Uploaded by: jennifer-snow

Posted on 28-Dec-2015

5202 Review

What is IT Governance?

Right Things, Done Right = Good IT Governance

What is COBIT 5?

• It's about best practice.
• It tries to cover IT end-to-end.
• It tells you what you need to be thinking about when running (or auditing) IT.
• It's not about the technology, it's about the processes you use to deliver technology.
• It's about how to decide what you do (Right Things) and then how to do them in an efficient, effective and secure manner (Done Right).
• It is critical that you understand the processes it recommends.

Six IT Decisions That Your IT People Shouldn't Make (Weill & Ross)

1. How much should we spend on IT?
2. Which business processes should receive our IT dollars?
3. Which IT services should be firm wide?
4. How good do our services need to be?
5. What security and privacy risks are we willing to take?
6. Whom do we blame if an IT initiative goes wrong?

(Slide diagram labels: Strategy, Execution)

ISACA's View of Governance

• What is IT governance? Define each of the components:
– Value Delivery
– Risk Management
– IT Strategic Alignment
– Resource Management
– Performance Management
• How does this compare with the definition we used last week?
• Doing the right thing: Value Delivery, Risk Management
• Doing it right: Strategic Alignment, Resource Management, Performance Management

What Does a Company Want From its IT Systems?

• Take 5 minutes and write down all of the attributes of an IT system that a company would want.

• For example: A company wants its IT systems to be available.

• Effective
• Efficient
• Confidential
• Integrity
• Available
• Compliant
• Reliable

What are controls? Controls are defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented.

What types of controls are there?

• Preventive Controls
• Detective Controls
• Corrective Controls

Give me some examples?

What is the difference between general and application controls?

General controls are part of an IT service like identity management. Application controls are part of a business process.

What are application controls trying to achieve?

Did the right people handle a transaction? Was it recorded correctly? Is it being processed correctly? Are all our transactions authentic, and do they have integrity?

What are "layered controls," also known in security as "defense in depth"?

What is the control environment?

The actions, policies, values, and management styles that influence, and set the tone of a firm's day-to-day activities.

BusinessDictionary.com

Corporate Leadership

• Senior corporate leadership sets the tone
• They are ultimately responsible
• Principles & Policies describe the desired outcomes
• Others may write them, but the board must approve them

Higher Level Management

• Management defines how these objectives will be realized
• Processes, standards and guidelines document the practices and activities that are designed to ensure that the organization meets the goals set by senior leadership

Management's Use of Controls

• Controls are put in place to ensure that the Processes, Standards and Guidelines are being followed.
• Therefore, they help mitigate the risk that the behaviors desired by senior leadership will not occur.
• Controls are usually used in combinations so as to ensure that if one fails, the others will correct the behavior.

Monitoring & Audit

• Management should monitor their controls to see if the desired behavior is being realized
• Audits examine the adequacy and effectiveness of the controls that an organization has put in place.

Our Starting Point (organization chart)

CIO
– Information Systems Development
– Computer Operations
– Technical Support
– Office of CIO Quality Assurance

Organizing an IT Function

What are the major categories of IT administrative controls?

• IT standards, policies and procedures
• IT budget
• IT asset controls
• IT personnel management controls
• IT purchasing controls
• IT office controls
• IT monitoring controls
• IT performance measures

Enterprise Architecture

What's an Enterprise Architecture and what's it for?

EA "…is the organizing logic of business processes and IT infrastructure reflecting the integration and standardization requirements of the firm's operating model"

MIT Center for Information Systems Research

(Slide diagram labels: Alignment, Flexibility)

Federal Enterprise Architecture Model

Politics = Who gets what, when, where, why & how

What is the IT Strategy?

• IT Strategy is at the highest level of decision making
• It's a political process
• It sets forth IT's goals & objectives, as well as describing how to reach them
• It defines budget, personnel resources, performance measurements & the balanced scorecard
• It communicates all of the above to the entire organization

Archetypes of IT Decision Making

1. Business Monarchy – high level exec's make decisions. Most commonly used for deciding how much to spend on IT.
2. IT Monarchy – IT makes decisions. Most commonly used for deciding technical issues. EA sometimes gets stuck here.
3. Feudal – business units make decisions independently. Very old school and hard to be successful.
4. Federal – IT and business units make decisions. Often used for application decisions, can be cumbersome.
5. Duopoly – small team representing IT and business make decisions. Small mix of CIO and businesses, ISACA preferred position.
6. Anarchy – everyone can go their own way. Theoretical, never seen in real world.

A Representative IT Strategy Process (slide diagram)

Inputs:
• 6 Answers
• Enterprise Architecture
• Vision
• Goals and Objectives
• General Input

Strategy:
• CIO drafts
• Steering Team approves
• Strategy Team approves

Outputs:
• Roadmap
• Resource Plans
• Budget Plans
• Performance Measures
• Balanced Scorecard

Strategic Themes feeding the IT Strategy (slide diagram):
• Business Value Creation & Investment Portfolio
• Enabling IT Capabilities, Talent, and Enterprise Infrastructure
• IT Operating Principles

The IT Strategy "filter" (slide diagram): many Business Needs pass through the IT Strategy into the IT Portfolio. Label: Alignment.

Portfolio Categories

• Innovation – New Business Models or Competitive Capability (Discretionary)
• Growth – Increase Revenue, Increase Intimacy (Discretionary)
• Efficiency – Cost-Out, Productivity (Discretionary)
• Run the Engine – Sustain Operations

Discretionary Budget in Portfolio Perspective

• Innovation: 2%, $0.5MM
• Growth: 30%, $12MM
• Efficiency: 38%, $15MM
• Run the Engine: 30%, $12MM

We can change the portfolio targets to shift investment to business opportunities.

(Slide chart: Targets, with 1 Yr and 3 Yr columns for each portfolio category; Run the Engine)

What's the difference between these concepts?

• A policy
• A procedure
• A standard
• A guideline

Which are controls?

What are some of the items that should be included in any policy?

• Company logo
• "Policies and Procedures" title
• Policy name
• Objective
• Applies to
• Key guidelines
• Samples
• Questions?
• Last revision date

Your Questions

1. Assuming you need policies, how would you go about deciding how many and which ones?

2. What’s the right mix of policies, procedures, standards and guidelines?

3. Assuming you now have a set of policies, how do you know if they are any good? Working?

4. As an auditor looking at an IT organization’s policies, what would you look for?

What does a data center really do?

• Provides network services
• Provides applications services to the company
• Provides data storage and backup service
• Provides maintenance services for all of its HW & SW
• Provides technical support services
• It keeps itself safe and always available

Operations = the organization

Data Center = the place

What is a Service?

• A Service is a set of actions or solutions that are put in place or are performed to provide a repeatable and consistent set of outcomes, deliverables, and performance for people, organizations, and systems that represent consumers or beneficiaries of such results.

The International Foundation for Information Technology.

IT service management (ITSM) refers to the implementation and management of quality information technology services. IT service management is performed by IT service providers through people, process and information technology.

Wikipedia

What is quality?

• Why is it important?
• What are TQM's principles?
• What does all of this have to do with 6 Sigma?
• Where does a balanced scorecard fit in?

Managing Quality in IT

• IT is all about providing services
• Quality of an IT service is about meeting desired outcomes
• Non-desired outcomes are service defects
• QMS means an organizational spirit of continuous improvement
• Making improvements to prevent service defects means establishing controls on the process
• Therefore a strong control environment is highly analogous to having a strong QMS

What is the role of the contract in any outsourcing deal?

• Outsourcing always adds complexity
• Most of the original risks remain
• Added risk of the two parties not working well together
• The contract tries to define what the relationship will be to minimize these risks.
• Therefore, it's a preventive control

MSA Terms & Conditions

1. Guiding Principles
2. Services
3. Personnel
4. Assets & Third Party Contracts
5. Retained Authorities
6. Fees & Payment Terms
7. Record Keeping & Audit Rights
8. Representation, etc.
9. Terms & Termination
10. Disentanglements
11. Limitations of Liability
12. Proprietary Rights
13. Security & Confidentiality
14. Legal Compliance
15. Indemnification
16. Insurance
17. Dispute Resolution
18. Use of Subcontractors
19. Miscellaneous

Monitoring

Monitoring = comparing the expected outcomes with the actual outcomes over time

• Monitoring shows whether or not an organization's controls are assuring compliance
• Monitoring gives management the data it needs to determine performance management
• Monitoring gives the quality management system the data it needs to continually improve IT's processes

Strategic Performance Measures, aka: Key Performance Indicators

• Metrics calculated from monitoring data
• Tied directly to the IT strategy through objectives
• Objective expectations must be clear
• If the data generates metrics that surpass the expectation, the strategy can be called successful.

IT Balanced Score Card

• A collection of strategic performance measures
• Intended to show performance from a number of perspectives: Financial, Operational, Value, System Implementation, Customer Satisfaction
• Often too operational, not strategic enough

Right Things (Governance)

• What is IT's role in the business?
• What is our IT strategy? Where are we technologically and where do we want to be?
• What portfolio of projects offer us the best value?
• What will our control environment be like? What policies do we need?

Done Right (Management)

• QMS
• Establish & run the control environment
• Run IT's services
• Implement IT projects

KPI's from each of these feed the IT Balanced Scorecard, which supports Transparent Stakeholder Communications and IT Performance Optimization.

In other words …

• Governance's goal is to optimize IT performance
• To optimize, you need a transparent view of IT
• Transparency comes from performance management
• To manage performance you need to monitor that performance
• IT does a lot of different things so you need to monitor all of them
• To monitor, you define KPI's and track them
• The quality process helps you define processes & KPI's
• The balanced scorecard should show the KPIs of what the stakeholders think most important.

ISACA's Risk IT Framework

1. What is IT Risk?
2. What are the three types of IT Risk?
3. What are the three risk processes that an enterprise ought to have?
4. What is risk appetite?
5. What is risk tolerance?
6. What are the three parts of a risk culture?

Risk Evaluation

• What are some ways you might express IT risk in business terms?
– COBIT
– COSO ERM
• What is a risk scenario?
• What is a risk factor?
• What are the four types of risk response and when would you use them?

Gartner's Security Processes You Must Get Right

Security's Responsibility
1. Security Governance
2. Policy Management
3. Awareness & Education
4. Identity & Access Management
5. Vulnerability Management
6. Incident Response

IT's Responsibility
1. Change Management
2. Disaster Recovery & Business Continuity
3. Project Life Cycle Management
4. Vendor Management


Incident Response

1. Preparation
2. Detect and Expose
3. Triage
4. Classify and Contain
5. Remediate
6. Report and Post-Mortem

Three Related Concepts

• Backup. The Goal: store the company's data and other digital resources in case of loss
• Disaster Recovery. The Goal: get the company's information systems back up and running as fast as possible
• Business Continuity. The Goal: keep the business viable until normal operations can resume

Standards vs Maturity Models

Threshold vs Framework