Date post: | 15-Oct-2015 |
5/25/2018 M101 Understanding IT Governance - Davis
1/49
TCTC 2013, Albany, NY, March 18, 2013
2013 Peter Davis+Associates 1
Understanding IT Governance
Peter T. Davis, CISA, CISSP, CMA, CSP, CMC, CWNA, CISM, COBIT FC, ITIL FC, PMP, SSGB, CGEIT, PRINCE2 FC, ISO 27001 LI/LA, ISO 20000 FC, ISO 22301 FC, ISO 27005/31000 RM
Principal, Peter Davis+Associates ([email protected])
www.pdaconsulting.com
(v) 416-907-4041
(f) 416-907-4851
Peter T. Davis
IT Governance consulting
CISA, CISSP, CMA, CMC, CISM, COBIT 5 FC, ITIL FC, PMP, SSGB, CGEIT, PRINCE2 FC, ISO 27001 LI/LA, ISO 20000 FC, ISO 27005/31000 RM
29 years IT security and audit experience
Authored/co-authored 12 books
International Who's Who of Professionals
Agenda
What is Governance & IT Governance?
Why is IT Governance important?
How does IT Governance help management?
What are the various methodologies?
How do they fit together?
Governance
The Need Defined: Control and Governance Framework
Standards: Committee of Sponsoring Organizations of the Treadway Commission (COSO)
To discharge its responsibilities and achieve its objectives, management must establish an adequate system of internal control. This control system or framework must be in place to support business requirements for effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations.
COSO Framework
(The eight components below are those of COSO's Enterprise Risk Management Integrated Framework, 2004; the original COSO internal control framework has five.)
Internal Environment: The control environment sets the tone of an organization, influencing the control and risk consciousness of its people
Objective Setting: Forms the risk appetite of an organization
Event Identification: Differentiates risks and opportunities and identifies events that affect meeting objectives
Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
Risk Response: Identifies and evaluates possible responses to risk: avoid, mitigate, transfer or accept risk
Control Activities: The policies and procedures that help ensure management directives are carried out
Information and Communication: Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time
All components must be in place and working for internal control to be effective!
www.coso.org
Components of Internal Control
COSO categories:
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information/communication
Monitoring
How do these apply to IT?
Internal Environment
Organization structure
Control framework
Organization policies and procedures
External influences
Organization Structure
Defines managers' responsibility for:
Decision making
Establishing company policy
Sets the limits of such authority
Control Framework
Segregation of duties
Competence and integrity of employees
Appropriate level of authority and responsibility
Accountability
Adequate resources
Supervision of staff and review of work
Organization Policies and Procedures
Well-documented policies and procedures:
Scope of the function
Activities
Interrelationships
Policies define direction
Procedures define how to implement and follow policy
External Influences
Government requirements
Industry associations
Unions
Culture
Enterprise Governance (figure)
Enterprise governance (COSO) encompasses IT governance, fiduciary governance, HR governance and other governance (e.g. ISO 9000).
Enterprise Process Model (figure; source: APQC)
Enterprise Governance Drives IT Governance
Enterprise governance is about:
Conformance: adhering to legislation, internal policies, audit requirements, etc.
Performance: improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
Source: ISACA/ITGI
IT Governance
Today's New Business Environment
Growing demand for complex, sophisticated, customized supplies and services
Increased reliance on contractors for performance of mission-critical functions
Evolution of worldwide competitive markets
Today's New Business Environment
Results:
Increased complexity of supplies and services produced and purchased
Increased complexity in the processes used to produce and procure supplies and services
Need for sophisticated systems to control contract management processes and outputs
Forces Driving IT Governance (figure)
Compliance
Security
Business/IT alignment
ROI
Project execution
Why is IT Important?
Gartner reports that 97% of material weaknesses in internal controls can be mitigated through IT. American companies predict spending $27.3 billion on total compliance in 2006. Seventy-three percent of large enterprises regularly experience application downtime due to application infrastructure failure.
Source: IT Compliance Journal, Spring 2006
Why is IT Governance Important?
Huge investments and large risks
Increasing dependence on information, systems and communications
Increasing pressure to leverage technology in business strategies
Marginal ROI/productivity gains on technology investments
Dependence on entities beyond the direct control of the enterprise; e.g., extranets and outsourcing
Increasing impact of IT failures on reputation and enterprise value
Potential for technologies to dramatically change organizations and business practices, create new opportunities and reduce costs
Why is IT Governance Important?
Need to build and maintain knowledge essential to sustain and grow the business
Growing complexity of IT environments
Fragmented IT infrastructures
Demand for technologists outstripping supply
Communication gap between business and IT managers
IT service levels that are disappointing
IT costs perceived to be out of control
Impaired organizational flexibility and nimbleness to change
User frustration leading to ad hoc solutions
IT managers operating like fire-fighters
IT Management's Challenge
Expectations:
Deliver results in ever-shortening timeframes
Deliver more functionality for less cost (usually including fewer resources)
Provide a better service while reducing operational costs
Keep everything under control in riskier environments, 24x7
Global Status Report on the Governance of Enterprise IT (GEIT) 2011 (two figure slides)
IT Management's Challenge
Reality:
Executive management doesn't always understand IT or its operation
An "us versus them" attitude has led to breakdowns in teamwork and communications
IT finds it difficult to prioritize: everyone wants Class A service
Poor management reporting can hide good IT service
Poor client-facing functions (service desk, user support, project management) can ruin IT's reputation
IT infrastructure has become chaotic and fragmented
Little or no budget for investment in underlying IT processes and resources
Typical Pain Points
Failed IT initiatives
Rising costs
Perception of low business value for IT investments
Significant incidents related to IT risk (e.g. data loss)
Service delivery problems
Failure to meet regulatory or contractual requirements
Audit findings for poor IT performance or low service levels
Hidden and/or rogue IT spending
Resource waste through duplication or overlap in IT initiatives
Insufficient IT resources
IT staff burnout/dissatisfaction
IT-enabled changes frequently failing to meet business needs (late deliveries or budget overruns)
Multiple and complex IT assurance efforts
Board members or senior managers that are reluctant to engage with IT
Source: ISACA, 2012
Relevant Trigger Events
Merger, acquisition or divestiture
Shift in the market, economy or competitive position
Change in business operating model or sourcing arrangements
New regulatory or compliance requirements
Significant technology change or paradigm shift
An enterprise-wide governance focus or project
A new CIO, CFO, COO or CEO
External audit or consultant assessments
A new business strategy or priority
By using pain points or trigger events as the launching point for IT governance initiatives, the business case for GEIT improvement can be related to issues being experienced, which will improve buy-in to the business case.
Source: ISACA, 2012
IT Governance
"A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes."
COBIT Framework, 3rd Edition, July 2000, page 5
What is IT Governance?
"IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals."
Robert Roussey, CPA, President of ISACA and ITGI, 2002/2003
Why Does IT Need a Control and Governance Framework?
Emerging Regulations:
Overall seek greater assurance on internal control
Stress governance and the responsibility of directors regarding internal control
Reluctantly accept the pervasiveness and importance of IT; to be integrated in all standards
Hesitantly go beyond financial risk, towards risks that adversely affect the entity's ability to achieve its objectives and execute its strategies
Define expected audit steps
Start setting requirements and expectations for SMEs
Why Does IT Need a Control and Governance Framework?
Emerging Management Practices:
Emergence of IT Governance
A structure of relationships and processes to direct and control the enterprise to achieve the enterprise's goals by adding value while balancing risk vs. return over IT and its processes
Increased IT Manageability
New tools that allow management to self-assess and make choices for control implementation and improvements
Ability to align the IT organisation with the goals of the enterprise
Performance measurements that ensure that these goals are achieved
Principles of IT Governance (figure)
Direct and control
Responsibility
Accountability
Activities
Measures
Source: ISACA/ITGI
How IT Governance Helps
Responsibilities:
Ensures ownership by the Board and Executive Management of IT issues
Increases the understanding of IT significance to the business and the impact of potential risks
IT is no longer just the CIO's responsibility but is shared by the whole of management
Clarifies the CIO's role from a corporate perspective
How IT Governance Helps
Results:
Open dialogue on and shared activity for IT initiatives
Increased trust between the business and IT
Greater appreciation of IT needs, risks, and capabilities, resulting in better prepared strategies and plans
A collective and balanced approach to business needs and priorities
Increased transparency and understanding of actual performance and service levels
More focus on the internals of IT and the need to improve skills/processes/infrastructure
IT Governance
Ensures:
Joint responsibility for planning and executing IT in the business
Clearer understanding by all of objectives and expectations
Clearer visibility of issues and priorities
Transparency and better comprehension of IT activities and performance
IT Governance Delivers
Alignment of IT with business needs
Improved value delivery (operational and project)
Optimized costs
Management of IT-related risks
Improved quality of service
IT Governance
1. Strategic issues
I. Strategy and planning
II. Technology trends
III. Performance
IV. Personnel
2. Risk issues
V. Risks and controls
VI. Personal information privacy
VII. Availability
VIII. Legal issues
Strategy and Planning
1. Does management have a strategic plan?
2. Does the plan form the basis for annual and long-term plans and budgets and prioritization of IT projects?
The Relationship Between Business, IS & IT Strategies (figure)
Business strategy: business decisions, objectives and direction, change. Answers "Where is the business going, and why?" and gives direction for the business.
IS strategy: business based, demand orientated, application focused. Answers "What is required?" (needs and priorities) and supports the business.
IT strategy: activity based, supply orientated, technology focused. Answers "How can it be delivered?" (infrastructure and services).
Value is added at the business/IS strategy level; costs are incurred at the IT strategy level.
Technology Trends
1. Does management have appropriate procedures to ensure the organization is aware of technology trends?
2. Does management periodically assess trends and use them for re-positioning?
Performance
1. Have performance metrics and drivers been identified?
2. Are they monitored?
3. Are they benchmarked against industry standards?
4. Does the monitoring include third-party service providers?
Governance
1. Is there a steering committee?
2. Is one person tasked with governance?
3. Is this person placed high enough in the organization?
4. What procedures are in place to make sure the organization complies with all relevant laws?
Risk and Security
1. Does management periodically assess risks?
2. How does management ensure data integrity, including relevance, completeness, accuracy and timeliness, and its appropriate use within the organization?
3. Does management regularly review or audit systems and applications?
Personal Information Privacy
1. Is someone responsible for privacy?
2. Is the organization in compliance with laws and regulations?
Availability
1. Is there an adopted formal availability policy?
2. Have controls been put in to ensure availability?
3. Do you understand the impact of an interruption of service?
4. Is there a business continuity plan?
5. Is the plan tested?
Legal Issues
1. Have you considered and addressed legal implications pertaining to the use of software, hardware, service agreements and copyright laws?
Everyone Agrees on What's Important
1. Strategic alignment
2. Value delivery
3. Risk management
4. IT resource management
5. Performance measurement
Sources: AICPA/CICA, BS, CIO Magazine, Compass, CSC, Gartner, Giga, ISACA, Technology Council
Focus Areas of IT Governance (figure)
Stakeholder value drivers
IT strategic alignment
IT value delivery
Risk management
Performance measurement
IT resource management
Source: ISACA/ITGI
IT Governance Process (figure)
Stakeholder value drivers feed the strategy; processes consume resources (knowledge, capability, information, ...) and produce results (outcome, performance, risk, assets).
Source: ISACA/ITGI
IT/Enterprise Alignment (figure: alignment activities link enterprise strategy with IT strategy and enterprise operations with IT operations)
The Board should drive business alignment by:
Ascertaining that the IT strategy is aligned with the business strategy
Ascertaining that IT delivers against the strategy through clear expectations and measurement
Directing IT strategy to balance investments between supporting and growing the enterprise
Making considered decisions about where IT resources should be focused
Source: ISACA/ITGI
IT Supporting Strategic Objectives (figure: enterprise strategy drives business functions, application architecture, technical infrastructure, sourcing/staffing and funding)
Source: ISACA/ITGI
IT Governance Creates Benefit Over Time (figure)
Stakeholder value is plotted against time for each of: business support (aligned), service quality (better), cost (cheaper), delivery (faster) and IT risks (secure, controlled).
Ref: PricewaterhouseCoopers
Enterprise Governance Models (figure)
Enterprise governance: COSO/CoCo
IT governance: COBIT/ISO 38500
Fiduciary governance and other governance
Supporting standards and practices: ISO 27001, ISO 20000, ISO 15504, ITIL, ISO 9126, CMMI, ISO 12207, ISO 9001, TickIT, and other best practices
InfoSec management: ISO 27002
Frameworks Compared
Category / Focus / Examples
IT Governance. Focus: how to manage information and information and communications technology efficiently and effectively. Examples: AS8015-2005, ISO 38500, COBIT, Val IT
Information Management. Focus: how to perform and organize IT management, such as service delivery and support. Examples: ASL, BiSL, GFIM, ISPL, ITIL, OMMF
Enterprise Architecture. Focus: enterprise components, the externally visible properties of those components, and the relationships between them. Examples: E2AF, EABOK, EAMMF, FEAF, O-ESA, SABSA, TOGAF, Zachman
Quality Management. Focus: quality standards, applied to specific IT domains. Examples: EFQM, ISO 9001, ISO 20000, ISO 27001, ISO 28000, TQM
Quality Improvement. Focus: improvement of processes or performance. Examples: IT BSC, ITS-CMM, Six Sigma
Project Management. Focus: portfolio, program and project management. Examples: EVMBOK, IPMA Competence Baseline, MSP, PMBOK, PRINCE2
Risk Management. Focus: identifying and managing risk. Examples: AS/NZS 4360, COSO ERM, EBIOS, FAIR, ISO 27005, ISO 31000, M_o_R, OCTAVE, Risk IT
Why Good Practices are Important!
COBIT, ITIL, ISO 27001 and PRINCE2 are valuable to the ongoing growth and success of an organization because:
Companies are demanding better returns from IT investments
Best practices help meet regulatory requirements for IT controls
Organizations face increasingly complex IT-related risks
Organizations can optimize costs by standardizing controls
Best practices help organizations assess how IT is performing
Management of IT is critical to the success of enterprise strategy
They help enable effective governance of IT activities
A management framework helps staff understand what to do (policy, internal controls and defined practices)
They can provide efficiency gains, less reliance on experts, fewer errors, increased trust from business partners and respect from regulators
Why Good Practices are Important!
The need for internal controls typically requires that management select from a wide variety of well-established best practices
Good practices can help avoid re-inventing the wheel, optimize the use of scarce IT resources and reduce the occurrence of major IT risks, such as:
Project failures
Wasted investments
Security breaches
System crashes
Failures by service providers to understand and meet customer requirements
Process (figure: policy and standards govern a process whose activities turn input into output under measurement and control)
A process is a logically related series of activities intended to contribute towards reaching a defined objective
Process Owner: responsible for process results
Process Manager: responsible for realization and structure of the process; reports to the Process Owner
Process Operatives: responsible for defined activities; report to the Process Manager
Standards = KPIs
Processes are described using procedures and work instructions
ISO/IEC 15504, a.k.a. SPICE (Software Process Improvement and Capability dEtermination) (figure)
A process is examined by process assessment; the assessment identifies the capability and risks of the process (capability determination) and identifies changes to the process (process improvement). The remaining arrows in the figure are labelled "leads to".
Creating Value (figure, Crown copyright 2007)
Risk Analysis
Delivery risk
Not delivering required capabilities
Are we doing things the right way?
Are we getting them done well?
Benefit risk
Benefits not being obtained
Are we doing the right things?
Are we getting the benefits?
The Value Questions (figure)
The strategic question: Are we doing the right things? (benefit risk)
The architecture question: Are we doing them the right way? (delivery risk)
The delivery question: Are we getting them done well? (delivery risk)
The value question: Are we getting the benefits? (benefit risk)
COBIT 5
Issuer
ISACA (www.isaca.org/cobit) is the copyright holder and issuer of COBIT 5; earlier editions of the COBIT guidance were issued by its IT Governance Institute (ITGI, http://www.itgi.org)
The Evolution of COBIT 5 (figure)
COBIT 1 (1996): audit
COBIT 2 (1998): control
COBIT 3 (2000): management
COBIT 4.0/4.1 (2005/7): IT governance
COBIT 5 (2012): governance of enterprise IT, incorporating Val IT 2.0 (2008), Risk IT (2009) and BMIS (2010)
Source: ISACA, 2012
COBIT 5 Product Family (figure; source: ISACA, 2012)
COBIT 5 Process Reference Model (figure)
Where Does COBIT Fit? (figure)
Drivers: performance (business goals) and conformance (Basel II, Sarbanes-Oxley Act, etc.)
Enterprise governance: COSO, Balanced Scorecard
IT governance: COBIT
Best practice standards: ISO 9001, ISO 27001, ISO 20000
Processes and procedures: QA procedures, ISO 27002, ITIL 2011
Source: ISACA/ITGI
ITIL 2011
Issuer
IT Infrastructure Library (ITIL) is a collection of best practices and guidelines for IT service management and comprises a series of books on the quality provision of IT-related services
They are published and copyrighted by the UK's Cabinet Office (formerly CCTA and Office of Government Commerce)
See http://www.tsoonline.co.uk and http://www.get-best-practice.co.uk
What is ITIL?
A public framework that describes best practice in IT Service Management
Used to aid the implementation of a framework for IT Service Management
ITIL 2011 and V3 (2007) build on concepts from V1 and V2
Focuses on continual measurement and improvement of the quality of IT service delivered
ITIL Qualification Scheme (figure)
Service Lifecycle (figure, Crown copyright 2007)
Service Lifecycle: processes and functions by stage
Service Strategy: Strategy Management, Service Portfolio Management, Financial Management, Demand Management, Business Relationship Management
Service Design: Design Coordination, Service Catalog Management, Service Level Management, Availability Management, Capacity Management, Service Continuity Management, Information Security Management, Supplier Management
Service Transition: Transition Planning and Support, Change Management, Service Asset and Configuration Management, Release and Deployment Management, Service Validation and Testing, Change Evaluation, Service Knowledge Management
Service Operation: Event Management, Incident Management, Request Fulfillment, Problem Management, Access Management; functions: IT Operations Management, Technical Management, Application Management, Service Desk
Continual Service Improvement (CSI): 7-Step Improvement Process
Service Delivery Practices and Processes (figure)
The role of the ITIL framework is to describe approaches, functions, roles and processes on which enterprises may base their own practices
ISO 20000-1 vs. ITIL 2011

ISO 20000-1                                                                 | ITIL 2011
Prescriptive: defines what to do                                            | Descriptive: describes how to do it
International standard                                                      | Best practice
Certification for a service provider organization                           | Qualifications for individuals
Definitive high-level requirements for processes and the management system  | Detailed best practice guidance, description and implementation aids
Organization-structure independent, with very few mandatory roles specified | Defines many non-mandatory functions, processes, roles and responsibilities
16 processes, no functions, lifecycle not explicitly specified              | 26 processes and 4 functions documented in 5 lifecycle stages
Definitive set of required documents                                        | Description of key documentation
ISO/IEC 27000
ISO 27000
Published by the International Organization for Standardization (http://www.iso.org) jointly with the International Electrotechnical Commission
Is a standard and also a suite (family) of standards
Best known are ISO/IEC 27001 (ISMS requirements) and ISO/IEC 27002 (formerly ISO/IEC 17799)
ISO 27000 Series
ISO/IEC 27000:2009 Information security management systems -- Fundamentals and vocabulary
ISO/IEC 27001:2005 Specification for an Information Security Management System
ISO/IEC 27002:2005 Code of Practice for Information Security Management
ISO/IEC 27003:2010 Information security management system implementation guidance
ISO/IEC 27004:2009 Information security management -- Measurement
ISO/IEC 27005:2008 Information security risk management
ISO/IEC 27006:2007 Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27011:2008 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO 27799:2008 Information security management in health using ISO/IEC 27002
ISMS Standards
ISO/IEC 27001:2005 Requirements for Information Security Management Systems
ISO/IEC 27002:2005 Code of Practice for Information Security Management
Issuer
ISO/IEC 27002 Information Technology -- Code of Practice for Information Security Management was published by the International Organisation for Standardisation (http://www.iso.org) and the International Electrotechnical Commission (http://www.iec.org).
The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance.
ISO/IEC 27001:2005 Requirements
ISO/IEC 27001:2005 specifies the requirements for establishing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS)
A management system should balance physical, technical, procedural, and personnel security
Information security is a management process, not a technological process
Aligns with ISO/IEC 27002:2005: the control objectives and controls in its Annex A are drawn from ISO/IEC 27002
ISMS
(Figure: the ISMS model. Source: ISO/IEC 27001:2005)
ISO 27002 (formerly ISO/IEC 17799)
ISO/IEC 17799 Information Technology -- Code of Practice for Information Security Management was published by the International Organization for Standardization (http://www.iso.org) and the International Electrotechnical Commission (http://www.iec.org); it was renumbered ISO/IEC 27002 in 2007
The technical committee identified as ISO/IEC JTC1/SC27 WG1 is responsible for its maintenance
Part of the ISO 27000 series
ISO/IEC 27002:2005
Is intended for use as a reference document
Is based on good information security practices
Was developed by industry for industry
Is not used for assessment and registration (certification is against ISO/IEC 27001, not 27002)
Is not a technical standard
ISO 27002: The Dirty Dozen
1. Risk Assessment and Treatment
2. Security Policy
3. Security Organization
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Compliance
PRINCE2
PRINCE2 is a process-based approach to project management providing an easily tailored and scalable method for the management of all types of projects. The method is the de facto standard for project management in the UK and is practiced worldwide.
What is PRINCE2?
Formerly known as PRINCE (and PROMPT before that!): PRojects IN Controlled Environments
Introduced by central government because high-profile project failures were too common
Owned by the UK Cabinet Office
Launched in 1996 and currently in its 5th edition (2009)
It is a method for managing projects
It is part of the Cabinet Office's PPRM portfolio
It is process based
PPRM's Related Products
PRINCE2 Maturity Model (P2MM)
Portfolio, Programme and Project Office (P3O)
Gateway
PRINCE2 Structure
PRINCE2 Processes
Implementing an IT Governance Framework
Summary
To combat entropy, implement an IT Governance framework
Standards overlap
Use tools like the CCI (previously the UCP)
Work on processes, not solutions
Develop an action plan