Cloud Transformation Program in today's GRC World: Process-Oriented Framework

Page 1 of 13

CLOUD TRANSFORMATION PROGRAMS (CTPS) IN TODAY’S GRC WORLD

Process-Oriented Framework

By: Ahmed Ragab

September 2014

Professional Advice

This paper, including all concepts and frameworks, is provided for general information and practice guidance purposes only. Users of this document are encouraged to apply the presented concepts/framework with a thorough understanding of their general application. For a more specific framework or special controls suited to a particular organization's industry, it is advised to customize the specific controls to that industry's parameters; the concept, however, stays valid across different industries. For any further inquiry, or contribution, you can contact the author for further improvement.

What’s inside?

Cloud Transformation Program (CTP) framework, GRC alignment with Cloud Transformation, benefits of a GRC assurance model for a CTP, the CTP’s full cycle, and the different stakeholders’ concerns for any CTP.

Who shall read this?

Cloud Transformation Project/Program (CTP) Managers, IT GRC Officers, Change Managers, CTOs, CIOs, CISOs, IT Auditors, Cloud Computing Architects, and any other stakeholder involved in a Cloud Transformation Program.

TABLE OF CONTENTS

Wide Spectrum
Introduction
Why Organizations consider CTP within a Compliance Framework?
CIO, CISO, Board and Compliance Concerns!
GRC Impact on Cloud Transformation Programs
Cloud Transformation Program (CTP) Framework

WIDE SPECTRUM

Today’s business dynamics have urged all organizations to adopt more flexible platforms, whether in management processes or in IT infrastructure. Enterprises have started to maturely recognize the new, faster rate of transformation programs required to accommodate business needs. Customers cannot wait any more. Operational staff need a business-driven, objectives-oriented and flexible work environment built on a dynamic technology infrastructure. Investors are, as usual, keen about the allocation of investments. And finally, risk and compliance governors have their own call: to accommodate such a topology and securely maintain the organization’s momentum.

Changing from conventional IT-centric operations to more flexible, service-oriented and on-demand IT services has become a key factor when applying effective investment calculations. Hence, a Cloud Transformation Program (CTP) has moved to the top of the key enterprise transformation programs. However, such programs shall not be designed around technology parameters alone; they must also consider the complementary support of mature processes and compliance controls in order to ensure a smooth transformation that remains compliant.

INTRODUCTION

A Cloud Transformation Program (CTP) is not just a strategic change management move for enterprises; it is a turn-key, pivotal change management program that covers all aspects of the organization: people, processes, technology, suppliers, behavior, etc. Such a program normally runs as a capital project in the organization, so special attention should be paid to it from the governance, risk and compliance point of view. This holds regardless of the cloud deployment model: public cloud, private cloud, hybrid cloud, or even a community cloud deployment model.

This paper tackles the Cloud Transformation Program (CTP) from a process-oriented approach, to empower leading experts/architects and program managers to apply a full-fledged framework enriched with compliance pillars, i.e. GRC.

WHY ORGANIZATIONS SHALL CONSIDER A CTP WITHIN A COMPLIANCE FRAMEWORK?

No doubt every IT transformation project has its own ICT controls that ensure the project succeeds “technically.” However, tackling a CTP needs more assurance on enterprise-wide controls such as governance, risk, compliance, and other operational controls. On this basis, a full-fledged compliance framework has been adopted to accommodate any CTP effectively. Figure 1 demonstrates the different components of a CTP within a compliance framework.

During the roadmap of such a CTP, organizations need to adopt such a comprehensive compliance framework to achieve the following:-

IT Governance – by implementing all related ICT controls to ensure the confidentiality, integrity and availability of information across the organizational departments effectively.

IT Risk Management Controls – to identify, establish, and maintain risk governance with an integrated view of the overall Enterprise Risk Management (ERM). This leads to evaluating risks as well as responding to them.

Compliance – aligning the entire CTP with the enterprise compliance indicators and checklists in order to maintain conformity with the compliance requirements of internal organizational as well as external regulatory bodies.

Assurance – by establishing the key controls for implementing the CTP on different levels: project management framework, people-related controls, technology-related controls and process-related controls.

Aligned IT Service Management Processes – since implementing such a program impacts different aspects of the ICT organization, IT Service Management has to be aligned (or established, in case it has not been identified before) with the dynamics and complexity of the running CTP. IT Service Management processes are very critical and could change dramatically when an organization transforms from a centralized IT organization to a cloud-based environment.

Process Reengineering – organizations may need to reconsider business process reengineering, where many manual operations could be automated and some manual controls will be swapped. In addition, some new processes could be released to support the new cloud operations and functionalities.

Information Security – given the special nature of the cloud environment, considerable information security controls shall be implemented and audited to assure information privacy and to control any breach. Within the compliance model mentioned above, InfoSec is considered the core technical compliance area, carrying the most critical applied controls.

Project/Program Management – the mentioned compliance model will integrate smoothly with the entire project management process, since it draws on many PM pillars such as scoping, change management, risks, quality, integration, etc.

CIO, CISO, Board and Compliance Concerns!

Budget-wise, we are in trouble! This only happens when we talk about the ROI of a Cloud Transformation Program (CTP) from a narrow dimension, namely as a technology solution. Accordingly, tackling such a transformation program shall consider the different stakeholders’ concerns in order to reach benefits realization. The following figure summarizes the main concerns of the main leading stakeholders for any CTP:-

[Figure: CIO, CISO, Board and Compliance Concerns!]

GRC Impact on Cloud Transformation Programs

GRC models have been progressively improved until we reached the GRC Capability Model proposed by OCEG. That said, if we consider this GRC model as principled performance for assuring a successful cloud transformation program, it will come with the following assured benefits:-

Mature process definitions
Reliable process assessment
Robust controls
Dynamic process change
Agile framework for future process scalability
Compliance management
Quantitative and qualitative performance indicators
Service quality
Reliable CAPEX, OPEX and TCO calculations
More visibility and applicability of Chargeback and Showback
Time-to-market
Envisioning roadmap
Business integrity
People development and awareness

CLOUD TRANSFORMATION PROGRAM (CTP) FRAMEWORK

The following framework merges different conceptual frameworks to come up with a full-fledged CTP, with compliance tools across the Cloud Transformation milestones.

Discovery Phase – a thorough understanding of the organization is the first milestone, where we consider the four main pillars of understanding (People, Process, Technology, Project Management Framework). This covers the entire organization’s assets under those pillars, such as: competency levels, identified and implemented processes, the existing applications and technology environment, and the maturity levels of the different project management processes.

Analysis Phase – this phase represents a demarcation stage between the different pillars, and prepares for the next levels of understanding by connecting information and perceptions together in order to come up with mature assessment views. From this stage, we can also come up with the business case and a recommendation for stakeholders’ approval.

Design Phase – building a conceptual framework for the implementation, the operations and maintenance, and the sustainability model is the state of the art, where the architects invest a lot of time and effort to present a comprehensive integrated model for the cloud model and the deployment option.

Implementation Phase – this is the hardest stage, delivering the baby, i.e. the implementation itself: selecting the right solution, implementer, resources and the right time to start the implementation, with considerable attention to time-to-market.

Monitoring and Evaluation Phase – the time for measuring expectations on different levels: applications’ features, performance, integrity, security, reliability, flexibility, agility, etc.

Continual Improvement Phase – the payback time! Users have started to progress maturely inside the new cloud environment, so more services can be configured and some Chargeback processes will be triggered to show the IT business value.

All the different phases mentioned above shall be designed and supported by reliable KPIs with GRC compliance features.

This will be released in the next white paper . .

About the Author

Ahmed Ragab, Consulting Services Manager at Panorama Consulting and Business Solutions, is the author of this conceptual framework. Ahmed is a hands-on, experienced process reengineering professional with diversified implementation experience in Information Security Management Systems, IT Governance, IT Risk Management, IT Audit and Restructuring Programs. He has formulated many implementation and process assurance frameworks.

Inspired by the GRC model of principled performance and articulating a Cloud Transformation Framework, this integrated CTP framework has been formulated in line with the GRC pillars.

For any feedback or inquiry, please contact:-

Ahmed Ragab, MSc, ISMS-LA
Consulting Services Manager
Panorama Consulting and Business Solutions
[email protected]
+965 - 60036963