Presentation on theme: "Information Technology Management (ITM101)"— Presentation transcript:
1 Information Technology Management (ITM101) Week 02: IT Standards & GovernanceMatthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP
2 Governance?
Corporate Governance: leadership by corporate directors in creating and presenting value for all stakeholders.
IT Governance: subset of the corporate governance framework tasked with ensuring the alignment of IT with enterprise objectives. IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.
3 IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives. Ideally:
- Governance should be a top-down process.
- Linkages to business process and strategy exist for all actions.
- Information is covered in oral, paper, and electronic forms.
- Governance transcends physical boundaries.
- Through governance, acceptable practices, policies, and procedures are established.
(Diagram labels: Business Drivers, Internal Environment, Entrustment Framework, Decision Model and Framework, Value Realization and Delivery Framework, Performance Management, Value Management.)
4 Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value. (Diagram: Stakeholder Value Drivers at the centre, surrounded by IT Value Delivery, Risk Management, Performance Management, IT Strategic Alignment and IT Resource Management.)
Two are outcomes:
- Value delivery
- Risk management
Three are drivers:
- Strategic alignment
- Performance measurement
- Resource management (which overlays them all)
5 IT Governance Frameworks
- ISO family (17799, 20000, 27001): standards from the International Organization for Standardization. ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007) and ISO/IEC 27001 are the information security management standards, a framework of best practices for managing information security; ISO/IEC 20000 covers IT service management.
- ITIL (IT Infrastructure Library): best-practices framework drawn from the public and private sectors internationally.
- COSO (Committee of Sponsoring Organizations of the Treadway Commission): organization dedicated to improving financial reporting through business ethics, internal controls, and corporate governance.
- COBIT (Control Objectives for Information and related Technology): framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.
- FISMA (Federal Information Security Management Act of 2002): mandatory set of processes required by legislation for US federal information systems.
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): risk-based strategic assessment and planning technique for security.
- CMMI (Capability Maturity Model Integration): an approach to governance based on process maturity.
6 Val IT Principles
IT-enabled investments will:
- Be managed as a portfolio of investments.
- Include the full scope of activities that are required to achieve business value.
- Be managed through their full economic life cycle.
Value delivery practices will:
- Recognize that there are different categories of investments that will be evaluated and managed differently.
- Define and monitor key metrics and respond quickly to any changes or deviations.
- Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits.
- Be continually monitored, evaluated and improved.
Speaker notes: Val IT is based on the seven principles shown here. The first three deal with managing the investments. You cannot just look at individual investments; you need to look at them as a portfolio so you can understand the relative value of a proposed investment and make decisions across that portfolio. Even if you are doing a great job on individual investments, if you do not manage them as a portfolio you will be sub-optimal in delivering value. Investments must include the full scope of activities: you cannot implement a CRM without the technology to support it, but unless you also rethink your business model, re-engineer your business processes, re-train and re-skill your people and change your reward systems, you will not get the optimal value from that CRM system. Increasingly, people question the value of their CRM systems, and some have commented that in the end it was not about the technology but about organizational change. And you must manage these investments through their full economic life cycle: it is not enough to get the system up and running and move on to the next task; you must manage the investment through its journey, for a considerable time, until you get all of the value out of it.
The next four principles deal with practices that deliver value. Recognize that there are different categories of investments. One reaction you get when you describe this practice is "if I apply this to everything, we will not do anything". The rigor you apply will differ by category: if there is a new regulation with which your enterprise must comply by 1 July or face a penalty or go out of business, you simply go and do that project. If, on the other hand, your business is growing at 20% a year and you are running out of capacity, you are going to do something about it, but you are faced with options: should we focus on our CRM system, our supply chain, business intelligence or knowledge management? These are discretionary opportunities, and it is more complex to deliver value from them than from the compliance example, so they need different levels of governance. Define key metrics, those that are particularly important. Assign appropriate accountability: IT is accountable for delivering the technological capabilities the enterprise requires, but the business is accountable for determining which capabilities it needs, for the changes it makes to use them, and for the value that results, so it is a partnership with clearly assigned accountabilities and responsibilities. The business is also jointly responsible for understanding the decisions that must be made and for being involved in delivering the value. Finally, in continually monitoring, evaluating and improving our practices, we are pushing the envelope a bit, since this is a new way of approaching IT investments.
7 The Four Questions
Some fundamental questions about the value enabled by IT. We touched on the "Four Ares" earlier but mention them again in more detail here, because they are fundamental to Val IT. To get value, we must continuously ask:
- Are we doing the right things? (the strategic question)
- Are we doing them the right way? (the architecture question, a term that is fundamental to Val IT)
- Are we getting them done well? (the delivery question: are we delivering the capabilities required from a technological point of view?)
- Are we getting the benefits? (the value question)
The strategic question. Is the investment:
- In line with our vision?
- Consistent with our business principles?
- Contributing to our strategic objectives?
- Providing optimal value, at affordable cost, at an acceptable level of risk?
The architecture question. Is the investment:
- In line with our architecture?
- Consistent with our architectural principles?
- Contributing to the population of our architecture?
- In line with other initiatives?
The delivery question. Do we have:
- Effective and disciplined delivery and change management processes?
- Competent and available technical and business resources to deliver the required capabilities and the organisational changes required to leverage those capabilities?
The value question. Do we have:
- A clear and shared understanding of the expected benefits?
- Clear accountability for realising the benefits?
- Relevant metrics?
- An effective benefits realisation process over the full economic life cycle of the investment?
8 P3M: Projects, Programs and Portfolios
- Portfolio: a suite of business programs managed to optimize overall enterprise value (Portfolio Management).
- Program: a structured grouping of projects designed to produce clearly identified business value (Program Management).
- Project: a structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget (Project Management).
Speaker notes: Another thing that is fundamental to Val IT is its use of terminology. We do not have to use these terms, but it is important to understand how Val IT uses them. We distinguish a project as a structured set of activities that delivers a defined capability that is necessary but not sufficient to deliver business value. For example, implementing a CRM system is not going to give you business value on its own. Implementing CRM as part of a program, which is a structured group of projects, is both necessary and sufficient to deliver value, so changes to skills, reward systems, competences and so on are all part of a program. This is the least understood and least adopted concept in this entire approach so far. As long as we continue to focus on technology projects and not on business programs, we will not deliver the value. Finally, portfolio management is a suite of business programs that optimizes business value across the entire enterprise. So projects deliver capability, programs deliver business value and portfolios deliver overall enterprise value. This is fundamental to understanding what Val IT is all about. Coca Cola, a couple of years back, implemented what it called a Project, Program and Portfolio Management Office (P3MO). This is not a new concept, but one that is emerging.
9 What fits where?
(Diagram, top to bottom: Board / Senior Executive and Business Management: Val IT; IT (Functional Mgt): COBIT; IT Operations: ITIL; Auditors span all layers.)
Speaker notes: Beyond the comparison of Val IT and COBIT, what fits where? This slide takes a very simple view of organizations, from the board/senior executive through business management to IT functional management and IT operations. COBIT, although it discusses many other aspects, has IT functional management as its primary focus. Below that is ITIL; ITIL is moving up and talking about more things, but its primary focus is IT operational management. Val IT focuses on the enterprise management of IT from the board/senior executive and business management point of view. Clearly there is overlap between all of these, and although we talk a lot about IT auditors within the ISACA context, auditors of all kinds have a key role to play in ensuring that organizations have the appropriate elements of the Val IT processes and practices in place across this area.
10 Outsourcing Benefits: Access to Expertise and Technologies
Access to expertise and the deployment of new technologies: rapid technological developments require a significant portion of the human resources capacity of internal IT divisions and high investment in the training of IT professionals. An IT supplier whose core business consists of the delivery of IT services is able to keep the level of knowledge of its IT professionals up to date more effectively and efficiently.
11 Outsourcing Benefits: Increase in the Level of Flexibility
Because an IT supplier has several customers, it is better able to absorb the peaks and valleys in the demand for IT services than an internal IT division, which generally only provides services to its parent organization.
12 Outsourcing Benefits: Decrease in Costs
Due to their scale and ability to share production resources, IT suppliers are able to provide more efficient and effective IT services.
Increase in the predictability of costs: outsourcing contracts are generally multi-year contracts, which increases the predictability of costs for the outsourcing organization. This is an important advantage, particularly for investors.
13 Outsourcing Benefits: Generation of Cash Flows
Through the sale of assets, hardware and immovable property, the outsourcing organization is able to generate a one-time cash flow by outsourcing its IT services.
14 Outsourcing Disadvantages: Management of IT Suppliers
The management of IT suppliers requires the attention of the outsourcing organization's management, and this carries its own costs. Furthermore, many organizations have difficulty finding qualified managers to assume this role.
15 Outsourcing Disadvantages: Confidentiality
Outsourcing arrangements make the outsourcing organization's confidential data accessible to the IT supplier's employees. This is a risk that must be considered when the decision to outsource is taken. The risk is reduced, not removed, by contractual confidentiality and right-to-audit clauses, by limiting the supplier's access to the data and systems its services actually require, and by logging and reviewing that access.
16 Outsourcing Disadvantages: Dependency on the IT Supplier
By entering into a multi-year contract, outsourcing organizations become dependent on their IT suppliers, particularly when there are changes in the IT services required by the outsourcing organization. Contract terms covering change requests, exit and the return of data limit, but do not eliminate, this dependency.
19 Projects The three main goals of project management are… Complete the project on time or earlier.Complete the project on budget or under.Meet the specifications to the satisfaction of the customer.
20 Project Structure
- Functional Structure: the team is housed in a specific functional area. Assistance from other areas must be negotiated.
- Pure Project: team members work exclusively for the project manager, which is best for large projects.
- Matrix Structure: a compromise between the functional and project structures. Members remain in various functional areas and the project manager coordinates across functional areas. Dual authority can cause problems.
21 What AON Nodes look like
(Node layout: Early Start, Early Finish, Late Start, Late Finish, Activity, Activity Duration, Slack.)
- Early Start (ES): the earliest you can start an activity. It is determined by the earliest finish time of the preceding activity. If there are two or more preceding activities, it is the latest of their Early Finish times.
- Early Finish (EF): the earliest you can complete an activity, determined by adding the activity time (duration) to the early start time.
- Late Finish (LF): the latest you can finish an activity without delaying project completion. It is the same as the Late Start time of the next activity. If there are two or more subsequent activities, it is the earliest of their Late Start times.
- Late Start (LS): the Late Finish time minus the activity duration.
- Slack (S): the difference, if any, between the early start (ES) and late start (LS) times, or equivalently between the early finish (EF) and late finish (LF) times: S = LS - ES or S = LF - EF.
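The forward and backward passes described above, as an added example that is not part of the original slides: the network below (activity names, durations and precedences) is constructed for illustration, and the code computes ES, EF, LS, LF and slack for every node in the order the slide defines them, then lists the zero-slack activities that form the critical path.

```python
"""Activity-on-node (AON) scheduling: forward pass, backward pass, slack.

Added example, not from the original slides. SAMPLE_NETWORK is a
constructed network: activity names, durations and predecessors are
made up for illustration.
"""
from collections import defaultdict, deque

# Constructed sample network: name -> (duration, [predecessor names]).
SAMPLE_NETWORK = {
    "A": (3, []),
    "B": (2, ["A"]),
    "C": (4, ["A"]),
    "D": (1, ["B", "C"]),
    "E": (2, ["D"]),
}


def cpm(activities):
    """Return (schedule, project_duration).

    schedule maps each activity to {"ES", "EF", "LS", "LF", "slack"},
    following the node definitions on the slide:
      ES = latest EF of predecessors (0 if none),   EF = ES + duration
      LF = earliest LS of successors (project end if none), LS = LF - duration
      slack = LS - ES = LF - EF
    """
    successors = defaultdict(list)
    indegree = {name: 0 for name in activities}
    for name, (_, preds) in activities.items():
        for p in preds:
            if p not in activities:
                raise ValueError(f"unknown predecessor {p!r} of {name!r}")
            successors[p].append(name)
            indegree[name] += 1

    # Kahn's algorithm gives a topological order and detects cycles,
    # which a precedence network must not contain.
    order = []
    ready = deque(name for name, deg in indegree.items() if deg == 0)
    while ready:
        name = ready.popleft()
        order.append(name)
        for s in successors[name]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(order) != len(activities):
        raise ValueError("precedence network contains a cycle")

    schedule = {}
    # Forward pass, in topological order: every predecessor is already done.
    for name in order:
        duration, preds = activities[name]
        es = max((schedule[p]["EF"] for p in preds), default=0)
        schedule[name] = {"ES": es, "EF": es + duration}
    project_duration = max(node["EF"] for node in schedule.values())

    # Backward pass, in reverse topological order: every successor is done.
    for name in reversed(order):
        duration, _ = activities[name]
        lf = min((schedule[s]["LS"] for s in successors[name]),
                 default=project_duration)
        node = schedule[name]
        node["LF"] = lf
        node["LS"] = lf - duration
        node["slack"] = node["LS"] - node["ES"]  # equals LF - EF
    return schedule, project_duration


def critical_activities(activities):
    """Activities with zero slack, in topological order (the critical path)."""
    schedule, _ = cpm(activities)
    return [name for name, node in schedule.items() if node["slack"] == 0]


if __name__ == "__main__":
    schedule, duration = cpm(SAMPLE_NETWORK)
    print(f"project duration: {duration}")
    print("act  ES  EF  LS  LF  slack")
    for name, node in schedule.items():
        print(f"{name:3} {node['ES']:3} {node['EF']:3} {node['LS']:3} "
              f"{node['LF']:3} {node['slack']:5}")
    print("critical path:", " -> ".join(critical_activities(SAMPLE_NETWORK)))
```

Run as a script it prints the node table for the sample network; B is the only activity with slack (2 time units), so A, C, D and E form the critical path and any delay on them delays the project.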
22 Types of Project Risk
- Service/Product Risks: if the project involves a new service or product, several risks can arise. Market risk comes from competitors. Technological risk can arise from advances made once the project has started, rendering obsolete the technology chosen for the service or product. Legal risk comes from liability suits or other legal action.
- Project Team Problems: poor member selection and inexperience, lack of cooperation, etc.
- Operations Risk: information inaccuracy, miscommunication, bad project timing, weather, etc.
24 Breakdown of IT spending
Budget category | Considerations | Average % of IT spend
Investment (new/improved capabilities), 30% of IT spend:
- New IT investments: projects that deliver new business capabilities | These projects were likely conceived and approved before the lean times began. | 20%
- Projects to improve IT efficiency | Waste creeps in when IT is busy completing other work on behalf of the business. | 9%
IT MOOSE* (support current business at current business volumes), 70% of IT spend:
- Maintenance and smaller enhancement activity against applications | Maintenance budgets are often based on the previous year with little year-to-year scrutiny. | 15%
- Operational costs of applications and services, including software licenses and support | Inattention to detail over time can create waste in licensing and contractual maintenance fees. | 19%
- Data centre and networking costs | Reduced business can correlate to reduced requirements for storage and computing capacity. | (not shown)
- End user support, including desktop software | What level of support and time between desktop upgrades is appropriate during lean times? | 10%
- Administration, planning, architecture, and IT management | Can you shift administrative or architecture staff to more tactical assignments, temporarily? | 7%
Goals: support business growth, reduce cost of business, reduce cost of IT MOOSE.
Speaker notes: Business executives often look at IT spend as a black box and compare it as a percentage of overall revenue. We need to explain the breakdown of IT spend to these executives.
* IT MOOSE: Maintain and Operate the Organization, Systems, and Equipment.
Source: Forrester Research Inc. (2008), "Budget Adjustments For CIOs In Lean Economic Times".
25 Adoption of ITIL and Other Frameworks Brings Discipline and Efficiency to IT Ops
The Information Technology Infrastructure Library (ITIL) standardizes IT terminology to establish guidelines and a common language for IT operational processes such as:
- Change management
- Problem resolution
- Service delivery
- Resolution of customer inquiries
Other frameworks include COBIT (Control Objectives for Information and related Technology) and ISO 17799.
These frameworks help companies standardize IT operations, management processes, and practices. They help lower costs by reducing unplanned and unscheduled work and by making it easier to adopt and implement cost-reducing technologies.
26 Lowering software licensing costs
Server virtualization lowers hardware costs and reduces administrative burden:
- The proliferation of smaller Wintel and Linux servers has started to escalate the costs of scale-out/scale-up efforts and drives greater staff costs to administer and provision the burgeoning number of individual servers.
- With virtualization, the decentralize/recentralize pendulum swings back toward centralization as small mainframes and even larger Unix servers become the new platform on which to consolidate hundreds of virtual servers, lowering software licensing costs and server administration staff costs.
Consolidation also concentrates risk: the hypervisor and its management interface become a single point of compromise and of failure for every workload on the host, so they need at least the hardening, access control and monitoring applied to the servers they replace.
27 Introduction: The Local Contingency Plan
Questions answered by the Local Contingency Plan:
- WHO: designates individuals and invests them with authority.
- WHAT: expectations and procedures associated with an incident.
- WHEN: the tasks that need to be performed before, during, and after an incident.
- WHERE: identifies key locations for incident planning and response, including locations of emergency equipment, escape routes, and indoor post-evacuation rendezvous points.
- WHY: protects people and serves as a gateway to continuity.
- HOW: explains the way your department should prepare and respond.