
Information Technology Management (ITM101)






Presentation Transcript


  1. Information Technology Management (ITM101) Week 02: IT Standards & Governance Matthew W. Stephan: CISM, CISSP, CGEIT, CRISC, PMP

  2. Governance?
  IT governance aims to ensure that expectations for IT are met and IT risks are mitigated.
  • Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
  • IT Governance: Subset of the Corporate Governance framework tasked with ensuring the alignment of IT with enterprise objectives

  3. IT Governance

  4. Why is IT Governance a ‘Hot Topic’?
  • Increased sensitivity to protecting stakeholder interests
    • Shareholders (see: Sarbanes-Oxley)
    • Consumers (see: HIPAA)
    • Suppliers (see: PCI)

  5. Forces Driving Governance
  • Business/IT Alignment
  • ROI
  • Compliance
  • Project Execution
  • Security

  6. Other ‘Non-Regulatory’ Reasons…
  • Recognized need for tight business linkage
    • Strategic Alignment
    • Value Delivery
    • Resource Management
    • Risk Management
    • Performance Management
  • Effective Management of Outsourced IT Suppliers
    • Relationship Management
    • Financial Management
    • Performance Management
    • Contract Management

  7. Definitions

  8. IT Governance Definitions (IIA International Professional Practices Framework)
  • [IT Governance] Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology sustains and extends the organization’s strategies and objectives.
  • [IT Controls] Controls that support business management and governance as well as provide general and technical controls over information technology infrastructures such as applications, information, infrastructure, and people.
  • [Governance] The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

  9. Definition of IT Governance from COBIT (CobiT 4.1): IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

  10. Common Framework Structure

  11. Governance: High Level View
  • The business of running IT vs. running the technology
  • Setting the rules and assuring they are followed
  • An ethical responsibility to stakeholders
    • Principal - business
    • Commonwealth - people
    • Each other - reputation

  12. IT Governance Objectives
  The purpose of IT governance is to direct IT endeavors and to ensure that IT is aligned with business objectives. Ideally:
  • Governance should be a top-down process
  • Linkages to business process and strategy exist for all actions
  • Information in oral, paper, and electronic forms is covered
  • Governance transcends physical boundaries
  • Through governance, acceptable practices, policies, and procedures are established

  13. Responsibility for IT Governance
  [Organization chart: Management Board; Information Security Steering Committee; Sub-Committees (Architecture, Security, etc.); Service Delivery & Functional Operation Management Teams (Applications, Systems Operations, Desktop, Networks)]
  Responsibility: IT governance is the responsibility of the board of directors and executive management.
  • Integral part of enterprise governance
  • Consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.

  14. IT Governance: COBIT Focus Areas
  • Strategic Alignment
  • Value Delivery
  • Resource Management
  • Risk Management
  • Performance Measurement

  15. Focus Areas of IT Governance
  Five main focus areas for IT governance, all driven by stakeholder value.
  • Two are outcomes:
    • Value delivery
    • Risk management
  • Three are drivers:
    • Strategic alignment
    • Performance measurement
    • Resource management (which overlays them all)
  [Figure: IT Resource Management]

  16. Security Strategy: Elements & Controls

  17. Measuring Maturity

  18. IT Governance Frameworks

  19. Clear Business Ownership and Direction
  • Alignment of Business and IT Objectives (CobiT 4.1 ‘Framework’)
    • Enterprise Strategy
    • Business Goals for IT
    • IT Goals
    • Enterprise Architecture for IT
    • IT Scorecard

  20. Linking Technical and Business Risk Risk is the ‘lingua franca’ of business. Management needs to be able to compare IT Risks with other risks. IT Governance must do an effective job of translating technical risks to business risks.

  21. Linking Technical and Business Risk

  22. IT Governance in a Sourced Environment

  23. IT Governance in a Sourced Environment
  [Diagram: Business Strategy and Processes; IT Governance; Commercial Relationship; Commercial Relationship; Suppliers’ IT Strategy and Processes]

  24. Considerations in a Sourced Environment
  • Sourcing Strategy
  • Contract Management
  • Finance Management
  • Relationship Management
  • Performance Management

  25. Sourcing Strategy
  • Part of IT Strategic Plan
  • Inventory of critical Supplier relationships
  • Update based on changes to Business, IT or Supplier Strategies
  • May contain intervention plans

  26. Contract Management
  • Initial negotiation and in-life change management
  • Defines Services/Quality
  • Defines ownership of Intellectual Property
  • Compliance with Law and Policy
  • Audit Rights

  27. Contract Change Management
  • Required by either changing business needs or to address ambiguity.
  • Should be viewed as a negotiation. Each party will attempt to get concessions not previously obtained - value is at risk.
  • Depend on Relationship Management for smaller changes to avoid this risk.

  28. Intellectual Property
  • Supplier IP may be used to deliver efficiencies ($)
  • However, use of Supplier IP may limit sourcing flexibility.
  • Who owns process ‘know-how’ and does this change over time?
  • What risk does this represent?

  29. Intellectual Property Mitigations
  • Inventory, inventory, inventory
    • IT processes supporting the business
    • Materials (documents, rights, etc.)
  • Risk Management discussion with business
  • Seek legal help
  • Follow up!

  30. Audit Rights
  • Business requirements drive specifics.
  • Must be in the initial contract
  • For supplier shared services, SAS70 Type II
  • Audit rights should be unlimited and at no cost.

  31. Finance Management
  • Deal financials reporting
  • Invoice Verification
    • Service receipt
    • Credits
    • Incentives
  • Internal cost recovery

  32. Finance Management This is THE PLACE to receive an independent confirmation of IT value delivery. Budgets are a very unforgiving reality check!

  33. Relationship Management
  • Overall Supplier management
  • Monitor business needs
  • Communication Forums
  • Issue Management
  • Risk Management
  • Project Management

  34. Risk Management
  IT Governance process to evaluate Supplier Financial, Service Delivery, Relationship and Information Security risks in total. As before, there may be a translation here from technical risk to business risk. Can use Probability × Business Impact as the metric; the business should supply the Impact. This can be a powerful tool to use with Suppliers. They speak the lingua franca as well.

  35. Project Management (NPS)
  • Good Project Management helps assure value delivery
  • Define ‘project’ vs. ‘daily work’ in the contract.
  • Has linkages to Finance Management (paying Project costs) and Service Delivery (assuring Project deliverables)

  36. Performance Management
  • Aligning Service Delivery Requirements
  • Managing and Reporting against SLAs
  • Management of individual projects
  • Work prioritization

  37. An Audit Checklist for IT Governance

  38. IT Governance Audit Planning
  • Audit Team Composition
  • Audit Criteria
  • Learnings from the Balanced Scorecard Approach

  39. Audit Team Composition
  • Leadership - Business or IT?
  • Audit Supervision and Auditor in Charge: independence is a must
  • Beware setting up an audit team that may reflect corporate IT Governance issues
  • Consider sourcing knowledgeable auditors

  40. IT Governance Audit Criteria / Standards
  • IIA Governance Auditing Standards
  • ISACA / ITGI IT Governance Auditing Guidelines
  • ITGI Risk IT Framework
  • ITGI Val IT Framework
  • << Insert your Company business policies here >>

  41. Learnings from the Balanced Scorecard
  • Consider IT Governance from various business points of view (1)
    • Corporate
    • Customer
    • Operational Excellence
    • Future / Sustainability
  (1) “Measuring and Improving IT Governance Through the Balanced Scorecard”, Information Systems Control Journal, Volume 2, 2005

  42. Balanced Scorecard: Corporate View

  43. Balanced Scorecard: Customer View

  44. Balanced Scorecard: Operational View

  45. Balanced Scorecard: Future View

  46. CobIT as a RoadMap to IT Governance

  47. COBIT as a RoadMap to IT Governance
  • Global standard released as a set of tools that ensures IT is working effectively
  • Functions as an overarching framework
  • Provides a common language to communicate goals, objectives and expected results to all stakeholders
  • Based on, and integrates, industry standards and good practices in:
    • Strategic alignment of IT with business goals
    • Value delivery of services and new projects
    • Risk management
    • Resource management
    • Performance measurement

  48. COBIT: Processes, Goals and Metrics
  [Figure: Relationship Amongst Process, Goals and Metrics (DS5)]

  49. Defined Responsibilities for Each Process: RACI Chart
  A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
  [Chart: Functions vs. Activities]

  50. The COBIT Framework
