1. IT Governance In Higher Education What is it, and how does it benefit your Institution? Pre-Conference Seminar June 23, 2007

2. James Yung,CISA Associate Director, IS Audit Harvard University Risk Management and Audit Services Presenter 3. Agenda

What is IT Governance

IT Governance at Harvard University

CoBIT in Assessing IT Governance at Harvard

4. Questions

What does IT Governance mean to you?

Is IT Governance happening in your university?

What are your key challenges in IT Governance?

5. How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER:Inefficiently, ineffectively and not as well as they should. ~ Source: Educause IT Governance in Higher Education 2006 ~ 6. What is IT Governance?

Its about organization leadership

Decision making that leads to better alignment of IT and the business

IT delivering more business value

IT resources are used responsibly

IT risks are managed appropriately

7.

Enterprise governanceis a set of responsibilities and practices exercised by the board and executive management with the goals of:

• Providingstrategic direction

• Ensuring thatobjectivesare achieved

• Ascertaining thatrisksare managed appropriately

• Verifying that theenterprises resourcesare used responsibly

• Enterprise Governance

2007 IT Governance Institute 8.

Enterprise governance is about :

Conformance

• Adhering to legislation, internal policies, audit requirements, etc.

Performance

• Improving profitability, efficiency, effectiveness, growth, etc.

• Enterprise Governance Drives IT Governance

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board. Performance Conformance 2007 IT Governance Institute 9.

IT governanceis:

The responsibility of the board of directors and executive management

Anintegral partof enterprise governance, consisting of the leadership, organizational structures and processes that ensure that theenterprises IT sustains and extends the organizations strategies and objectives

• IT Governance, as Defined by IT Governance Institute (ITGI)

64% Doing something about it 42% Notdoingsomething about it 2003 2005 Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005 36% 58% 2007 IT Governance Institute PERFORMANCE MEASUREMENT RESOURCE MANAGEMENT RISK MANAGEMENT VALUE DELIVERY STRATEGIC ALIGNMENT www.itgi.org www.itgi.org 10.

• IT Governance Domain

Value delivery Focuses on ensuring thelinkage of business and IT plansand onaligning IT operations with enterprise operations IT delivers thepromised benefits against the strategy , concentrating on optimizing costs and proving the intrinsic value of IT Is about theoptimal investment in , andthe proper management of ,critical IT resources : applications, information, infrastructure and peopleSenior management,appetite for risk ,compliance requirements , transparency about the significant risks to the organisation Tracks and monitors strategy implementation, project completion, resource usage, process performance and service deliveryto achieve goals measurable beyond conventional accounting Performancemeasurement Risk management Resourcemanagement Strategicalignment 2007 IT Governance Institute 11. 2007 IT Governance Institute

• IT Governance Stakeholders

Business management Set direction for IT, monitor results and insist on corrective measures Defines business requirements for IT and ensures that value is delivered and risks are managed Delivers and improves IT services as required by the business Provides independent assurance to demonstrate that IT delivers what is needed Measures compliance with policies and focuses on alerts to new risks Risk andcomplianceIT audit IT management Board andexecutive 12. IT Governance at Harvard 13. Harvard University Facts

12 Schools

143 Research and Academic Centers

Approximately 7,000 Undergraduate and 13,000 Graduate Degree Candidates

More than 19,000 Faculty and Staff

$25B Endowment

$623M Sponsored Research

$2.7B Operating budget

14. IT Governance Risks at Harvard

Wrong IT strategy precludes growth and operational sustainability

False starts and wasted resources (i.e. money, time and productivity)

Short-sighted planning

Fragmented IT planning

High project implementation failure rates

Lack of disaster recovery planning

15. Why Audit IT Governance at Harvard

IT is strategic and critical to the university reputation and success

Compliance with numerous regulations (FERPA, HIPAA, GLB, PCI, etc.) depends on effective IT controls

Expectation and reality often dont match

IT had not received the attention it deserves

16.

• The Need for IT Governance at Harvard

KeepingIT Running Security Value/Cost ManagingComplexity Aligning IT withBusiness RegulatoryCompliance

• Millions of dollars on IT spending

• Decentralized IT computing and Business operations

• Increasing numbers of severe security breaches

• IT ability to scale and sustain operation

• Various IT delivery models

• Regulatory compliance SAS 112, FERPA, HIPAA, GLB, PCI, etc.

17.

IT strategy is aligned with school strategy

Schools and IT are effectively communicating

The organization is structured to facilitate theimplementation of its strategy and goals

Risks and opportunities are effectively managed

Performance against objectives are transparent

Stakeholders need to know that: 18. Risk Management and Audit Services Mission To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the Universitys Business Practices and Academic and Research Activities 19. RMAS Organization 20. System Base Audit Integrated Audit IT Governance Audit Level of Complexity Value Add Evolution of RMAS IS AuditLow High Tactical Strategic

Objective is to audituniversity critical systems based on high, medium or low risk criteria.

Audit of network, servers, access controls, change controls, BCP/DR

Objective is to assure information technology controls are enabled tosupport the business process.

Audit of applications, servers, access controls, change controls, BCP/DR

Objective is to ensure IT strategy is aligned with business objectives.

Audit IT processes, management policy, procedures and compliance.

Audit IT internal controls and security management.

20062000 Pre-2000 21. CoBIT and IT Governance Control Objectives IT (CoBIT) is an International standard in directing and controlling an enterprises information technology.CoBIT sets the standards of measuring IT Governance process maturity.

Plan and Organize

Acquire and Implement

Delivery and Support

Monitor and Evaluate

Process Maturity Domain IT Processes Business Requirements IT Resources Basic CoBIT Principle 22. Benefits of CoBIT

CoBIT offers an IT Governance Auditing Framework

Internationally recognized standard for best management practices and processes

IT risks and IT controls are easily communicated to IT and non-IT professionals

23. C OBI T Framework

The C OBI T framework was created with the main characteristics:

• Business-focused

• Process-oriented

• Controls-based

• Measurement-driven

2007 IT Governance Institute C OBI T Framework Characteristics 24. PERFORMANCE:Business Goals CONFORMANCE Basel II, Sarbanes- Oxley Act, etc. Enterprise Governance IT Governance ISO9001:2000 ISO 17799 ISO20000 Best Practice Standards QA Procedures Processes and Procedures DriversC OBI T COSO SecurityPrinciples ITIL BalancedScorecard

• Where Does C OBI T Fit?

2007 IT Governance Institute 25. CoBIT Approach In AssessingIT Governance At Harvard 26. Background

A major premier school in transition:

• New Dean

• Changes in academic curriculum

• Aggressive recruitment of faculty

• Campus expansion and facility improvements

• Decentralized to centralized IT operations

27.

Focus within two primary areas:

IT Governancethat assessed technology organizations performance against its responsibilities of delivering efficient and quality IT services measured against the Schools overall strategic business objectives

IT Assessmentthat evaluated the processes and systems of internal control and compliance

Assessing IT Governance Detailed review of the school IT Governance and internal controls within Information Technology Services. 28. Audit Approach Identify Business GoalsIT GoalsKey IT processes and Key IT resources Identify Control Objectives

Perform risk assessment

Identify risks

Inquire and confirm

Inspect (walk-through and review)

Observe

Sampling and analyze

Planning Scoping Testing 29. 2007 IT Governance Institute IT Governance Audit ObjectivesEffectiveness Information beingrelevant and pertinentto the business process as well as beingdelivered in a timely, correct, consistent and usablemanner Efficiency Provision of information through theoptimal(most productive and economical )use of resources Confidentiality Theprotection of sensitive informationfrom unauthorised disclosure Integrity Relates to theaccuracy and completenessof information Availability Information being available when required by the business process now and in the future;it also concerns the safeguarding of necessary resources and associated capabilities Compliance Complying with those laws, regulations and contractual arrangementsto which the business process is subject, i.e., externally imposed business criteria as well as internal policies Reliability The provision ofappropriate information for management to operate the entityand to exercise its fiduciary and governance responsibilities 30.

IT Governance

IT Enterprise Strategy

Steering Committee effectiveness

IT Budgeting & Investments

Identification & Prioritization IT initiatives

IT Performance Metrics

Incident Response, support calls & problem management

IT Controls

Change Mgmt Framework

Project Mgmt

System Development Life Cycle

Incident Response

Mgmt of Third-Party Vendors Contracts

Business Continuity/Disaster Recovery

Data Center

Scope of Work Observations andRecommendations Risk Analysis

ITS

Office of Academic Affairs

Student Office

Office of Administration

Faculty

IT Steering Committee

Approach IT Audit IT Governance Process Strategy Controls InterviewsDocumentation

Organizational charts

ITS Budgets

Third-party Contracts

Helpdesk Reports

Project Logs

Training Materials

Policy and Procedures

Communications

31. CoBIT Four IT Process Domains

Plan and Organize

Acquire and Implement

Delivery and Support

Monitor and Evaluate

Business Requirements IT Resources 32. 2007 IT Governance Institute

• Objectives:

• • Planning, communicating and managing the realization of the strategic vision

• • Implementing organizational and technological infrastructure

• Scope:

• • Is the enterprise achieving optimum use of its resources?

• • Does everyone in the organization understand the IT objectives?

• • Is the quality of IT systems appropriate for business needs?

Plan and Organize (PO) PO1 Define a strategic IT plan. PO2 Define the information architecture. PO3 Determine technological direction. PO4 Define the IT processes, organizationand relationships. PO5 Manage the IT investment. PO6 Communicate management aims anddirection. PO7 Manage IT human resources. PO8 Manage quality. PO9 Assess and manage IT risks. PO10 Manage projects. Plan and Organize 33. 2007 IT Governance Institute

• Objectives:

• • Identifying, developing or acquiring, implementing, and integrating IT solutions

• • Changes in and maintenance of existing systems

• Scope:

• • Are new projects likely to deliver solutions that meet business needs?

• • Are new projects likely to be delivered on time and within budget?

• • Will the new systems work properly when implemented?

Acquire and Implement (AI) AI1 Identify automated solutions. AI2 Acquire and maintain applicationsoftware. AI3 Acquire and maintain technologyinfrastructure. AI4 Enable operation and use . AI5 Procure IT resources. AI6 Manage changes. AI7 Install and accredit solutions andchanges. Acquire and Implement (AI) 34. 2007 IT Governance Institute Deliver and Support (DS)

• Objectives:

• • The management of security, continuity, data and operational facilities

• • Service support for users

• Scope:

• • Are IT services being delivered in line with business priorities?

• • Is the workforce able to use IT systems productively and safely?

• • Are adequate confidentiality, integrity and availability in place?

DS1 Define and manage service levels. DS2 Manage third-party services. DS3 Manage performance and capacity. DS4 Ensure continuous service. DS5 Ensure systems security. DS6 Identify and allocate costs. DS7 Educate and train users. DS8 Manage service desk and incidents. DS9 Manage the configuration. DS10 Manage problems. DS11 Manage data. DS12 Manage the physical environment. DS13 Manage operations. Deliver and Support 35. 2007 IT Governance Institute Monitor and Evaluate (ME)

• Objectives:

• • Performance management

• • Monitoring of internal control

• Scope:

• • Is ITs performance measured to detect problems before it is too late?

• • Does management ensure that internal controls are effective and efficient?

• • Can IT performance be linked to business goals?

• • Are risk, control, compliance and performance measured and reported?

ME1 Monitor and evaluate IT performance. ME2 Monitor and evaluate internal control. ME3 Ensure compliance with external requirements. ME4 Provide IT governance. Monitor and Evaluate 36. Align Business Goals with Key IT Goals 37. School Harvard Target IT Governance Maturity Benchmark 1.5

Using CoBITs Maturity Benchmark, ITS scored a 1.5, which is estimated to be in line with Harvard Universitys other IT organizations.

• School can gain significant benefits in operational efficiencies (i.e.productivity), effectiveness (i.e. operational costs) and compliance by operating within a target maturity level rating of 3.0.

• Five Key IT Governance recommendations were identified to help the school to achieve the goals of reaching maturity level of 3.0.

38. Key Recommendations Listed in priority order:

IT Governance recommendations will require the Schools senior leadership teams involvement, as it ultimately set the strategic direction.

*IT Control recommendations are the responsibility of the CIO.

39. Benefits to the Auditee

Clearly communicate who is accountable for decisions in academic and administrative computing

Foster true partnership between IT and business leaders

Clarify IT decision-making roles and responsibilities

Strengthen general IT controls and security

40. Lessons Learned

Auditing IT governance involves interaction at every level of the organization leadership and internalexternal stakeholders

IT governance scope must be clear and concise

Appropriate risk and controls must be identified

IT governance should be conducted with a senior auditor with appropriate consultative skill sets

Internal audit plays a critical role in IT governance

IT GOVERNANCE AUDIT IS NOT FOR FAINT-HEARTED 41. Questions 42. References IT Governance Institute -http://www.itgi.org/ ISACA -http://www.isaca.org / IT Audit -http://www.theiia.org/itaudit/