5202 Review. What is IT governance? Right Things, Done Right = Good IT Governance
What is COBIT 5?
• It's about best practice.
• It tries to cover IT end-to-end.
• It tells you what you need to be thinking about when running (or auditing) IT.
• It's not about the technology, it's about the processes you use to deliver technology.
• It's about how to decide what you do (Right Things) and then how to do it in an efficient, effective and secure manner (Done Right).
• It is critical that you understand the processes it recommends.
Six IT Decisions That Your IT People Shouldn't Make (Weill & Ross)
1. How much should we spend on IT?
2. Which business processes should receive our IT dollars?
3. Which IT services should be firm wide?
4. How good do our services need to be?
5. What security and privacy risks are we willing to take?
6. Whom do we blame if an IT initiative goes wrong?
(The slide groups these decisions under two headings: Strategy and Execution.)
ISACA's View of Governance
• What is IT governance?
• Define each of the components:
– Value Delivery
– Risk Management
– IT Strategic Alignment
– Resource Management
– Performance Management
• How does this compare with the definition we used last week?
• Doing the right thing
– Value Delivery
– Risk Management
• Doing it right
– Strategic Alignment
– Resource Management
– Performance Management
What Does a Company Want From its IT Systems?
• Take 5 minutes and write down all of the attributes of an IT system that a company would want.
• For example: a company wants its IT systems to be available.
• Effective
• Efficient
• Confidential
• Integrity
• Available
• Compliant
• Reliable
What are controls? Controls are defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented.
What types of controls are there?
• Preventive Controls
• Detective Controls
• Corrective Controls
Give me some examples?
What is the difference between general and application controls?
General controls are part of an IT service like identity management. Application controls are part of a business process.
What are application controls trying to achieve?
Did the right people handle a transaction? Was it recorded correctly? Is it being processed correctly? Are all our transactions authentic, and do they have integrity?
What is the control environment?
The actions, policies, values, and management styles that influence, and set the tone of a firm's day-to-day activities.
BusinessDictionary.com
Corporate Leadership
• Senior corporate leadership sets the tone
• They are ultimately responsible
• Principles & Policies describe the desired outcomes
• Others may write them, but the board must approve them
Higher Level Management
• Management defines how these objectives will be realized
• Processes, standards and guidelines document the practices and activities that are designed to ensure that the organization meets the goals set by senior leadership
Management’s Use of Controls
• Controls are put in place to ensure that the Processes, Standards and Guidelines are being followed.
• Therefore, they help mitigate the risk that the behaviors desired by senior leadership will not occur.
• Controls are usually used in combinations so as to ensure that if one fails, the others will correct the behavior.
Monitoring & Audit
• Management should monitor their controls to see if the desired behavior is being realized
• Audits examine the adequacy and effectiveness of the controls that an organization has put in place.
Our Starting Point (organization chart): CIO, over Information Systems Development, Computer Operations, Technical Support, and Office of CIO Quality Assurance.
Organizing an IT Function
What are the major categories of IT administrative controls?
• IT standards, policies and procedures
• IT budget
• IT asset controls
• IT personnel management controls
• IT purchasing controls
• IT office controls
• IT monitoring controls
• IT performance measures
Enterprise Architecture
What’s an Enterprise Architecture and what’s it for?
EA "…is the organizing logic of business processes and IT infrastructure reflecting the integration and standardization requirements of the firm's operating model"
MIT Center for Information Research
(Slide labels: Alignment, Flexibility)
What is the IT Strategy?
• IT Strategy is at the highest level of decision making
• It's a political process
• It sets forth IT's goals & objectives, as well as describing how to reach them
• It defines budget, personnel resources, performance measurements & the balanced scorecard
• It communicates all of the above to the entire organization
Archetypes of IT Decision Making
1. Business Monarchy – high level exec's make decisions. Most commonly used for deciding how much to spend on IT.
2. IT Monarchy – IT makes decisions. Most commonly used for deciding technical issues. EA sometimes gets stuck here.
3. Feudal – business units make decisions independently. Very old school and hard to be successful.
4. Federal – IT and business units make decisions. Often used for application decisions, can be cumbersome.
5. Duopoly – small team representing IT and business make decisions. Small mix of CIO and businesses, ISACA preferred position.
6. Anarchy – everyone can go their own way. Theoretical, never seen in real world.
A Representative IT Strategy Process
(Process diagram: Inputs → Strategy → Outputs)
Inputs: 6 Answers, Enterprise Architecture, Vision, Goals and Objectives, General Input
Strategy: CIO Drafts, Steering Team approves, Strategy Team approves
Outputs: Roadmap, Resource Plans, Budget Plans, Performance Measures, Balanced Scorecard
(Strategy content diagram): Strategic Themes; Business Value Creation & Investment Portfolio; Enabling IT Capabilities, Talent, and Enterprise Infrastructure; IT Operating Principles; IT Strategy
The IT Strategy "filter"
(Diagram: multiple Business Needs pass through the IT Strategy filter into the IT Portfolio; step 1: Alignment)
Portfolio Categories
• Innovation – New Business Models or Competitive Capability (Discretionary)
• Growth – Increase Revenue, Increase Intimacy (Discretionary)
• Efficiency – Cost-Out, Productivity (Discretionary)
• Run the Engine – Sustain Operations
Discretionary Budget in Portfolio Perspective
• Innovation: 2%, $0.5MM
• Growth (Discretionary): 30%, $12MM
• Efficiency: 38%, $15MM
• Run the Engine: 30%, $12MM
We can change the portfolio targets to shift investment to business opportunities.
(Chart: Targets shown for each category at 1 Yr and 3 Yr.)
What’s the difference between these concepts?
• A policy
• A procedure
• A standard
• A guideline
Which are controls?
What are some of the items that should be included in any policy?
• Company logo
• "Policies and Procedures" title
• Policy name
• Objective
• Applies to
• Key guidelines
• Samples
• Questions?
• Last revision date
Your Questions
1. Assuming you need policies, how would you go about deciding how many and which ones?
2. What’s the right mix of policies, procedures, standards and guidelines?
3. Assuming you now have a set of policies, how do you know if they are any good? Working?
4. As an auditor looking at an IT organization’s policies, what would you look for?
What does a data center really do?
• Provides network services
• Provides applications services to the company
• Provides data storage and backup service
• Provides maintenance services for all of its HW & SW
• Provides technical support services
• It keeps itself safe and always available
Operations = the organization
Data Center = the place
What is a Service?
• A Service is a set of actions or solutions that are put in place or are performed to provide a repeatable and consistent set of outcomes, deliverables, and performance for people, organizations, and systems that represent consumers or beneficiaries of such results.
The International Foundation for Information Technology.
IT service management (ITSM) refers to the implementation and management of quality information technology services. IT service management is performed by IT service providers through people, process and information technology.
Wikipedia
What is quality?
• Why is it important?
• What are TQM's principles?
• What does all of this have to do with 6 Sigma?
• Where does a balanced scorecard fit in?
Managing Quality in IT
• IT is all about providing services
• Quality of an IT service is about meeting desired outcomes
• Non-desired outcomes are service defects
• QMS means an organizational spirit of continuous improvement
• Making improvements to prevent service defects means establishing controls on the process
• Therefore a strong control environment is highly analogous to having a strong QMS
What is the role of the contract in any outsourcing deal?
• Outsourcing always adds complexity
• Most of the original risks remain
• Added risk of the two parties not working well together
• The contract tries to define what the relationship will be to minimize these risks.
• Therefore, it's a preventive control
MSA Terms & Conditions
1. Guiding Principles
2. Services
3. Personnel
4. Assets & Third Party Contracts
5. Retained Authorities
6. Fees & Payment Terms
7. Record Keeping & Audit Rights
8. Representation, etc.
9. Terms & Termination
10. Disentanglements
11. Limitations of Liability
12. Proprietary Rights
13. Security & Confidentiality
14. Legal Compliance
15. Indemnification
16. Insurance
17. Dispute Resolution
18. Use of Subcontractors
19. Miscellaneous
Monitoring
Monitoring = comparing the expected outcomes with the actual outcomes over time
• Monitoring shows whether or not an organization's controls are assuring compliance
• Monitoring gives management the data it needs to determine performance management
• Monitoring gives the quality management system the data it needs to continually improve IT's processes
Strategic Performance Measures (aka Key Performance Indicators)
• Metrics calculated from monitoring data
• Tied directly to the IT strategy through objectives
• Objective expectations must be clear
• If the data generates metrics that surpass the expectation, the strategy can be called successful.
IT Balanced Score Card
• A collection of strategic performance measures
• Intended to show performance from a number of perspectives: Financial, Operational, Value, System Implementation, Customer Satisfaction
• Often too operational, not strategic enough
(Diagram: Right Things (Governance) feeding Done Right (Management))
Right Things (Governance): What is IT's role in the business? What is our IT strategy? Where are we technologically and where do we want to be? What portfolio of projects offer us the best value? What will our control environment be like? What policies do we need?
Done Right (Management): QMS; Establish & run the control environment; Run IT's services; Implement IT projects; KPI's for each
Results: IT Balanced Scorecard, Transparent Stakeholder Communications, IT Performance Optimization
In other words …
• Governance's goal is to optimize IT performance
• To optimize, you need a transparent view of IT
• Transparency comes from performance management
• To manage performance you need to monitor that performance
• IT does a lot of different things, so you need to monitor all of them
• To monitor, you define KPI's and track them
• The quality process helps you define processes & KPI's
• The balanced scorecard should show the KPIs of what the stakeholders think most important.
ISACA’s Risk IT Framework
1. What is IT Risk?
2. What are the three types of IT Risk?
3. What are the three risk processes that an enterprise ought to have?
4. What is risk appetite?
5. What is risk tolerance?
6. What are the three parts of a risk culture?
Risk Evaluation
• What are some ways you might express IT risk in business terms?
– COBIT
– COSO ERM
• What is a risk scenario?
• What is a risk factor?
• What are the four types of risk response and when would you use them?
Gartner’s Security Processes You Must Get Right
Security's Responsibility
1. Security Governance
2. Policy Management
3. Awareness & Education
4. Identity & Access Management
5. Vulnerability Management
6. Incident Response
IT's Responsibility
1. Change Management
2. Disaster Recovery & Business Continuity
3. Project Life Cycle Management
4. Vendor Management
Incident Response
1. Preparation
2. Detect and Expose
3. Triage
4. Classify and Contain
5. Remediate
6. Report and Post-Mortem
Three Related Concepts
• Backup – The Goal: store the company's data and other digital resources in case of loss
• Disaster Recovery – The Goal: get the company's information systems back up and running as fast as possible
• Business Continuity – The Goal: keep the business viable until normal operations can resume