Principles, Domains and Processes of HIT Governance Frameworks: A Systematic Review

Introduction: IT governance describes how to manage IT and align IT-related decisions with processes, resources, and responsibilities within the organization. This study aimed to review studies on the principles, domains, and processes of IT governance frameworks.
Method: This is an applied study carried out using the qualitative method of systematic review. The study population consisted of all English articles indexed in the available scientific databases and electronic journals. Of the articles reviewed, 36 eligible articles entered the study; the desired data were collected using a data extraction form and search strategy and analyzed using content analysis.
Results: Among the 36 articles, four dealt with principles, 33 with domains, and 24 with processes of IT governance frameworks. The principles are related to the IT frameworks ISO 38500, ITIL V3, TOGAF, Prince 2, COBIT, and Val IT. The domains included the frameworks CMMI, ITIL, PMBOK, COBIT, ISO 27001, COSO, Val IT, and P2CMM. The processes referred to the frameworks Val IT, P2CMM, COBIT, ISO 27001 and 27000, ITIL, PMBOK and CMMI.
Conclusion: Based on this information and an overview of the principles, domains, and processes of the frameworks obtained in this study, the managers and officials of hospitals' IT units can specify an appropriate governance framework for IT service management, process improvement, management of probable risks, and project management.


INTRODUCTION
Organizations are increasingly dependent on IT, and information systems are growing more popular every day. IT is a critical success factor in the organization and provides many opportunities to gain competitive advantages such as operational efficiency, cost savings, and reduction of human error, and it is a tool for increasing efficiency. Information technology also creates new business opportunities, generates income and saves costs (1)(2)(3)(4)(5)(6).
IT governance can be considered part of the governance of the organization, with information and information-related resources managed in the same way as human resources and the organization's other assets. It is also argued that IT operations can be considered a business within another business, with the governance structures and operating principles of that business (7).
One perspective on IT governance is that IT is an asset that can be used throughout the organization, and governing these resources requires defining control mechanisms for who makes what decisions and how to ensure that business value has been created and will be protected. Strategic alignment of IT operations can really be identified if the strategic direction of the parent organization is clear. Therefore, good IT governance depends on good enterprise governance, in which the goals and path of the organization are clearly defined and communicated (8).
"The understanding of the strategic issues and importance of information technology should be so that the organization can maintain operations and implement the strategies required to expand its activities in the future." Description of IT governance institution is one of the general purposes of IT governance (9). IT governance has also been defined as "a framework for proper decision-making and accountability to encourage desirable behaviors on the use of information technology" (10).
IT governance focuses on the structure of communications and processes of development, guidance and controlling IT resources in order to achieve the organization's objectives through the creation of added value for the organization, balancing investment risk versus return of IT resources and managing IT processes (11)(12)(13). Therefore, a successful and appropriate framework for IT governance consists of the structures, processes and mechanisms of relationships (14)(15)(16)(17).
Rau defines IT governance as the following: "The way of communication and interaction of senior managers with IT managers to ensure investments in information technology that enables them to achieve business strategy in an effective and efficient manner." (18). Therefore, IT governance cannot exist in isolation and must be a subset of enterprise governance. This responsibility is a duty not only of IT management but of the board of directors and executive management as well. According to the writings of the IT Governance Institute, "it is an integral part of the enterprise governance and includes leadership and organizational structures and processes to ensure that IT maintains and expands organizational goals and strategies." (19).
There is no simple, complete and ready-made IT governance framework, although a number of frameworks are available, such as Control Objectives for Information and Related Technologies (COBIT), Information Technology Infrastructure Library (ITIL) and ISO 17799, which can be a useful starting point for the development of IT governance. On the other hand, most of these frameworks have different functionality in different scopes (7,20,21). A lack of specialist IT staff, initial staff resistance to the use of information technology, lack of knowledge, and lack of educational programs have also been mentioned as human resource management challenges in using existing workers in information technology at education and health centers (6,22,23). Moreover, pressure to manage costs optimally and to increase the quality of care through the use of information technology, together with improving the standard of electronic patient records and the confidentiality of patient information, are among the effects of state and federal laws on the use of information technology governance in educational centers and health authorities (22,24).
National health care systems face significant challenges in relation to information systems. Most parts of hospital information systems lack proper management. For example, conditions for the development of hospital information systems are not appropriate (12). In addition, issues such as poor project management, unbalanced allocation of IT budgets, fragile IT operational management, security management, and data protection are among the problems of information systems in the health field. IT governance frameworks therefore provide a good solution for many of these challenges (25,26), because IT governance provides a framework for decision-making and implementation of IT-related plans with respect to the goals, processes, people and technology at the strategic and tactical levels of the organization (27).
The preceding discussion explains the need to pay specific attention to IT governance in the health domain (28). In Iran, the use of information technology in the health field has been noted as well. For example, the third objective of the IT subgroup in the map of healthcare system reform of the Islamic Republic of Iran focuses on the optimal use of information technology in health care services through the deployment of EHR and equitable and classified access to health care information (29). Therefore, this study aimed to extract the principles, domains and processes of IT governance frameworks from the studies carried out until 2014.

METHOD
This is an applied study carried out using the qualitative method of systematic review. At this stage, the study population included all English-language articles indexed in scientific databases and electronic journals: Ovid Medline, PubMed, Science Direct, ProQuest, Springer, and Google Scholar.
A data extraction form was used to extract the principles, domains and processes of governance frameworks from the related articles. The form was prepared by the researchers on the basis of the articles and related documentation and was used after its content and formal validity were confirmed by the supervisor and consultant.
Procedures and criteria for selecting studies
Studies that met all the inclusion criteria and none of the exclusion criteria entered the review. The inclusion criteria are:
1) Published in English. Articles written in a particular language are sometimes excluded from a review, depending on the availability of resources for translation and interpretation. Given that this review was done as part of a student thesis and the researcher was able to translate and interpret only English texts, this limitation was adopted as one of the criteria for including articles in the review.
2) Discuss the principles, domains, and processes of IT governance frameworks in particular. With regard to the review question, the articles studied had explicitly introduced the principles, domains and processes of IT governance frameworks.
3) Full-text access exists. Access to some database resources and journals, and retrieval of full-text articles, is not possible for various reasons such as political or financial ones, and articles can be used in a review only if their full text is available, so this was adopted as an inclusion criterion.
The exclusion criterion is: texts dealing with IT governance frameworks in general without mentioning the principles, domains and processes of IT governance. Because articles about IT governance frameworks could enter the search without reference to the principles, domains, and processes of IT governance, articles not dealing with these were excluded from the study.
At the stage of data analysis, the study selection process was multistage. First, the inclusion criteria were applied to the records obtained from searching internet databases. Apart from the cases clearly excluded from the review, the titles and abstracts resulting from the search that seemed potentially relevant were included so that the full text of their articles could be evaluated. Two reviewers independently checked all the titles and abstracts. The kappa coefficient was used to measure agreement between the reviewers on including papers in or excluding them from the review (k = 77.0). Differences between the reviewers' opinions were resolved by obtaining the opinion of a third reviewer. Decisions on including or excluding the studies were made after re-examining the full text of all potentially relevant articles. The principles, domains, and processes in the 36 articles eligible for inclusion in the study were extracted through content analysis (conventional analysis) and entered in data extraction forms. However, given the qualitative and quantitative approaches of these studies, meta-analysis was not possible.
In summary, the systematic review was carried out in two steps. The first step was to determine the principles, domains and processes of IT governance frameworks using systematic review methodology. In this step, the scientific databases and electronic journals PubMed, Science Direct, ProQuest, Springer, Ovid MEDLINE, and Google Scholar were searched with the keywords "IT Governance", "Information Technology Governance", "COBIT 4.1", "COBIT 5", "ITIL v3", "PMBOK", "ISO 21500", "CMMI", "Risk Information Technology", "ISO 27001", "ISO 38500" and "TOGAF" and their corresponding medical subject headings, applying the inclusion criterion of English language and the time range of 1946 to 2014, and 567 articles were obtained.
In the second step, the articles were checked for duplication; as a result, 420 duplicate articles were removed and 147 abstract and full-text articles remained. Duplicates were identified by checking the title, authors, abstract, full text, and the relevant journal. There was no preference among them, but the most complete version of the paper was included in the study.
Then, these studies were examined in terms of whether their content as a whole focused on IT governance frameworks, and as a result, 84 articles were removed because their content did not focus sufficiently on IT governance frameworks.
Meanwhile, the authors were contacted via e-mail three times to obtain the full text of the abstracts; eventually, 27 articles were removed because of lack of access to the full text. Finally, 36 articles (meeting all the inclusion criteria) were checked, and the principles, domains, and processes of IT governance frameworks were extracted from them and recorded in the data extraction form.

RESULTS
Findings showed that 6827 papers were obtained in the initial search by the researchers (Table 1).

Study Selection Process
The study selection process in this part was multi-phase. First, the inclusion criteria were applied freely to investigate the cases obtained from the internet search of databases.
Apart from the cases clearly excluded from the review, the titles and abstracts resulting from the search that seemed potentially relevant were included so that the full text of their articles could be evaluated. Final decisions on including or excluding the studies were made after re-examining the full text of all potentially relevant articles. For articles duplicated on various bases (420 cases), the copy from the first database searched was considered.
Table 2. Summary of the findings of the systematic review of the principles, domains, and processes of IT governance frameworks

DISCUSSION
Searching foreign databases for the principles, scopes, and processes of IT governance frameworks yielded 567 articles. Early evaluation of the titles and abstracts showed that 147 full-text articles were eligible for consideration. Based on a review of all the remaining articles, 111 studies were excluded because they did not match the purpose and criteria of this study, and finally 36 articles remained for more detailed analysis.
The findings showed that four of the 36 articles were devoted to the principles of IT governance frameworks (30,44,56). These principles were related to the IT governance frameworks ISO 38500, ITIL V3, TOGAF, Prince 2, COBIT 5, COBIT 4.1, and Val IT.
Chief among the principles are: responsibility, strategy, business, operation, compliance, human behaviors, organizational architecture, application architecture, IT architecture, business justification, definition of organization structure for the project management team, product-based planning, project division into controlled, manageable and flexible steps, responsiveness to stakeholder needs, covering investment to the end, the use of an integrated framework, enabling a comprehensive way, the separation of governance from management, business requirements, the benefits of information technology, information technology and information processes, maximum benefit for the organization, management of team work, a strong business continuity and protection of intellectual property.
As well, 33 of the 36 articles dealt with the scopes of IT governance frameworks (30,32,34,36,38,40,42). These scopes were relevant to the IT governance frameworks CMMI, ITIL, PMBOK, COBIT 4.1, ITIL V3, ISO 27001, IT governance, COSO, Val IT, and P2CMM. Some of these areas included planning and organizing, funding and implementation, delivery and support, monitoring and evaluation, value governance, portfolio management, investment management, project setup, project start, project directing, stage management, product delivery management, close or end project, planning, security policies, security unit of information, asset management, human resources security, environmental security, operations management, access control, information systems development and maintenance, compatibility, security incident management, service delivery, support services, IT infrastructure management, application programs management, and security management.
Finally, 24 of the 36 articles studied dealt with processes of IT governance frameworks (30, 32-34, 36, 38-43, 45-48, 50, 51, 54, 55, 57, 59, 61, 64, 65). These processes were related to the IT governance frameworks Val IT, P2CMM, COBIT, ISO 27000, ISO 27001, ITIL, PMBOK, and CMMI. Some of the most important of these processes included: demand management, financial management, information security management, information security management system, allowed services / ports and protocols, probable risk management of procedures and instructions, security policies, access to information and data classification, scheme and security plan, capacity management, monitoring, capacity management, availability management, assessment of the potential risks associated with availability, monitoring availability, ongoing management of IT services, logistics management, assignment management and deployment, asset management and configuration, validation and test services, ongoing management, change management, operations management, problem management, budget management, assessment and evaluation of the internal control system, quality management, human management, enterprise architecture management, stakeholder confidence through transparency, knowledge management, management of services agreements, and innovation management.
It is recommended that the results of this study be used to design an IT governance framework in the field of health care. Based on this information and an overview of the principles, scopes and processes of the governance frameworks listed, IT department managers and directors of health and care centers could identify an appropriate governance framework for IT services, management of probable risks, and project management, or, inspired by them, they could create a better and more comprehensive framework tailored to their own specific business needs.