1 / 58

IS 657 Information Systems Governance and Risk Management Part I Intro IT Governance and COBIT 5

IS 657 Information Systems Governance and Risk Management Part I Intro IT Governance and COBIT 5. Yüe “Jeff” Zhang, Acct & IS Dept , CSUN Debbie Lew, E&Y and ISACA. Outline of Part I. Why IT governance - IT Challenges Governance Overview Definition Place in corporate governance

acacia
Télécharger la présentation

IS 657 Information Systems Governance and Risk Management Part I Intro IT Governance and COBIT 5

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IS 657 Information Systems Governance and Risk ManagementPart I Intro IT Governance and COBIT 5 Yüe “Jeff” Zhang, Acct & IS Dept, CSUN Debbie Lew, E&Y and ISACA

  2. Outline of Part I • Why IT governance - IT Challenges • Governance Overview • Definition • Place in corporate governance • Perspective • Principles • Focus areas

  3. Learning Objectives (LO) of Part I • Understand the needs for governance of enterprise IT • Understand what governance of enterprise IT means • Define supporting structures, framework, and processes • Understand the elements and actions required to develop a framework and its implementation

  4. The Place of IT Governance • IT governance is • a subset discipline of Corporate Governance • focused on IT systems and their performance and risk management. • Wikipedia: • http://en.wikipedia.org/wiki/Corporate_governance

  5. Governance OverviewEnterprise Governance • Enterprise Governance is a set of responsibilities and practices exercised by the board and the executive management. • Strategic direction to the organization • Achieving objectives • Managing risks • Responsible use of resources • Balancing performance and conformance

  6. Governance OverviewIT Governance • “IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that enterprise IT sustains the organization's strategies and objectives.” • Integrate and institutionalize good practices • Take full advantage of information • Satisfy quality, fiduciary and security requirements • Optimize resources • Balance risk versus return

  7. IT Governance: why (1) • The rising interest in IT governance is driven by • the need for greater accountability for decision-making around the use of IT • in the best interest of all stakeholders. • Around the (new) use of IT • IT can be (and should be) used to enable the company to undertake new initiatives • “IT as enabler of business” • -- “You can do others can’t with your stronger IT” Enabler - COBIT 5 term

  8. IT Governance: why (3) • The rising interest in IT governance is driven by • the need for greater accountability for decision-making around the use of IT • in the best interest of all stakeholders. • Greater accountability: • Budget • Time • Mission-critical

  9. IT Governance: why (2) • The rising interest in IT governance is driven by • the need for greater accountability for decision-making around the use of IT • in the best interest of all stakeholders. • Stakeholders: • Number • Types • Positions of functioning

  10. Governance OverviewWhy IT Governance - data • “Effective IT Governance is the single most important predictor of the value an organization generates from IT” • “Firms with focused strategies and above average IT Governance had more than 20% higher profits than other firms following the same strategies” Peter Weill and Jeannie W. Ross, IT Governance

  11. Governance OverviewWhy IT Governance - data • 85% of organizations demand business cases for change projects • Only 40% of approved projects have valid (realistic) benefit statements • Less than 10% of organizations ensure benefits are realized post‐project • Less than 5% of organizations hold project stakeholders responsible for benefit attainment

  12. Governance OverviewIT management vs governance

  13. IT Challenges Classic IT Challenges • Keeping IT Running • Costs • Value • Security • Mastering Complexity • Aligning IT with Business • Regulatory Compliance • Staffing (HR, Skills, Retention) • Resources From itgi.org Try re-numbering: 1, center at IT, inner-out 2, center at strategy, top-down Learn about ITGI

  14. Classic IT Challenges1. Keeping IT Running Risks: • Mission critical processes can be adversely impacted • Productivity loss • Lost business, customers, revenue, profits • Reputational risk Control Objective: • Assure Continuity and Quality of IT services • Business continuity: http://en.wikipedia.org/wiki/Business_continuity

  15. IT Challenges – Dr. Colin BoswellProvision of User Services • Service Level monitoring • User satisfaction surveys • Training • Documentation • Help Desk • What/how do/should they do? - discussion

  16. IT Challenges – Dr. Colin BoswellService Level Management • Service level agreements • Agreeing service levels • Service level: http://en.wikipedia.org/wiki/Service_level • Performance monitoring/measuring and reporting • External service providers • New practice: outsourcing

  17. Classic IT Challenges2. Costs Risks: • Excessive spend on IT(Amgen story) • Gartner Group: ill‐conceived IT projects $$$ • Lack of understanding of IT costs: e.g. TCO • Increasing complexity of IT assets • Mismatch of IT spending by IT & biz • Resource skills lacking or non‐aligned Control Objective: • Manage costs and vendors as carefully as possible

  18. IT Challenges – Dr. Colin BoswellCost Management • The cost of service provision • Cost reporting • Cost justification • Procurement • Third party service providers

  19. Classic IT Challenges3. Value Risks: • Cost of IT investments outweigh the benefits • Expected outcomes of IT investments • Users expectations not met • Google search: “user expectation management” • Impaired business performance Control Objective: • Identify “right” IT investments, execute with excellence

  20. Classic IT Challenges4. Security Risks: • Exposure/corruption of information • Take down systems and applications • Loss of business intelligence • Abuse/misuse of information • Ability to do business affected… Control Objective: • Ensure IT security is sufficient to reduce risk to an acceptable level

  21. IT Challenges – Dr. Colin BoswellService Availability and Security • Computer/network operations • Capacity planning and management • Software/hardware availability and maintenance • Risk management and disaster recovery planning • Other aspects of security (…) Purpose of IT security: Confidentiality, Integrity, Availability

  22. Classic IT Challenges5. Mastering Complexity Risks: • Not maintaining technical competencies • Integration of new systems • Lack of standardization • Not adaptable to change • Not taking advantage of technology improvements Control Objective: • Organize & manage IT to be adaptable & flexible

  23. Classic IT Challenges6. AligningIT With Business Risks: • Poorly defined business requirements and/or business drivers • Prioritization mismatch between IT & business • Lack of Business Unit sponsorship • Communication gaps between business & IT  Control Objective: • Ensure IT links with the business to deliver value

  24. An IS Project Gone Astray Rainer & Cegielski, (C) Wiley 2010;

  25. IT ChallengesStrategy and Planning • Management commitment • IS Strategic Plan • Audit and review • IT auditing is a hot career • COBIT certification prepares for IT auditing • International standards • Reporting procedures • – Dr. Colin Boswell, Gartner/NZ, IBRS

  26. Classic IT Challenges7. Regulatory Compliance Risks: • Ability to do business – at all!! • Penalty Costs • Reputational risk & IT [Compliance example: PCIDSS] [PCIDSS requirements] HIPAA for healthcare… Control Objective: • Ensure compliance with all relevant regulations and contracts

  27. Classic IT Challenges8. Staffing Risks: • Insufficient coverage can lead to poor performance in all other areas • Not adaptable to change • Attracting and maintaining required skills • Skills not adequate to grow new business demands Control Objective: • Ensure IT staffing is skilled and adequate in coverage

  28. Classic IT Challenges9. Resources Risks: • Adverse performance in all previous challenges • Ability to do business Control Objective: • Ensure IT resources are sufficient

  29. IT ChallengesSystems Development and Acquisitions • The project approach to systems development or acquisitions • Systems development / acquisition • User control • Audit requirements and security • Cost justification • Quality and standards • User developed PC systems

  30. IT ChallengesTesting and Implementation • Testing • Implementation • Documentation • Training • User acceptance and sign off • Post implementation review

  31. IT ChallengesProject Management • Project ownership • Project scope • Project planning • Project monitoring, control and reporting • User involvement

  32. IT ChallengesProblem Management • Problem management procedures • Help Desk

  33. IT ChallengesChange Management • Coordination • Priority and urgency • Span of authority • Change management: • http://en.wikipedia.org/wiki/Change_management

  34. IT ChallengesSummary and inference • Challenges are multi-facet, multi-functional, critical  • Company-wide attention needed • Company-wide coordination needed • Company-wide institutional mechanism needed • Board-level awareness, vision, and guidance needed • Need to establish accountability – importance and expenses  accountable Beyond IT

  35. IT Governance Global Status Report 2011 • In 2011, PricewaterhouseCoopers (PwC) was commissioned by the IT Governance Institute (ITGI) to conduct the third global survey on IT governance. The following pages communicate the key findings. Global Status Report on GEIT— 2011

  36. Governance OverviewGlobal Status Report on GEIT - 2011 • Value creation of It investments is one of the most important dimensions of IT’s contribution to the business (mentioned by more than nine out of 10 respondents). • challenges:Increasing IT costs and an insufficient number of IT staff are the most common issues experienced • IT leading or following—there is a correlation between the position of the head of IT in the enterprise’s hierarchy and the pro-active nature of the It department. • 70 percent of respondents noted that the head of IT is a member of the senior management team, but this figure increases to 80 percent for those enterprises where IT has a proactive role.

  37. Governance OverviewGlobal Status Report on GEIT - 2011 • A focus on governance—Governance of enterprise It (GEIt) is a priority with most enterprises. Two-thirds of respondent enterprises have some GEIT activities in place, • the most common being the use of IT policies and standards, followed by • employment of defined and managed IT processes. • main driver for activities related to GEIt is ensuring that IT functionality aligns with business needs, • the most commonly experienced outcomes are improvements in management of IT-related risk and communication and relationships between business and IT.

  38. Governance OverviewGlobal Status Report on GEIT - 2011 • Moving out—Outsourcing is highly prevalent across the board, especially in larger enterprises and those where It is considered important or very important to the delivery of the business strategy or vision. • Cloudy days—Respondents reported that their heads were in the cloud: • 60 percent use or are planning to use cloud computing for non-mission-critical IT services, and more than 40 percent use or are planning to use it for mission-critical It services. • For companies that do not have plans to use cloud computing the main reasons are data privacy and security concerns.

  39. Governance OverviewGlobal Status Report on GEIT - 2011 • Watching expenses—the global economic downturn has had an effect on IT activities, the primary response initiatives being: • (1) a reduction in contractor staff, • (2) a reduction in permanent staff and • (3) a consolidation of the infrastructure. • Social networking—the use of Facebook or twitter at work is not highly prized; only one out of five respondents believes that the benefits of employees using social networking outweigh the risks. • Corporate’s own proprietary version

  40. Global Status Report on GEIT – 2011Conclusions and Recommendations • The right governance enablers can ensure the transparency of IT supply and demand and facilitate decision making about demand and its prioritisation in pursuit of value delivery to the enterprise • GEIT initiatives must take a balanced and holistic view of the five GEIT focus areas • Governing enterprise IT effectively can help increase project success rates by addressing both the way projects are selected or approved and the way they are governed and overseen • Successfully implementing GEIT depends on several factors: change management, communication, proper scoping and identification of achievable objectives

  41. Global Status Report on GEIT – 2011Conclusions and Recommendations • Outsourcing can create significant benefits, with the proper governance focus • GEIT can help enable the adoption of emerging technologies such as cloud computing • The use of frameworks and structures can help improve the governance of enterprise architecture

  42. Governance OverviewIT Governance perspective: enterprise-wide • The traditional involvement of board-level executives in IT issues was to defer all key decisions to the company’s IT professionals. • IT governance implies a system in which ALL stakeholders (who are they?) have clear accountability for their respective responsibilities in the decision making process affecting/related to IT

  43. Governance OverviewPrinciples of IT Governance • IT Governance involves structures and processes that direct organizations towards achieving objectives. There are four essential principles: • Direct and Control • Responsibility • Accountability • Activities • Reference: IT Governance Institute, COBIT 4.1

  44. Governance OverviewIT Governance Focus Areas • IT Governance are grouped into the following five focus areas: • Strategic Alignment, • Value Delivery, • Risk Management, • Resource Management, • Performance Measurement. • Reference: IT Governance Institute, COBIT 4.1 IT Governance Pentagon

  45. Governance OverviewIT Governance Focus Areas • Linking business and IT Plans • Executing the value proposition • Optimal investment and proper management • Risk awareness and appetite • Track and monitor • Reference: IT Governance Institute, COBIT 4.1 IT Governance Pentagon

  46. The COBIT Framework The Need for a Control Framework “A control framework for IT Governance • defines the reasons IT Governance is needed, • the stakeholders and • what it needs to accomplish.” • Now to the higher level of “enterprise governance of IT” – emphasizing • Stakeholder needs • End-to-end coverage

  47. The COBIT Framework Definition and Mission - Definition • COBIT stands for “Control Objectives for Information and Related Technology.” • Now just COBIT • Developed by the IT Governance Institute (ITGI) • Promoted/advocated by ISACA • a standard setting body in the areas of information governance, control, and security for professionals.

  48. The COBIT Framework Definition and Mission - Mission • COBIT Mission: [Importance of mission] • To research, develop, publicize and promote an authoritative, up‐to‐date, internationally accepted IT governance control framework • for adoption by enterprises and day‐to‐day use by business managers, IT professionals and assurance professionals • Reference: IT Governance Institute, COBIT 4.1

  49. The COBIT Framework Definition and Mission - Mission • COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance has resulted in the creation of a growing family of publications and products designed to assist in the implementation of effective IT governance throughout an enterprise. • Reference: IT Governance Institute, COBIT 4.1

  50. Why COBIT? • COBIT Case Studies by Industry: • http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Case-Studies.aspx

More Related