© IT Management Consulting Ltd., London, +44-7798 527910 [email protected] Implementing IT Governance Frameworks within Regulated Institutions Malta, 25th June, 2007 Dr. Martin Rosenberg Program Director International IT Management Consulting Ltd. www.mrosenberg.com [email protected]

Uploaded by ophelia-rice, posted 20-Jan-2016

Page 1: © IT Management Consulting Ltd., London, +44-7798 527910 governance@mrosenberg.com Implementing IT Governance Frameworks within Regulated Institutions

Implementing IT Governance Frameworks within Regulated Institutions

Malta, 25th June, 2007

Dr. Martin Rosenberg, Program Director International, IT Management Consulting Ltd.

[email protected]

Page 2: IT Governance Drivers

1. Pace of creating new regulations is increasing. Compliance is not going away!

2. Shift from tactical compliance efforts towards addressing multiple regulations

3. Compliance projects are costly and long, need for standardization of controls and automation

4. Need to reduce compliance efforts from end-to-end perspective by focusing on improved risk management and reliable corporate governance

5. Corporate governance depends on IT governance that creates a common language across IT departments and business units, facilitates risk mitigation and benefits business performance

6. Auditor skills and relationships not sufficient, limited availability of skills within accounting companies and IT. Good IT governance needed to facilitate auditing tasks

7. IT frameworks to help develop IT governance policies and controls for different compliance requirements

8. Need to manage outsourcing, acquisitions and business performance

Page 3: Sample of Regulations

• Euro-SOX (EU)
• EU Digital Signature Directive
• EU Data Protection Directive
• MiFID
• Basel II
• ISO Security Program Standards
• Payment Cards Data Security Standards
• etc.

Page 4: IT Governance Definition

“IT Governance – A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.” Source: ISACA

Page 5: IT Governance Structure

IT Governance is NOT IT Management or IT Standards

[Diagram: the governance activities DECIDE, DIRECT, CONTROL and RISK MANAGE act on the IT Organization through four structural elements: POLICIES, PROCESSES, RELATIONSHIPS and MEASUREMENTS]

Page 6: Multiple Lifecycles

Need both Lifecycle Mgmt and Governance to properly manage investments, assets and quality

[Diagram: Plan / Build / Run phases across the Business, Projects, Services, Assets, Applications, Infrastructure and Sourcing lifecycles]

Lifecycles evolve at a different pace and need synchronization

Example: the Service Mgmt Lifecycle applies to multiple lifecycles

Page 7: Governing Lifecycles

IT Governance ties it all together and aligns with business goals

[Diagram: the governance activities (DECIDE, DIRECT, CONTROL, RISK MANAGE), exercised through POLICIES, PROCESSES, RELATIONSHIPS and MEASUREMENTS, govern IT Strategy, Architecture, Tech. Direction, Program Mgmt, Investments and Resources across the Plan / Build / Run lifecycle]

Page 8: Simplified View

IT Governance is not IT Processes Execution

[Diagram: IT Management covers PLAN, BUILD and RUN; IT Governance covers DECIDE, DIRECT, CONTROL and RISK MANAGE]

Page 9: IT Governance Focus Areas

Strategic Alignment: Ensuring the link of business and IT plans, defining IT value proposition, aligning IT and business operations

Value Delivery: Executing IT value proposition via the delivery cycle

Resource Management: Optimal investment in and management of critical IT resources

Risk Management: Understanding the enterprise’s appetite for risk and compliance requirements, implementing risk management responsibilities

Performance Measurement: Tracking and monitoring strategy implementation, project completion, process performance and service delivery (e.g. via balanced scorecards)

©2005 IT Governance Institute (ITGI), All rights reserved

Page 10: IT Organization’s Process Groupings - Problem

[Diagram: IT Governance spans four process groupings, with process examples listed under each]

Plan & Organize. Process examples: Strategic IT plan; Info & Technical Architecture; Investments and Budgets; Program/Project Office

Develop, Acquire & Implement. Process examples: Solutions/Applications Development & Acquisition; Projects & Enhancements & Maintenance

Deliver & Support. Process examples: Service Delivery & Support; Operations; Vendor mgmt

Monitor & Evaluate. Process examples: Performance Measurement; Compliance & Control

PROBLEM: Very Little or NO End-to-End Integration (Across the Board)

Page 11: Multitude of IT Frameworks and Lack of Integration

Uncoordinated Commitment

Multiple, incompatible IT frameworks with diverse focus and purpose: Investment-centric, Functionality-centric, Service-centric

[Diagram: Strategy, Development, Architecture, Operations, Outsourcers and Business Relations each apply their own framework: ISO 17799, ITIL, RUP, PMI/Prince2, TOGAF, Other…]

Different Views of IT Value through different Frameworks!

Page 12: COBIT an Integrating end-to-end ‘Umbrella’ Framework for IT

[Diagram: Corporate Governance sits above IT Governance; COBIT acts as the umbrella over the Best Practice Frameworks (COSO, ISO 17799, ITIL, TOGAF, PMI/Prince2, Other…) that serve the Business Functions and the IT Function]

Page 13: COBIT an Integrating end-to-end ‘Umbrella’ Framework for IT (continued)

[Diagram: the IT Governance focus areas (Strategic Alignment, Value Delivery, Resource Mgmt, Risk Mgmt, Performance Mgmt) span Plan / Build / Run across Business, Projects, Architecture and Security Services; Best Practice Frameworks (examples): COSO, PMI/Prince2, TOGAF, ISO 17799, ITIL, CMM]

Page 14: COBIT: An Integrated Control Framework

Business-Focused, Process-Oriented, Control-Based, Measurement-Driven

Page 15: Control, Alignment, Monitoring

[Diagram, ©2005 IT Governance Institute (ITGI), All rights reserved]

Page 16: Process Oriented

[Diagram: Business & Governance Objectives drive the four COBIT domains, which deliver INFORMATION]

PLAN AND ORGANIZE
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine technological direction
• PO4 Define IT processes, org. & relationships
• PO5 Manage the IT investment
• PO6 Communicate mgmt aims and direction
• PO7 Manage IT human resources
• PO8 Manage quality
• PO9 Assess and manage IT risks
• PO10 Manage projects

ACQUIRE AND IMPLEMENT
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Enable operation and use
• AI5 Procure IT resources
• AI6 Manage changes
• AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Manage service desk and incidents
• DS9 Manage the configuration
• DS10 Manage problems
• DS11 Manage data
• DS12 Manage the physical environment
• DS13 Manage operations

MONITOR AND EVALUATE
• ME1 Monitor & evaluate IT performance
• ME2 Monitor & evaluate internal control
• ME3 Ensure regulatory compliance
• ME4 Provide IT governance

©2005 IT Governance Institute (ITGI), All rights reserved

Page 17: COBIT and ITIL mapping

[Diagram: the COBIT IT Governance Framework domains (PLAN AND ORGANIZE, ACQUIRE AND IMPLEMENT, DELIVER AND SUPPORT, MONITOR AND EVALUATE, delivering INFORMATION) mapped against the ITIL Framework books: Business Perspective, Service Delivery, Service Support, Application Management, ICT Infrastructure Mgmt, Security Management]

A mapping document with COBIT V3 exists, with COBIT V4.0 coming soon; see ITGI

Page 18: COBIT Framework Model (summary)

COBIT Framework provides well-defined links between IT Governance Requirements, IT Processes and IT Controls

Top-Down Summary: the COBIT framework ties business requirements for information and governance to the objectives of the IT function. The COBIT process model enables IT activities and resources to be properly managed and controlled based on control objectives, and aligned and monitored using KGI and KPI metrics.

Bottom-Up Summary: IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.

©2005 IT Governance Institute (ITGI), All rights reserved

Page 19: COBIT Framework - Benefits

Benefits for Different Stakeholders: Reduced Risk, Improved Efficiency, Predictability, Cost-efficient use of Resources

• Executive Management - To obtain value from IT investments and balance risk and control investment in IT environment

• Business Management - To obtain assurance on the management and control of IT services provided by internal or third parties

• IT Management - To provide IT services that the business requires to support the business strategy in a controlled and managed way

• Auditors - To substantiate their opinions and/or provide advice to management on internal controls

©2005 IT Governance Institute (ITGI), All rights reserved

Page 20: COBIT – Widely Accepted IT Governance de facto standard

Selected as IT Governance framework and IT Internal Control framework by governments, commercial organizations and service providers (in 100+ countries)

Sample organizations:
• EU – European Commission
• Several Governments
• Quebec Auditor General
• Australian National Audit Office
• US Department of Defense
• US National Institute of Standards and Technology (references COBIT)
• U.S. House of Representatives (adopts COBIT)
• US Federal Financial Institutions Examination Council (FFIEC)
• Office of The State Auditor of Massachusetts
• National Association of State Chief Information Officers (NASCIO)
• Argentina and Uruguay governments
• Colombian Bank Regulatory Body
• Philippine Commission on Audit (COA) (adopts COBIT)
• E.g. companies: DaimlerChrysler, Royal Philips Electronics

Page 21: Implementing IT Governance

IT Governance Best Practices Implementation Methods:
• Portfolio Management
• Continuous Improvement
• Bottleneck Method

[Diagram: Business Requirements, IT Processes and IT Resources]

Page 22: IT Governance Implementation Method 1: Portfolio Management

IT Portfolio Management
• Selective governance processes implementation by: populating and balancing portfolios (risks/returns, value)
• IT Initiatives Portfolio
• IT Investments Portfolio
• Program/Project Portfolio
• Services/Assets Portfolio
• Resource Management

E.g. Services Portfolio is driven by overall IT Portfolio Management mapped to business drivers

[Diagram: the Investments, Assets, Applications, Resources, Services and Projects portfolios balanced on Risk, Return, Timing and Value]

Page 23: IT Governance Implementation Method 2: Continuous Improvement

COBIT Maturity Levels
• Selective governance processes implementation through:
  • IT Governance Assessment
  • Decision on risk levels
  • Investments decisions in security & controls
  • Monitoring & Controlling
  • Capability & Performance

Incremental Improvements -> Raising level of maturity

Maturity levels: 0 Non-Existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimized

[Chart: percentages shown against the maturity levels; values as extracted: 50%, 7%, 30%, 10%, 3%, ?% (their assignment to individual levels is not recoverable from the text)]

Page 24: IT Governance Implementation Method 3: The Bottleneck Method©

• Structured Quick-Wins method used by 7% of leading organizations

• Principle: “applying smallest change to get the biggest positive impact”

• Based on: Systemic thinking; Options analysis; Emerging “people change techniques”

[Diagram: What-If Analysis -> Analyzing Potential Bottlenecks (Dependencies, Timing, Risk, Value) across Activities, Systems, Skills, etc. -> Impact on Service Delivery -> Impact on Business Drivers -> Most Significant Bottleneck -> Change Implementation]

Page 25: The Bottleneck Method© Benefits

• Identifying “the weakest link”
• Prioritizing “first things first”
• Rapidly identifying hidden cost drivers and inefficiencies
• Enabling breakthrough improvements

[Chart: Effectiveness/Savings against Time, comparing Continuous Improvement with the Bottleneck Method; the Bottleneck Method curve is labelled Breakthrough Improvements]

Fast-track effectiveness and cost savings compared with continuous improvement

Page 26: Typical IT Governance implementation projects

• One Day COBIT Implementation Workshop. Deliverable: Generic or Customer Tailored Workshop

• IT Governance Assessment/Readiness (COBIT Based): 5 - 10 days. Deliverable: Assessed Governance maturity level

• All Governance Committees & Processes “Skeleton” Implementation: 4 – 6 weeks. Deliverable: High level E-to-E Governance structure

• Quick-wins Process Improvements (via ‘bottleneck method’) of selected processes: 1 - 1.5 months per 3 processes. Deliverable: fast-track governance maturity improvement

• Incremental Process Improvements (via continuous improvement) of selected processes: 3 – 6 months per 3 processes. Deliverable: next process maturity level

Page 27: Backup Slides

Page 28: Business Focused: Information Criteria

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

©2005 IT Governance Institute (ITGI), All rights reserved

Page 29: Current Enhancements to COBIT

• COBIT® Foundation Course
• IT Control Objectives for Sarbanes-Oxley
• COBIT® Security Baseline
• Aligning COBIT®, ITIL® & ISO 17799 for Business Benefit
• COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT
• COBIT Mapping: Mapping SEI’s CMM for SW With COBIT
• COBIT Mapping: Mapping PMBOK© With CobiT 4.0
• COBIT Mapping: TOGAF With CobiT 4.0
• COBIT Mapping: Mapping ISO 17799:2005 With CobiT 4.0
• COBIT Mapping: Mapping PRINCE2 With CobiT 4.0