
Chapter 5: IT Strategy and Standards


Presentation Transcript


  1. IS Security, Audit, and Control (Dr. Zhao)
  Chapter 5: IT Strategy and Standards
  MBAD 7090

  2. Objectives
  • Business and IT Strategic Plan
  • IT Architecture vs. Infrastructure
  • IT Standards
  • Technology Risk Management

  3. Overview
  • IT has become a strategic part of most businesses. An IT Strategic Plan is a formal vision that guides the acquisition, allocation, and management of information technology resources to fulfill the organization's objectives.

  4. Strategic IT Planning
  • Provides a roadmap for operating plans
  • Provides a framework for evaluating technology investments
  "The truth is that those IT leaders who don't master the art of strategic planning won't last long." (CIO.com, 2008)
  • Challenges:
    • Many companies lack well-defined strategies

  5. First Step in Developing an IT Strategic Plan
  • Understand the business objectives, whether stated or implied.
  • This guides management in evaluating investments, assessing risk, and implementing controls.
  • Example: business strategy for an online bookstore
    • "The business should have desired outcomes: market share gains, higher customer satisfaction levels, and shortened cycle times."
    • Question: figure out where IT factors into that.

  6. Linking Business and IT
  [Diagram: Strategic IT Planning Cycle (Business/IT Alignment). Labels on the diagram: Business Strategy; Long Term Blueprint; Global Architecture Direction; Corporate & Project-specific Architectures; Technology Requests; Project and Application Driven Requests; Operations and Infrastructure Driven Requests; Other Internal & External Requests; Industry Analyst, Vendor, Expert Input; Technology Steering Committee; Request Evaluation; Prioritization & Funding; Projects & Programs; Program Results; Monitoring & Control; Review Process; Plan Review and Feedback; Plan Updates.]

  7. IT Architecture vs. Infrastructure
  • IT infrastructure
    • The physical facilities, services, and management that support all computing resources in an organization.
  • IT architecture
    • A high-level map or plan that explains and guides how IT elements work together:
    • Business activities and processes
    • Data sets and information flows
    • Applications, software, technology

  8. Workgroup vs. Network Architecture (Google)
  • Workgroup Centric:
    • Strategy: Capture desktops
    • Customer's labor and capital
    • User-specific infrastructure
    • System control by users
    • Operating system dependency
    • Licensed software
    • Data read from files
  • Network Centric:
    • Strategy: Occupy the Internet
    • Labor and capital in the network
    • Infrastructure is universal
    • Network controls in the network
    • Open source browser
    • Pay for use
    • Data assembled in context
  • National Association of State Chief Information Officers (NASCIO)'s vision of enterprise architecture

  9. IT Standards
  • Standards guide industry and companies in selecting hardware and software and in developing new applications
  • Ensure compatibility between applications
  • Ease technology integration and technical support
  • Examples
    • USPS
    • UNCC

  10. Policies & Procedures
  • Ensure that organizational goals are met
  • Communicate the organization's stand on systems architecture, testing and validation of requirements, and documentation
  • Professional associations have issued guidelines in this area

  11. Case: The Failure of CRM
  • Various surveys indicate that the failure rate of customer relationship management (CRM) systems is very high
    • Only 16% of CRM implementations have improved business performance (AMR Research of Boston)
    • 45% of CIOs are not satisfied with their CRM installation (Merrill Lynch survey)
  • Top reasons
    • Lack of a strategic plan
    • Lack of executive sponsorship
    • Poor alignment of technology and business processes

  12. Technology Risk Management
  • Functions of technology risk management (TRM)
    • Identification, measurement, control, and monitoring of risks
  • Areas of technology risk
    • Enterprise wide
    • Business unit level

  13. Centralized Risk Management
  • Performs all risk management functions for the entire company
  • Risk management activities are independent of risk-taking activities
  • Evaluates each unit's risks against the risks of other business units
  • Drawback:
    • May cause too little involvement from the business units, so that the risks identified are not understood by the units that own them

  14. Business Unit Risk Management
  • Risks would be better understood
  • Controls would be feasible
  • Business unit owners are better able to decide how to mitigate risks
  • Drawbacks
    • Business units may downplay their risks to avoid implementing controls
    • Business units may not have the experience to evaluate their risks

  15. A Blended Approach
  • A central risk management figure works with the business units to identify, measure, monitor, and control their risks
  • Clearly assigns responsibility and accountability
  • Adheres to regulatory requirements and best practices

  16. Effective Technology Risk Management Program
  • Part of an overall risk management program
  • Designated Technology Risk Management manager
    • Contact point for business management
  • Involved board of directors
  • Chief Risk Officer at executive level who reports to the CEO, the Board of Directors, or both

  17. Effective Technology Risk Management Program
  • Annually, each business manager completes a risk assessment of their area, covering the business risks of each application, system, or program that the business owns
    • COBIT or another standard should be used as a guideline
    • Add new risks for the business unit
    • Review existing risk ratings for an increase or decrease

  18. Effective Technology Risk Management Program
  • The Enterprise Technology department performs risk assessments of enterprise-wide applications, systems, and programs
  • The business manager and the Chief Risk Officer's staff review the risks and associated controls
    • Review for compliance with management's level of acceptable risk

  19. Audit Involvement
  • Internal auditors objectively evaluate the risk assessments each time they audit a function, area, or application
  • External auditors' reviews provide an independent verification of the adequacy and effectiveness of the Technology Risk Management Program

  20. Class Exercise
  • Your organization has recently developed criteria for a risk management program. One goal of the program is to determine the adequacy and effectiveness of the company's IT insurance coverage.
  • Question:
    • Please describe how an effective risk management program can enable a more cost-effective use of IT insurance.
