
Page 1

Information Technology Management (ITM101) Week 02: IT Standards & Governance

Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

Page 2

Governance?

Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders

IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives

IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.

Page 3

IT Governance

Page 4

Why is IT Governance a ‘Hot Topic’?

Increased sensitivity to protecting stakeholder interests:
Shareholders (see: Sarbanes-Oxley)
Consumers (see: HIPAA)
Suppliers (see: PCI)

Page 5

Forces Driving Governance

Compliance
Project Execution
Security
Business/IT Alignment
ROI

Page 6

Other ‘Non-Regulatory’ Reasons…

Recognized need for tight business linkage:
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Management

Effective Management of Outsourced IT Suppliers:
Relationship Management
Financial Management
Performance Management
Contract Management

Page 7

Definitions

Page 8

IT Governance Definitions

IIA International Professional Practices Framework:

[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.

[IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.

[Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

Page 9

Definition of IT Governance From COBIT

CobiT 4.1:

IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

Page 10

Common Framework Structure

Page 11

Governance: High Level View

The business of running IT vs. running the technology

Setting the rules and assuring they are followed

An ethical responsibility to stakeholders:
Principal - business
Commonwealth - people
Each other - reputation

Page 12

IT Governance Objectives

The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives.

Ideally:
Governance should be a top-down process
Linkages to business process and strategy exist for all actions
Information in oral, paper, and electronic forms
Governance transcends physical boundaries
Through governance, acceptable practices, policies, and procedures are established

Diagram labels: Business Drivers; Internal Environment; Entrustment Framework; Decision Model and Framework; Value Realization and Delivery Framework; Performance Management; Value Management

Page 13

Responsibility for IT Governance

Responsibility: IT governance is the responsibility of the board of directors and executive management. Integral part of enterprise governance.

Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

Sub-Committees: Architecture, Security, etc.

Organization chart labels: Management Board; Information Security Steering Committee; Service Delivery & Functional Operation Management Teams; Networks; Systems; Desktop; Applications; Operations

Page 14

IT Governance: COBIT Focus Areas

Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement

Page 15

Focus Areas of IT Governance

Five main focus areas for IT governance, all driven by stakeholder value.

Diagram labels: Stakeholder Value Drivers; IT Value Delivery; Risk Management; Performance Management; IT Strategic Alignment; IT Resource Management

Two are outcomes:
Value delivery
Risk management

Three are drivers:
Strategic alignment
Performance measurement
Resource management (which overlays them all)

Page 16

Security Strategy: Elements & Controls

5 Key Security Strategy Elements

Element #   Element Name
1           Policies
2           Procedures
3           Authentication
4           Authorization
5           Recovery Plan

4 Key Control Elements

Element #   Element Name
1           Preventive
2           Detective
3           Containment
4           Recovery

Page 17

Measuring Maturity

Security Program Infrastructure

Maturity Level   Description
Level 1          Control objectives have been documented in a policy
Level 2          Security control processes have been documented in procedures
Level 3          Supporting procedures have been implemented (stakeholders have been made aware and trained)
Level 4          Policies, procedures and controls are tested and reviewed to ensure continued adequacy
Level 5          Procedures and controls are fully integrated into the culture of the organization

Page 18

IT Governance Frameworks

ISO Family (17799, 20000, 27001): International Standard Organization’s Security Management Standards. Framework of standards that provide best practices for information security management.

ITIL (IT Infrastructure Library): Best practices framework drawn from the public and private sectors internationally.

COSO (Committee of Sponsoring Organizations of the Treadway Commission): Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance.

COBIT (Control Objectives for Information and related Technology): Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.

FISMA (Federal Information Security Management Act of 2002): Mandatory set of processes required by legislation for US federal information systems.

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Risk based strategic assessment and planning technique for security.

CMMI (Capability Maturity Model Integration): An approach to governance based on process maturity.

Page 19

Clear Business Ownership and Direction

Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’):
Enterprise Strategy
Business Goals for IT
IT Goals
Enterprise Architecture for IT
IT Scorecard

Page 20

Linking Technical and Business Risk

Risk is the ‘lingua franca’ of business.

Management needs to be able to compare IT Risks with other risks.

IT Governance must do an effective job of translating technical risks to business risks.

Page 21

Linking Technical and Business Risk

Technical Risk:
Incidents resulting from Changes
Equipment Age
Audit Scores
Information Security Incidents
Overdue Controls Issues

Business Exposures:
Disruptions to Critical Business Processes (i.e.: Orders to Cash)
Compromise Company Reputation
Compromise Company Secrets
Organizational Capacity / Health
Financial Goals May not be Met

Page 22

IT Governance in a Sourced Environment

Page 23

IT Governance in a Sourced Environment

Diagram labels: Business Strategy and Processes; IT Governance; Commercial Relationship; Suppliers’ IT Strategy and Processes

Page 24

Considerations in a Sourced Environment

Sourcing Strategy
Contract Management
Finance Management
Relationship Management
Performance Management

Page 25

Sourcing Strategy

Part of IT Strategic Plan
Inventory of critical Supplier relationships
Update based on changes to Business, IT or Supplier Strategies
May contain intervention plans

Page 26

Contract Management

Initial negotiation and in-life change management
Defines Services/Quality
Defines ownership of Intellectual Property
Compliance with Law and Policy
Audit Rights

Page 27

Contract Change Management

Required by either changing business needs or to address ambiguity.

Should be viewed as a negotiation. Each party will attempt to get concessions not previously obtained - value is at risk.

Depend on Relationship Management for smaller changes to avoid this risk.

Page 28

Intellectual Property

Supplier IP may be used to deliver efficiencies ($)

However, use of Supplier IP may limit sourcing flexibility.

Who owns process ‘know-how’ and does this change over time?

What risk does this represent?

Page 29

Intellectual Property Mitigations

Inventory, inventory, inventory:
IT processes supporting the business
Materials (documents, rights, etc.)
Risk Management discussion with business
Seek legal help
Follow up!

Page 30

Audit Rights

Business requirements drive specifics.
Must be in the initial contract.
For supplier shared services, SAS70 Type II.
Audit rights should be unlimited and at no cost.

Page 31

Finance Management

Deal financials reporting
Invoice Verification
Service receipt
Credits
Incentives
Internal cost recovery

Page 32

Finance Management

This is THE PLACE to receive an independent confirmation of IT value delivery.

Budgets are a very unforgiving reality check!

Page 33

Relationship Management

Overall Supplier management
Monitor business needs
Communication Forums
Issue Management
Risk Management
Project Management

Page 34

Risk Management

IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.

As before, there may be a translation here from technical risk to business risk.

Can use Probability x Business Impact as the metric. The business should supply the Impact.

This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

Page 35

Project Management

Good Project Management helps assure value delivery

Define ‘project’ vs. ‘daily work’ in the contract.

Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)

NPS

Page 36

Performance Management

Aligning Service Delivery Requirements
Managing and Reporting against SLAs
Management of individual projects
Work prioritization

Page 37

An Audit Checklist for IT Governance

Page 38

IT Governance Audit Planning

Audit Team Composition
Audit Criteria
Learnings from the Balanced Scorecard Approach

Page 39

Audit Team Composition

Leadership - Business or IT?
Audit Supervision and Auditor in Charge
Independence is a must
Beware setting up an audit team that may reflect corporate IT Governance issues
Consider sourcing knowledgeable auditors

Page 40

IT Governance Audit Criteria / Standards

IIA Governance Auditing Standards
ISACA / ITGI IT Governance Auditing Guidelines
ITGI Risk IT Framework
ITGI Val IT Framework
<< Insert your Company business policies here >>

Page 41

Learnings from the Balanced Scorecard

Consider IT Governance from various business points of view (1):
Corporate
Customer
Operational Excellence
Future / Sustainability

1. “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

Page 42

Balanced Scorecard: Corporate View

Objective                Example Metrics
Business/IT Alignment    Operational budget approval
Value Delivery           Business Unit Performance
Cost Management          Attainment of expense and recovery targets
Risk Management          Results of Internal Audits
Intercompany Synergy     Single System Solutions

Page 43

Balanced Scorecard: Customer View

Objective                  Example Metrics
Customer Satisfaction      Business Unit Survey ratings
Competitive Costs          Attainment of unit cost targets
Development Performance    Major Project Scores
Operational Performance    Attainment of targeted levels

Page 44

Balanced Scorecard: Operational View

Objective                Example Metrics
Development Process      Function Point Measures
Operational process      Change Management effectiveness
Process Maturity         Level of IT Processes
Enterprise Architecture  State of the infrastructure assessment

Page 45

Balanced Scorecard: Future View

Objective                    Example Metrics
Human Resource Management    Staff Turnover
Employee Satisfaction        Satisfaction survey scores
Knowledge Management         Implementation of learned lessons

Page 46

CobIT as a RoadMap to IT Governance

Page 47

COBIT as a RoadMap to IT

Global standard released as a set of tools that ensures IT is working effectively

Functions as an overarching framework

Provides common language to communicate goals, objectives and expected results to all stakeholders

Based on, and integrates, industry standards and good practices in:
Strategic alignment of IT with business goals
Value delivery of services and new projects
Risk management
Resource management
Performance measurement

Page 48

COBIT: Processes, Goals and Metrics

Figure: Relationship Amongst Process, Goals and Metrics (DS5)

Page 49

Defined Responsibilities for Each Process

RACI Chart (Activities vs. Functions) for the activities:
Link business goals to IT goals.
Identify critical dependencies and current performance.
Build an IT strategic plan.
Build IT tactical plans.
Analyze program portfolios and manage project and service portfolios.

A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.

Page 50

The COBIT Framework

Page 51

Key Driving Forces for COBIT

IT Resources (The resources made available to—and built up by—IT):
o Data
o Application systems
o Technology
o Facilities
o People

IT Processes (How IT is organized to respond to the requirements):
o Plan and Organize
o Acquire and Implement
o Deliver and Support
o Monitor and Evaluate

Business Requirements (What the stakeholders expect from IT):
o Effectiveness
o Efficiency
o Confidentiality
o Integrity
o Availability
o Compliance
o Information reliability

Page 52

How Does COBIT Link to IT Governance?

Diagram labels: Business; IT Governance; Requirements; Goals; Responsibilities; Control Objectives; Direction and Resourcing

Information the business needs to achieve its objectives

Information executives and board need to exercise their responsibilities

Page 53

Process Orientation

Activities or Tasks: Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete

Processes: A series of joined activities with natural control breaks

Domains: Natural grouping of processes, often matching an organisational domain of responsibility

Page 54

Process Orientation

IT Domains (Natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

IT Processes (A series of joined activities with natural (control) breaks):
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management

Activities (Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete):
• Record new problem.
• Analyse.
• Propose solution.
• Monitor solution.
• Record known problem.
• Etc. …

Page 55

Process Orientation: Domains

Plan and Organise

Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.

Topics: Strategy and tactics; Vision planned; Organisation and infrastructure

Questions:
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organisation understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?

Page 56

COBIT Processes

Plan and Organize:
PO1 Define an IT strategic plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Page 57

COBIT Processes

Deliver and Support:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT Governance.

Page 58

Where COBIT Typically Sits

Diagram: three layers (Governance Layer, IT Governance Layer, IT Management Layer) showing where COBIT sits relative to King, TickIT, 17799, CMM, COSO and ITIL.