Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP
Governance? IT governance aims to ensure that expectations for IT are met and IT risks are mitigated. Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives
Why is IT Governance a ‘Hot Topic’? • Increased sensitivity to protecting stakeholder interests • Shareholders (see: Sarbanes Oxley) • Consumers (see: HIPAA) • Suppliers (see: PCI)
Forces Driving Governance: Business/IT Alignment, ROI, Compliance, Project Execution, Security
Other ‘Non-Regulatory’ Reasons… • Recognized need for tight business linkage • Strategic Alignment • Value Delivery • Resource Management • Risk Management • Performance Management • Effective Management of Outsourced IT Suppliers • Relationship Management • Financial Management • Performance Management • Contract Management
IT Governance Definitions IIA International Professional Practices Framework: [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives. [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people. [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
Definition of IT Governance From COBIT CobiT 4.1: IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
Governance: High Level View • The business of running IT vs. running the technology • Setting the rules and assuring they are followed • An ethical responsibility to stakeholders • Principal - business • Commonwealth - people • Each other - reputation
IT Governance Objectives The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives. Ideally: • Governance should be a top-down process • Linkages to business process and strategy exist for all actions • Information in oral, paper, and electronic forms is covered • Governance transcends physical boundaries • Through governance, acceptable practices, policies, and procedures are established
Responsibility for IT Governance (organization chart: Management Board → Information Security Steering Committee → Sub-Committees: Architecture, Security, etc. → Service Delivery & Functional Operation Management Teams: Applications, Systems Operations, Desktop, Networks) Responsibility: IT governance is the responsibility of the board of directors and executive management. • Integral part of enterprise governance • Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
IT Governance: COBIT Focus Areas Strategic Alignment Value Delivery Resource Management Risk Management Performance Measurement
Focus Areas of IT Governance Five main focus areas for IT governance, all driven by stakeholder value. • Two are outcomes: Value delivery; Risk management • Three are drivers: Strategic alignment; Performance measurement; Resource management (which overlays them all; shown in the diagram as IT Resource Management)
Clear Business Ownership and Direction • Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’) • Enterprise Strategy • Business Goals for IT • IT Goals • Enterprise Architecture for IT • IT Scorecard
Linking Technical and Business Risk Risk is the ‘lingua franca’ of business. Management needs to be able to compare IT Risks with other risks. IT Governance must do an effective job of translating technical risks to business risks.
IT Governance in a Sourced Environment (diagram: Business Strategy and Processes ↔ IT Governance ↔ Commercial Relationship ↔ Suppliers’ IT Strategy and Processes)
Considerations in a Sourced Environment: Sourcing Strategy; Contract Management; Finance Management; Relationship Management; Performance Management
Sourcing Strategy Part of the IT Strategic Plan. Inventory of critical Supplier relationships. Updated based on changes to Business, IT or Supplier Strategies. May contain intervention plans.
Contract Management Initial negotiation and in-life change management. Defines Services/Quality. Defines ownership of Intellectual Property. Compliance with Law and Policy. Audit Rights.
Contract Change Management Required by either changing business needs or to address ambiguity. Should be viewed as a negotiation. Each party will attempt to get concessions not previously obtained - value is at risk Depend on Relationship Management for smaller changes to avoid this risk
Intellectual Property Supplier IP may be used to deliver efficiencies ($) However, use of Supplier IP may limit sourcing flexibility. Who owns process ‘know-how’ and does this change over time? What risk does this represent?
Intellectual Property Mitigations • Inventory, inventory, inventory • IT processes supporting the business • Materials (documents, rights, etc.) • Risk Management discussion with business • Seek legal help • Follow up!
Audit Rights Business requirements drive specifics. Must be in the initial contract. For supplier shared services, SAS70 Type II. Audit rights should be unlimited and at no cost.
Finance Management • Deal financials reporting • Invoice Verification • Service receipt • Credits • Incentives • Internal cost recovery
Finance Management This is THE PLACE to receive an independent confirmation of IT value delivery. Budgets are a very unforgiving reality check!
Relationship Management Overall Supplier management. Monitor business needs. Communication Forums. Issue Management. Risk Management. Project Management.
Risk Management IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total. As before, there may be a translation here from technical risk to business risk. Can use Probability x Business Impact as the metric. The business should supply the Impact. This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.
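The slide's metric (Probability x Business Impact, with the impact rating supplied by the business) is easy to state but is usually applied across several risk categories per supplier and then rolled up "in total". The following added example, which is not part of the original lecture material, shows one way to do that roll-up: it takes the worst-case item in each of the four categories named on the slide, sums them into a supplier total, maps each score to a plain business rating, and refuses any item whose impact was not supplied by the business. Supplier names, categories' weighting (none), score thresholds and all risk items are constructed sample data.

```python
"""Supplier risk register using Probability x Business Impact (added illustration).

Assumptions (not from the lecture): probability is a likelihood in [0, 1]
estimated by IT/security; business impact is a 1..5 rating supplied by the
business owner; the per-supplier total is the sum of the worst item in each
category; the rating bands below are arbitrary sample thresholds.
"""
from dataclasses import dataclass, field

# The four risk categories named on the slide.
CATEGORIES = ("financial", "service_delivery", "relationship", "information_security")


@dataclass
class RiskItem:
    category: str
    description: str
    probability: float            # likelihood 0..1 (IT / security estimate)
    business_impact: int          # 1..5, must come from the business owner
    impact_source: str = "business"

    def score(self) -> float:
        """The slide's metric: Probability x Business Impact."""
        return self.probability * self.business_impact


@dataclass
class Supplier:
    name: str
    items: list = field(default_factory=list)


def validate(item: RiskItem) -> None:
    """Reject items that would make the metric meaningless to the business."""
    if item.category not in CATEGORIES:
        raise ValueError(f"unknown category {item.category!r}")
    if not 0.0 <= item.probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if not 1 <= item.business_impact <= 5:
        raise ValueError("business impact must be on the 1..5 scale")
    if item.impact_source != "business":
        # The slide's point: the business, not IT, supplies the impact.
        raise ValueError("business impact must be supplied by the business owner")


def rating(score: float) -> str:
    """Translate a numeric score into the business's own vocabulary (sample bands)."""
    if score >= 3.0:
        return "High"
    if score >= 1.5:
        return "Medium"
    return "Low"


def assess(supplier: Supplier) -> dict:
    """Worst-case score per category, summed into a supplier total."""
    by_category = {c: 0.0 for c in CATEGORIES}
    top = None
    for item in supplier.items:
        validate(item)
        by_category[item.category] = max(by_category[item.category], item.score())
        if top is None or item.score() > top.score():
            top = item
    total = sum(by_category.values())
    return {
        "supplier": supplier.name,
        "by_category": by_category,
        "ratings": {c: rating(s) for c, s in by_category.items()},
        "total": total,
        "top_risk": top.description if top else None,
    }


def rank_suppliers(suppliers) -> list:
    """Highest aggregate risk first; this is the list to discuss with the business."""
    return sorted((assess(s) for s in suppliers), key=lambda r: r["total"], reverse=True)


# Constructed sample register (fictitious suppliers and findings).
SAMPLE_SUPPLIERS = [
    Supplier("Hosting Co", [
        RiskItem("information_security", "No independent audit report available", 0.6, 5),
        RiskItem("service_delivery", "All services run from a single data centre", 0.3, 4),
        RiskItem("financial", "Supplier revenue concentrated in one client", 0.2, 3),
    ]),
    Supplier("Payroll SaaS", [
        RiskItem("financial", "Recurring invoice disputes", 0.5, 2),
        RiskItem("information_security", "Encryption at rest not contractually required", 0.4, 4),
        RiskItem("information_security", "Contract silent on breach notification timing", 0.8, 4),
        RiskItem("relationship", "Frequent account-manager turnover", 0.7, 2),
    ]),
]

if __name__ == "__main__":
    for row in rank_suppliers(SAMPLE_SUPPLIERS):
        print(f"{row['supplier']:<12} total={row['total']:.1f} top risk: {row['top_risk']}")
```

Taking the maximum within a category rather than the sum keeps one supplier with many minor items from outscoring a supplier with a single severe item; summing across categories is what gives the "in total" view the slide asks for. The `impact_source` check is deliberate: if IT fills in the impact column itself, the metric stops being the business's assessment.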
Project Management NPS Good Project Management helps assure value delivery Define ‘project’ vs. ‘daily work’ in the contract. Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables)
Performance Management Aligning Service Delivery Requirements. Managing and Reporting against SLAs. Management of individual projects. Work prioritization.
IT Governance Audit Planning: Audit Team Composition; Audit Criteria; Learnings from the Balanced Scorecard Approach
Audit Team Composition • Leadership - Business or IT? • Audit Supervision and Auditor in Charge Independence is a must • Beware setting up an audit team that may reflect corporate IT Governance issues • Consider sourcing knowledgeable auditors
IT Governance Audit Criteria / Standards IIA Governance Auditing Standards ISACA / ITGI IT Governance Auditing Guidelines ITGI Risk IT Framework ITGI Val IT Framework << Insert your Company business policies here >>
Learnings from the Balanced Scorecard 1. “Measuring and Improving IT Governance Through the Balanced Scorecard” Information Systems Control Journal, Volume 2, 2005 • Consider IT Governance from various business points of view (1) • Corporate • Customer • Operational Excellence • Future / Sustainability
COBIT as a RoadMap to IT Global standard released as a set of tools that ensures IT is working effectively. Functions as an overarching framework. Provides a common language to communicate goals, objectives and expected results to all stakeholders. Based on, and integrates, industry standards and good practices in: Strategic alignment of IT with business goals; Value delivery of services and new projects; Risk management; Resource management; Performance measurement
COBIT: Processes, Goals and Metrics (diagram: Relationship Amongst Process, Goals and Metrics, DS5)
Defined Responsibilities for Each Process: RACI Chart A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed (rows: Activities; columns: Functions).
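A RACI chart is only useful as a governance control if it is internally consistent: each activity needs exactly one Accountable function and at least one Responsible one, and a function that appears in no row has no defined responsibility at all. The added example below, which is not COBIT's own material or code from the lecture, encodes a chart as a mapping of activities to functions and checks those rules; the functions and activities are constructed samples, not the DS5 RACI chart itself.

```python
"""RACI chart consistency checks (added illustration, constructed sample data).

Rules applied (standard RACI practice, assumed here rather than taken from
the slide): exactly one 'A' per activity, at least one 'R' per activity,
only the letters R/A/C/I are allowed, and every listed function should
appear in at least one activity.
"""

VALID_ROLES = set("RACI")

# Constructed sample: functions (columns) and activities (rows).
FUNCTIONS = ["CIO", "CISO", "Business Owner", "IT Operations", "Internal Audit"]

SAMPLE_CHART = {
    "Define information security policy": {
        "CIO": "A", "CISO": "R", "Business Owner": "C", "Internal Audit": "I"},
    "Manage user identities and access": {
        "CISO": "A", "IT Operations": "R", "Business Owner": "C"},
    "Monitor and respond to security incidents": {
        "CISO": "A", "IT Operations": "R", "CIO": "I", "Internal Audit": "I"},
    # Deliberately incomplete row: nobody is Accountable.
    "Review security control effectiveness": {
        "Internal Audit": "R", "CIO": "I"},
}


def roles(cell: str) -> set:
    """Parse a cell such as 'A/R' or 'R, C' into a set of role letters."""
    return {ch for ch in cell.upper() if ch not in "/, "}


def validate_raci(chart: dict, functions: list) -> list:
    """Return a list of findings; an empty list means the chart is consistent."""
    findings = []
    used = set()
    for activity, row in chart.items():
        accountable = [f for f, cell in row.items() if "A" in roles(cell)]
        responsible = [f for f, cell in row.items() if "R" in roles(cell)]
        for function, cell in row.items():
            if function not in functions:
                findings.append(f"{activity}: unknown function '{function}'")
            invalid = roles(cell) - VALID_ROLES
            if invalid:
                findings.append(f"{activity}: invalid role letters {sorted(invalid)} for {function}")
            used.add(function)
        if len(accountable) != 1:
            findings.append(
                f"{activity}: expected exactly one Accountable, found {len(accountable)}")
        if not responsible:
            findings.append(f"{activity}: no function is Responsible")
    for function in functions:
        if function not in used:
            findings.append(f"function '{function}' has no role in any activity")
    return findings


def render(chart: dict, functions: list) -> str:
    """Plain-text table: activities as rows, functions as columns."""
    width = max(len(a) for a in chart) + 2
    header = "Activity".ljust(width) + "".join(f.ljust(16) for f in functions)
    lines = [header]
    for activity, row in chart.items():
        cells = "".join(row.get(f, "-").ljust(16) for f in functions)
        lines.append(activity.ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_CHART, FUNCTIONS))
    for finding in validate_raci(SAMPLE_CHART, FUNCTIONS):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the review activity with no Accountable function, which is exactly the kind of gap an IT governance audit would raise: work that is being done, but with no single owner answerable for its outcome.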