420 likes | 637 Views
IT Governance In Higher Education. “What is it, and how does it benefit your Institution?”. Pre-Conference Seminar – June 23, 2007. Presenter. James Yung, CISA Associate Director, IS Audit Harvard University Risk Management and Audit Services. Agenda. What is IT Governance
E N D
IT Governance In Higher Education “What is it, and how does it benefit your Institution?” Pre-Conference Seminar – June 23, 2007
Presenter James Yung, CISA Associate Director, IS Audit Harvard University Risk Management and Audit Services CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Agenda • What is IT Governance • IT Governance at Harvard University • CoBIT in Assessing IT Governance at Harvard CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Questions • What does IT Governance mean to you? • Is IT Governance happening in your university? • What are your key challenges in IT Governance? CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER: Inefficiently, ineffectively and not as well as they should. ~ Source: Educause – IT Governance in Higher Education 2006 ~ CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
What is IT Governance? • It’s about organization leadership • Decision making that leads to better alignment of IT and the business • IT delivering more business value • IT resources are used responsibly • IT risks are managed appropriately CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Enterprise Governance • Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of: • Providing strategic direction • Ensuring that objectives are achieved • Ascertaining that risks are managed appropriately • Verifying that the enterprise’s resources are used responsibly ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Enterprise Governance Drives IT Governance • Enterprise governance is about: • Conformance • Adhering to legislation, internal policies, audit requirements, etc. • Performance • Improving profitability, efficiency, effectiveness, growth, etc. Performance Conformance Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board. ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
STRATEGIC VALUE ALIGNMENT DELIVERY RISK PERFORMANCE MANAGEMENT MEASUREMENT www.itgi.org www.itgi.org RESOURCE MANAGEMENT • IT Governance, as Defined by IT Governance Institute (ITGI) • IT governance is: • The responsibility of the board of directors and executive management • An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives 64% Doing something about it 2005 36% 42% Not doing something about it 2003 58% ©2007 IT Governance Institute Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005 CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance Domain Focuses on ensuring the linkage of business and IT plans and on aligning IT operationswith enterprise operations Strategic alignment Value delivery IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people Resource management Risk management Senior management, appetite for risk, compliance requirements, transparency about the significant risks to the organisation Performance measurement Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achievegoals measurable beyond conventional accounting ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance Stakeholders Board and executive Set direction for IT, monitor results and insist on corrective measures Defines business requirements for IT and ensures that value is delivered and risks are managed Business management Delivers and improves IT services as required by the business IT management Provides independent assurance to demonstrate that IT delivers what is needed IT audit Risk and compliance Measures compliance with policies and focuses on alerts to new risks ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance at Harvard CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Harvard University Facts • 12 Schools • 143 Research and Academic Centers • Approximately 7,000 Undergraduate and 13,000 Graduate Degree Candidates • More than 19,000 Faculty and Staff • $25B Endowment • $623M Sponsored Research • $2.7B Operating budget CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance Risks at Harvard • Wrong IT strategy precludes growth and operational sustainability • False starts and wasted resources (i.e. money, time and productivity) • Short-sighted planning • Fragmented IT planning • High project implementation failure rates • Lack of disaster recovery planning CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Why Audit IT Governance at Harvard • IT is strategic and critical to the university reputation and success • Compliance with numerous regulations (FERPA, HIPAA, GLB, PCI, etc.) depends on effective IT controls • Expectation and reality often don’t match • IT had not received the attention it deserves CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
The Need for IT Governance at Harvard Security Keeping IT Running Aligning IT with Business Managing Complexity Regulatory Compliance Value/Cost • Millions of dollars on IT spending • Decentralized IT computing and Business operations • Increasing numbers of severe security breaches • IT ability to scale and sustain operation • Various IT delivery models • Regulatory compliance SAS 112, FERPA, HIPAA, GLB, PCI, etc. CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Stakeholders need to know that: • IT strategy is aligned with school strategy • Schools and IT are effectively communicating • The organization is structured to facilitate the implementation of its strategy and goals • Risks and opportunities are effectively managed • Performance against objectives are transparent CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Risk Management and Audit Services Mission “To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the University’s Business Practices and Academic and Research Activities” CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
RMAS Organization CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Evolution of RMAS IS Audit 2006 Strategic IT Governance Audit 2000 Integrated Audit • Objective is to ensure IT strategy is aligned with business objectives. • Audit IT processes, management policy, procedures and compliance. • Audit IT internal controls and security management. Pre-2000 System Base Audit • Objective is to assure information technology controls are enabled to support the business process. • Audit of applications, servers, access controls, change controls, BCP/DR Value Add • Objective is to audit university critical systems based on high, medium or low risk criteria. • Audit of network, servers, access controls, change controls, BCP/DR Tactical Low High Level of Complexity CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
CoBIT and IT Governance Control Objectives IT (CoBIT) is an International standard in directing and controlling an enterprise’s information technology. CoBIT sets the standards of measuring IT Governance process maturity. Process Maturity Domain Business Requirements • Plan and Organize • Acquire and Implement • Delivery and Support • Monitor and Evaluate Basic CoBIT Principle IT Processes IT Resources CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Benefits of CoBIT • CoBIT offers an IT Governance Auditing Framework • Internationally recognized standard for best management practices and processes • IT risks and IT controls are easily communicated to IT and non-IT professionals CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
COBIT Framework Characteristics COBIT Framework • The COBIT framework was created with the main characteristics: • Business-focused • Process-oriented • Controls-based • Measurement-driven ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Where Does COBIT Fit? CONFORMANCE Basel II, Sarbanes- Oxley Act, etc. PERFORMANCE: Business Goals Drivers Balanced Scorecard Enterprise Governance COSO COBIT IT Governance ISO 9001:2000 ISO 17799 ISO 20000 Best Practice Standards QA Procedures Security Principles Processes and Procedures ITIL CAUBO ACPAU June 23, 2007 Pre-Conference Seminar ©2007 IT Governance Institute
CoBIT Approach In Assessing IT Governance At Harvard CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Background • A major premier school in transition: • New Dean • Changes in academic curriculum • Aggressive recruitment of faculty • Campus expansion and facility improvements • Decentralized to centralized IT operations CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Assessing IT Governance Detailed review of the school IT Governance and internal controls within Information Technology Services. • Focus within two primary areas: • IT Governance that assessed technology organization’s performance against its responsibilities of delivering efficient and quality IT services measured against the School’s overall strategic business objectives • IT Assessment that evaluated the processes and systems of internal control and compliance CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Audit Approach • Perform risk assessment • Identify risks Planning Identify Business Goals IT Goals Scoping Key IT processes and Key IT resources Identify Control Objectives • Inquire and confirm • Inspect (walk-through and review) • Observe • Sampling and analyze Testing CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner Effectiveness Provision of information through the optimal (most productive and economical) use of resources Efficiency Confidentiality The protection of sensitive information from unauthorised disclosure Relates to the accuracy and completeness of information Integrity Information being available when required by the business process now and in the future; it also concerns the safeguarding of necessary resources and associated capabilities Availability Complying with thoselaws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies Compliance Reliability The provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities IT Governance Audit Objectives ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance IT Audit Strategy Process Controls Interviews Documentation • Organizational charts • ITS Budgets • Third-party Contracts • Helpdesk Reports • Project Logs • Training Materials • Policy and Procedures • Communications Scope of Work • IT Governance • IT Enterprise Strategy • Steering Committee effectiveness • IT Budgeting & Investments • Identification & Prioritization IT initiatives • IT Performance Metrics • Incident Response, support calls & problem management • IT Controls • Change Mgmt Framework • Project Mgmt • System Development Life Cycle • Incident Response • Mgmt of Third-Party VendorsContracts • Business Continuity/Disaster Recovery • Data Center Approach Risk Analysis • ITS • Office of Academic Affairs • Student Office • Office of Administration • Faculty • IT Steering Committee Observations and Recommendations CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
CoBIT Four IT Process Domains • Plan and Organize • Acquire and Implement • Delivery and Support • Monitor and Evaluate Business Requirements IT Resources CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Plan and Organize PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organization and relationships. PO5 Manage the IT investment. PO6 Communicate management aims and direction. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects. Plan and Organize (PO) • Objectives: • Planning, communicating and managing the realization of the strategic vision • Implementing organizational and technological infrastructure • Scope: • Is the enterprise achieving optimum use of its resources? • Does everyone in the organization understand the IT objectives? • Is the quality of IT systems appropriate for business needs? ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Acquire and Implement (AI) AI1 Identify automated solutions. AI2 Acquire and maintain application software. AI3 Acquire and maintain technology infrastructure. AI4 Enable operation and use. AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions and changes. Acquire and Implement (AI) • Objectives: • Identifying, developing or acquiring, implementing, and integrating IT solutions • Changes in and maintenance of existing systems • Scope: • Are new projects likely to deliver solutions that meet business needs? • Are new projects likely to be delivered on time and within budget? • Will the new systems work properly when implemented? ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Deliver and Support DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations. Deliver and Support (DS) • Objectives: • The management of security, continuity, data and operational facilities • Service support for users • Scope: • Are IT services being delivered in line with business priorities? • Is the workforce able to use IT systems productively and safely? • Are adequate confidentiality, integrity and availability in place? ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Monitor and Evaluate ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance. Monitor and Evaluate (ME) • Objectives: • Performance management • Monitoring of internal control • Scope: • Is IT’s performance measured to detect problems before it is too late? • Does management ensure that internal controls are effective and efficient? • Can IT performance be linked to business goals? • Are risk, control, compliance and performance measured and reported? ©2007 IT Governance Institute CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Align Business Goals with Key IT Goals CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
IT Governance Maturity Benchmark 1.5 School Harvard Target • Using CoBIT’s Maturity Benchmark, ITS scored a 1.5, which is estimated to be in line with Harvard University’s other IT organizations. • School can gain significant benefits in operational efficiencies (i.e. productivity), effectiveness (i.e. operational costs) and compliance by operating within a target maturity level rating of 3.0. • Five Key IT Governance recommendations were identified to help the school to achieve the goals of reaching maturity level of 3.0. CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Key Recommendations Listed in priority order: • IT Governance recommendations will require the School’s senior leadership team’s involvement, as it ultimately set the strategic direction. • *IT Control recommendations are the responsibility of the CIO. CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Benefits to the Auditee • Clarify IT decision-making roles and responsibilities • Clearly communicate who is accountable for decisions in academic and administrative computing • Foster true partnership between IT and business leaders • Strengthen general IT controls and security CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Lessons Learned • Auditing IT governance involves interaction at every level of the organization leadership and internal\external stakeholders • IT governance scope must be clear and concise • Appropriate risk and controls must be identified • IT governance should be conducted with a senior auditor with appropriate consultative skill sets • Internal audit plays a critical role in IT governance IT GOVERNANCE AUDIT IS NOT FOR FAINT-HEARTED CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
Questions CAUBO ACPAU June 23, 2007 Pre-Conference Seminar
References IT Governance Institute - http://www.itgi.org/ ISACA - http://www.isaca.org/ IT Audit - http://www.theiia.org/itaudit/ CAUBO ACPAU June 23, 2007 Pre-Conference Seminar