IT Governance for Business Optimisation

Mike Stephenson CISSP
CA Security Practice Ireland & UK

Nov 20, 2013

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Risk

- Risk management covers the multiple areas of risk that an organisation needs to monitor and manage to stay profitable and effective.

- Areas of risk: credit, market, legal, hazard, trading, security, operations.

- Example: Hurricane Katrina has cost the US oil and gas industry billions of dollars, and has created a new level of hazard risk that now needs an improved policy for hazard risk management in future.

Risk management cycle: identify risk >>> measure risk >>> reduce impact >>> report >>> update risk policy



Compliance

- Compliance is the management function which ensures that all mandatory rules and regulations, whether required by regulation, by standards, or by customers and influencers, are followed so that the corporation stays in business.

Compliance policy subjects and examples:

Regulation
- Sarbanes-Oxley Act: controls for financial reporting and business outlook
- Irish Companies Act: audit and accounting
- IAASA: Irish Auditing and Accounting Supervisory Authority

Standard
- ISO 17799: common security standard (since renumbered as ISO/IEC 27002)
- ISO 9000: common standard for quality control

Customer or influencer
- WalMart: supply chain vendor standard using RFID
- Insurer: risk management policy requirement for insurance


Corporate Governance

Corporate governance: "The overall methodology by which a corporation is directed, administered and controlled"

- In practice: the management of risk and compliance. Governance sits above both.


IT Governance

The business is dependent on IT for all its operational activity.

IT governance: "The management of risk and compliance in the IT operation"



Why do you want IT Governance?

- Mitigation of risk
- Align IT to business objectives
- Strengthen IT as a key business unit
- More transparent business operations
- Enhance investor confidence
- Compliance with regulation
- More efficient and effective operations

Business Optimisation

The "Compliance Paradox": wholeheartedly embracing the law can be less expensive than grudging compliance with it.


What is required to manage risk and compliance?

Internal controls, which:
- Mitigate risks
- Deliver effectiveness and efficiency
- Ensure reliability of financial reporting

To avoid surprises and pitfalls, controls must provide:
- Accountability
- Transparency
- Measurability


Proving Controls are Effective

- Monitoring, auditing, reporting
- Collect, correlate, analyse, visualise

Command and control >>> demonstrate >>> report


What must IT Do?

- Business and IT MUST collaborate on the governance issue or fail
  - Business management own the problem
  - IT supports them
- Most controls are IT-based (around 70%)
- IT will be required to:
  - Identify and document controls
  - Test, monitor and demonstrate their effectiveness
- Security is a critical part of the internal control environment
- However, other important controls include configuration, change, storage and IT management



Governance Road Map

(Chart: governance achievement plotted against business value. Source: IT Governance Institute, www.itgi.org)


What you really need to do

A four-phase cycle, shared between the business and IT:

- Phase 1: Risk assessment
- Phase 2: Policy, expressed as procedures, standards and guidelines
- Phase 3: Implement
- Phase 4: Audit and review

Supporting elements on the slide: a baseline, a risk-based / trusted architecture, the business processes, and metrics.


Identifying Risks and Controls: towards a Governance Architecture

The slide maps each framework to the part of the governance architecture it supplies:

- Risk management framework: COSO
- Process: ITIL
- Security controls: ISO 17799
- High level control objectives and KPIs: CobiT

Together these make up the IT governance architecture.


Integrated IT Governance Architecture

The architecture on this slide is laid out in three layers:

Presentation layer
- Anonymous complaints and surveys
- Business process service level views and reporting
- Governance dashboards
- Governance management reports

Process layer
- Governance monitoring and processing: risk assessment, control activities, policies and procedures, business process monitoring, workflow and escalation, policy change notification, corrective action generation
- Project and portfolio management: demand management, process management, portfolio management, resource management, project management

Technology layer
- Operations and resource management
- Service management
- Security information management
- Identity and access management
- Reliability and availability management
- Change and configuration management
- IT asset and financial management


Governance Maturity Model

The model on this slide starts from an initial state of manual processes and disparate policy, and places IT organisations on four stages of maturity:

Active
- Focused on traditional services
- Silo-ed administration
- Informal and reactive processes

Efficient
- Change in business priorities
- IT change driven by cost / regulatory pressure
- Commitment to centralization and automation

Responsive
- IT now involved in business change planning
- Manages to SLA and controls
- Integrated enterprise-wide IT management

Business Driven
- Ready for business-driven change
- Rapidly support new services and customers
- Enables support for growing partner ecosystem

Capabilities charted against these stages (listed in the order they appear on the slide; the original layout does not survive extraction): integrated role and entitlements management; consolidated CMDB; business process management; service provisioning, monitoring and billing; federated identity management; service accounting and metrics; enterprise risk management; business impact and correlation reporting; consolidated identity management and service desk; storage analysis and efficiency monitoring; automated software delivery; asset discovery; backup and recovery; operations management.


Moving from Governance to Improved Business Performance

- Reduce IT risk
  - Avoid catastrophic security breaches
  - Focus on the business, rather than on fire-fighting
- Increase business efficiency
  - Optimise your business processes and internal controls
  - Reduce costs and help desk resource requirements
  - Give employees timely access to the right enterprise resources and information
- Increase business effectiveness
  - Increased understanding and optimisation of existing internal control processes
  - Better, more timely information to help budgeting, planning and analysis
  - Improved competitiveness
  - Better corporate decision-making

An integrated IT governance approach can help deliver improved business performance along with transparency of operation.



Summary

- IT governance is the management of risk and compliance for IT
- Ensure business and IT work together
- Define internal controls based on risk assessment
- Build a governance architecture on common controls: risk framework (COSO), CobiT, ISO 17799 and ITIL
- Use a structured approach to building an integrated governance architecture
- Result:
  - Risk controlled, compliance requirements met
  - Business and operational efficiencies achieved

Good governance = business efficiency
