Information Technology Management (ITM101)


1 Information Technology Management (ITM101)
Week 02: IT Standards & Governance
Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

2 Governance?
• Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
• IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives

IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.

3 IT Governance

4 Why is IT Governance a ‘Hot Topic’?
• Increased sensitivity to protecting stakeholder interests
  • Shareholders (see: Sarbanes Oxley)
  • Consumers (see: HIPAA)
  • Suppliers (see: PCI)

This is what you will find by googling ‘IT Governance’ or looking it up on Wikipedia. Auditors should be very familiar with all of these. Businesses are under more and more legal / regulatory pressure to properly protect and use information assets in their possession. However, this is definitely not everything.

5 Forces Driving Governance
• Business/IT Alignment
• ROI
• Compliance
• Project Execution
• Security

6 Other ‘Non-Regulatory’ Reasons…
• Recognized need for tight business linkage
  • Strategic Alignment
  • Value Delivery
  • Resource Management
  • Risk Management
  • Performance Management
• Effective Management of Outsourced IT Suppliers
  • Relationship Management
  • Financial Management
  • Contract Management

Recognized need: businesses with strong IT governance are more likely to achieve their objectives. All of these are from CobiT:
• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

7 Definitions

8 IT Governance Definitions
IIA International Professional Practices Framework:
• [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
• [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
• [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

9 Definition of IT Governance From COBIT
IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

The CobiT definition combines elements of the IIA definitions.

10 Common Framework Structure

11 Governance: High Level View
• The business of running IT vs. running the technology
• Setting the rules and assuring they are followed
• An ethical responsibility to stakeholders
  • Principal: business
  • Commonwealth: people
  • Each other: reputation

12 IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives.
Ideally:
• Governance should be a top-down process
• Linkages to business process and strategy exist for all actions
• Information in oral, paper, and electronic forms
• Governance transcends physical boundaries
• Through governance, acceptable practices, policies, and procedures are established

Framework elements (diagram): Business Drivers, Internal Environment, Entrustment Framework, Decision Model and Framework, Value Realization and Delivery Framework, Performance Management, Value Management

13 Responsibility for IT Governance
Organizational structure (diagram):
• Management Board
• Information Security Steering Committee
  • Sub-Committees: Architecture, Security, etc.
• Service Delivery & Functional Operation Management Teams: Applications, Systems, Operations, Networks, Desktop

Responsibility: IT governance is the responsibility of the board of directors and executive management.
• Integral part of enterprise governance
• Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

The foundation of a successful information security program begins with strong upper-level management support. This support establishes a focus on security within the highest levels of the organization. Without a solid foundation (i.e., proactive support of those persons in positions that control IT resources), the effectiveness of the security program can fail when pressured by politics and budget limitations. Any information security program must get its direction from executive management. The requirements of today’s laws and regulations have identified either the organization’s board of directors or an executive management steering committee as responsible for instituting an effective program.

14 IT Governance: COBIT Focus Areas
• Strategic Alignment
• Value Delivery
• Resource Management
• Risk Management
• Performance Measurement

We have seen these before.

15 Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.
Stakeholder Value Drivers: IT Value Delivery, Risk Management, Performance Management, IT Strategic Alignment, IT Resource Management

Two are outcomes:
• Value delivery
• Risk management
Three are drivers:
• Strategic alignment
• Performance measurement
• Resource management (which overlays them all)

16 Security Strategy: Elements & Controls
5 Key Security Strategy Elements:
1. Policies
2. Procedures
3. Authentication
4. Authorization
5. Recovery Plan
4 Key Control Elements:
1. Preventive
2. Detective
3. Containment
4. Recovery

An effective security strategy requires at a minimum five key elements: policies, procedures, authentication, authorization, and recovery plan, because people have a tendency to wipe things out inadvertently. It is estimated that 65% of information loss still comes from errors and omissions. So you have to have a recovery plan to be able to recover the information as you go through the process. An effective security function requires a well-administered security and privacy policy, meaning that not only do we have the written word but that you check it from time to time to make sure it continues to meet the goals and objectives of an organization and that it can be marked through this post development life cycle. Security strategy must become part of the business and System Development Life Cycle (SDLC). I prefer business process life cycle because the things that we implement in this controlled environment are such that it’s not just for information technology; it is for the entire organization. It’s a business process because all of those things that we have to do in developing systems and applications are to be done whenever we have a project or business process that is to be developed. Information is not the IT purview. Information is a corporate activity and corporate function and should not be part of IT.

17 Security Program Infrastructure
Measuring Maturity: Security Program Infrastructure Maturity
Level 1: Control objectives have been documented in a policy
Level 2: Security control processes have been documented in procedures
Level 3: Supporting procedures have been implemented (stakeholders have been made aware and trained)
Level 4: Policies, procedures and controls are tested and reviewed to ensure continued adequacy
Level 5: Procedures and controls are fully integrated into the culture of the organization

All security decisions must be linked to the organization’s business objectives or mission statement. As with other organization wide policies, the information security program must be established by the implementation of a Global or Tier 1 policy. This type of policy is organization wide and requires that all areas of the organization comply with the policy. To be successful, the security and privacy policies and procedures must have three key elements. They must be:
• Documented
• Communicated
• Current
To supplement an information security policy, the organization must offer awareness programs, user training, and support education. Information security’s goal is not to stop all access to all information but to provide a safe and secure process for all authorized personnel to gain access. The information strategy must, therefore, address three key concepts:
• Identification
• Authentication
• Authorization

18 IT Governance Frameworks
• ISO Family (1799, 20000, 27001): International Standard Organization’s Security Management Standards. Framework of standards that provide best practices for information security management
• ITIL: IT Infrastructure Library. Best practices framework drawn from the public and private sectors internationally
• COSO: Committee of Sponsoring Organizations of the Treadway Commission. Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance
• COBIT: Control Objectives for Information and related Technology. Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks
• FISMA: Federal Information Security Management Act of 2002. Mandatory set of processes required by legislation for US federal information systems
• OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation. Risk based strategic assessment and planning technique for security
• CMMI: Capability Maturity Model Integration. An approach to governance based on process maturity

19 Clear Business Ownership and Direction
Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’):
• Enterprise Strategy
• Business Goals for IT
• IT Goals
• Enterprise Architecture for IT
• IT Scorecard

Flow is from the top to the bottom, and then repeat. The Enterprise Strategy creates Business Goals for IT, which then are codified into IT Goals and Enterprise Architecture for IT. IT progress is tracked on a scorecard, which then can feed into the Enterprise Strategy.

20 Linking Technical and Business Risk
• Risk is the ‘lingua franca’ of business.
• Management needs to be able to compare IT Risks with other risks.
• IT Governance must do an effective job of translating technical risks to business risks.

Originally lingua Franca (or Sabir) referred to a mixed language composed mostly of Italian with a broad vocabulary drawn from Persian, French, Greek and Arabic. Lingua Franca literally means "Frankish language". This originated from the Arabic custom of referring to all Europeans as Franks. This mixed language was used for communication throughout the medieval and early modern Middle East as a diplomatic language.

From CobiT:
• Work with the board to define the enterprise’s appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
• Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise’s IT risk position is transparent to all stakeholders.

21 Linking Technical and Business Risk
Technical Risk:
• Incidents resulting from Changes
• Equipment Age
• Audit Scores
• Information Security Incidents
• Overdue Controls Issues
Business Exposures:
• Disruptions to Critical Business Processes (i.e.: Orders to Cash)
• Compromise Company Reputation
• Compromise Company Secrets
• Organizational Capacity / Health
• Financial Goals May not be Met

This is a partial list of Technical Risks. What is not necessarily clear in CobiT is the need to translate into your own Company business risk lingua franca. This allows risks to be compared. As with other Governance skills, to the extent you can speak the lingua franca, and to the extent you fundamentally understand the risks of other parts of the business, you can be more effective at making the case to invest in IT to reduce either IT risk or business risk. The business exposures list is also partial. Connections between the right column (business exposures) and the left column (technical risks) depend on the nature of your own business.

22 IT Governance in a Sourced Environment

23 IT Governance in a Sourced Environment
Diagram: Business Strategy and Processes ↔ IT Governance ↔ Commercial Relationship ↔ Suppliers’ IT Strategy and Processes
IT Governance focus areas: Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement

Instead of your own internal IT Strategy and Process, you now run on Strategies and Processes which are to some extent out of your control. A strong commercial relationship is needed to assure business Strategies and Processes are met, which is just what IT Governance is all about.

24 Considerations in a Sourced Environment
• Sourcing Strategy
• Contract Management
• Finance Management
• Relationship Management
• Performance Management

25 Sourcing Strategy
Part of IT Strategic Plan
• Inventory of critical Supplier relationships
• Update based on changes to Business, IT or Supplier Strategies
• May contain intervention plans

Key word in this is ‘Strategy’: the biggest risks are the ones that are strategic, as they generally have the most downside risk. And the IT Strategic Plan had better be part of the Business Strategic Plan! Inventory should include all supplier relationships that are critical to the business, how they inter-relate, whether a supplier is on the ascendency or not, opportunities for substitution, etc. MUST be sensitive to and in touch with Strategy changes. Is IT becoming more / less strategic to the business? Is IT moving toward a shared services environment or not? Is a Supplier making strategic changes in the way they offer services? Intervention plans are needed in the case something goes ‘sproing’.

26 Contract Management
Initial negotiation and in-life change management
• Defines Services/Quality
• Defines ownership of Intellectual Property
• Compliance with Law and Policy
• Audit Rights

Contract management is all about imagining situations you may get caught in sometime in the future, and attempting to address them in advance. Depending on the nature of the relationship, services can be defined either very tightly (short term agreement, commodity deliverables) or somewhat loosely (longer term agreement, non-commodity deliverables). Which party benefits from Moore’s Law?

27 Contract Change Management
• Required by either changing business needs or to address ambiguity.
• Should be viewed as a negotiation. Each party will attempt to get concessions not previously obtained; value is at risk
• Depend on Relationship Management for smaller changes to avoid this risk
• Process is managed by the Contract Owner (remember Clear Business Ownership!)

All large agreements have an inherent level of ambiguity. It is NOT possible to tie down each and every loose end in a complex deal; this risks deadlock. And there is some part of ‘you don’t know what you don’t know’. Contract changes should be viewed as a continuation of the original negotiations and/or preparation for deal renewal. Each party will attempt to get concessions. Many contract changes are routine. Avoid risk by having a contract change process agreed before you need to use it.

28 Intellectual Property
• Supplier IP may be used to deliver efficiencies ($)
• However, use of Supplier IP may limit sourcing flexibility.
• Who owns process ‘know-how’ and does this change over time?
• What risk does this represent?

Lawyers may refer to IP as “Customer Data” or “Customer Developed Materials” or similar. There is a balance here. On the one hand, you may want to leverage Supplier’s ability to spread fixed costs across multiple Customers; this may be the only way Supplier has to provide Services at the agreed cost. On the other hand, you do NOT want to be in a lock-in situation.

29 Intellectual Property Mitigations
• Inventory, inventory, inventory
  • IT processes supporting the business
  • Materials (documents, rights, etc.)
• Risk Management discussion with business
• Seek legal help
• Follow up!

Best mitigation is the result of good IT governance. This is why you should have a fundamental understanding and documentation of the critical business processes IT supports, and what information flow, IT infrastructure, and IT processes are associated with those critical business processes. To the extent you don’t know, there is an exposure (see risk management). Once everything is documented, don’t stop! If you abandon the inventory and documentation to the Supplier, then you risk it becoming theirs, even if the agreement says otherwise.

30 Audit Rights
Business requirements drive specifics.
• Must be in the initial contract
• For supplier shared services, SAS70 Type II
• Audit rights should be unlimited and at no cost.

This is another area where the process inventory comes in handy. That will help you determine what the business risks really are, and therefore the level of assurance that is needed. You must get the language right in the initial agreement, as anything afterwards will likely cost you money. Suppliers can and do use third party assessments (SAS70 Type II, ISO certifications). These are NOT the same and you need to determine if and how these can be ‘fit’ into your overall controls environment. Suppliers should also be obligated to communicate ANY controls weakness they identify that could in any way affect the Customer environment. This is hard to get, but worth it.

31 Finance Management
• Deal financials reporting
• Invoice Verification
  • Service receipt
  • Credits
  • Incentives
• Internal cost recovery

32 Finance Management
This is THE PLACE to receive an independent confirmation of IT value delivery. Budgets are a very unforgiving reality check! If you don’t know your finance people, get to know them now. They know how budgets work, how money flows within your business, where there is flexibility, etc. Powerful stuff.

33 Relationship Management
• Overall Supplier management
• Monitor business needs
• Communication Forums
• Issue Management
• Risk Management
• Project Management

Relationship Management is where it all comes together in assuring the health of the Customer - Supplier Relationship. This area is tasked with routinely polling the business to determine the satisfaction with Supplier services. ‘Satisfaction’ here is more of a squishy, qualitative measure that may be used to confirm (or not) the quantitative measures of Performance Management. Communications forums depend on the nature of the deal. The more strategic, the more likely there will be ‘top to top’ executive level meetings in addition to routine business management and service delivery meetings. All Issues (contract change interpretation requests, disputes, etc.) are managed here. Importantly, there is a risk management connection here. The overall risk (contract, performance, financial, relationship) is monitored here and used both with the internal ERM processes as well as for Supplier dialog. Lastly, Project Management is here, as the PMO sets the rules by which other areas operate.

34 Risk Management
IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.

As before, there may be a translation here from technical risk to business risk. Can use Probability x Business Impact as the metric. The business should supply the Impact. This can be a powerful tool to use with Suppliers. They speak the lingua franca as well. This Relationship Management process is the linkage from the IT risk space (technical risk, financial risk, service delivery risk) to the Enterprise Risk Management space. There are specific added risks such as Supplier Financial viability.

35 Project Management
Good Project Management helps assure value delivery
• Define ‘project’ vs. ‘daily work’ in the contract.
• Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)
• NPS

Project Management in this case sets the rules that other parts of the organization follow. It is critically important to know what you may already be paying for as part of the ‘daily work’ part of your agreement. Otherwise, you risk paying twice, once as daily work, another time as project effort. It is not assured the Supplier resources developing project responses are as familiar with your overall agreement as, say, the contract manager.

36 Performance Management
• Aligning Service Delivery Requirements
• Managing and Reporting against SLAs
• Management of individual projects
• Work prioritization

Aligning Service Delivery Requirements includes adjustments as needed when business requirements change. Can be in terms of system availability, but can also be in terms of security, business continuity, and disaster recovery. Extra special bonus points here for describing Service Delivery in business process terms (i.e.: business process availability, business process interruptions). SLAs in a sourced environment are generally, but not always, subject to financial performance credits. Not penalties, but credits. The goal is to have an SLA structure that continually encourages good performance. Management of individual projects vs. Project Management: this includes verification that the services were received / performed as specified, tracking milestones, etc. PMO sets the rules, service delivery executes against the rules. Work Prioritization is generally an issue for Daily Work as no Supplier has infinite capacity. You didn’t have infinite capacity when the area was in-sourced either. Work with the business to determine what can be put off, what needs to be done now. Alternatively, contract for short term capacity.

37 An Audit Checklist for IT Governance

NOTE: Should be 30 Minutes into the presentation at this point. This is going to be a VERY short review of some very high level watch-outs. If IT Governance is a hot topic, can auditing of IT Governance be far behind as a hot topic? MISTI has a day long webcast on the topic. However, it is geared to IT Auditors....

38 IT Governance Audit Planning
• Audit Team Composition
• Audit Criteria
• Learnings from the Balanced Scorecard Approach

39 Audit Team Composition
• Leadership: Business or IT?
• Audit Supervision and Auditor in Charge
• Independence is a must
• Beware setting up an audit team that may reflect corporate IT Governance issues
• Consider sourcing knowledgeable auditors

There are a number of risks that must be considered when setting up an IT Governance audit team, as IT Governance effectiveness depends in large part on how well it straddles a line between business and IT, as we have described. If IT Governance is the responsibility of the Board and the Executives, then politics are in play. Managing the audit out of the IT side of the internal audit activity may mean the audit supervisor or AIC may be asked to provide and defend findings related to IT Management, people that could in theory affect the IT Auditor’s career, depending on how your shop is set up. Alternatively, a business audit supervisor or AIC may not have an appreciation for IT. Bottom line, if there are corporate culture or tone issues that affect IT Governance, the same culture or tone issues may affect an internal audit team.

40 IT Governance Audit Criteria / Standards
• IIA Governance Auditing Standards
• ISACA / ITGI IT Governance Auditing Guidelines
• ITGI Risk IT Framework
• ITGI Val IT Framework
• << Insert your Company business policies here >>

Important consideration here is to assure you meet the IIA IPPF requirement to either have corporate policy regarding IT Governance that has already been deployed or agree on the Criteria to be used prior to beginning the audit. Criteria and Standards MUST cover corporate compliance. For example, SOX requirements that system changes are performed in accordance with management intent. See ITIL Change and Configuration Management.

41 Learnings from the Balanced Scorecard
Consider IT Governance from various business points of view (1):
• Corporate
• Customer
• Operational Excellence
• Future / Sustainability

This is a novel concept. Evaluate IT Governance in terms of how other parts of the business see it (corporate, customer), how well IT is delivering (Operational Excellence) and whether the operation is really sustainable. Source as shown.

1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

42 Balanced Scorecard: Corporate View
Objective: Example Metrics
• Business/IT Alignment: Operational budget approval
• Value Delivery: Business Unit Performance
• Cost Management: Attainment of expense and recovery targets
• Risk Management: Results of Internal Audits
• Intercompany Synergy: Single System Solutions

43 Balanced Scorecard: Customer View
Objective: Example Metrics
• Customer Satisfaction: Business Unit Survey ratings
• Competitive Costs: Attainment of unit cost targets
• Development Performance: Major Project Scores
• Operational Performance: Attainment of targeted levels

44 Balanced Scorecard: Operational View
Objective: Example Metrics
• Development Process: Function Point Measures
• Operational process: Change Management effectiveness
• Process Maturity: Level of IT Processes
• Enterprise Architecture: State of the infrastructure assessment

45 Balanced Scorecard: Future View
Objective: Example Metrics
• Human Resource Management: Staff Turnover
• Employee Satisfaction: Satisfaction survey scores
• Knowledge Management: Implementation of learned lessons

46 CobIT as a RoadMap to IT Governance

47 COBIT as a RoadMap to IT
• Globally standard released as a set of tools that ensures IT is working effectively
• Functions as an overarching framework
• Provides common language to communicate goals, objectives and expected results to all stakeholders
• Based on, and integrates, industry standards and good practices in:
  • Strategic alignment of IT with business goals
  • Value delivery of services and new projects
  • Risk management
  • Resource management
  • Performance measurement

The COBIT mission is to research, continually update, publicise and promote an authoritative, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals. Now in its 4.1 release, the framework has been used successfully by IT organisations and business executives in many industries and of many sizes. COBIT provides a common language to communicate goals, objectives and expected results. A common language benefits all levels of IT, including management and stakeholders.

48 COBIT: Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)

The chart illustrates the relationship between the business, IT, process and activity goals, and the different metrics. From top left to top right, the goals cascade is illustrated. Below the goal is the outcome measure for the goal. The small arrow indicates that the same metric is a performance indicator for the higher-level goal. The example provided is from DS5 Ensure systems security. COBIT provides metrics only up to the IT goals outcome as delineated by the dotted line. While they are also performance indicators for the business goals for IT, COBIT does not provide business goal outcome measures. The metrics have been developed with the following characteristics in mind:
• A high insight-to-effort ratio (i.e., insight into performance and the achievement of goals as compared to the effort to capture them)
• Comparable internally (e.g., percent against a base or numbers over time)
• Comparable externally irrespective of enterprise size or industry
• Better to have a few good metrics (may even be one very good one that could be influenced by different means) than a longer list of lower-quality metrics
• Easy to measure, not to be confused with targets

49 Defined Responsibilities for Each Process
RACI Chart: A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
Example activities from the chart (function columns and their R/A/C/I entries not shown):
• Link business goals to IT goals.
• Identify critical dependencies and current performance.
• Build an IT strategic plan.
• Build IT tactical plans.
• Analyze program portfolios and manage project and service portfolios.

COBIT also provides information on what processes should be delegated and to whom they should be delegated. This helps to ensure that IT processes are being managed at the appropriate level within an enterprise. The ‘RACI’ Chart is defined for each process and indicates who is responsible, accountable, consulted or should be informed about specific tasks within a given process. The roles in the RACI chart are categorized for all processes as:
• Chief executive officer (CEO)
• Chief financial officer (CFO)
• Business executives
• Chief information officer (CIO)
• Business process owner
• Head operations
• Chief architect
• Head development
• Head IT administration (for large enterprises, the head of functions such as human resources, budgeting and internal control)
• The project management officer (PMO) or function
• Compliance, audit, risk and security (groups with control responsibilities but not operational IT responsibilities)

50 The COBIT Framework
Let’s take a closer look at the COBIT framework. COBIT defines IT activities in a generic process model within four domains along with a set of information criteria. The four domains are: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor. The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps towards good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.
• Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS) (example controls: Define Strategic IT Plan, Manage Quality)
• Acquire and Implement (AI): Provides the solutions and passes them to be turned into services (example controls: Identify Automated Solutions, Manage Changes)
• Deliver and Support (DS): Receives the solutions and makes them usable for end users (example controls: Define and Manage Service Levels, Identify and Allocate Costs)
• Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed (example controls: Ensure Regulatory Compliance, Monitor and Evaluate IT Performance)

51 Key Driving Forces for COBIT
The slide shows three linked elements:
• Business Requirements (what the stakeholders expect from IT): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability
• IT Processes (how IT is organized to respond to the requirements): Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate
• IT Resources (the resources made available to, and built up by, IT): Data, Application systems, Technology, Facilities, People

52 How Does COBIT Link to IT Governance?
Diagram linking Business and IT Governance. Business side: Requirements and Goals (the information the business needs to achieve its objectives) and Responsibilities (the information executives and the board need to exercise their responsibilities). IT Governance side: Direction and Resourcing, and Control Objectives.

53 Process Orientation
• Domains: natural grouping of processes, often matching an organisational domain of responsibility
• Processes: a series of joined activities with natural control breaks
• Activities or Tasks: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

54 Process Orientation
• IT Domains (natural grouping of processes, often matching an organisational domain of responsibility): Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
• IT Processes (a series of joined activities with natural control breaks), for example: IT strategy, Computer operations, Incident handling, Acceptance testing, Change management, Contingency planning, Problem management
• Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete), for example: Record new problem. Analyse. Propose solution. Monitor solution. Record known problem. Etc.

55 Process Orientation: Plan and Organise
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics:
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
Questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

56 COBIT Processes: Plan and Organize, Acquire and Implement
Plan and Organize
• PO1 Define an IT strategic plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

57 COBIT Processes: Deliver and Support, Monitor and Evaluate
Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.

58 Where COBIT Typically Sits
• Governance layer: King, COSO
• IT governance layer: COBIT
• IT management layer: ITIL, 17799, CMM, TickIT
