IT Governance
« Some thoughts on how IT risk, control, audit and assurance are evolving beyond COBIT toward the broader concept of IT governance; why IT governance should be on the board agenda wherever IT is strategic to the business; how it fits into the broader concept of enterprise governance; and how management and boards can address it. »

What IT Problem?

What does the board do?
• Are they doing the right things?
• Are they doing them the right way?
• Are they being done well?
• Are we getting benefits?

IT governance is the responsibility of the board of directors and consists of the leadership, organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

How does management react?
• Cascading strategy and goals
• Organisational alignment
• A control framework
• Balanced business scorecard

IT Governance
• Stakeholders
• Governance Framework
• IT Alignment & Value Delivery
• Performance Measurement
• Risk Management
• Security
• Conclusions

Stakeholders Apply Pressure
• Shareholders and Executive: lower cost, higher profitability and increased market share
• Customers and Staff: more functionality at lower cost and greater ease of use
• Society: greater accountability for executives in the private and public sector

What Are Customers Saying?
E-biz facts:
• Guarantee of delivery
• Customer loyalty
• Ease of use
• Customer service
• Security

What Signals Are Regulators Giving?
Federal Reserve
• Focus on operational risk, within which security and IT are very significant
• All major risk issues have been caused by breakdowns in:
  • Internal control
  • Oversight
  • Information technology

What Signals Are Regulators Giving?
President Clinton’s Commission on Critical Infrastructure Protection
• Concern for the extreme dependence of industry on IT
• Two recommendations:
  • Awareness of senior company officers
  • Need to address three technical improvements: authenticate, segregate, make accountable

What Do Standards Say?
• Cadbury: “…strengthen internal control…boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship.”
• Turnbull: “…board to assure appropriate and effective processes to monitor risk and effectiveness of the system of internal control… broader corporate governance role for audit committees...monitor and report on risks...”
• BIS: “...governance arrangements for critical systems should be effective, accountable and transparent…”

Stewardship is extending to IT as boards question the depth of their enterprise’s reliance on IT.

What Is Management Thinking?
Uncertainty, complexity & growth
Personal & visual contact

“IT has been the longest running disappointment in business in the last 30 years!” Jack Welch, Chairman, General Electric, World Economic Forum, Davos, 1997

“Technology can help fulfil a visionary dream, but often its use is closer to a sobering nightmare!” Vesa Vaino, CEO, Merita Bank, SIBOS, Helsinki, 1998

“I am writing a book on the history of information technology…in order to better understand why it is such a mess!” Philippe Corniou, CIO, Renault, IT Governance Forum, Paris, 2001

Why Get Into Governance?
• “Due diligence”
• IT is critical to the business
• IT is strategic to the business
• Expectations and reality don’t match
• IT hasn’t gotten the attention it deserves
• IT involves huge investments and large risks


Why Get Into Governance?
“Due diligence”
• Infrastructure and productive functions
• Skills, culture, operating environment
• Capabilities, risks, process knowledge and customer information
• Service levels
Enterprises should be equally inquisitive about themselves.

IT Is Critical to Most Businesses
This criticality arises from:
• The increasing dependence on information and the systems and communications that deliver it
• The dependence on entities beyond the direct control of the enterprise
• IT failures increasingly impacting reputation and enterprise value
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• The risks of doing business in an interconnected world
• The need to build and maintain knowledge essential to sustain and grow the business

IT Is Strategic to Most Businesses
If so, wouldn’t you want to know whether your organisation’s information technology is:
• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognising opportunities and acting on them?

Managing Information Technology

Expectations
• Harness and exploit IT to deliver business value
• Provide fast development, with appropriate quality and with security
• Ascertain that IT investments have a quantitative return and that IT does more with less
• Move from efficiency and productivity gains towards value creation and business effectiveness, especially in industries requiring that the focus move from the back office to the front office

Reality
• Business losses, reputational damage or a weakened competitive position
• Enterprise effectiveness and core processes directly impacted by the quality of IT deliverables
• The failure of IT initiatives intended to bring innovation to the enterprise to achieve their promise
• Technology that is inadequate for the enterprise or obsolete too soon
• Poor support for the business
• Deadlines that are not met
• Costs that are higher than expected and quality and efficiency lower than anticipated

Why Has IT Not Gotten the Attention It Merits?
• IT requires more technical insight than do other disciplines to understand how IT:
  • Enables the enterprise
  • Creates risks
  • Gives rise to opportunities
• IT has traditionally been treated as an entity separate from the business
• IT is complex, and even more so in the extended enterprise operating in a networked economy

IT Involves Huge Investments and Large Risks
• October 1992: A new command and control system developed by the London ambulance service failed on the first day of operation.
• August 1997: UK investment managers Save & Prosper abandoned a major new IT system, having spent 2 million pounds on its design and implementation.
• 1997: Barings Bank collapsed as a result of unauthorized trading, in part enabled by the willful manipulation of management information.
• October 1998: UK Internet bank Egg launched a new online-only credit card, only to find its technical infrastructure was unable to cope with the demand.

What Should Boards Do About It?
• Be driven by stakeholder value
• Adopt an IT governance framework
• Ask the right questions
• Focus on IT’s:
  • Alignment with the business
  • Value delivery
  • Risk management
• Measure results

Diagram labels: Stakeholder Value Drivers; IT Strategic Alignment; IT Value Delivery; Risk Management; Performance Measurement.

What Should Management Do About It?
• Align IT strategy with business goals
• Cascade strategy and goals down into the organisation
• Set up organisational structures that facilitate strategy implementation
• Adopt a control and governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organisation
• Focus on important IT processes and core IT competencies
• Measure performance (balanced business scorecard)

COBIT: An IT Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Looks at the fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives

The four domains: Planning; Acquiring & Implementing; Delivery & Support; Monitoring
The seven information criteria: Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

COBIT: An IT Control Framework
Recent COBIT developments added a management and governance layer, providing management with a toolbox containing:
• Performance measurement elements (outcome measures and performance drivers for all IT processes)
• A list of critical success factors that provides succinct, nontechnical best practices for each IT process
• A maturity model to assist in benchmarking and decision-making for control over IT

IT Governance Defined (1)
Several definitions with common elements:
• Responsibility of the board of directors
• Protects shareholder value
• Ensures risk transparency
• Directs and controls IT investment, opportunity, benefits and risks
• Aligns IT with the business while accepting that IT is a critical input to and component of the strategic plan, influencing strategic opportunities
• Sustains the current operation and prepares for the future
• Is an integral part of a global governance structure

IT Governance Defined (2)
IT governance, like other governance subjects, is the responsibility of executives and shareholders (represented by the board of directors). It consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

IT Governance Framework
Governance cycle: set measurable goals → deliver results → measure performance → compare against the goals → act if not aligned

IT Governance Framework
Provide direction / set objectives:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately

IT activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)

Measure performance and compare it against the objectives.

IT Governance Activities & Subjects
IT Governance Activities (B = board, M = management)

Activity                                                      Board and/or Management   Activity type
Become informed of role and impact of IT on the enterprise    B/M                       Plan
Set direction and expected return                             B                         Direct
Determine required capabilities and investments               M                         Plan
Assign responsibilities                                       B/M                       Direct
Sustain current operations                                    M                         Organise
Make transformation happen                                    B/M                       Direct
Define constraints within which to operate                    B                         Direct
Acquire and mobilise resources                                M                         Organise
Measure performance                                           B                         Control
Manage risk                                                   B/M                       Control
Obtain assurance                                              B                         Control

IT Governance Activities & Subjects
IT Governance Subjects
• The objectives of information technology, how it:
  • Improves cost-efficiencies
  • Creates revenue enhancement
  • Supports the building of new capabilities
  • Enables core business processes
  • Enables new business models
• The opportunities and risks of new technology:
  • Internet and intranet
  • E-commerce
  • Mobile computing
  • Workflow technology
  • Knowledge systems, etc.
• The key processes and core competencies:
  • The return on investment of IT projects and initiatives, and how they deliver against expectations
  • Performance of IT services against service level agreements
  • IT risks, asset protection and information security
  • IT acquisition and outsourcing strategies
  • Important IT processes such as change, application and problem management
  • Core IT competencies: planning, support, operations, project management, knowledge management
  • Ethical behavior, data privacy and fraud prevention

IT Alignment
The board should drive business alignment by:
• Ascertaining that the IT strategy is aligned with the business strategy
• Ascertaining that IT delivers against the strategy through clear expectations and measurement
• Directing IT strategy to balance investments between supporting and growing the enterprise
• Making considered decisions about where IT resources should be focused

Diagram labels: Business Strategy; Business Operations; Alignment Activities; IT Strategy; IT Operations.

“IT alignment is a journey, not a destination.”

IT Value Delivery
The board should drive alignment to ensure that IT delivers value:
• With the business strategy focusing on competitive advantage, elapsed time for order/service fulfillment, customer satisfaction, customer wait time, employee productivity and profitability
• Supported by an IT strategy that delivers on time, within budget and with the benefits that were promised

“IT value is in the eye of the beholder.”

IT Risk Management
The board should manage enterprise risk by:
• Ascertaining that there is transparency about the significant risks to the organisation
• Being aware that the final responsibility for risk management rests with the board
• Being conscious that risk mitigation can generate cost-efficiencies
• Considering that a proactive risk management approach creates competitive advantage
• Insisting that risk management is embedded in the operation of the enterprise

“It is the IT alligators you do not see that will get you!”

IT Risk Management
Risk management expands….
• Risk allocation - contracts, SLAs, etc.
• Risk mitigation - security & control practices
• Risk transfer - insurance & liability
• Risk assurance - audit & certification
• Risk acceptance - formal, transparent

IT Balanced Scorecard
Diagram: IT goals and measures in four perspectives (Financial, Customer, Process, Learning), each with its own goals and measures, together with an Information element.

“If you are playing the enterprise game and not keeping IT’s score, you are only practising.”

IT Balanced Scorecard: Example IT Measures
Financial
• # of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee

Customer
• Level of service delivery up
• Satisfaction of existing customers
• # of new customers reached
• # of new service delivery channels

Process
• Availability of systems & services
• Developments on schedule & budget
• Throughput & response times
• Amount of errors and rework

Learning
• Staff productivity & morale
• # of staff trained in new techno/services
• Value delivery per employee up
• Increased availability of knowledge systems

(The scorecard diagram also carries an Information element.)

An IT scorecard is one of the most effective means to achieve IT and business alignment.

Scorecard Objectives
• Demonstrate the value added by the IT organisation
• Establish a balanced set of measures for determining the effectiveness of the IT organisation
• Set guidelines for creating the IT strategic plan and linking it into operational plans
• Communicate and motivate IT performance in key areas as required by the business and its stakeholders
• Establish a framework for IT management reporting

Approval of an IT scorecard by key stakeholders should be considered an IT governance best practice.
From Ron Saull, CIO, InvestorsGroup, Ca

Information Security
Some practices for the board room:
• Know what questions to ask
• Know what is needed
• Raise the awareness at the top
• Have clarity of purpose
• Measure your performance
• Keep on doing it

Information Security
Some questions for the board room:
• Would people recognise a security incident when they saw one? Would they ignore it? Would they know what to do about it?
• Does anyone know how many computers the company owns? Would management know if some went missing?
• Does anyone know how many people are using the organisation’s systems? Does anybody care whether they are allowed or not, or what they are doing?
• Did the company suffer from the latest virus attack? How many did it have last year?
• What are the most critical information assets of the enterprise? Does management know where the enterprise is most vulnerable?
• Is management concerned that company confidential information can be leaked?
• Has the organisation ever had its network security checked by a third party?
• Is IT security a regular agenda item on IT management meetings?

IT Security Requirements
Business drivers:
• Shorter business cycles
• Need to involve/connect/tie in with more partners
• Network centric business models
• Leverage VPN, remote access, collaborative tools

Technology drivers:
• Manage risk: Internet - UNIX - TCP/IP; more hackers, more tools
• Leverage opportunities: e-cash, e-commerce, e-tc.; open, modular, scalable

Requirements:
• Managing networked c/s systems
• “Provenance” control
• Non-sharable info
• Profiling users
• Trust….

Increased dependency on IT; security a commodity.

IT Security Awareness
How to sell to top management: different styles depending on function
• FUD
• Cost reduction
• Responsibility
• Differentiator
• Cost of security
• Strategic approach - benchmark - gap analysis - choices

Cost of IT Security
Chart labels: Leadership; Industry reference site; Benchmarking; Good practice; Cost of noncompliance; Baseline operation; “Cowboy” operation. Values shown: 5 - 10%, 20 - 25%, 45 - 50%, 55%.

Cost of security and control vs. IT budget = driver for change

IT Security Performance
Assessment areas and weights (total 100):
1. Policies & procedures (10)
2. Security management (10)
3. Human behaviour & culture (20)
4. Application security (20)
5. System access control (20)
6. Network segregation (20)
Further chart labels: Process; Tools & Technology.

Legend for ranking used (0 to 5):
5 - Excellent: best possible, highly integrated
4 - Very good: advanced level of practice
3 - Good: moderately good level of practice
2 - Fair: some effort made to address issues
1 - Poor: recognise the issues
0 - Very poor: complete lack of good practice

Legend for symbols used: average of best security performers in the financial industry (beginning of ’96); company status, Feb ’97; company objective for 2001.

Trend chart: overall score, 1996 to 2001, on a 0 to 100 scale; data labels shown: 42, 48, 64, 76, 88, 92, 96.

IT Security is a Continuous Effort
Cycle around security management:
• Issue security policy
• Design security defenses
• Perform active monitoring
• Perform intrusion testing

IT Governance Summarized
Objectives:
• To understand the issues and the strategic importance of IT
• To ensure that the enterprise can sustain its operations
• To ascertain that it can implement the strategies required to extend its activities into the future
• Ensuring that expectations for IT are met and IT risks are mitigated
• Within broad governance arrangements that cover relationships between the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
  • The entity's overall objectives are set
  • The method of attaining those objectives is outlined
  • The manner in which performance will be monitored is described

Become Informed About:
• Business and IT performance measures
• Business and IT outcome drivers
• IT strategic and alignment issues
• Best practices in IT governance
• Questions boards and management should ask

Board Briefing on IT Governance
Table of Contents
Executive Summary
1. What Is IT Governance?
2. Why Is IT Governance Important?
3. Who Does It Concern?
4. What Can They Do About It?
  4.1 How Should the Board Address these Challenges?
  4.2 How Should Executive Management Address the Expectations?
5. What Does It Cover?
  5.1 IT Strategic Alignment
  5.2 IT Value Delivery
  5.3 Performance Measurement
  5.4 Risk Management
6. What Questions Should Be Asked?
7. How Is It Accomplished?
8. How Does Your Organisation Compare?
9. What Do Regulatory and Standards Bodies Say?
Appendix A. IT Governance Checklist
Appendix B. Board Action Plan
Appendix C. Management Action Plan
Appendix D. IT Governance Maturity Model
Appendix E. The Emerging Enterprise Model
Appendix F. Regulatory Reports on Governance
References

IT Governance Toolkit
Diagram labels: Activities (who, how); Subjects of attention (IT & business objectives; core IT competencies; business & technology developments); Best practices; Critical success factors; Measurement (performance, results).
Legend: V = IT Value Delivery; A = IT Strategic Alignment; R = Risk Management; P = Performance Measurement

Information Security Governance: Guidance for Boards of Directors and Executive Management
Table of Contents
Purpose and Structure of Document
Information Security Governance: A Primer for Boards of Directors and Executive Management
1. The Background to Information Security Governance
2. What Is Information Security?
3. Why Is Information Security Important?
4. Who Should Be Concerned With Information Security Governance?
5. What Should the Board and Management Do?
  Understand Why Information Security Needs to be Governed
  Ensure It Fits in the IT Governance Framework
  Take Board Level Action
  Take Management Level Action
6. What Are Some Thought-Provoking Questions to Ask?
  To Uncover Information Security Issues
  To Find Out How Management Addresses the Information Security Issues
  To Self-assess Information Security Governance Practices
7. What Should Information Security Governance Deliver?
  Strategic Alignment
  Value Delivery
  Risk Management
  Performance Measurement
8. What Can Be Done to Successfully Implement Information Security Governance?
  Questions for Directors
  Questions for Managers
  Adopt Best Practices
  Consider Critical Success Factors
  Introduce Performance Measures
9. How Does My Organisation Compare?
10. What Do Regulatory and Standards Bodies Say?
References

Conclusions
• IT is an integral part of the business
• IT governance is an integral part of corporate governance

IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
info@isaca.org
www.isaca.org
www.ITgovernance.org

This information is provided for the educational use of ISACA members and chapters only. It is copyrighted by the Information Systems Audit and Control Association. Any commercial use by chapters, members or non-members is strictly forbidden.


				