
Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP.


1 Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

2 Governance?
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders.
IT Governance: Subset of the corporate governance framework tasked with ensuring the alignment of IT with enterprise objectives. IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.

3 IT Governance

4 Why is IT Governance a ‘Hot Topic’?
- Increased sensitivity to protecting stakeholder interests
  - Shareholders (see: Sarbanes-Oxley)
  - Consumers (see: HIPAA)
  - Suppliers (see: PCI)

5 Forces Driving Governance
- Compliance
- Project Execution
- Security
- Business/IT Alignment
- ROI

6 Other ‘Non-Regulatory’ Reasons…
- Recognized need for tight business linkage
  - Strategic Alignment
  - Value Delivery
  - Resource Management
  - Risk Management
  - Performance Management
- Effective Management of Outsourced IT Suppliers
  - Relationship Management
  - Financial Management
  - Performance Management
  - Contract Management

7 Definitions

8 IT Governance Definitions
IIA International Professional Practices Framework:
- [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
- [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
- [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

9 Definition of IT Governance From COBIT
CobiT 4.1: IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

10 Common Framework Structure

11 Governance: High Level View
- The business of running IT vs. running the technology
- Setting the rules and assuring they are followed
- An ethical responsibility to stakeholders
  - Principal - business
  - Commonwealth - people
  - Each other - reputation

12 IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and ensure that IT is aligned with business objectives. Ideally:
- Governance should be a top-down process
- Linkages to business process and strategy exist for all actions
- Information in oral, paper, and electronic forms is covered
- Governance transcends physical boundaries
- Through governance, acceptable practices, policies, and procedures are established
Diagram elements: Business Drivers; Internal Environment; Entrustment Framework; Decision Model and Framework; Value Realization and Delivery Framework; Performance Management; Value Management.

13 Responsibility for IT Governance
Responsibility: IT governance is the responsibility of the board of directors and executive management.
- Integral part of enterprise governance
- Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Diagram (governance structure): Management Board; Steering Committee; Sub-Committees (Architecture, Security, etc.); Service Delivery & Functional Operation Management Teams (Networks, Systems, Desktop, Applications, Information Security, Operations).

14 IT Governance: COBIT Focus Areas
- Strategic Alignment
- Value Delivery
- Resource Management
- Risk Management
- Performance Measurement

15 Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.
- Two are outcomes:
  - Value delivery
  - Risk management
- Three are drivers:
  - Strategic alignment
  - Performance measurement
  - Resource management (which overlays them all)

16 Security Strategy: Elements & Controls
5 Key Security Strategy Elements:
1. Policies
2. Procedures
3. Authentication
4. Authorization
5. Recovery Plan
4 Key Control Elements:
1. Preventive
2. Detective
3. Containment
4. Recovery

17 Measuring Maturity
Security Program Infrastructure Maturity Level:
- Level 1: Control objectives have been documented in a policy
- Level 2: Security control processes have been documented in procedures
- Level 3: Supporting procedures have been implemented (stakeholders have been made aware and trained)
- Level 4: Policies, procedures and controls are tested and reviewed to ensure continued adequacy
- Level 5: Procedures and controls are fully integrated into the culture of the organization

18 IT Governance Frameworks
- ISO Family (17799, 20000, 27001): International Standard Organization’s Security Management Standards. Framework of standards that provide best practices for information security management.
- ITIL: IT Infrastructure Library. Best practices framework drawn from the public and private sectors internationally.
- COSO: Committee of Sponsoring Organizations of the Treadway Commission. Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance.
- COBIT: Control Objectives for Information and related Technology. Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.
- FISMA: Federal Information Security Management Act of 2002. Mandatory set of processes required by legislation for US federal information systems.
- OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation. Risk-based strategic assessment and planning technique for security.
- CMMI: Capability Maturity Model Integration. An approach to governance based on process maturity.

19 Clear Business Ownership and Direction
- Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’)
  - Enterprise Strategy
  - Business Goals for IT
  - IT Goals
  - Enterprise Architecture for IT
  - IT Scorecard

20 Linking Technical and Business Risk
- Risk is the ‘lingua franca’ of business.
- Management needs to be able to compare IT risks with other risks.
- IT Governance must do an effective job of translating technical risks to business risks.

21 Linking Technical and Business Risk
Technical Risk:
- Incidents resulting from Changes
- Equipment Age
- Audit Scores
- Information Security Incidents
- Overdue Controls Issues
Business Exposures:
- Disruptions to Critical Business Processes (e.g., Orders to Cash)
- Compromise of Company Reputation
- Compromise of Company Secrets
- Organizational Capacity / Health
- Financial Goals May Not Be Met

22 IT Governance in a Sourced Environment

23 Diagram: Business Strategy and Processes <-> IT Governance <-> Suppliers’ IT Strategy and Processes, each link being a Commercial Relationship.

24 Considerations in a Sourced Environment
- Sourcing Strategy
- Contract Management
- Finance Management
- Relationship Management
- Performance Management

25 Sourcing Strategy
- Part of the IT Strategic Plan
- Inventory of critical supplier relationships
- Updated based on changes to Business, IT or Supplier strategies
- May contain intervention plans

26 Contract Management
- Initial negotiation and in-life change management
- Defines Services/Quality
- Defines ownership of Intellectual Property
- Compliance with Law and Policy
- Audit Rights

27 Contract Change Management
- Required either by changing business needs or to address ambiguity.
- Should be viewed as a negotiation.
- Each party will attempt to get concessions not previously obtained; value is at risk.
- Depend on Relationship Management for smaller changes to avoid this risk.

28 Intellectual Property
- Supplier IP may be used to deliver efficiencies ($).
- However, use of Supplier IP may limit sourcing flexibility.
- Who owns process ‘know-how’, and does this change over time?
- What risk does this represent?

29 Intellectual Property Mitigations
- Inventory, inventory, inventory
  - IT processes supporting the business
  - Materials (documents, rights, etc.)
- Risk Management discussion with the business
- Seek legal help
- Follow up!

30 Audit Rights
- Business requirements drive specifics.
- Must be in the initial contract.
- For supplier shared services, SAS70 Type II.
- Audit rights should be unlimited and at no cost.

31 Finance Management
- Deal financials reporting
- Invoice Verification
  - Service receipt
  - Credits
  - Incentives
- Internal cost recovery

32 Finance Management
- This is THE PLACE to receive an independent confirmation of IT value delivery.
- Budgets are a very unforgiving reality check!

33 Relationship Management
- Overall Supplier management
- Monitor business needs
- Communication Forums
- Issue Management
- Risk Management
- Project Management

34 Risk Management
- IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
- As before, there may be a translation here from technical risk to business risk.
- Can use Probability x Business Impact as the metric. The business should supply the Impact.
- This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

35 Project Management
- Good Project Management helps assure value delivery.
- Define ‘project’ vs. ‘daily work’ in the contract.
- Has linkages to Finance Management (paying Project costs) and Service Delivery (assuring Project deliverables).
- NPS

36 Performance Management
- Aligning Service Delivery Requirements
- Managing and Reporting against SLAs
- Management of individual projects
- Work prioritization

37 An Audit Checklist for IT Governance

38 IT Governance Audit Planning
- Audit Team Composition
- Audit Criteria
- Learnings from the Balanced Scorecard Approach

39 Audit Team Composition
- Leadership - Business or IT?
- Audit Supervision and Auditor in Charge: independence is a must
- Beware setting up an audit team that may reflect corporate IT Governance issues
- Consider sourcing knowledgeable auditors

40 IT Governance Audit Criteria / Standards
- IIA Governance Auditing Standards
- ISACA / ITGI IT Governance Auditing Guidelines
- ITGI Risk IT Framework
- ITGI Val IT Framework

41 Learnings from the Balanced Scorecard
- Consider IT Governance from various business points of view (1)
  - Corporate
  - Customer
  - Operational Excellence
  - Future / Sustainability
1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

42 Balanced Scorecard: Corporate View
Objective: Example Metrics
- Business/IT Alignment: Operational budget approval
- Value Delivery: Business Unit Performance
- Cost Management: Attainment of expense and recovery targets
- Risk Management: Results of Internal Audits
- Intercompany Synergy: Single System Solutions

43 Balanced Scorecard: Customer View
Objective: Example Metrics
- Customer Satisfaction: Business Unit survey ratings
- Competitive Costs: Attainment of unit cost targets
- Development Performance: Major Project Scores
- Operational Performance: Attainment of targeted levels

44 Balanced Scorecard: Operational View
Objective: Example Metrics
- Development Process: Function Point Measures
- Operational Process: Change Management effectiveness
- Process Maturity: Level of IT Processes
- Enterprise Architecture: State of the infrastructure assessment

45 Balanced Scorecard: Future View
Objective: Example Metrics
- Human Resource Management: Staff Turnover
- Employee Satisfaction: Satisfaction survey scores
- Knowledge Management: Implementation of lessons learned

46 COBIT as a RoadMap to IT Governance

47 COBIT as a RoadMap to IT Governance
- Globally standard released as a set of tools that ensures IT is working effectively
- Functions as an overarching framework
- Provides a common language to communicate goals, objectives and expected results to all stakeholders
- Based on, and integrates, industry standards and good practices in:
  - Strategic alignment of IT with business goals
  - Value delivery of services and new projects
  - Risk management
  - Resource management
  - Performance measurement

48 COBIT: Processes, Goals and Metrics
Relationship Amongst Process, Goals and Metrics (DS5)

49 RACI Chart: Defined Responsibilities for Each Process
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed. Activities shown in the chart (per-function RACI assignments not reproduced):
- Link business goals to IT goals.
- Identify critical dependencies and current performance.
- Build an IT strategic plan.
- Build IT tactical plans.
- Analyze program portfolios and manage project and service portfolios.

50 The COBIT Framework

51 Key Driving Forces for COBIT
- IT Resources (the resources made available to, and built up by, IT): Data; Application systems; Technology; Facilities; People
- IT Processes (how IT is organized to respond to the requirements): Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate
- Business Requirements (what the stakeholders expect from IT): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability

52 How Does COBIT Link to IT Governance?
Diagram elements: Business; IT; IT Governance; Requirements (information the business needs to achieve its objectives); Responsibilities (information executives and board need to exercise their responsibilities); Goals; Control Objectives; Direction and Resourcing.

53 Process Orientation
- Domains: Natural grouping of processes, often matching an organisational domain of responsibility
- Processes: A series of joined activities with natural control breaks
- Activities or Tasks: Actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

54 Process Orientation
- IT Domains (natural grouping of processes, often matching an organisational domain of responsibility): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
- IT Processes (a series of joined activities with natural (control) breaks): IT strategy; Computer operations; Incident handling; Acceptance testing; Change management; Contingency planning; Problem management
- Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete): Record new problem. Analyse. Propose solution. Monitor solution. Record known problem. Etc.

55 Domains: Plan and Organise
- Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
- Topics
  - Strategy and tactics
  - Vision planned
  - Organisation and infrastructure
- Questions
  - Are IT and the business strategy aligned?
  - Is the enterprise achieving optimum use of its resources?
  - Does everyone in the organisation understand the IT objectives?
  - Are IT risks understood and being managed?
  - Is the quality of IT systems appropriate for business needs?

56 COBIT Processes
Plan and Organize:
- PO1 Define an IT strategic plan.
- PO2 Define the information architecture.
- PO3 Determine technological direction.
- PO4 Define the IT processes, organisation and relationships.
- PO5 Manage the IT investment.
- PO6 Communicate management aims and direction.
- PO7 Manage IT human resources.
- PO8 Manage quality.
- PO9 Assess and manage IT risks.
- PO10 Manage projects.
Acquire and Implement:
- AI1 Identify automated solutions.
- AI2 Acquire and maintain application software.
- AI3 Acquire and maintain technology infrastructure.
- AI4 Enable operation and use.
- AI5 Procure IT resources.
- AI6 Manage changes.
- AI7 Install and accredit solutions and changes.

57 COBIT Processes
Deliver and Support:
- DS1 Define and manage service levels.
- DS2 Manage third-party services.
- DS3 Manage performance and capacity.
- DS4 Ensure continuous service.
- DS5 Ensure systems security.
- DS6 Identify and allocate costs.
- DS7 Educate and train users.
- DS8 Manage service desk and incidents.
- DS9 Manage the configuration.
- DS10 Manage problems.
- DS11 Manage data.
- DS12 Manage the physical environment.
- DS13 Manage operations.
Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance.
- ME2 Monitor and evaluate internal control.
- ME3 Ensure compliance with external requirements.
- ME4 Provide IT governance.

58 Where COBIT Typically Sits
Diagram layers: Governance Layer; IT Governance Layer; IT Management Layer. Frameworks shown: King, COSO, COBIT, ITIL, CMM, TickIT.
