
Information Technology Management (ITM101)


Presentation Transcript


  1. Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

  2. Governance? IT governance aims to ensure that expectations for IT are met and IT risks are mitigated. • Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders • IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives

  3. Is It Necessary?

  4. IT Governance

  5. Why is IT Governance a ‘Hot Topic’? • Increased sensitivity to protecting stakeholder interests • Shareholders (see: Sarbanes-Oxley) • Consumers (see: HIPAA) • Suppliers (see: PCI)

  6. Other ‘Non-Regulatory’ Reasons… • Recognized need for tight business linkage • Strategic Alignment • Value Delivery • Resource Management • Risk Management • Performance Management • Effective Management of Outsourced IT Suppliers • Relationship Management • Financial Management • Performance Management • Contract Management

  7. Definitions

  8. IT Governance Definitions (IIA International Professional Practices Framework) • [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives. • [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people. • [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

  9. Definition of IT Governance From COBIT (CobiT 4.1): IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

  10. Common Framework Structure

  11. Governance: High Level View • The business of running IT vs. running the technology • Setting the rules and assuring they are followed • An ethical responsibility to stakeholders • Principal - business • Commonwealth - people • Each other - reputation

  12. IT Governance Objectives The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives. Ideally: • Governance should be a top-down process • Linkages to business process and strategy exist for all actions • Information is covered in oral, paper, and electronic forms • Governance transcends physical boundaries • Through governance, acceptable practices, policies, and procedures are established

  13. Responsibility for IT Governance [Organization chart: Management Board → Information Security Steering Committee → Sub-Committees (Architecture, Security, etc.) → Service Delivery & Functional Operation Management Teams → Applications, Systems, Operations, Desktop, Networks] Responsibility: IT governance is the responsibility of the board of directors and executive management. • Integral part of enterprise governance • Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

  14. Roles and Responsibilities Information Owner? These are the department managers assigned as functional owners of organization assets and who are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the information resources of which they are assigned ownership. The term “owner” must be established in the asset classification policy.

  15. IT Governance: COBIT Focus Areas • Strategic Alignment • Value Delivery • Resource Management • Risk Management • Performance Measurement

  16. Focus Areas of IT Governance Five main focus areas for IT governance, all driven by stakeholder value. • Two are outcomes: Value delivery; Risk management • Three are drivers: Strategic alignment; Performance measurement; Resource management (which overlays them all) [Figure: IT Resource Management]

  17. Security Strategy: Elements & Controls

  18. Measuring Maturity

  19. IT Governance Frameworks

  20. Clear Business Ownership and Direction • Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’) • Enterprise Strategy • Business Goals for IT • IT Goals • Enterprise Architecture for IT • IT Scorecard

  21. Linking Technical and Business Risk • Risk is the ‘lingua franca’ of business. • Management needs to be able to compare IT Risks with other risks. • IT Governance must do an effective job of translating technical risks to business risks.

  22. Linking Technical and Business Risk

  23. IT Governance in a Sourced Environment

  24. IT Governance in a Sourced Environment [Figure: Business Strategy and Processes ↔ IT Governance ↔ Commercial Relationship ↔ Suppliers’ IT Strategy and Processes]

  25. Considerations in a Sourced Environment • Sourcing Strategy • Contract Management • Finance Management • Relationship Management • Performance Management

  26. Sourcing Strategy • Part of IT Strategic Plan • Inventory of critical Supplier relationships • Update based on changes to Business, IT or Supplier Strategies • May contain intervention plans

  27. Contract Management • Initial negotiation and in-life change management • Defines Services/Quality • Defines ownership of Intellectual Property • Compliance with Law and Policy • Audit Rights

  28. Contract Change Management • Required by either changing business needs or to address ambiguity. • Should be viewed as a negotiation. • Each party will attempt to get concessions not previously obtained - value is at risk • Depend on Relationship Management for smaller changes to avoid this risk

  29. Intellectual Property • Supplier IP may be used to deliver efficiencies ($) • However, use of Supplier IP may limit sourcing flexibility. • Who owns process ‘know-how’ and does this change over time? • What risk does this represent?

  30. Intellectual Property Mitigations • Inventory, inventory, inventory • IT processes supporting the business • Materials (documents, rights, etc.) • Risk Management discussion with business • Seek legal help • Follow up!

  31. Audit Rights • Business requirements drive specifics. • Must be in the initial contract • For supplier shared services, SAS70 Type II • Audit rights should be unlimited and at no cost.

  32. Finance Management • Deal financials reporting • Invoice Verification • Service receipt • Credits • Incentives • Internal cost recovery

  33. Finance Management • This is THE PLACE to receive an independent confirmation of IT value delivery. • Budgets are a very unforgiving reality check!

  34. Relationship Management • Overall Supplier management • Monitor business needs • Communication Forums • Issue Management • Risk Management • Project Management

  35. Risk Management • IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total. • As before, there may be a translation here from technical risk to business risk. • Can use Probability × Business Impact as the metric. The business should supply the Impact. • This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

  36. Project Management • Good Project Management helps assure value delivery • Define ‘project’ vs. ‘daily work’ in the contract. • Has linkages to Finance Management (paying Project costs), Service Delivery (assuring Project deliverables) NPS

  37. Performance Management • Aligning Service Delivery Requirements • Managing and Reporting against SLAs • Management of individual projects • Work prioritization

  38. An Audit Checklist for IT Governance

  39. IT Governance Audit Planning • Audit Team Composition • Audit Criteria • Learnings from the Balanced Scorecard Approach

  40. Audit Team Composition • Leadership - Business or IT? • Audit Supervision and Auditor in Charge Independence is a must • Beware setting up an audit team that may reflect corporate IT Governance issues • Consider sourcing knowledgeable auditors

  41. IT Governance Audit Criteria / Standards • IIA Governance Auditing Standards • ISACA / ITGI IT Governance Auditing Guidelines • ITGI Risk IT Framework • ITGI Val IT Framework • << Insert your Company business policies here >>

  42. Learnings from the Balanced Scorecard • Consider IT Governance from various business points of view (1) • Corporate • Customer • Operational Excellence • Future / Sustainability
  (1) “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

  43. Balanced Scorecard: Corporate View

  44. Balanced Scorecard: Customer View

  45. Balanced Scorecard: Operational View

  46. Balanced Scorecard: Future View

  47. COBIT as a RoadMap to IT Governance

  48. COBIT as a RoadMap to IT Governance • Global standard released as a set of tools that ensures IT is working effectively • Functions as an overarching framework • Provides a common language to communicate goals, objectives and expected results to all stakeholders • Based on, and integrates, industry standards and good practices in: Strategic alignment of IT with business goals; Value delivery of services and new projects; Risk management; Resource management; Performance measurement

  49. COBIT: Processes, Goals and Metrics [Figure: Relationship Amongst Process, Goals and Metrics (DS5)]

  50. Defined Responsibilities for Each Process: RACI Chart A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed. [Chart: Functions (columns) × Activities (rows)]
