© IT Management Consulting Ltd., London, +44-7798 527910 [email protected]
Implementing IT Governance Frameworks
within Regulated Institutions
Malta, 25th June, 2007
Dr. Martin Rosenberg, Program Director International, IT Management Consulting Ltd.
IT Governance Drivers
1. The pace of creating new regulations is increasing. Compliance is not going away!
2. Shift from tactical compliance efforts towards addressing multiple regulations
3. Compliance projects are costly and long; there is a need for standardization of controls and automation
4. Need to reduce compliance efforts from an end-to-end perspective by focusing on improved risk management and reliable corporate governance
5. Corporate governance depends on IT governance, which creates a common language across IT departments and business units, facilitates risk mitigation and benefits business performance
6. Auditor skills and relationships are not sufficient; availability of skills within accounting companies and IT is limited. Good IT governance is needed to facilitate auditing tasks
7. IT frameworks help develop IT governance policies and controls for different compliance requirements
8. Need to manage outsourcing, acquisitions and business performance
Sample of Regulations
• Euro-SOX (EU)
• EU Digital Signature Directive
• EU Data Protection Directive
• MiFID
• Basel II
• ISO Security Program Standards
• Payment Cards Data Security Standards
• etc.
IT Governance Definition
“IT Governance – A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.” source: ISACA
IT Governance Structure
IT Governance is NOT IT Management or IT Standards
Diagram: four governance activities (DECIDE, DIRECT, CONTROL, RISK MANAGE) applied to the IT Organization through POLICIES, PROCESSES, RELATIONSHIPS and MEASUREMENTS.
Multiple Lifecycles
Need both Lifecycle Mgmt and Governance to properly manage investments, assets and quality
Diagram: lifecycles for Business, Projects, Services, Assets, Applications, Infrastructure and Sourcing, each running through Plan, Build and Run phases.
Lifecycles evolve at a different pace and need synchronization.
Example: the Service Mgmt Lifecycle applies to multiple lifecycles.
Governing Lifecycles
IT Governance ties it all together and aligns with business goals
Diagram: governance activities (DECIDE, DIRECT, CONTROL, RISK MANAGE), exercised through POLICIES, PROCESSES, RELATIONSHIPS and MEASUREMENTS, span the Plan, Build and Run phases and cover IT Strategy, Architecture, Technical Direction, Program Mgmt, Investments and Resources.
Simplified View
IT Governance is not IT Processes Execution
Diagram: IT Management covers PLAN, BUILD and RUN; IT Governance covers DECIDE, DIRECT, CONTROL and RISK MANAGE.
IT Governance Focus Areas
Strategic Alignment: Ensuring the link of business and IT plans, defining the IT value proposition, aligning IT and business operations
Value Delivery: Executing the IT value proposition via the delivery cycle
Resource Management: Optimal investment in and management of critical IT resources
Risk Management: Understanding the enterprise’s appetite for risk and compliance requirements, implementing risk management responsibilities
Performance Measurement: Tracking and monitoring strategy implementation, project completion, process performance and service delivery (e.g. via balanced scorecards)
©2005 IT Governance Institute (ITGI), All rights reserved
IT Organization’s Process Groupings - Problem
IT Governance process groupings, with process examples:
Plan & Organize: Strategic IT plan; Info & Technical Architecture; Investments and Budgets; Program/Project Office
Develop, Acquire & Implement: Solutions/Applications Development & Acquisition; Projects & Enhancements & Maintenance
Deliver & Support: Service Delivery & Support; Operations; Vendor mgmt
Monitor & Evaluate: Performance Measurement; Compliance & Control
PROBLEM: Very Little or NO End-to-End Integration (Across the Board)
Multitude of IT Frameworks and Lack of Integration
Uncoordinated Commitment
Multiple, incompatible IT frameworks with diverse focus and purpose:
• Investment-centric
• Functionality-centric
• Service-centric
Diagram: Strategy, Development, Architecture, Operations, Outsourcers and Business Relations each served by a different framework (ISO 17799, ITIL, RUP, PMI/Prince2, TOGAF, Other…).
Different Views of IT Value through different Frameworks!
COBIT an Integrating end-to-end ‘Umbrella’ Framework for IT
Diagram: Corporate Governance (COSO) and IT Governance (COBIT), with COBIT acting as the umbrella over the best practice frameworks (ISO 17799, ITIL, TOGAF, PMI/Prince2, Other…) used across the Business Functions and the IT Function.
COBIT an Integrating end-to-end ‘Umbrella’ Framework for IT
Diagram: the IT Governance focus areas (Strategic Alignment, Value Delivery, Resource Mgmt, Risk Mgmt, Performance Mgmt) span Plan, Build and Run for Business, Projects and Architecture; best practice frameworks (examples) under COBIT: COSO, PMI/Prince2, TOGAF, ISO 17799, ITIL, CMM, Security Services.
COBIT: An Integrated Control Framework
Business-Focused, Process-Oriented, Control-Based, Measurement-Driven
Control, Alignment, Monitoring
©2005 IT Governance Institute (ITGI), All rights reserved
Process Oriented
Business & Governance Objectives drive the four COBIT domains, which produce INFORMATION:
PLAN AND ORGANIZE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define IT processes, org. & relationships
PO5 Manage the IT investment
PO6 Communicate mgmt aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
DELIVER AND SUPPORT
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
MONITOR AND EVALUATE
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance
©2005 IT Governance Institute (ITGI), All rights reserved
COBIT and ITIL mapping
Diagram: the COBIT IT Governance Framework domains (PLAN AND ORGANIZE, ACQUIRE AND IMPLEMENT, DELIVER AND SUPPORT, MONITOR AND EVALUATE) around INFORMATION, mapped to the ITIL Framework books: Business Perspective, Service Delivery, Service Support, Application Management, ICT Infrastructure Mgmt, Security Management.
A mapping document with COBIT V3 exists; the mapping with COBIT V4.0 is coming soon. See ITGI.
COBIT Framework Model (summary)
COBIT Framework provides well-defined links between: IT Governance Requirements, IT Processes and IT Controls
Top-Down Summary: the COBIT framework ties business requirements for information and governance to the objectives of the IT function; the COBIT process model enables IT activities and resources to be properly managed and controlled based on control objectives, and aligned and monitored using KGI and KPI metrics.
Bottom-Up Summary: IT resources are managed by IT processes to achieve IT goals that respond to the business requirements.
©2005 IT Governance Institute (ITGI), All rights reserved
COBIT Framework - Benefits
Benefits for Different Stakeholders:
Reduced Risk, Improved Efficiency, Predictability, Cost-efficient use of Resources
Executive Management - To obtain value from IT investments and balance risk and control investment in the IT environment
Business Management - To obtain assurance on the management and control of IT services provided by internal or third parties
IT Management - To provide the IT services that the business requires to support the business strategy in a controlled and managed way
Auditors - To substantiate their opinions and/or provide advice to management on internal controls
©2005 IT Governance Institute (ITGI), All rights reserved
COBIT – Widely Accepted IT Governance de facto standard
Selected as IT Governance framework and IT Internal Control framework by governments, commercial organizations and service providers (in 100+ countries)
Sample organizations:
• EU – European Commission
• Several Governments
• Quebec Auditor General
• Australian National Audit Office
• US Department of Defense
• US National Institute of Standards and Technology references COBIT
• U.S. House of Representatives adopts COBIT
• US Federal Financial Institutions Examination Council (FFIEC)
• Office of The State Auditor of Massachusetts
• National Association of State Chief Information Officers (NASCIO)
• Argentina and Uruguay governments
• Colombian Bank Regulatory Body
• Philippine Commission on Audit (COA) adopts COBIT
E.g. companies: DaimlerChrysler, Royal Philips Electronics
Implementing IT Governance
IT Governance Best Practices Implementation Methods:
• Portfolio Management
• Continuous Improvement
• Bottleneck Method
Diagram: Business Requirements, IT Processes and IT Resources.
IT Governance Implementation Method 1: Portfolio Management
IT Portfolio Management
• Selective governance processes implementation by populating and balancing portfolios (risks/returns, value):
• IT Initiatives Portfolio
• IT Investments Portfolio
• Program/Project Portfolio
• Services/Assets Portfolio
• Resource Management
E.g. the Services Portfolio is driven by overall IT Portfolio Management mapped to business drivers
Diagram: portfolios of Investments, Assets, Applications, Resources, Services and Projects evaluated on Risk, Return, Timing and Value.
IT Governance Implementation Method 2: Continuous Improvement
COBIT Maturity Levels
• Selective governance processes implementation through:
• IT Governance Assessment
• Decision on risk levels
• Investment decisions in security & controls
• Monitoring & Controlling
• Capability & Performance
Incremental Improvements -> Raising level of maturity
Maturity levels: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized
Percentages shown against the levels on the slide: 50%, 7%, 30%, 10%, 3%, ?%
IT Governance Implementation Method 3: The Bottleneck Method©
• Structured Quick-Wins method used by 7% of leading organizations
• Principle: “applying smallest change to get the biggest positive impact”
• Based on: systemic thinking, options analysis, emerging “people change techniques”
Diagram (What-If Analysis): Analyzing Potential Bottlenecks in activities, systems, skills, etc. by Dependencies, Timing, Risk and Value; Impact on Service Delivery; Impact on Business Drivers; Most Significant Bottleneck; Change Implementation.
The Bottleneck Method© Benefits
• Identifying “the weakest link”
• Prioritizing “first things first”
• Rapidly identifying hidden cost drivers and inefficiencies
• Enabling breakthrough improvements
Chart: Effectiveness/Savings over Time, Bottleneck Method versus Continuous Improvement.
Breakthrough Improvements
Fast-track effectiveness and cost savings compared with continuous improvement
Typical IT Governance implementation projects
• One Day COBIT Implementation Workshop. Deliverable: Generic or Customer Tailored Workshop
• IT Governance Assessment/Readiness (COBIT Based): 5 - 10 days. Deliverable: Assessed Governance maturity level
• All Governance Committees & Processes “Skeleton” Implementation: 4 – 6 weeks. Deliverable: High level E-to-E Governance structure
• Quick-wins Process Improvements (via ‘bottleneck method’) of selected processes: 1 - 1.5 month per 3 processes. Deliverable: fast-track governance maturity improvement
• Incremental Process Improvements (via continuous improvement) of selected processes: 3 – 6 month per 3 processes. Deliverable: next process maturity level
Business Focused: Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
©2005 IT Governance Institute (ITGI), All rights reserved
Current Enhancements to COBIT
• COBIT® Foundation Course
• IT Control Objectives for Sarbanes-Oxley
• COBIT® Security Baseline
• Aligning COBIT®, ITIL® & ISO 17799 for Business Benefit
• COBIT Mapping: Mapping ISO/IEC 17799:2000 With COBIT
• COBIT Mapping: Mapping SEI’s CMM for SW With COBIT
• COBIT Mapping: Mapping PMBOK© With CobiT 4.0
• COBIT Mapping: TOGAF With CobiT 4.0
• COBIT Mapping: Mapping ISO 17799:2005 With CobiT 4.0
• COBIT Mapping: Mapping PRINCE2 With CobiT 4.0