IT Governance November, 2013

Upload: carlos-chalico

Post on 08-May-2015


Category:

Technology



DESCRIPTION

Presentation on IT Governance delivered for the ISACA Toronto Chapter

TRANSCRIPT

Page 1: IT Governance

IT Governance November, 2013

Page 2: IT Governance

@CarlosChalicoT #ISACA_ITG


Page 3: IT Governance


Page 4: IT Governance


Page 5: IT Governance


Page 6: IT Governance


Quote

Robert Frost

“The brain is a wonderful organ; it starts working the moment you get up in the morning and does not stop until you get into the office”

Page 7: IT Governance


Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

Director Eastern Region


Page 8: IT Governance


What’s in this for you?

By the end of this session you will:


• Understand the concept of governance, IT governance and its difference against IT management

• Know the advantages of defining an effective IT Governance model

• Know some frameworks available to define IT Governance (COBIT, ISO 38500)


Page 10: IT Governance


Quote

“Management must manage”

Harold S. Geneen

Page 11: IT Governance


So, what does this mean?

Governance


Page 12: IT Governance


From Wikipedia: Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of decision-making or leadership processes. In modern nation-states, these processes and systems are typically administered by a government.


Page 13: IT Governance


Page 14: IT Governance


From OECD

Corporate governance is one key element in improving economic efficiency and growth as well as enhancing investor confidence. Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.

http://www.oecd.org/corporate/ca/corporategovernanceprinciples/31557724.pdf

Page 15: IT Governance


Page 16: IT Governance


Other Sources


Page 17: IT Governance


Key Points

• Relationships: management, board, shareholders, stakeholders

• Structure

• Objectives of the organization

• Monitoring performance

• Economic efficiency and growth

• Confidence

Page 18: IT Governance


Quote

Alison Holt

“Organizations with good governance practices in place can be shown to be more successful than organizations without”

Page 19: IT Governance


Turning Risk Into Results


Page 20: IT Governance


Turning Risk Into Results


Page 21: IT Governance


Quote

“Corporate governance is the system by which companies are directed and controlled”

Adrian Cadbury

Page 22: IT Governance


So, what does this mean?

IT Governance

Page 23: IT Governance


So, what does this mean?

Page 24: IT Governance


So, what does this mean?

HBR (Harvard Business Review)

http://blogs.hbr.org/2013/08/todays-cto-needs-to-become/

http://blogs.hbr.org/cs/2013/07/todays_cio_needs_to_be_the_chi.html

CIO / CTO

Page 25: IT Governance


So, what does this mean?

CIO Information

Innovation

Page 26: IT Governance


So, what does this mean?

CTO Technology

Transformation

Page 27: IT Governance


So, what does this mean?

Innovate Transform

Value

Page 28: IT Governance


So, what does this mean?

Know Control Measure

Rely

IT Processes

Infrastructure Elements

Page 29: IT Governance


So, what does this mean?

In essence, the governance of IT is the theory that enables an organisation’s principal decision makers to make better decisions around IT and, at the same time, provides guidance for IT managers who are tasked with IT operations and the design, development and implementation of IT solutions.

Page 30: IT Governance


So, what does this mean?

• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives.

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Page 31: IT Governance


So, what does this mean?

The action of the board or governing body to direct IT activities and to build a decision-making model, combined with the action of the IT management teams to develop supporting systems, processes and procedures, results in the development of an IT governance framework.

What to do

How to do it

Page 32: IT Governance


Why IT Governance?

• “Due diligence”

• IT is critical to the business (and pervasive)

• IT is strategic to the business

• Expectations and reality don’t match

• IT hasn’t gotten the attention it deserves (yet)

• IT may involve huge investments and large risks

Page 33: IT Governance


Why IT Governance?

IT Governance Framework

(Diagram labels: Culture, Goals, Characteristics, Organization)

Page 34: IT Governance


Why IT Governance?

Page 35: IT Governance


Why IT Governance?


Page 36: IT Governance


Why IT Governance?

Page 37: IT Governance


Why IT Governance?

Page 38: IT Governance


Why IT Governance?

Page 39: IT Governance


Why IT Governance?

Page 40: IT Governance


Why IT Governance?

Page 41: IT Governance


Why IT Governance?

Page 42: IT Governance


Why IT Governance?

Page 43: IT Governance


Why IT Governance?

GEIT

Objectives:

• IT value delivery

• Mitigation of IT-related risks to the business

Achieved through:

• Strategic alignment

• Resources availability & management

• Monitoring

Page 44: IT Governance


Why IT Governance?

ITGI identifies five focus areas of GEIT:

• Strategic alignment

• Value delivery

• Risk management

• Resource management

• Performance measurement

Page 45: IT Governance


Why IT Governance?

Page 46: IT Governance


Why IT Governance?

Page 47: IT Governance


Available Frameworks

• ISO 38500

• COBIT 5

Page 48: IT Governance


Quote

Alison Holt

“A tool is only a tool if it helps you and your business”

Page 49: IT Governance

IT Governance November, 2013

Break!

Page 50: IT Governance


Why IT Governance?


Page 51: IT Governance


Quote

Alison Holt

“Where there is poor organisational governance practice in place, it will be difficult to implement good IT and information practice that delivers consistent quality deliverables”

Page 52: IT Governance


What is ISO?


• International Organization for Standardization

• World’s largest developer of voluntary standards

• Founded in 1947

• 19,500 standards released

• Members from 164 countries

• Headquartered in Geneva, Switzerland

(Photo caption: “The Boys.” 65 delegates from 25 countries. London, 1946.)

http://www.iso.org

Page 53: IT Governance


What is a Standard?


“A document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.

ISO standards can be purchased from the ISO store or from our members”

(Photo caption: Office in La Voie Creuse, Geneva, Switzerland, 2007.)

http://www.iso.org

Page 54: IT Governance


What are the benefits?


“ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade”

http://www.iso.org

Page 55: IT Governance


ISO/IEC 38500:2008


• Provides guiding principles for directors of organizations (owners, board members, partners, senior executives) on the effective, efficient, and acceptable use of IT within their organizations

• Applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, external service providers, or business units within the organization.

• It also provides guidance to those advising, informing, or assisting directors (this includes IT auditors)

http://www.iso.org

Page 56: IT Governance


ISO/IEC 38500:2008


• Based on Australian Standard AS 8015-2005

• Submitted for Fast Track ISO adoption

• Alison Holt

• New Zealand

• Longitude 174

• Co-chaired ISO’s working group for IT Governance Framework standards

http://www.ramin.com.au/itgovernance/as8015.html

Page 57: IT Governance


Quote

Alison Holt

“Implementing IT governance is not necessarily a quick process, but it is effective”

Page 58: IT Governance


ISO/IEC 38500:2008

Page 59: IT Governance


(Diagram: Information Technology Processes, Process 1, Process 2, Process 3 … Process n; Pervasiveness)

ISO/IEC 38500:2008

Goal: ISO 38500 Guidelines

Directors / Senior Executives

Effective, Efficient, Acceptable

ICT Use

Page 60: IT Governance


Quote

“May the Force be with you”

Obi Wan Kenobi

Page 61: IT Governance


IT potential problems


• Different areas of the organisation have different relationships with different IT vendors

• IT systems evolve independently with no united direction or strategy

• IT systems under/over-perform

• IT managers don’t understand the operation

• Operational managers don’t understand IT

• No sense of ownership on data, infrastructure and processes

• Users frustrated for, apparently, not having enough resources

• Nobody thinks or wants the CIO, except when there is a problem.

Page 62: IT Governance


ISO/IEC 38500:2008

ISO 38500

Scope, Application, Objectives

Framework

Guidance

Page 63: IT Governance


Scope, Application, Objectives

Goal: ISO 38500 Guidelines

Directors / Senior Executives

Effective, Efficient, Acceptable

ICT Use

Confidence

Stakeholders

Page 64: IT Governance


ISO/IEC 38500:2008

ISO 38500

Scope, Application, Objectives

Framework

Guidance

Page 65: IT Governance


Framework

ISO 38500

Six Principles

Model: IT Governance / IT Management

1. Responsibility

2. Strategy

3. Acquisition

4. Performance

5. Conformance

6. Human Behaviour

Page 66: IT Governance


Responsibility

• Everyone understands and accepts his or her responsibility

• This includes supply of and demand for IT

• Those with responsibility for actions also have the authority to perform those actions

Page 67: IT Governance


Responsibility


Page 68: IT Governance


Responsibility


• The CIO that was not respected, even with an ISSP communicated and authorized

• The “Perfect” Operational Director

• The “jumping” requirements

• The eternal “Yes” CIO

• The 24x7x52xFOREVER HR requirement

Page 69: IT Governance


Strategy

• Organisation’s business strategy considers current and future capabilities of IT

• Strategic plans for IT satisfy the current and ongoing needs of the organisation

Page 70: IT Governance


Strategy


• “With that money I can setup a new branch”

• “Hey, that IT strategy made me think that the operational strategy needs to be re-visited”

Page 71: IT Governance


Strategy


Page 72: IT Governance


Acquisition

• IT acquisitions are made for valid reasons

• Appropriate analysis is made to support purchasing decisions

• There is a balance among benefits, opportunities, costs and risks in the short and long term

Page 73: IT Governance


Acquisition


• Some suggestions:

• Understand required benefits

• Informal chats with vendors

• Define a formal purchasing process

• Visit other organisations that are doing what you want to do

• Understand the “do nothing” option

• Check out references

Page 74: IT Governance


Acquisition

Time and budget are important, but…

…having the organisation understand the motives is critical

Page 75: IT Governance


Performance

• IT fits the requirements to support the organisation

• IT provides services, levels of service and service quality required to meet the organisation’s current and future requirements

Page 76: IT Governance


Performance


• Under-Performance Vs. Over-Performance

• We often over-procure for reasons of convenience

• How would you react if your main server starts running out of space?

Page 77: IT Governance


Conformance

• IT complies and supports compliance

• Policies and practices are clearly defined, implemented and enforced

Page 78: IT Governance


Conformance

• How easy has it been for your company to configure the systems to comply with laws and regulations?

(Diagram labels: Compliance on IT Systems; Process, Process 2, Process, Process; Change, Change)

Page 79: IT Governance


Human Behaviour

• IT policies, practices and decisions show respect for human behaviour

• This includes current and evolving needs of all of the people in the processes

Page 80: IT Governance


Human Behaviour


• Have you defined policies to make clear how you want your IT systems to be used?

• How are you balancing personal Vs. professional use of the corporate IT resources?

• Is your management team setting the tone?

• How are you connecting with customers, providers, authority?

Page 81: IT Governance


ISO/IEC 38500:2008

ISO 38500

Scope, Application, Objectives

Framework

Guidance

Page 82: IT Governance


Guidance


• Provides examples for the application of each one of the six principles

Page 83: IT Governance


Guidance


• Additional documents:

• Cloud computing

• IT Audit

• Digital forensics

• Interoperability

• Business frameworks

Page 84: IT Governance


Quote

“Nothing will work unless you do”

Maya Angelou

Page 85: IT Governance


Implementing ISO 38500

(Diagram: implementation cycle)

Stages: Current State Assessment, Design and Definition, Implementation, Operation, Monitoring, Auditing, Continuous Improvement

Elements: Communication and awareness, IT controls, Policies and procedures, Plan development, Business processes improvements, Third parties considerations, Extended IT governance, IT processes improvements, Problems identification, Training and testing, Adjustments, Monitoring controls, Reporting, Audit guidelines, Responsibility assignment

Page 86: IT Governance

IT Governance November, 2013

Break!

Page 87: IT Governance


How has COBIT dealt with IT Governance?


Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Page 88: IT Governance


How has COBIT dealt with IT Governance?


• Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed-on direction and objectives (EDM)

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM)

Page 89: IT Governance


How has COBIT dealt with IT Governance?


COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

Page 90: IT Governance


How has COBIT dealt with IT Governance?

(Diagram: evolution of COBIT scope, 1996 to 2012)

• COBIT 1 (1996): Audit

• COBIT 2 (1998): Control

• COBIT 3 (2000): Management

• COBIT 4.0/4.1 (2005/7): IT Governance

• COBIT 5 (2012): A business framework from ISACA, at www.isaca.org/cobit

• Val IT 2.0 (2008)

• Risk IT (2009)

© 2012 ISACA® All rights reserved.

Page 91: IT Governance


COBIT Principles


• Meeting stakeholder needs

• Covering the enterprise end-to-end

• Applying a single integrated framework

• Enabling a holistic approach

• Separating governance from management

Page 92: IT Governance


Meeting Stakeholder Needs


Enterprises exist to create value for their stakeholders.

Page 93: IT Governance


Meeting Stakeholder Needs

• Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them.

• Governance is about negotiating and deciding amongst different stakeholders’ value interests.

• The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.

• For each decision, the following can and should be asked:

• Who receives the benefits?

• Who bears the risk?

• What resources are required?

Page 94: IT Governance


Meeting Stakeholder Needs

• Stakeholder needs have to be transformed into an enterprise’s actionable strategy.

• The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

Source: COBIT® 5, figure 4. © 2012 ISACA® All rights reserved.

Page 95: IT Governance


Meeting Stakeholder Needs

• Benefits of the COBIT 5 goals cascade:

• It allows the definition of priorities for implementation, improvement and assurance of enterprise governance of IT based on (strategic) objectives of the enterprise and the related risk.

• In practice, the goals cascade:

• Defines relevant and tangible goals and objectives at various levels of responsibility.

• Filters the knowledge base of COBIT 5, based on enterprise goals to extract relevant guidance for inclusion in specific implementation, improvement or assurance projects.

• Clearly identifies and communicates how (sometimes very operational) enablers are important to achieve enterprise goals.

Page 96: IT Governance


Covering the enterprise end-to-end

• COBIT 5 addresses the governance and management of information and related technology from an enterprisewide, end-to-end perspective.

• This means that COBIT 5:

• Integrates governance of enterprise IT into enterprise governance, i.e., the governance system for enterprise IT proposed by COBIT 5 integrates seamlessly in any governance system because COBIT 5 aligns with the latest views on governance.

• Covers all functions and processes within the enterprise; COBIT 5 does not focus only on the ‘IT function’, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

Page 97: IT Governance


Covering the enterprise end-to-end

Key Components of a governance system

Source: COBIT® 5, figure 9. © 2012 ISACA® All rights reserved.

Source: COBIT® 5, figure 8. © 2012 ISACA® All rights reserved.

Page 98: IT Governance


Applying a single integrated framework

• COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:

• Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000

• IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI

• This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.

• ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

Page 99: IT Governance


Enabling a holistic approach

• COBIT 5 enablers are:

• Factors that, individually and collectively, influence whether something will work—in the case of COBIT, governance and management over enterprise IT

• Driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve

• Described by the COBIT 5 framework in seven categories

Page 100: IT Governance


Enabling a holistic approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.

Page 101: IT Governance


Enabling a holistic approach

• Processes—Describe an organised set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals

• Organizational structures—Are the key decision-making entities in an organization

• Culture, ethics and behavior—Of individuals and of the organization; very often underestimated as a success factor in governance and management activities

Page 102: IT Governance


Enabling a holistic approach

• Principles, policies and frameworks—Are the vehicles to translate the desired behaviour into practical guidance for day-to-day management

• Information—Is pervasive throughout any organisation, i.e., deals with all information produced and used by the enterprise. Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

Page 103: IT Governance


Enabling a holistic approach

• Services, infrastructure and applications—Include the infrastructure, technology and applications that provide the enterprise with information technology processing and services

• People, skills and competencies—Are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions

Page 104: IT Governance


Enabling a holistic approach

• Systemic governance and management through interconnected enablers—To achieve the main objectives of the enterprise, it must always consider an interconnected set of enablers, i.e., each enabler:

• Needs the input of other enablers to be fully effective, e.g., processes need information, organisational structures need skills and behaviour

• Delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behaviour make processes efficient

• This is a KEY principle emerging from the ISACA development work around the Business Model for Information Security (BMIS).

Page 105: IT Governance


Enabling a holistic approach

COBIT 5 Enabler Dimensions:

• All enablers have a set of common dimensions. This set of common dimensions:

• Provides a common, simple and structured way to deal with enablers

• Allows an entity to manage its complex interactions

• Facilitates successful outcomes of the enablers

Source: COBIT® 5, figure 13. © 2012 ISACA® All rights reserved.

Page 106: IT Governance


Separating Governance from Management

• The COBIT 5 framework makes a clear distinction between governance and management.

• These two disciplines:

• Encompass different types of activities

• Require different organisational structures

• Serve different purposes

• Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

• Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Page 107: IT Governance


Separating Governance from Management

• Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).

• Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).

Page 108: IT Governance


Separating Governance from Management

COBIT 5 is not prescriptive, but it advocates that organisations implement governance and management processes such that the key areas are covered, as shown.

Source: COBIT® 5, figure 15. © 2012 ISACA® All rights reserved.

Page 109: IT Governance


Separating Governance from Management

• The COBIT 5 framework describes seven categories of enablers (Principle 4). Processes are one category.

• An enterprise can organise its processes as it sees fit, as long as all necessary governance and management objectives are covered. Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.

• COBIT 5 includes a process reference model (PRM), which defines and describes in detail a number of governance and management processes. The details of this specific enabler model can be found in the COBIT 5: Enabling Processes volume.

Page 110: IT Governance


Quote

“It’s a trap!”

Admiral Ackbar

Page 111: IT Governance


Implementing GEIT with COBIT


Page 112: IT Governance


Implementing GEIT with COBIT

Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Page 113: IT Governance


Implementing GEIT with COBIT

Page 114: IT Governance


Implementing GEIT with COBIT

• The improvement of the governance of enterprise IT (GEIT) is widely recognized by top management as an essential part of enterprise governance

• Information and the pervasiveness of IT are increasingly part of every aspect of business and public life

• The need to drive more value from IT investments and manage an increasing array of IT-related risk has never been greater

• Increasing regulation and legislation over business use of information is also driving heightened awareness of the importance of a well-governed and managed IT environment

Page 115: IT Governance


Implementing GEIT with COBIT

• ISACA has developed the COBIT 5 framework to help enterprises implement sound governance enablers. Indeed, implementing good GEIT is almost impossible without engaging an effective governance framework. Best practices and standards are also available to underpin COBIT 5

• Frameworks, best practices and standards are useful only if they are adopted and adapted effectively. There are challenges that need to be overcome and issues that need to be addressed if GEIT is to be implemented successfully.

• COBIT 5: Implementation provides guidance on how to do this

Page 116: IT Governance


Implementing GEIT with COBIT

• COBIT 5: Implementation covers the following subjects:

• Positioning GEIT within an enterprise

• Taking the first steps towards improving GEIT

• Implementation challenges and success factors

• Enabling GEIT-related organisational and behavioural change

• Implementing continual improvement that includes change enablement and programme management

• Using COBIT 5 and its components

Page 117: IT Governance


Value of GEIT

Page 118: IT Governance


The Value of CGEIT


CGEIT recognizes a wide range of professionals for their knowledge and application of enterprise IT governance principles and practices. As a CGEIT certified professional, you demonstrate that you are capable of bringing IT governance into an organization—that you grasp the complex subject holistically, and therefore, enhance value to the enterprise. 

http://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-enterprise-it/Pages/default.aspx

Page 119: IT Governance


The Value of CGEIT


Page 120: IT Governance


GRC


Page 121: IT Governance


GRC Magic Quadrant


Page 122: IT Governance


Top 10 GRC challenges


1. Management complexity of risk and compliance programs

2. Organisational alignment of risk and compliance metrics and control across functional domains

3. Managing regulatory complexity to reduce the cost of compliance

4. Privacy and intellectual property protection

5. Cybersecurity risks

6. BYOD and mobile strategy

7. Supply/value chain risk

8. Building out infrastructure to enable situational awareness and predictive analytics

9. Aligning operational security with risk and compliance programs

10. Aligning business continuity and availability with risk management

Page 123: IT Governance


Quote

“The only place success comes before work is in the dictionary”

Vince Lombardi

Page 124: IT Governance


Case Study

Please follow instructions to review the Case Study.

Page 125: IT Governance


Conclusions


• The world is changing and IT departments need to adapt to it

• Governance of Enterprise IT is mandatory; compliance complexity, value requirements, and innovation and transformation needs all support its implementation

• Effective governance requires a committed organisation

• ISO 38500 and COBIT 5 can be the frameworks for implementing this

Page 126: IT Governance


Final Thoughts


http://www.slideshare.net/sap/99-facts-on-the-future-of-business

Page 127: IT Governance

Final Thoughts

Page 128: IT Governance

Final Thoughts

Page 129: IT Governance

Final Thoughts

Page 130: IT Governance

Final Thoughts

Page 131: IT Governance

Final Thoughts

SAP & Vuzix Augmented Reality

Page 132: IT Governance

Final Thoughts

Page 133: IT Governance

Final Thoughts

Page 134: IT Governance

Final Thoughts

Page 135: IT Governance


Questions and Answers


Carlos Chalico

CISA, CISSP, CISM, CGEIT, CRISC, ISO27000 LA, PbD Ambassador

Ouest Business Solutions Inc.

[email protected]

(647)6388062

twitter: @CarlosChalicoT

LinkedIn: ca.linkedin.com/in/carloschalico/

Page 136: IT Governance

IT Governance November, 2013

Thank You!