Introduction

Information Technology Management System (ITMS)

Scope:

This ITMS policy applies to all IT resources, processes, and personnel in the Eika Alliance, including employees, contractors, and third-party service providers.

1. Summary

This information technology management system (ITMS) provides a comprehensive framework for the management of IT resources, security, and operations in the Eika Alliance. It aligns our IT strategy with our business goals, ensures regulatory compliance, and manages IT-related risks effectively.

2. Strategic Alignment and Management

2.1 IT Strategy

  • Align IT initiatives with the overall business strategy
  • Establish clear IT goals and key performance indicators (KPIs)
  • Regular review and adjustment of IT strategy by top management

2.2 IT Governance Structure

  • Establish an IT Steering Committee that reports to the Board
  • Define roles and responsibilities for IT governance
  • Implement a group-wide IT policy framework

2.3 Risk Management and Compliance

  • Implement an IT risk management framework in line with the company's risk management
  • Ensure compliance with relevant financial regulations (e.g., GDPR)
  • Regular risk assessments and compliance audits with board-level reporting

3. Information Security and Data Protection

3.1 Security Strategy

  • Implement a comprehensive information security program
  • Regular security assessments and penetration testing
  • Board-level reporting on security posture and significant events

3.2 Data Governance

  • Establish data classification and handling procedures
  • Implement privacy measures in line with the regulations
  • Ensure data integrity and privacy across all systems

4. IT Investments and Financial Management

4.1 IT Budgeting and Cost Management

  • Transparent IT budgeting process aligned with business goals
  • Regular review of IT expenses and value delivery
  • Cost optimization strategies for IT operations

4.2 Prioritization of Investments

  • Establish a process for evaluation and prioritization of IT investments
  • Align IT investments with business strategy and risk management
  • Regular reporting on large IT projects and their business impact

5. Operational Excellence and Service Delivery

5.1 Administration of IT Services

  • Implement industry-standard frameworks (e.g., ITIL) for the delivery of IT services
  • Establish and monitor service level agreements (SLAs)
  • Regular reporting on the performance of the IT service

5.2 Vendor and Third-Party Management

  • Implement a vendor risk management framework
  • Regular assessment of critical IT vendors and service providers
  • Ensure that suppliers comply with security and regulatory requirements

6. Innovation and Digital Transformation

6.1 New Technologies

  • Establish an innovation committee to evaluate new technologies
  • Develop a strategy for adopting AI, blockchain, and other new technologies
  • Ensure ethical and responsible use of new technology

6.2 Digital Transformation Initiatives

  • Align digital transformation efforts with business strategy
  • Regular board updates on major digital initiatives
  • Assess and manage risks related to digital transformation

7. Business Continuity and Resiliency

7.1 Business Continuity Planning

  • Develop and maintain comprehensive business continuity plans
  • Regular testing of business continuity and disaster recovery features
  • Ensure robustness in critical IT systems and infrastructure

7.2 Cybersecurity Resilience

  • Implement a cyber resilience framework
  • Regular cyber incident response exercises
  • Board-level reporting on cyber resilience

8. Talent Management and Culture

8.1 Strategy for IT Talent

  • Develop strategies to attract and retain IT talent
  • Implement continuous learning and development programs
  • Foster a culture of innovation and awareness of cybersecurity

8.2 Digital Culture

  • Promote a digital-first culture across the organization
  • Encourage cross-functional collaboration between IT and business units
  • Regular assessment of digital competence across the organization

9. Performance Measurement and Reporting

9.1 IT Performance Metrics

  • Establish key performance indicators for IT
  • Regular board-level reporting on IT performance
  • Benchmarking against industry standards and peers

9.2 Value Delivery

  • Implement mechanisms to measure and communicate IT value delivery
  • Regular assessment of IT's contribution to business outcomes
  • Stakeholder satisfaction surveys and feedback mechanisms

10. Continuous Improvement and Adaptation

10.1 Policy Review and Update

  • Annual review and update of ITMS
  • Adapt IT policies and procedures to changing business and regulatory environments
  • Continuous alignment with industry best practices

10.2 Auditing and Assurance

  • Regular internal and external IT audits
  • Independent attestation on IT controls and risk management
  • Board supervision of significant audit findings and corrective measures

11. The Board's Supervision and Responsibilities

11.1 The Board's Role in IT Governance

  • Regular board review of IT strategy and major initiatives
  • Approval of IT-related Level 1 policies and significant IT investments
  • Supervision of IT risk management and compliance

11.2 IT Expertise on the Board

  • Ensure sufficient IT expertise on the board
  • Regular IT-focused training for directors
  • Consider establishing a separate IT committee on the board

12. Regulatory Engagement and Compliance

12.1 Managing Regulatory Matters

  • Proactively engage with financial regulators on IT issues
  • Timely response to regulatory inquiries and investigations
  • Regular updates to the board on regulatory developments affecting IT

12.2 Compliance Monitoring and Reporting

  • Implement mechanisms to monitor compliance with IT-related regulations
  • Regular compliance reporting to the board
  • Timely remediation of any compliance issues