Transcript
Page 1: Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP


Page 2: Governance?

Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders.

IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives.

IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.

Page 3: IT Governance Objectives

The purpose of IT governance is to direct IT endeavors and ensure that IT is aligned with business objectives. Ideally:

• Governance should be a top-down process
• Linkages to business process and strategy exist for all actions
• Information is covered in oral, paper, and electronic forms
• Governance transcends physical boundaries
• Through governance, acceptable practices, policies, and procedures are established

Elements shown in the governance diagram: Business Drivers; Internal Environment; Entrustment Framework; Decision Model and Framework; Value Realization and Delivery Framework; Performance Management; Value Management.

Page 4: Focus Areas of IT Governance

Five main focus areas for IT governance, all driven by stakeholder value:

• IT Value Delivery
• Risk Management
• Performance Management
• IT Strategic Alignment
• IT Resource Management

Two are outcomes: value delivery and risk management. Three are drivers: strategic alignment, performance measurement, and resource management (which overlays them all).

Page 5: IT Governance Frameworks

• ISO Family (17799, 20000, 27001): International Standard Organization's security management standards. A framework of standards that provide best practices for information security management.

• ITIL (IT Infrastructure Library): Best practices framework drawn from the public and private sectors internationally.

• COSO (Committee of Sponsoring Organizations of the Treadway Commission): Organization dedicated to financial reporting through business ethics, internal controls, and corporate governance.

• COBIT (Control Objectives for Information and related Technology): Framework and supporting toolset to bridge the gap between control requirements, technical issues, and business risks.

• FISMA (Federal Information Security Management Act of 2002): Mandatory set of processes required by legislation for US federal information systems.

• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Risk-based strategic assessment and planning technique for security.

• CMMI (Capability Maturity Model Integration): An approach to governance based on process maturity.

Page 6: Val IT Principles

• IT-enabled investments will:

• Be managed as a portfolio of investments

• Include the full scope of activities that are required to achieve business value

• Be managed through their full economic life cycle

• Value delivery practices will:

• Recognize that there are different categories of investments that will be evaluated and managed differently

• Define and monitor key metrics and will respond quickly to any changes or deviations

• Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits

• Be continually monitored, evaluated and improved

Page 7: The Four Questions

Some fundamental questions about the value enabled by IT:

The strategic question (Are we doing the right things?). Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?

The value question (Are we getting the benefits?). Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process over the full economic life cycle of the investment?

The architecture question (Are we doing them the right way?). Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?

The delivery question (Are we getting them done well?). Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver the required capabilities and the organisational changes required to leverage the capabilities?

Page 8: P3M—Projects, Programs and Portfolios

Nested levels shown in the diagram: Portfolio Management, Program Management, Project Management.

Project—A structured set of activities concerned with delivering a defined capability based on an agreed schedule and budget

Program—A structured grouping of projects designed to produce clearly identified business value

Portfolio—A suite of business programs managed to optimize overall enterprise value

Page 9: What fits where?

Roles shown in the diagram:
• Board / Senior Executive
• Business Management
• IT Operations
• IT (Functional Mgt)
• Auditors

Page 10: Outsourcing Benefits: Access to Expertise and Technologies

Access to expertise and the deployment of new technologies: rapid technological developments require a significant portion of the human resources capacity of internal IT divisions and require high investments in the training of IT professionals.

An IT supplier whose core business consists of the delivery of IT services is able to keep the level of knowledge of its IT professionals up to date more effectively and efficiently.

Page 11: Outsourcing Benefits: Increase in the Level of Flexibility

Increase in the level of flexibility: Because an IT supplier has several customers, the IT supplier is better able to absorb the peaks and valleys in the demand for IT services than the internal IT division, which generally only provides services to its parent organization.

Page 12: Outsourcing Benefits: Decrease in Costs

Decrease in costs: Due to their scale and ability to share production resources, IT suppliers are able to provide more efficient and effective IT services.

Increase in the predictability of costs: Outsourcing contracts are generally multi-year contracts. This increases the predictability of costs for the outsourcing organization.

This is an important advantage, particularly for investors.

Page 13: Outsourcing Benefits: Generation of Cash Flows

The generation of cash flows: Through the sale of assets, hardware and immovable property, the outsourcing organization is able to generate a one-time cash flow by outsourcing its IT services.

Page 14: Outsourcing Disadvantages: Management of IT Suppliers

Management of IT supplier(s): The management of IT suppliers requires the attention of the management of the outsourcing organization, and this carries its own costs.

Furthermore, many organizations have difficulty finding qualified managers to assume this role.

Page 15: Outsourcing Disadvantages: Confidentiality

Confidentiality: Outsourcing arrangements cause the outsourcing organization's confidential data to be accessible to the IT supplier's employees.

This constitutes a risk that must be considered when the decision to outsource is taken.


Page 16: Outsourcing Disadvantages: Dependency on the IT Supplier

Dependency on the IT supplier(s): By entering into a multi-year contract, outsourcing organizations become dependent on their IT suppliers, particularly when there are changes in IT services required by the outsourcing organization.


Page 19: Projects

The three main goals of project management are:
1. Complete the project on time or earlier.
2. Complete the project on budget or under.
3. Meet the specifications to the satisfaction of the customer.

Page 20: Project Structure

Functional Structure: The team is housed in a specific functional area. Assistance from other areas must be negotiated.

Pure Project: Team members work exclusively for the project manager, which is best for large projects.

Matrix Structure: A compromise between the functional and project structures. Members remain in various functional areas and the project manager coordinates across functional areas. Dual authority can cause problems.

Page 21: What AON Nodes look like.

Fields of an activity-on-node (AON) box: Early Start, Early Finish, Late Start, Late Finish, Activity, Activity Duration, Slack.

Early Start (ES): This is the earliest you can start an activity. It is determined by the earliest finish time of the precedent activity. If there are two or more precedent activities, this time is the same as that of the precedent activity with the latest "Early Finish" time.

Early Finish (EF): The earliest you can complete an activity, determined by adding the activity time (duration) to the early start time.

Late Finish (LF): This is the latest you can finish an activity without delaying project completion. It is the same as the Latest Start time of the next activity. If there are two or more subsequent activities, this time is the same as the earliest of those "Latest Start" times.

Late Start (LS): This is the Latest Finish time minus the activity duration.

Slack (S) is the difference, if any, between the earliest start (ES) and latest start (LS) times, or between the early finish (EF) and late finish (LF) times:

S = LS - ES or S = LF - EF
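The forward and backward pass described above, carried through on a small constructed activity network (this is an added example, not code from the slides; the network and the function names schedule and critical_path are assumptions for illustration):

```python
# Added example (not from the slides): forward/backward pass over an
# activity-on-node (AON) network to compute ES, EF, LS, LF and slack for
# each activity, following the rules stated on the slide.

# activity -> (duration, predecessors); constructed sample network
NETWORK = {
    "A": (3, []),
    "B": (4, ["A"]),
    "C": (2, ["A"]),
    "D": (5, ["B", "C"]),
    "E": (1, ["C"]),
    "F": (2, ["D", "E"]),
}


def schedule(network):
    """Return {activity: {"ES", "EF", "LS", "LF", "S"}} for an acyclic AON network."""
    # Topological order: repeatedly take activities whose predecessors are all scheduled.
    order, done = [], set()
    while len(order) < len(network):
        ready = [a for a, (_, preds) in network.items()
                 if a not in done and all(p in done for p in preds)]
        if not ready:
            raise ValueError("network has a cycle or an unknown predecessor")
        order.extend(ready)
        done.update(ready)

    res = {}
    # Forward pass: ES = latest EF among predecessors (0 if none); EF = ES + duration.
    for a in order:
        dur, preds = network[a]
        es = max((res[p]["EF"] for p in preds), default=0)
        res[a] = {"ES": es, "EF": es + dur}
    project_end = max(v["EF"] for v in res.values())

    # Backward pass: LF = earliest LS among successors (project end if none);
    # LS = LF - duration; slack S = LS - ES (which equals LF - EF).
    successors = {a: [s for s, (_, p) in network.items() if a in p] for a in network}
    for a in reversed(order):
        dur = network[a][0]
        lf = min((res[s]["LS"] for s in successors[a]), default=project_end)
        res[a]["LF"] = lf
        res[a]["LS"] = lf - dur
        res[a]["S"] = res[a]["LS"] - res[a]["ES"]
    return res


def critical_path(network):
    """Activities with zero slack, in order of early start: any delay here delays the project."""
    res = schedule(network)
    return [a for a in sorted(res, key=lambda a: res[a]["ES"]) if res[a]["S"] == 0]


if __name__ == "__main__":
    for act, times in schedule(NETWORK).items():
        print(act, times)
    print("critical path:", critical_path(NETWORK))
```

Activity C has two days of slack (LS 5 versus ES 3), while A, B, D and F have none and form the critical path.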

Page 22: Types of Project Risk

1. Service/Product Risks: If the project involves a new service or product, several risks can arise. Market risk comes from competitors. Technological risk can arise from advances made once the project has started, rendering obsolete the technology chosen for the service or product. Legal risk arises from liability suits or other legal action.

2. Project Team Problems: Poor member selection and inexperience, lack of cooperation, etc.

3. Operations Risk: Information inaccuracy, miscommunication, bad project timing, weather…


Page 24: Breakdown of IT spending

IT Spend (diagram): 30% Investment – new/improved capabilities; 70% IT MOOSE* – support current business at current business volumes.

* Maintenance, Operations, and Ongoing support of Systems and Equipment

Budget Category | Considerations | Average % of IT

New IT investments:
• Projects that deliver new business capabilities | These projects were likely conceived and approved before the lean times began. | 20%
• Projects to improve IT efficiency | Waste creeps in when IT is busy completing other work on behalf of the business. | 9%

IT MOOSE*:
• Maintenance and smaller enhancement activity against applications | Maintenance budgets are often based on the previous year with little year to year scrutiny. | 15%
• Operational costs of applications and services, including software licenses and support | Inattention to detail over time can create waste in licensing and contractual maintenance fees. | 19%
• Data centre and networking costs | Reduced business can correlate to reduced requirements for storage and computing capacity. | 19%
• End user support, including desktop software | What level of support/time between desktop upgrades is appropriate during lean times? | 10%
• Administration, planning, architecture, and IT management | Can you shift deployments of administrative or architecture staff to more tactical assignments, temporarily? | 7%

Source: Forrester Research Inc. (2008): "Budget Adjustments For CIOs In Lean Economic Times"

Goals shown in the diagram: Support business growth; Reduce cost of business; Reduce cost of IT MOOSE.

Page 25: Adoption of ITIL and Other Frameworks Brings Discipline and Efficiency to IT Ops

The Information Technology Infrastructure Library (ITIL) standardizes IT terminologies to establish guidelines and a common language for IT operational processes like change management, problem resolution, service delivery, and resolution of customer inquiries.

Other frameworks include COBIT (Control Objectives for Information and related Technology) and ISO 17799.

These frameworks help companies standardize IT operations, management processes, and practices.

They help lower costs by reducing unplanned and unscheduled work and by making it easier to adopt and implement cost-reducing technologies.

Page 26: Server virtualization lowers hardware costs and reduces administrative burden

The proliferation of smaller Wintel and Linux servers has started to escalate the costs of scale-out/scale-up efforts and drives greater staff costs to administer and provision the burgeoning number of individual servers.

With virtualization, the decentralize/recentralize pendulum swings back toward centralization as small mainframes and even larger Unix servers become the new platform on which to consolidate hundreds of virtual servers, lowering software licensing costs and lowering server administration staff costs.

Page 27: Introduction: The Local Contingency Plan

Questions answered by the Local Contingency Plan:

• WHO: Designates individuals and invests them with authority
• WHAT: Expectations and procedures associated with an incident
• WHEN: The tasks that need to be performed before, during, and after an incident
• WHERE: Identifies key locations for incident planning and response, including locations of emergency equipment, escape routes, and indoor post-evacuation rendezvous points
• WHY: Protects people and serves as a gateway to continuity
• HOW: Explains the way your department should prepare and respond