Information Technology Management (ITM101) Week 02: IT Standards & Governance
Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP
Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives
IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.
Governance?
IT Governance
Why is IT Governance a ‘Hot Topic’?
Increased sensitivity to protecting stakeholder interests:
Shareholders (see: Sarbanes-Oxley)
Consumers (see: HIPAA)
Suppliers (see: PCI)
Forces Driving Governance
Compliance
Project Execution
Security
Business/IT Alignment
ROI
Other ‘Non-Regulatory’ Reasons…
Recognized need for tight business linkage:
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Management
Effective Management of Outsourced IT Suppliers:
Relationship Management
Financial Management
Performance Management
Contract Management
Definitions
IIA International Professional Practices Framework:
[IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
[IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
[Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
IT Governance Definitions
CobiT 4.1:
IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
Definition of IT Governance From COBIT
Common Framework Structure
Governance: High Level View
The business of running IT vs. running the technology
Setting the rules and assuring they are followed
An ethical responsibility to stakeholders:
Principal - business
Commonwealth - people
Each other - reputation
IT Governance Objectives
The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives. Ideally:
Governance should be a top-down process
Linkages to business process and strategy exist for all actions
Information in oral, paper, and electronic forms
Governance transcends physical boundaries
Through governance, acceptable practices, policies, and procedures are established
Business Drivers
Internal Environment
Entrustment Framework
Decision Model and Framework
Value Realization and Delivery Framework
Performance Management
Value Management
Responsibility for IT Governance
Responsibility: IT governance is the responsibility of the board of directors and executive management.
Integral part of enterprise governance
Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
Sub-Committees: Architecture, Security, etc.
Service Delivery & Functional Operation Management Teams
Networks
Systems
Desktop
Information Security Steering Committee
Applications
Management Board
Operations
IT Governance: COBIT Focus Areas
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement
Focus Areas of IT Governance
Five main focus areas for IT governance, all driven by stakeholder value.
Stakeholder Value Drivers
IT Value Delivery
Risk Management
Performance Management
IT Strategic Alignment
IT Resource Management
Two are outcomes:
Value delivery
Risk management
Three are drivers:
Strategic alignment
Performance measurement
Resource management (which overlays them all)
5 Key Security Strategy Elements
Element # Element Name
1 Policies
2 Procedures
3 Authentication
4 Authorization
5 Recovery Plan
4 Key Control Elements
Element # Element Name
1 Preventive
2 Detective
3 Containment
4 Recovery
Security Strategy: Elements & Controls
Security Program Infrastructure
Maturity Level Description
Level 1 Control objectives have been documented in a policy
Level 2 Security control processes have been documented in procedures
Level 3 Supporting procedures have been implemented (stakeholders have been made aware and trained)
Level 4 Policies, procedures and controls are tested and reviewed to ensure continued adequacy
Level 5 Procedures and controls are fully integrated into the culture of the organization
Measuring Maturity
ISO Family (17799, 20000, 27001): International Standards Organization's Security Management Standards. Framework of standards that provide best practices for information security management.
ITIL: IT Infrastructure Library. Best practices framework drawn from the public and private sectors internationally.
COSO: Committee of Sponsoring Organizations of the Treadway Commission. Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance.
COBIT: Control Objectives for Information and related Technology. Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.
FISMA: Federal Information Security Management Act of 2002. Mandatory set of processes required by legislation for US federal information systems.
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation. Risk-based strategic assessment and planning technique for security.
CMMI: Capability Maturity Model Integration. An approach to governance based on process maturity.
IT Governance Frameworks
Clear Business Ownership and Direction
Alignment of Business and IT Objectives (CobiT 4.1 'Framework'):
Enterprise Strategy
Business Goals for IT
IT Goals
Enterprise Architecture for IT
IT Scorecard
Linking Technical and Business Risk
Risk is the ‘lingua franca’ of business.
Management needs to be able to compare IT Risks with other risks.
IT Governance must do an effective job of translating technical risks to business risks.
Linking Technical and Business Risk
Technical Risk
Incidents resulting from Changes
Equipment Age
Audit Scores
Information Security Incidents
Overdue Controls Issues
Business Exposures
Disruptions to Critical Business Processes (e.g. Orders to Cash)
Compromise Company Reputation
Compromise Company Secrets
Organizational Capacity / Health
Financial Goals May not be Met
IT Governance in a Sourced Environment
Business Strategy and Processes
IT Governance
Suppliers' IT Strategy and Processes
Commercial Relationship
Considerations in a Sourced Environment
Sourcing Strategy
Contract Management
Finance Management
Relationship Management
Performance Management
Sourcing Strategy
Part of IT Strategic Plan
Inventory of critical Supplier relationships
Update based on changes to Business, IT or Supplier Strategies
May contain intervention plans
Contract Management
Initial negotiation and in-life change management
Defines Services/Quality
Defines ownership of Intellectual Property
Compliance with Law and Policy
Audit Rights
Contract Change Management
Required by either changing business needs or to address ambiguity.
Should be viewed as a negotiation. Each party will attempt to get concessions not previously obtained - value is at risk.
Depend on Relationship Management for smaller changes to avoid this risk
Intellectual Property
Supplier IP may be used to deliver efficiencies ($)
However, use of Supplier IP may limit sourcing flexibility.
Who owns process ‘know-how’ and does this change over time?
What risk does this represent?
Intellectual Property Mitigations
Inventory, inventory, inventory:
IT processes supporting the business
Materials (documents, rights, etc.)
Risk Management discussion with business
Seek legal help
Follow up!
Audit Rights
Business requirements drive specifics.
Must be in the initial contract
For supplier shared services, SAS70 Type II
Audit rights should be unlimited and at no cost.
Finance Management
Deal financials reporting
Invoice Verification
Service receipt
Credits
Incentives
Internal cost recovery
Finance Management
This is THE PLACE to receive an independent confirmation of IT value delivery.
Budgets are a very unforgiving reality check!
Relationship Management
Overall Supplier management
Monitor business needs
Communication Forums
Issue Management
Risk Management
Project Management
Risk Management
IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total.
As before, there may be a translation here from technical risk to business risk.
Can use Probability x Business Impact as the metric. The business should supply the Impact.
This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.
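Risk scoring, as an added example that is not part of the original slides: a small supplier risk register that applies the Probability x Business Impact metric across the four categories named above, with the business supplying the impact rating and each technical risk carrying its business-language translation. The supplier names, risk entries and the escalation threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Supplier risk categories named on the slide.
CATEGORIES = ("Financial", "Service Delivery", "Relationship", "Information Security")


@dataclass(frozen=True)
class SupplierRisk:
    supplier: str
    category: str
    technical_risk: str      # the risk as IT sees it (e.g. an overdue controls issue)
    business_exposure: str   # the same risk translated into business terms
    probability: float       # 0.0-1.0, estimated by IT governance
    impact: int              # 1 (negligible) to 5 (severe), supplied by the business

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if not 1 <= self.impact <= 5:
            raise ValueError("impact must be a business rating from 1 to 5")

    def score(self) -> float:
        # The slide's metric: Probability x Business Impact.
        return self.probability * self.impact


def rank_risks(risks: Iterable[SupplierRisk]) -> List[SupplierRisk]:
    """Highest-scoring risks first, so the supplier conversation starts there."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def supplier_totals(risks: Iterable[SupplierRisk]) -> Dict[str, float]:
    """Sum the scores per supplier: the 'in total' view the slide asks for."""
    totals: Dict[str, float] = {}
    for r in risks:
        totals[r.supplier] = round(totals.get(r.supplier, 0.0) + r.score(), 2)
    return totals


def escalation_list(risks: Iterable[SupplierRisk], threshold: float = 2.0) -> List[str]:
    """Business-language lines for every risk at or above the (assumed) threshold."""
    return [f"{r.supplier}: {r.business_exposure} (score {r.score():.1f})"
            for r in rank_risks(risks) if r.score() >= threshold]


# Constructed sample register (not real supplier data).
SAMPLE_RISKS = [
    SupplierRisk("Acme Hosting", "Information Security", "Overdue controls issues", "Compromise of company secrets", 0.4, 5),
    SupplierRisk("Acme Hosting", "Service Delivery", "Incidents resulting from changes", "Disruption to orders-to-cash", 0.6, 4),
    SupplierRisk("Acme Hosting", "Financial", "Invoice disputes", "Recovery targets missed", 0.1, 3),
    SupplierRisk("Beta Desk", "Relationship", "Unresolved escalations", "Reputation with business units", 0.5, 2),
    SupplierRisk("Beta Desk", "Information Security", "Audit findings", "Compromise of company secrets", 0.2, 5),
]

if __name__ == "__main__":
    for line in escalation_list(SAMPLE_RISKS):
        print(line)
    print(supplier_totals(SAMPLE_RISKS))
```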
Project Management
Good Project Management helps assure value delivery
Define ‘project’ vs. ‘daily work’ in the contract.
Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)
NPS
Performance Management
Aligning Service Delivery Requirements
Managing and Reporting against SLAs
Management of individual projects Work prioritization
An Audit Checklist for IT Governance
IT Governance Audit Planning
Audit Team Composition
Audit Criteria
Learnings from the Balanced Scorecard Approach
Audit Team Composition
Leadership - Business or IT?
Audit Supervision and Auditor in Charge
Independence is a must
Beware setting up an audit team that may reflect corporate IT Governance issues
Consider sourcing knowledgeable auditors
IT Governance Audit Criteria / Standards
IIA Governance Auditing Standards
ISACA / ITGI IT Governance Auditing Guidelines
ITGI Risk IT Framework
ITGI Val IT Framework
<< Insert your Company business policies here >>
Learnings from the Balanced Scorecard
Consider IT Governance from various business points of view (1):
Corporate
Customer
Operational Excellence
Future / Sustainability
1. "Measuring and Improving IT Governance Through the Balanced Scorecard", Information Systems Control Journal, Volume 2, 2005
Objective Example Metrics
Business/ IT Alignment Operational budget approval
Value Delivery Business Unit Performance
Cost Management Attainment of expense and recovery targets
Risk Management Results of Internal Audits
Intercompany Synergy Single System Solutions
Balanced Scorecard: Corporate View
Objective Example Metrics
Customer Satisfaction Business Unit Survey ratings
Competitive Costs Attainment of unit cost targets
Development Performance Major Project Scores
Operational Performance Attainment of targeted levels
Balanced Scorecard: Customer View
Objective Example Metrics
Development Process Function Point Measures
Operational process Change Management effectiveness
Process Maturity Level of IT Processes
Enterprise Architecture State of the infrastructure assessment
Balanced Scorecard: Operational View
Objective Example Metrics
Human Resource Management Staff Turnover
Employee Satisfaction Satisfaction survey scores
Knowledge Management Implementation of learned lessons
Balanced Scorecard: Future View
COBIT as a RoadMap to IT Governance
Global standard released as a set of tools that ensures IT is working effectively
Functions as an overarching framework
Provides common language to communicate goals, objectives and expected results to all stakeholders
Based on, and integrates, industry standards and good practices in:
Strategic alignment of IT with business goals
Value delivery of services and new projects
Risk management
Resource management
Performance measurement
Relationship Amongst Process, Goals and Metrics (DS5)
COBIT: Processes, Goals and Metrics
Defined Responsibilities for Each Process
[RACI chart: Activities (rows) vs. Functions (columns)]
Link business goals to IT goals.
Identify critical dependencies and current performance.
Build an IT strategic plan.
Build IT tactical plans.
Analyze program portfolios and manage project and service portfolios.
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
The COBIT Framework
Key Driving Forces for COBIT
IT Resources: Data, Application systems, Technology, Facilities, People. The resources made available to, and built up by, IT.
IT Processes: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate. How IT is organized to respond to the requirements.
Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information reliability. What the stakeholders expect from IT.
Goals, Responsibilities, Control Objectives, Requirements
Business: Information the business needs to achieve its objectives
IT Governance: Information executives and board need to exercise their responsibilities
Direction and Resourcing
How Does COBIT Link to IT Governance?
IT Governance
Activities or Tasks
Actions needed to achieve a measurable result—activities have a life cycle, whereas tasks are discrete
Processes
A series of joined activities with natural control breaks
Domains
Natural grouping of processes, often matching an organisational domain of responsibility
Process Orientation
IT Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
Natural grouping of processes, often matching an organisational domain of responsibility
IT Processes: IT strategy, Computer operations, Incident handling, Acceptance testing, Change management, Contingency planning, Problem management
A series of joined activities with natural (control) breaks
Activities: Record new problem. Analyse. Propose solution. Monitor solution. Record known problem. Etc.
Actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete
Process Orientation
Process Orientation: Plan and Organise
Description: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Proper organisation and technological infrastructure must be put in place.
Topics: Strategy and tactics; Vision planned; Organisation and infrastructure
Questions:
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organisation understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
COBIT Processes
Plan and Organize:
PO1 Define an IT strategic plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
COBIT Processes
Deliver and Support:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT Governance.
Where COBIT Typically Sits
[Layered diagram: Governance Layer, IT Governance Layer, IT Management Layer; frameworks shown: King, TickIT, 17799, CMM, COSO, ITIL, COBIT]