5202 Review. What is IT Governance? = Right Things, Done Right Good IT Governance.

Presentation transcript:

5202 Review

What is IT Governance?

= Right Things, Done Right Good IT Governance

What is COBIT 5? It's about best practice. It tries to cover IT end-to-end. It tells you what you need to be thinking about when running (or auditing) IT. It's not about the technology, it's about the processes you use to deliver technology. It's about how to decide what you do (Right Things) and then how to do it in an efficient, effective and secure manner (Done Right). It is critical that you understand the processes it recommends.

Six IT Decisions That Your IT People Shouldn't Make (Weill & Ross)
1. How much should we spend on IT?
2. Which business processes should receive our IT dollars?
3. Which IT services should be firm wide?
4. How good do our services need to be?
5. What security and privacy risks are we willing to take?
6. Whom do we blame if an IT initiative goes wrong?
The decisions are grouped into Strategy and Execution.

ISACA's View of Governance
What is IT governance? Define each of the components:
Value Delivery, Risk Management, IT Strategic Alignment, Resource Management, Performance Management
How does this compare with the definition we used last week?
Doing the right thing: Value Delivery, Risk Management
Doing it right: Strategic Alignment, Resource Management, Performance Management

What Does a Company Want From its IT Systems? Take 5 minutes and write down all of the attributes of an IT system that a company would want. For example: a company wants its IT systems to be available.
Effective, Efficient, Confidential, Integrity, Available, Compliant, Reliable

What are controls ? Controls are defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented.

What types of controls are there?
Preventive Controls
Detective Controls
Corrective Controls
Give me some examples?

What is the difference between general and application controls? General controls are part of an IT service, like identity management. Application controls are part of a business process. What are application controls trying to achieve? Did the right people handle a transaction? Was it recorded correctly? Is it being processed correctly? Are all our transactions authentic, and do they have integrity?

What are "layered controls," also known in security as "defense in depth"?

What is the control environment? The actions, policies, values, and management styles that influence, and set the tone of, a firm's day-to-day activities. (BusinessDictionary.com)

Corporate Leadership
Senior corporate leadership sets the tone; they are ultimately responsible.
Principles & Policies describe the desired outcomes.
Others may write them, but the board must approve them.

Higher Level Management
Management defines how these objectives will be realized.
Processes, standards and guidelines document the practices and activities that are designed to ensure that the organization meets the goals set by senior leadership.

Management's Use of Controls
Controls are put in place to ensure that the Processes, Standards and Guidelines are being followed. Therefore, they help mitigate the risk that the behaviors desired by senior leadership will not occur.
Controls are usually used in combinations, so that if one fails, the others will correct the behavior.

Monitoring & Audit
Management should monitor their controls to see if the desired behavior is being realized.
Audits examine the adequacy and effectiveness of the controls that an organization has put in place.

Our Starting Point (IT organization chart)
CIO
Office of CIO
Information Systems Development
Computer Operations
Technical Support
Quality Assurance

Organizing an IT Function
What are the major categories of IT administrative controls?
IT standards, policies and procedures
IT budget
IT asset controls
IT personnel management controls
IT purchasing controls
IT office controls
IT monitoring controls
IT performance measures

Enterprise Architecture
What's an Enterprise Architecture and what's it for?
EA "…is the organizing logic of business processes and IT infrastructure reflecting the integration and standardization requirements of the firm's operating model" (MIT Center for Information Research)
Alignment, Flexibility

Federal Enterprise Architecture Model

Politics = Who gets what, when, where, why & how

What is the IT Strategy?
IT Strategy is at the highest level of decision making.
It's a political process.
It sets forth IT's goals & objectives, as well as describing how to reach them.
It defines budget, personnel resources, performance measurements & the balanced scorecard.
It communicates all of the above to the entire organization.

Archetypes of IT Decision Making
1. Business Monarchy: high level exec's make decisions. Most commonly used for deciding how much to spend on IT.
2. IT Monarchy: IT makes decisions. Most commonly used for deciding technical issues. EA sometimes gets stuck here.
3. Feudal: business units make decisions independently. Very old school and hard to be successful.
4. Federal: IT and business units make decisions. Often used for application decisions; can be cumbersome.
5. Duopoly: small team representing IT and business make decisions. Small mix of CIO and businesses; ISACA preferred position.
6. Anarchy: everyone can go their own way. Theoretical, never seen in real world.

A Representative IT Strategy Process
Inputs: 6 Answers, Enterprise Architecture, Vision, Goals and Objectives, General Input
Strategy: CIO drafts, Steering Team approves, Strategy Team approves
Outputs: Roadmap, Resource Plans, Budget Plans, Performance Measures, Balanced Scorecard

Strategic Themes
Business Value Creation & Investment Portfolio
Enabling IT Capabilities, Talent, and Enterprise Infrastructure
IT Operating Principles
The IT Strategy "filter": Business Need, through the IT Strategy, into the IT Portfolio (Alignment)

Portfolio Categories
Innovation: New Business Models or Competitive Capability
Discretionary Growth: Increase Revenue, Increase Intimacy
Efficiency: Cost-Out, Productivity
Run the Engine: Sustain Operations

Discretionary Budget in Portfolio Perspective
Innovation: 2%, $0.5MM
Discretionary Growth: 30%, $12MM
Efficiency: 38%, $15MM
Run the Engine: 30%, $12MM
Targets are set for each category at 1 Yr and 3 Yr. We can change the portfolio targets to shift investment to business opportunities.

What's the difference between these concepts? A policy, a procedure, a standard, a guideline. Which are controls?

What are some of the items that should be included in any policy?
Company logo
"Policies and Procedures" title
Policy name
Objective
Applies to
Key guidelines
Samples
Questions?
Last revision date

Your Questions
1. Assuming you need policies, how would you go about deciding how many and which ones?
2. What's the right mix of policies, procedures, standards and guidelines?
3. Assuming you now have a set of policies, how do you know if they are any good? Working?
4. As an auditor looking at an IT organization's policies, what would you look for?

What does a data center really do?
Provides network services
Provides applications services to the company
Provides data storage and backup services
Provides maintenance services for all of its HW & SW
Provides technical support services
It keeps itself safe and always available
Operations = the organization; Data Center = the place

What is a Service? A Service is a set of actions or solutions that are put in place or are performed to provide a repeatable and consistent set of outcomes, deliverables, and performance for people, organizations, and systems that represent consumers or beneficiaries of such results. (The International Foundation for Information Technology)

IT service management (ITSM) refers to the implementation and management of quality information technology services. IT service management is performed by IT service providers through people, process and information technology. (Wikipedia)

What is quality? Why is it important? What are TQM’s principles? What does all of this have to do with 6 Sigma? Where does a balanced scorecard fit in?

Managing Quality in IT
IT is all about providing services.
Quality of an IT service is about meeting desired outcomes.
Non-desired outcomes are service defects.
QMS means an organizational spirit of continuous improvement.
Making improvements to prevent service defects means establishing controls on the process.
Therefore a strong control environment is highly analogous to having a strong QMS.

What is the role of the contract in any outsourcing deal?
Outsourcing always adds complexity.
Most of the original risks remain.
Added risk of the two parties not working well together.
The contract tries to define what the relationship will be to minimize these risks. Therefore, it's a preventive control.

MSA Terms & Conditions
1. Guiding Principles
2. Services
3. Personnel
4. Assets & Third Party Contracts
5. Retained Authorities
6. Fees & Payment Terms
7. Record Keeping & Audit Rights
8. Representation, etc.
9. Terms & Termination
10. Disentanglements
11. Limitations of Liability
12. Proprietary Rights
13. Security & Confidentiality
14. Legal Compliance
15. Indemnification
16. Insurance
17. Dispute Resolution
18. Use of Subcontractors
19. Miscellaneous

Monitoring
Monitoring = comparing the expected outcomes with the actual outcomes over time.
Monitoring shows whether or not an organization's controls are assuring compliance.
Monitoring gives management the data it needs for performance management.
Monitoring gives the quality management system the data it needs to continually improve IT's processes.

Strategic Performance Measures (aka Key Performance Indicators)
Metrics calculated from monitoring data.
Tied directly to the IT strategy through objectives.
Objective expectations must be clear.
If the data generates metrics that surpass the expectation, the strategy can be called successful.

IT Balanced Scorecard
A collection of strategic performance measures.
Intended to show performance from a number of perspectives: Financial, Operational, Value, System Implementation, Customer Satisfaction.
Often too operational, not strategic enough.

Right Things (Governance):
What is IT's role in the business?
What is our IT strategy?
Where are we technologically and where do we want to be?
What portfolio of projects offers us the best value?
What will our control environment be like?
What policies do we need?
Done Right (Management):
QMS
Establish & run the control environment
Run IT's services
Implement IT projects
KPI's
IT Balanced Scorecard
Transparent Stakeholder Communications
IT Performance Optimization

In other words …
Governance's goal is to optimize IT performance.
To optimize, you need a transparent view of IT.
Transparency comes from performance management.
To manage performance you need to monitor that performance.
IT does a lot of different things, so you need to monitor all of them.
To monitor, you define KPI's and track them.
The quality process helps you define processes & KPI's.
The balanced scorecard should show the KPI's of what the stakeholders think most important.

ISACA’s Risk IT Framework

1. What is IT Risk?
2. What are the three types of IT Risk?
3. What are the three risk processes that an enterprise ought to have?
4. What is risk appetite?
5. What is risk tolerance?
6. What are the three parts of a risk culture?

Risk Evaluation
What are some ways you might express IT risk in business terms? (COBIT, COSO ERM)
What is a risk scenario?
What is a risk factor?
What are the four types of risk response and when would you use them?

Gartner's Security Processes You Must Get Right
Security's Responsibility:
1. Security Governance
2. Policy Management
3. Awareness & Education
4. Identity & Access Management
5. Vulnerability Management
6. Incident Response
IT's Responsibility:
1. Change Management
2. Disaster Recovery & Business Continuity
3. Project Life Cycle Management
4. Vendor Management

Incident Response
1. Preparation
2. Detect and Expose
3. Triage
4. Classify and Contain
5. Remediate
6. Report and Post-Mortem

Three Related Concepts
Backup. The Goal: store the company's data and other digital resources in case of loss.
Disaster Recovery. The Goal: get the company's information systems back up and running as fast as possible.
Business Continuity. The Goal: keep the business viable until normal operations can resume.

Standards vs Maturity Models Threshold vs Framework