actionable and customized enterprise goals, IT-related goals and
enabler goals. This translation allows setting specific goals at every level and in every
area of the bank in support of the overall goals and stakeholder requirements, and thus
effectively supports alignment between Bank Audi needs and IT solutions and services.
Step 4. IT-related Goals Cascade to Enabler Goals
Achieving IT-related goals requires the successful application and use of a number of
enablers. The enabler concept is explained in detail in chapter 5 of the COBIT5
framework. Enablers include:
1) Principles, Policies and Frameworks,
2) Processes,
3) Organizational Structures,
4) Culture, Ethics and Behaviors,
5) Information,
6) Services, Infrastructure and Applications, and
7) People, Skills and Competencies.
For each enabler, a set of specific relevant goals can be defined in support of the
IT-related goals. Processes are one of the enablers, and Appendix G in this document
contains a mapping between IT-related goals and the relevant COBIT5 processes, which
then contain related process goals.
Appendix A: Matrix of Enterprise Goals
The below table is based on CBJ instructions appendix (1), which is based on the COBIT5
framework created by ISACA.
Bank Audi will adopt the below list of enterprise goals as per the COBIT5 framework and CBJ
regulations, and evaluate the Bank's needs on a regular basis to select the most important,
relevant goals for each year (or years). The Bank’s goals will support its stakeholders’ needs.
06 Customer-oriented service culture
Measurement criteria (examples): Number of customer service disruptions due to IT service-related incidents (reliability). Percent of business stakeholders satisfied that customer service delivery meets agreed-on levels. Number of customer complaints. Trend of customer satisfaction survey results.
with business processing costs.
Appendix B: Matrix of Information and Related Technology Goals
The below table is based on CBJ instructions number (2), which is based on ISACA’s COBIT5
framework. Bank Audi will adopt the below list of IT goals as per the COBIT5 framework and
CBJ regulations.
Based on the selected Enterprise Goals from appendix A above, the Bank will select the
related IT goals from the table below, based on COBIT5 goals cascade mechanism.
Columns: Goal # | Goal Description | Measurement Criteria for Goals Achievement (Examples) | Related Enterprise Goals
01 Alignment of IT and business strategy
Measurement criteria (examples): Percent of enterprise strategic goals and requirements supported by IT strategic goals. Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services.
Related Enterprise Goals: 01, 03, 05, 07, 11, 13
Percent of enterprise risk assessments
including IT-related risk.
Frequency of update of risk profile.
09 IT agility
Measurement criteria (examples): Level of satisfaction of business executives with IT’s responsiveness to new requirements. Number of critical business processes supported by up-to-date infrastructure and applications. Average time to turn strategic IT objectives into an agreed-on and approved initiative.
Related Enterprise Goals: 01, 14
Appendix C: IT Governance and Management Processes
The below table is based on CBJ instructions number (3), which is based on ISACA’s COBIT5
framework. Bank Audi will adopt the below list of process goals as per the COBIT5 framework
and CBJ regulations.
Based on the selected IT related Goals from appendix B above, the Bank will select the
related process goals from the table below, based on COBIT5 goals cascade mechanism.
Columns: Process | Process Title | Process Description | Process Purpose | Numbers of Directly Related Information and Related Technology Goals
Evaluate, Direct and Monitor (EDM) Processes
EDM01 Ensure Governance Framework Setting and Maintenance
Description: Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.
Purpose: Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.
Related IT goals: 01, 03, 07
EDM02 Ensure Benefits Delivery
Description: Optimize the value contribution to the business from the business processes, IT services and IT assets resulting from investments made by IT at acceptable costs.
Purpose: Secure optimal value from IT-enabled initiatives, services and assets; cost-efficient delivery of solutions and services; and a reliable and accurate picture of costs and likely benefits so that business needs are supported effectively and efficiently.
Related IT goals: 01, 05, 06, 07, 17
EDM03 Ensure Risk Optimization
Description: Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
Purpose: Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.
Related IT goals: 04, 06, 10, 15
EDM04 Ensure Resource Optimization
Description: Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost.
Purpose: Ensure that the resource needs of the enterprise are met in the optimal manner, IT costs are optimized, and there is an increased likelihood of benefit realization and readiness for future change.
Related IT goals: 09, 11, 16
EDM05 Ensure Stakeholder Transparency
Description: Ensure that enterprise IT performance and conformance measurement and reporting are transparent, with stakeholders approving the goals and metrics and the necessary remedial actions.
Purpose: Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.
Related IT goals: 03, 06, 07
Align, Plan and Organize (APO) Processes
APO01 Manage the IT Management Framework
Description: Clarify and maintain the governance of enterprise IT mission and vision. Implement and maintain mechanisms and authorities to manage information and the use of IT in the enterprise in support of governance objectives in line with guiding principles and policies.
Purpose: Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organizational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.
Related IT goals: 01, 02, 09, 11, 15, 16, 17
APO02 Manage Strategy
Description: Provide a holistic view of the current business and IT environment, the future direction, and the initiatives required to migrate to the desired future environment. Leverage enterprise architecture building blocks and components, including externally provided services and related capabilities, to enable nimble, reliable and efficient response to strategic objectives.
Purpose: Align strategic IT plans with business objectives. Clearly communicate the objectives and associated accountabilities so they are understood by all, with the IT strategic options identified, structured and integrated with the business plans.
Related IT goals: 01, 07, 17
APO03 Manage Enterprise Architecture
Description: Establish a common architecture consisting of business process, information, data, application and technology architecture layers for effectively and efficiently realizing enterprise and IT strategies by creating key models and practices that describe the baseline and target architectures. Define requirements for taxonomy, standards, guidelines, procedures, templates and tools, and provide a linkage for these components. Improve alignment, increase agility, improve quality of information and generate potential cost savings through initiatives such as re-use of building block components.
Purpose: Represent the different building blocks that make up the enterprise and their inter-relationships as well as the principles guiding their design and evolution over time, enabling a standard, responsive and efficient delivery of operational and strategic objectives.
Related IT goals: 01, 09, 11
effectiveness and
compliance.
APO11 Manage Quality
Description: Define and communicate quality requirements in all processes, procedures and the related enterprise outcomes, including controls, ongoing monitoring, and the use of proven practices and standards in continuous improvement and efficiency efforts.
Purpose: Ensure consistent delivery of solutions and services to meet the quality requirements of the enterprise and satisfy stakeholder needs.
Related IT goals: 05, 07, 13
and services
portfolio.
BAI02 Manage Requirements Definition
Description: Identify solutions and analyze requirements before acquisition or creation to ensure that they are in line with enterprise strategic requirements covering business processes, applications, information/data, infrastructure and services. Co-ordinate with affected stakeholders the review of feasible options including relative costs and benefits, risk analysis, and approval of requirements and proposed solutions.
Purpose: Create feasible optimal solutions that meet enterprise needs while minimizing risk.
Related IT goals: 01, 07, 12
implement actions to meet the identified requirements.
requirements.
the identification, gathering, organizing, maintaining, use and retirement of knowledge.
informed decision making and enhanced productivity.
BAI09 Manage Assets
Description: Manage IT assets through their life cycle to make sure that their use delivers value at optimal cost, they remain operational (fit for purpose), they are accounted for and physically protected, and those assets that are critical to support service capability are reliable and available. Manage software licenses to ensure that the optimal number are acquired, retained and deployed in relation to required business usage, and the software installed is in compliance with license agreements.
Purpose: Account for all IT assets and optimize the value provided by these assets.
Related IT goals: 06, 11
BAI10 Manage Configuration
Description: Define and maintain descriptions and relationships between key resources and capabilities required to deliver IT-enabled services, including collecting configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository.
Purpose: Provide sufficient information about service assets to enable the service to be effectively managed, assess the impact of changes and deal with service incidents.
Related IT goals: 02, 11, 14
Deliver, Service and Support (DSS) Processes
DSS01 Manage Operations
Description: Co-ordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.
Purpose: Deliver IT operational service outcomes as planned.
Related IT goals: 04, 07, 11
DSS02 Manage Service Requests and Incidents
Description: Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents.
Purpose: Achieve increased productivity and minimize disruptions through quick resolution of user queries and incidents.
Related IT goals: 04, 07
DSS03 Manage Problems
Description: Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
Purpose: Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction by reducing the number of operational problems.
Related IT goals: 04, 07, 11, 14
DSS04 Manage Continuity
Description: Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
Purpose: Continue critical business operations and maintain availability of information at a level acceptable to the enterprise in the event of a significant disruption.
Related IT goals: 04, 07, 14
DSS05 Manage Security Services
Description: Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
Purpose: Minimize the business impact of operational information security vulnerabilities and incidents.
Related IT goals: 02, 04, 10
DSS06 Manage Define and maintain Maintain 04,07
Business appropriate business information
Process process controls to ensure integrity and the
Controls that information related to security of
and processed by in-house information assets
or outsourced business handled within
IT Governance Manual
Issue Date: March 2017 Bank Audi – Jordan Branches
This Guide is developed based on CBJ regulations No. 65/2016 and ISACA’s COBIT5 Framework Page 31 of 42
processes satisfies all business
relevant information processes in the
control requirements. enterprise or
Identify the relevant outsourced.
information control
requirements and manage
and operate adequate
controls to ensure that
information and
information processing
satisfy these requirements.
Monitor, Evaluate and Assess (MEA) Processes

MEA01 Monitor, Evaluate and Assess Performance and Conformance
  Description: Collect, validate and evaluate business, IT and process goals and metrics. Monitor that processes are performing against agreed-on performance and conformance goals and metrics and provide reporting that is systematic and timely.
  Purpose: Provide transparency of performance and conformance and drive achievement of goals.
  Related IT goals: 04, 07, 11, 15

MEA02 Monitor, Evaluate and Assess the System of Internal Control
  Description: Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.
  Purpose: Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.
  Related IT goals: 02, 04, 15

MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
  Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
  Purpose: Ensure that the enterprise is compliant with all applicable external requirements.
  Related IT goals: 02, 04
Appendix D: Minimum Set of Policies for the Governance Framework
The below table is based on CBJ instructions number (6), which is based on ISACA's COBIT5 framework. Bank Audi will adopt the below minimum set of policies to govern and manage the processes in the Bank.
Policy Name / Purpose / Scope

  Purpose (continued): ... into account the operations location ("On-site, Off-site, Near-site, Off-shore") and take into account the service level requirements, and activation of the right of Audit (Audit right) by credible third parties, and to achieve the requirements of business continuity and the controls necessary to protect the confidentiality and credibility as well as the efficiency and effectiveness in the use of resources.
Project Portfolio Management
  Purpose: Development of standards for the management of projects, including the phases of the project and the governance necessary to achieve the requirements relating to quality (Quality Requirements), those relating to protection and confidentiality (Confidentiality Requirements) and those relating to compliance, in order to achieve the objectives of the bank and its operations.
  Scope: All Bank projects related to information technology.

Asset management
  Purpose: Setting rules for the classification of data by degree of risk and according to the various regulations and standards, and for identifying owners and the controls that protect assets during the various stages of their life cycle.
  Scope: Data, hardware, software and the tools associated with them.

Acceptable use of information technology resources
  Purpose: The development of rules and standards to determine acceptable and unacceptable behavior for information technology resources.
  Scope: Hardware, software, applications and networks, including the Internet and e-mail.

Change Management
  Purpose: Development of the standards necessary to ensure the credibility of changes by documenting the necessary approvals from the owners of the assets subject to change.
  Scope: All information technology operations.

Mainframes/servers
  Purpose: To establish rules and standards to restrict access to devices and reduce their illegal use.
  Scope: All central systems and devices owned or managed by the Bank, for all development, testing and operation environments, including operating systems and other associated tools.

Client Machines
  Purpose: The development of rules and standards of behavior and other technical measures to ensure the protection of sensitive data stored on the devices.
  Scope: All client machines, whether linked to networks or stand-alone.
Portable devices
  Purpose: The development of rules and standards to ensure the protection of sensitive data stored on portable devices.
  Scope: All portable devices such as laptops, PDAs, smartphones, USB memory cards, etc.
User Access Management
  Purpose: The development of a policy for access management, granting access to data, software and hardware according to business needs, to ensure the confidentiality, credibility and availability of information technology resources.
  Scope: All software and hardware, and databases.

System Development Lifecycle
  Purpose: Development of a policy for the development and acquisition of software.
  Scope: New or upgraded software, developed in house or purchased.

Service Level Management
  Purpose: The development of rules and criteria for identifying, accepting, documenting, measuring, monitoring and improving the level of services provided to both internal and external parties, to ensure optimal utilization of resources.
  Scope: All agreements, contracts and obligations with internal and external parties.

Backup and Restore
  Purpose: The development of a policy for backup and recovery mechanisms to ensure high availability, credibility and confidentiality of data.
  Scope: Data in operating environments where needed.

Data Retention
  Purpose: Development of a policy for the amount of data that should be available, whether on paper or held on computers and the various applications, the length of time it is to be retained, and the trade-off between the amount of data available and the speed and performance of data access.
  Scope: All hardware and software tools and means of data retention.

Purchasing Policy
  Purpose: The development of rules and standards for the evaluation of external suppliers.
  Scope: All technical equipment and related programs.

Remote Access
  Purpose: The development of rules and standards for remote access to the bank's computer networks and devices.
  Scope: Internal and external parties and partners, such as service providers, and all development, testing and operation environments of devices and networks, including, but not limited to, Internet networks, encrypted networks and the different communication lines (such as Frame Relay, ISDN, VPN, DSL, MPLS).
Networks
  Purpose: The development of rules and standards to ensure the efficiency and effectiveness requirements in the use of network elements.
  Scope: All network elements in all environments.

Wireless networks
  Purpose: The development of rules and standards in order to protect sensitive data transmitted over wireless networks from interception and illegal use.
  Scope: All physical and virtual wireless networks.

Firewalls
  Purpose: Setting minimum rules and standards governing the protection of the bank's firewalls.
  Scope: All firewalls operating in all environments (such as DMZ, Proxy, External DNS, VPN, Routers, Switches, Servers, etc.).

Penetration Testing and Vulnerability Assessment
  Purpose: Testing the devices and network elements to ensure that no security breaches or vulnerabilities are in place.
  Scope: All technical assets of the Bank: servers, clients, network components and software.

Public Branch Exchange
  Purpose: Setting minimum standards for the protection of the public branch exchange, to ensure the protection and confidentiality of the data and the Bank's operations from illegal use.
  Scope: All owned and non-owned devices in the bank.
Appendix E: Minimum Set of Reports for the Governance Framework
The below list is based on CBJ instructions number (7), which is based on ISACA's COBIT5 framework. Bank Audi will adopt the below minimum set of reports to ensure that proper reporting is maintained in the bank; these reports are considered an anchor for the decision-making processes in the bank.
1. Authority Matrix.
2. IT Risk Factor Analysis.
3. IT Risk Scenario Analysis.
4. IT Risk Register.
5. RACI Chart.
6. IT Risk Profile.
7. IT Risk Report.
8. IT Risk Map or Heat Map.
9. Risk Universe, Appetite and Tolerance.
10. Key Risk Indicators.
11. Risk Taxonomy.
12. Risk and Control Activity Matrix (RCAM).
13. Information Security budget.
14. MIS Reports.
15. Audit Strategy.
16. IT Audit Charter and Engagement Letter.
17. IT Audit Plan.
18. HR Matrix.
19. Assurance Findings Register.
20. Assurance Report Repository.
21. The best international standards for the management of projects and information technology resources, risk management, and information technology security, protection and checking.
Appendix F: Services and Software Infrastructure for Information Technology
The below table is based on CBJ instructions number (8); please refer to it for further details. Bank Audi will adopt the below list of systems, services, programs and IT infrastructure supporting information to achieve the IT governance processes and the objectives of information and related technology.
Appendix G: Goals Cascade
Appendix H: Definitions
Governance: Governance ensures that stakeholder needs, conditions and options are
evaluated to determine balanced, agreed-on enterprise objectives to be achieved;
setting direction through prioritization and decision making; and monitoring performance
and compliance against agreed-on direction and objectives.
COBIT5: Formerly known as Control Objectives for Information and related Technology
(COBIT); now used only as the acronym in its fifth iteration. A complete, internationally
accepted framework for governing and managing enterprise information and technology
(IT) that supports enterprise executives and management in their definition and
achievement of business goals and related IT goals. COBIT describes five principles and
seven enablers that support enterprises in the development, implementation, and
continuous improvement and monitoring of good IT-related governance and
management practices.
Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Also used as a synonym for safeguard or countermeasure.
Enterprise goal: Business goal
Governance framework: A framework is a basic conceptual structure used to solve or
address complex issues; an enabler of governance; a set of concepts, assumptions and
practices that define how something can be approached or understood, the relationships
amongst the entities involved, the roles of those involved, and the boundaries (what is
and is not included in the governance system).
Governance of enterprise IT: A governance view that ensures that information and
related technology support and enable the enterprise strategy and the achievement of
enterprise objectives. It also includes the functional governance of IT, i.e., ensuring that
IT capabilities are provided efficiently and effectively.
IT goal: A statement describing a desired outcome of enterprise IT in support of
enterprise goals. An outcome can be an artifact, a significant change of a state or a
significant capability improvement.
Process: Generally, a collection of practices influenced by the enterprise's policies and procedures that take inputs from a number of sources (including other processes), manipulate the inputs and produce outputs (e.g., products, services).
The Board: The Board of Directors of the Bank.
Senior Executive Management: Includes the Bank's general manager or regional director, deputy director-general or deputy regional director, assistant general manager or assistant regional director, CFO, COO, Director of Risk Management, Head of Treasury (Investment), director of compliance, as well as any employee of the bank that has executive authority parallel to any of the above-mentioned authorities and is functionally and directly linked to the director general.
Stakeholders: Any interested party in the bank, such as shareholders, employees,
creditors, customers, suppliers or external concerned regulatory bodies.
Appendix I: References

Version Control
  Version: V 1.0
  Subject of Change: First Draft
  Reviewed By / Approved By: Peter Tessin
  Date: Mar 2017