IT Governance Leveraging Best Practices for Governance Success
IT Governance – Leveraging Best Practices for Governance Success
Greg Charles, Ph.D., Area Senior Technology Specialist, Western U.S.; ITIL, Governance & Best Practices Lead, CA, Inc.
December 2007
IT Governance
Defined as: the management of risk & compliance.
“The overall methodology by which IT is directed, administered and controlled”
Figure: Governance and Compliance
5/25/2021 *
Three Pillars of IT Governance
Figure: Infrastructure Management, IT Use/Demand Management, IT Project Management
Managing Ever-Increasing Complexity
The Real World View?
Figure: SAP, Identity Manager, PSFT, Siebel, Network Router, End User, Load Balancer, Firewall, Switch, Portal, Mainframe, Black Box, Web Servers, Database Applications, Web Services, Databases, 3rd Party applications
The Cruel Reality (Source: Gartner)
Figure: applications wired together point-to-point through screen scrape, download file, message queue, sockets, transaction file, RPC, ORB, APPC, message and CICS gateway interfaces
Addressing These Challenges: Improving Engagement and Efficiency
What is engagement? Doing the right things: IT’s ability to partner with the business to maintain alignment and maximize return from IT investments.
What is efficiency? Doing things right: IT’s ability to make the best use of its people, budgets and assets.
Obstacles Prevent Effective Engagement
Overwhelming Demand:
- Unstructured capture of requests and ideas
- No formal process for prioritization and tradeoffs
- Reactive vs. proactive
IT and Biz Divide:
- Business thinks in IT services – IT delivers in technology terms
- Costs disassociated with services
IT Seen as Black Box:
- Business lacks visibility
- Poor customer satisfaction
Disparate Systems Reduce Efficiency
- No single system of record for decision-making
- IT management systems siloed
- Relevant metrics hard to obtain
- Disparate systems costly to maintain and upgrade
IT Governance Landscape
How to Improve Engagement? Structured IT Governance Process
Integrated Demand Management
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives
Comprehensive Portfolio Management
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services
Business Intelligence for the BRM
- Visibility into all services that support LOB
- Detailed cost invoices
How to Improve Efficiency? Comprehensive Management
Empower the PMO
- Automate, enforce, and report on process compliance
World-Class Project Execution
- Leverage best practices across entire project portfolio
- Rapid time to value
Comprehensive Resource Management
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advanced resource management capabilities
Scalable, Transparent Status Capture
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with Asset Management Solution
Approaches Currently In Use
> Business As Usual – “Firefighting”
> Legislation – “Forced”
> Best Practice Focused
IT Governance Model
Figure: frameworks positioned across Audit Models, IS Strategy / IT Planning, IT Operations, Project Mgmt., IT Security, App. Dev. (SDLC), Service Mgmt., and Quality Systems & Mgmt. Frameworks. Labels shown: Sarbanes-Oxley, COSO, US Securities & Exchange Commission, COBIT®, ASL, ISO 20000, BS 15000, ITIL®, CMMi, ISO 17799, PMI PMBOK, PRINCE 2, TSO, ISO, Six Sigma
Best Practices
Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• ITIL®
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
ITIL® v2 to v3
Figure: the ITIL v2 book set, spanning The Business and The Technology: Introduction to ITIL; Planning To Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; ICT Infrastructure Management; Security Management; Small-Scale Implementation; Application Management; Software Asset Management
ITIL Service Support Model
Figure: The Business, Customers or Users raise difficulties, queries and enquiries to the Service Desk and receive communications, updates and work-arounds; monitoring tools feed incidents in. Process outputs shown:
- Service Desk: customer survey reports, service reports
- Incident Management: incident statistics, audit reports
- Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
- Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports
- Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports
- Configuration Management: CMDB reports, CMDB statistics, policy standards, audit reports
- CMDB holds: incidents, problems, known errors, changes, releases, CIs, relationships
ITIL Service Delivery Model
Figure: Business, Customers and Users exchange communications, updates, reports, queries and enquiries with the delivery processes; requirements, targets and achievements flow into Service Level Management; management tools supply alerts and exceptions and changes. Process outputs shown:
- Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
- Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
- Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
- Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
- IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centres, DR contracts, reports, audit reports
COBIT® (Control Objectives for IT)
> Focused on IT standards and audit; COBIT is jointly “owned/maintained” by ITGI and ISACA (Information Systems Audit and Control Association)
> Based on over 40 international standards
> Supported by over 150 IT Governance Chapters – www.itgi.org – www.isaca.org
Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
The COBIT® Cube (Business Requirements)
4 Domains
34 Processes
318 Control Objectives (215 in COBIT® 4.0)
The Four COBIT® Domains
Planning & Organization (PO Process Domain)
Acquisition & Implementation (AI Process Domain)
Delivery & Support (DS Process Domain)
Monitoring (M Process Domain)
Planning & Organization
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO10 Manage Projects
PO11 Manage Quality
Acquisition & Implementation
AI1 Identify Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Architecture
AI4 Develop and Maintain IT Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
Delivery and Support
DS1 Define Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Attribute Costs
DS7 Educate and Train Users
DS8 Assist and Advise IT Customers
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS5 – Ensure Systems Security
DS5.1 Manage Security Measures
DS5.2 Identification, Authentication and Access
DS5.3 Security of Online Access to Data
DS5.4 User Account Management
DS5.5 Management Review of User Accounts
DS5.6 User Control of User Accounts
DS5.7 Security Surveillance
DS5.8 Data Classification
DS5.9 Central Identification and Access Rights Management
DS5.10 Violation and Security Activity Reports
DS5.11 Incident Handling
DS5.12 Reaccreditation
DS5.13 Counterparty Trust
DS5.14 Transaction Authorization
DS5.15 Non-Repudiation
DS5.16 Trusted Path
DS5.17 Protection of Security Functions
DS5.18 Cryptographic Key Management
DS5.19 Malicious Software Prevention, Detection and Correction
DS5.20 Firewall Architectures and Connections with Public Networks
DS5.21 Protection of Electronic Value
Monitoring
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
COBIT® Summary
Planning & Organization (PO Process Domain)
Acquisition & Implementation (AI Process Domain)
Delivery & Support (DS Process Domain)
Monitoring (M Process Domain)
How to Make IT a Reality? Key Success Factors
Theory – ITIL® / COBIT® / etc.
§ Guidelines for best practices
§ Provides theory but does not always define the process
§ Education is an important component
Process
§ Convert theory to a process that is applicable to the unique needs of the organization
§ Training & education
§ Tool configuration
Technology – CA and others
§ Provide the technology that enables & automates the process
§ Repeatability, compliance & notifications
§ Implement processes that are impossible without technology
Tools to Aid Success
Figure: Maturity Model, Solution Sheets, ROI Tool, Transitional Maturity Process Model, Assessments, Profilers, Blueprints
Governance: Meeting Customer Needs
Leveraging Best Practices: ITIL®, COBIT®, COSO, ITAM, ITSM, Six Sigma, etc.
IT Governance – Leveraging Best Practices for Success
Greg Charles, Ph.D., Area Senior Technology Specialist, Western U.S.; ITIL & Best Practices Lead, CA, Inc.
December 2007
- Slides: 34