Information Technology Management (ITM101)
Week 02: IT Standards & Governance
Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP
Governance?
Corporate Governance: leadership by corporate directors in creating and presenting value for all stakeholders.
IT Governance: subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives. IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.
Why is IT Governance a 'Hot Topic'?
Increased sensitivity to protecting stakeholder interests:
  Shareholders (see: Sarbanes-Oxley)
  Consumers (see: HIPAA)
  Suppliers (see: PCI)
Other 'Non-Regulatory' Reasons...
Recognized need for tight business linkage:
  Strategic Alignment
  Value Delivery
  Resource Management
  Risk Management
  Performance Management
Effective Management of Outsourced IT Suppliers:
  Relationship Management
  Financial Management
  Performance Management
  Contract Management
IT Governance Definitions
IIA International Professional Practices Framework:
[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise's information technology sustains and extends the organization's strategies and objectives.
[IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
[Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Definition of IT Governance From COBIT
CobiT 4.1: IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.
Common Framework Structure
Governance: High Level View
The business of running IT vs. running the technology
Setting the rules and assuring they are followed
An ethical responsibility to stakeholders:
  Principal - business
  Commonwealth - people
  Each other - reputation
IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives.
Ideally:
  Governance should be a top-down process
  Linkages to business process and strategy exist for all actions
  Information in oral, paper, and electronic forms
  Governance transcends physical boundaries
  Through governance, acceptable practices, policies, and procedures are established
Diagram labels: Business Drivers; Internal Environment; Entrustment Framework; Decision Model and Framework; Value Realization and Delivery Framework; Performance Management; Value Management
Responsibility for IT Governance
Responsibility: IT governance is the responsibility of the board of directors and executive management.
  Integral part of enterprise governance
  Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Organization chart labels: Board; Management; Steering Committee; Sub-Committees (Architecture, Security, etc.); Service Delivery & Functional Operation Management Teams; Networks; Systems; Desktop; Information Security; Applications; Operations
IT Governance: COBIT Focus Areas
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement
Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.
Two are outcomes:
  Value delivery
  Risk management
Three are drivers:
  Strategic alignment
  Performance measurement
  Resource management (which overlays them all)
Security Strategy: Elements & Controls
5 Key Security Strategy Elements:
  1. Policies
  2. Procedures
  3. Authentication
  4. Authorization
  5. Recovery Plan
4 Key Control Elements:
  1. Preventive
  2. Detective
  3. Containment
  4. Recovery
Measuring Maturity
Security Program Infrastructure Maturity Levels:
  Level 1: Control objectives have been documented in a policy
  Level 2: Security control processes have been documented in procedures
  Level 3: Supporting procedures have been implemented (stakeholders have been made aware and trained)
  Level 4: Policies, procedures and controls are tested and reviewed to ensure continued adequacy
  Level 5: Procedures and controls are fully integrated into the culture of the organization
IT Governance Frameworks
ISO Family (1799, 20000, 27001) - International Standard Organization's Security Management Standards: framework of standards that provide best practices for information security management
ITIL - IT Infrastructure Library: best practices framework drawn from the public and private sectors internationally
COSO - Committee of Sponsoring Organizations of the Treadway Commission: organization dedicated to financial reporting through business ethics, internal controls, and corporate governance
COBIT - Control Objectives for Information and related Technology: framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks
FISMA - Federal Information Security Management Act of 2002: mandatory set of processes required by legislation for US federal information systems
OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation: risk-based strategic assessment and planning technique for security
CMMI - Capability Maturity Model Integration: an approach to governance based on process maturity
Clear Business Ownership and Direction
Alignment of Business and IT Objectives (CobiT 4.1 'Framework')
Diagram labels: Enterprise Strategy; Business Goals for IT; IT Goals; Enterprise Architecture for IT; IT Scorecard
Linking Technical and Business Risk Risk is the ‘lingua franca’ of business. Management needs to be able to compare IT Risks with other risks. IT Governance must do an effective job of translating technical risks to business risks.
Linking Technical and Business Risk
Technical Risk:
  Incidents resulting from Changes
  Equipment Age
  Audit Scores
  Information Security Incidents
  Overdue Controls Issues
Business Exposures:
  Disruptions to Critical Business Processes (e.g. Orders to Cash)
  Compromise Company Reputation
  Compromise Company Secrets
  Organizational Capacity / Health
  Financial Goals May not be Met
IT Governance in a Sourced Environment
Diagram labels: Business Strategy and Processes; IT Governance; Suppliers' IT Strategy and Processes; Commercial Relationship
Sourcing Strategy
Part of IT Strategic Plan
Inventory of critical Supplier relationships
Update based on changes to Business, IT or Supplier Strategies
May contain intervention plans
Contract Management
Initial negotiation and in-life change management
Defines Services/Quality
Defines ownership of Intellectual Property
Compliance with Law and Policy
Audit Rights
Contract Change Management
Required either by changing business needs or to address ambiguity.
Should be viewed as a negotiation: each party will attempt to get concessions not previously obtained, so value is at risk.
Depend on Relationship Management for smaller changes to avoid this risk.
Intellectual Property
Supplier IP may be used to deliver efficiencies ($)
However, use of Supplier IP may limit sourcing flexibility.
Who owns process 'know-how', and does this change over time?
What risk does this represent?
Intellectual Property Mitigations
Inventory, inventory, inventory:
  IT processes supporting the business
  Materials (documents, rights, etc.)
Risk Management discussion with business
Seek legal help
Follow up!
Audit Rights
Business requirements drive specifics.
Must be in the initial contract.
For supplier shared services, SAS70 Type II.
Audit rights should be unlimited and at no cost.
Risk Management
IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
As before, there may be a translation here from technical risk to business risk.
Can use Probability x Business Impact as the metric. The business should supply the Impact.
This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.
Project Management
Good Project Management helps assure value delivery.
Define 'project' vs. 'daily work' in the contract.
Has linkages to Finance Management (paying Project costs) and Service Delivery (assuring Project deliverables).
NPS
Performance Management
Aligning Service Delivery Requirements
Managing and Reporting against SLAs
Management of individual projects
Work prioritization
An Audit Checklist for IT Governance
IT Governance Audit Planning
Audit Team Composition
Audit Criteria
Learnings from the Balanced Scorecard Approach
Audit Team Composition
Leadership - Business or IT?
Audit Supervision and Auditor in Charge
Independence is a must
Beware setting up an audit team that may reflect corporate IT Governance issues
Consider sourcing knowledgeable auditors
IT Governance Audit Criteria / Standards
IIA Governance Auditing Standards
ISACA / ITGI IT Governance Auditing Guidelines
ITGI Risk IT Framework
ITGI Val IT Framework
Learnings from the Balanced Scorecard
Consider IT Governance from various business points of view (1):
  Corporate
  Customer
  Operational Excellence
  Future / Sustainability
1. "Measuring and Improving IT Governance Through the Balanced Scorecard", Information Systems Control Journal, Volume 2, 2005
Balanced Scorecard: Corporate View
Objective - Example Metrics:
  Business/IT Alignment - Operational budget approval
  Value Delivery - Business Unit Performance
  Cost Management - Attainment of expense and recovery targets
  Risk Management - Results of Internal Audits
  Intercompany Synergy - Single System Solutions
Balanced Scorecard: Customer View
Objective - Example Metrics:
  Customer Satisfaction - Business Unit Survey ratings
  Competitive Costs - Attainment of unit cost targets
  Development Performance - Major Project Scores
  Operational Performance - Attainment of targeted levels
Balanced Scorecard: Operational View
Objective - Example Metrics:
  Development Process - Function Point Measures
  Operational Process - Change Management effectiveness
  Process Maturity - Level of IT Processes
  Enterprise Architecture - State of the infrastructure assessment
COBIT as a RoadMap to IT
Global standard released as a set of tools that ensures IT is working effectively
Functions as an overarching framework
Provides common language to communicate goals, objectives and expected results to all stakeholders
Based on, and integrates, industry standards and good practices in:
  Strategic alignment of IT with business goals
  Value delivery of services and new projects
  Risk management
  Resource management
  Performance measurement
COBIT: Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)
RACI Chart
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
Defined Responsibilities for Each Process (activities, with the RACI codes across functions):
  Link business goals to IT goals. (C I A/R I C)
  Identify critical dependencies and current performance. (C C R A/R C C C C C C)
  Build an IT strategic plan. (A C C R I C C C C I C)
  Build IT tactical plans. (C I A C C C C C R I)
  Analyze program portfolios and manage project and service portfolios. (C I I A R R C R C C I)
The COBIT Framework
Key Driving Forces for COBIT
IT Resources (the resources made available to, and built up by, IT): Data; Application systems; Technology; Facilities; People
IT Processes (how IT is organized to respond to the requirements): Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Business Requirements (what the stakeholders expect from IT): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability
How Does COBIT Link to IT Governance?
Diagram labels: Business; IT; Governance; Goals; Responsibilities; Control Objectives; Requirements; Direction and Resourcing
Information the business needs to achieve its objectives
Information executives and board need to exercise their responsibilities
Process Orientation
Activities or Tasks: actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
Processes: a series of joined activities with natural control breaks.
Domains: natural grouping of processes, often matching an organisational domain of responsibility.
Process Orientation
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
IT Processes (a series of joined activities with natural control breaks): IT strategy; Computer operations; Incident handling; Acceptance testing; Change management; Contingency planning; Problem management
Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete): Record new problem. Analyse. Propose solution. Monitor solution. Record known problem. Etc. ...
Domains: Process Orientation
Plan and Organise
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics: Strategy and tactics; Vision planned; Organisation and infrastructure
Questions:
  Are IT and the business strategy aligned?
  Is the enterprise achieving optimum use of its resources?
  Does everyone in the organisation understand the IT objectives?
  Are IT risks understood and being managed?
  Is the quality of IT systems appropriate for business needs?
COBIT Processes
Plan and Organize:
  PO1 Define an IT strategic plan.
  PO2 Define the information architecture.
  PO3 Determine technological direction.
  PO4 Define the IT processes, organisation and relationships.
  PO5 Manage the IT investment.
  PO6 Communicate management aims and direction.
  PO7 Manage IT human resources.
  PO8 Manage quality.
  PO9 Assess and manage IT risks.
  PO10 Manage projects.
Acquire and Implement:
  AI1 Identify automated solutions.
  AI2 Acquire and maintain application software.
  AI3 Acquire and maintain technology infrastructure.
  AI4 Enable operation and use.
  AI5 Procure IT resources.
  AI6 Manage changes.
  AI7 Install and accredit solutions and changes.
COBIT Processes
Deliver and Support:
  DS1 Define and manage service levels.
  DS2 Manage third-party services.
  DS3 Manage performance and capacity.
  DS4 Ensure continuous service.
  DS5 Ensure systems security.
  DS6 Identify and allocate costs.
  DS7 Educate and train users.
  DS8 Manage service desk and incidents.
  DS9 Manage the configuration.
  DS10 Manage problems.
  DS11 Manage data.
  DS12 Manage the physical environment.
  DS13 Manage operations.
Monitor and Evaluate:
  ME1 Monitor and evaluate IT performance.
  ME2 Monitor and evaluate internal control.
  ME3 Ensure compliance with external requirements.
  ME4 Provide IT Governance.
Where COBIT Typically Sits
Diagram labels: Governance Layer; IT Governance Layer; IT Management Layer; COBIT; King; TickIT; CMM; COSO; ITIL