IT Governance Frameworks
Bill Pankey, Tunitas Group

Reality Check
CGEIT domain task requirements necessitate some knowledge about:
- COBIT and Val IT
- The scope, objectives and benefits of IT practices, standards and frameworks, such as ITIL, CMMI, PRINCE2, PMBOK, TOGAF, the ISO 17799/27000 series, and the IT Balanced Scorecard
- Methods of continuous process improvement, such as Six Sigma, Total Quality Management and the Balanced Scorecard
but not detailed knowledge or expertise:
- Internals of the framework
- Ability to implement or manage the use of the framework
CGEIT EXAM PREP #5: Governance Frameworks
Reality Check 2
Framework domain tasks emphasize skills that enable an organization to operate holistically: one mission, one vision, one strategy, one set of priorities.
- Drive the establishment of IT governance for the enterprise that considers the values, philosophy, management style, IT awareness, organizational structure, standards and policies.
- Establish specialized governance structures, such as an enterprise investment committee, a resource forecasting process, or an ERM (enterprise risk management) function.
- Ensure that appropriate roles, responsibilities and accountabilities are defined, assigned and enforced for information requirements, data and system ownership, IT processes, and benefits and value realization.
Reality Check 3
Domain tasks emphasize use of frameworks to provide assurance that:
- The IT governance framework enables the enterprise to achieve optimal value
- IT conforms with external requirements; contractual terms; organizational policies, plans and procedures; generally accepted practices; and the effective and efficient practice of IT
- IT governance monitoring is in place (considering cost/benefit analyses of controls, return on investment for continuous monitoring, etc.), together with an approach to track all IT governance issues and remedial actions to closure, and a lessons-learned process.
Successful IT governance requires the means and methods of managing and coordinating across departmental and IT boundaries.
Today's Agenda
Organizational factors in framework adoption
- How an organization operates is important
- Drivers for the IT governance initiative
- Preference for type of governance structures
Frameworks survey
- How each framework defines:
  - Area of application
  - Appropriate roles, responsibilities, accountabilities and ownership
  - [IT] processes, and the benefits and value realized from them

ORGANIZATIONAL FACTORS
Sentinel Events
As likely as not, a new IT governance program will be driven by one or more adverse events:
- Poor performance
- Poor return on IT investments
- Program failures
- Compliance/security issues
- User dissatisfaction
- Rigid infrastructure
- Process failures
- Risks not identified or not addressed
- Skills not being refreshed
- Change too difficult
- Auditor recommendation
[Figure: each sentinel event is linked into a governance concern, which is linked, in turn, to COBIT control objectives.]
Poor Cultural Patterns to Overcome
- Going it alone: an IT culture of self-governance that fails to reach out to the business or get input and buy-in to IT directions and strategies
- Failure to recognize that business units have alternatives: unresponsive IT will drive business units to outsourced solutions
- Cult of personality: a few dominate or derail planning and decision making
- Many silos of IT activity: failure to use strategy as an aligning force; failure to communicate or measure
- Historical rather than future-based planning: failure to take a risk management perspective in defining new budgets and programs
- Too many strategies or frequent strategy changes: failure to measure progress, communicate strategy, and ensure key initiatives are tied to strategy
Key Questions for IT Governance
What drives the governance initiative?
- Financials: growth, profit, return on assets
- Non-financials: reputation, culture, marketplace
Who will decide?
- Board, senior executives, business units, IT management
- Governance values interdisciplinary decision making, not a strictly hierarchical top-down approach
What is the level of corporate and IT maturity?
- Evolutionary vs. revolutionary change
- Control vs. autonomy
- Large scale vs. intimate
Actors
Board & senior executives
- Proxy for stakeholders
- Accountable for the production of value and the delivery of service
- Duty to protect corporate assets
The Business
- Managers of the production and delivery of customer value
Technology
- Supports the Business with appropriate information and IT-related services
How decisions are made
1. Characteristic decision patterns reflect the varying importance of the different actors in making decisions
2. An enterprise may adopt different patterns for different decisions
3. Different patterns work better or worse in different companies and for different decisions
4. There is no a priori preference for one pattern over another, although industry results may recommend one pattern over another
Decision Structures (aka patterns, archetypes)*

Pattern           | Input & decision rights
Business Monarchy | A group of senior business executives (CXOs) acting individually or in committees. Precludes IT executives acting independently.
IT Monarchy       | A group of IT executives acting independently or in committees
Feudal            | Business unit leaders or key process owners
Federal           | Senior executives and business unit leaders/process owners, and possibly IT executives
IT Duopoly        | IT executives and one other group (business unit leaders, process owners, or senior executives)
Anarchy           | Each individual user

* Weill & Ross, IT Governance
A Typical Decision Pattern
A profile characterizes the firm's IT governance: for each of the five decision domains (Principles, Architecture, Infrastructure, Application, Priorities) it records which decision structure holds the decision rights and which structures provide input. [The matrix of decision/input marks is not recoverable from the slide.]
Academic Research:* Characteristics of the Best and Worst Governance
Significant positive (+) and negative (0) correlations with governance quality, by decision domain (Principles, Architecture, Infrastructure, Application, Priorities) and by decision vs. input rights. [The correlation matrix is not recoverable from the slide.]

Academic Research:* Characteristics of Top Financial Performers
Patterns most used by firms with high ROA (return on assets), growth, or profit, per decision domain, compared with the most common patterns for all firms. [The matrix of patterns (Business Monarchy, IT Monarchy, Feudal, Federal, IT Duopoly, Anarchy) against Profit, Growth and ROA is not recoverable from the slide.]
* MIT Center for Information Systems Research
[Author's comment on slide 16 (bpankey, 5/2/2011): "typical but suspect"]
Board Briefing
ISACA-identified structures (business dominance | profit oriented):
- IT Strategy Committee (Business Monarchy)
- IT Steering Committee (Business Monarchy)
- Technology Council (IT Monarchy)
- IT Architectural Review Board (IT Monarchy)
[The matrix mapping each structure to decision or input rights across Principles, Architecture, Infrastructure, Application and Priorities is not recoverable from the slide.]
FRAMEWORKS
What is a framework?
Frameworks in Software Engineering*
A software framework, in computer programming, is an abstraction in which common code providing generic functionality can be selectively overridden or specialized by user code providing specific functionality. Frameworks are a special case of software libraries in that they are reusable abstractions of code wrapped in a well-defined application programming interface (API), yet they contain some key distinguishing features that separate them from normal libraries.
Software frameworks have these distinguishing features that separate them from libraries or normal user applications:
- Inversion of control: in a framework, unlike in libraries or normal user applications, the overall program's flow of control is dictated by the framework.
- Default behavior: a framework has a default behavior. This default behavior must actually be some useful behavior and not a series of no-ops.
- Extensibility: a framework can be extended by the user, usually by selective overriding, or specialized by user code providing specific functionality.
- Non-modifiable framework code: the framework code, in general, is not allowed to be modified. Users can extend the framework, but not modify its code.
* Wikipedia: Software Framework
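The four properties above, as an added example that is not part of the original slides: a hypothetical change-approval framework in Python whose run() owns the flow of control (inversion of control), whose hooks do something useful when nothing is overridden (default behavior), which user code extends by overriding a hook (extensibility), and which refuses any subclass that tries to replace run() itself (non-modifiable framework code). A plain function shows the library contrast, where the caller keeps the flow of control. All class, hook and request names and the sample change requests are constructed for this illustration.

```python
"""Added example: the four distinguishing properties of a software framework
(inversion of control, default behaviour, extensibility, non-modifiable
framework code), shown with a hypothetical change-approval framework.  All
names and the sample change requests below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    ident: str
    risk: str  # "low" or "high"


class ChangeApprovalFramework:
    """Framework half: owns the workflow and exposes hooks for user code."""

    # Non-modifiable framework code: methods that subclasses may not replace.
    _PROTECTED = frozenset({"run"})

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        clash = cls._PROTECTED & set(cls.__dict__)
        if clash:
            raise TypeError(f"{cls.__name__} may not override framework "
                            f"method(s): {', '.join(sorted(clash))}")

    def run(self, requests):
        """Inversion of control: the framework, not the caller, decides the
        order in which hooks fire and what happens between them."""
        log = [("framework", "start")]
        self.before_review(log)
        for req in requests:
            verdict = "approved" if self.approve(req) else "rejected"
            log.append((req.ident, verdict))
            self.after_decision(req, verdict, log)
        log.append(("framework", "finish"))
        return log

    # Default behaviour: each hook does something useful with no user code.
    def before_review(self, log):
        log.append(("framework", "review window opened"))

    def approve(self, req):
        return req.risk == "low"  # default policy: only low-risk changes pass

    def after_decision(self, req, verdict, log):
        if verdict == "rejected":
            log.append((req.ident, "escalated to CAB"))


class EmergencyChangeFramework(ChangeApprovalFramework):
    """Extensibility: user code overrides only the hook whose behaviour differs."""

    def approve(self, req):
        # Emergency changes (ident prefixed 'EMG-') bypass the risk check.
        return req.risk == "low" or req.ident.startswith("EMG-")


def library_style(requests, approve):
    """Contrast: a library leaves the flow of control with the caller."""
    return [(r.ident, "approved" if approve(r) else "rejected") for r in requests]


# Constructed sample input.
SAMPLE = [ChangeRequest("CHG-1", "low"), ChangeRequest("CHG-2", "high"),
          ChangeRequest("EMG-3", "high")]


def run_default():
    return ChangeApprovalFramework().run(SAMPLE)


def run_extended():
    return EmergencyChangeFramework().run(SAMPLE)


def override_is_rejected():
    """Defining a subclass that replaces run() fails at class-definition time."""
    try:
        class Rogue(ChangeApprovalFramework):
            def run(self, requests):
                return []
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for entry in run_extended():
        print(*entry)
```

The check in __init_subclass__ is the governance-relevant part: the framework publishes which parts of the workflow are fixed, and an attempt to bypass them fails loudly at definition time rather than silently at run time.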
Frameworks concept applied to IT
A framework is a way of organizing activity to include:
- Task definition (library functions)
- Workflow (program flow)
- Roles and responsibilities (library functions)
- Default behavior
- Standards & principles (non-modifiable code)
- Extensibility
A framework communicates management's expectation as to how management tasks will be completed.
What is a Governance Framework?
A way of organizing the component activities of IT governance: strategy, tactics, objectives, controls, metrics, assessments, audit, communication, accountabilities.
As implemented, a governance framework can be good or bad. Standard tests: existence, completeness, efficiency, effectiveness.
- Well defined in corporate policy and procedure
- Active participation of accountable parties
- Adequately covers the governance objectives of alignment, value delivery, risk & resource management, and performance measurement
- Minimum controls suitable for the objective
- Appropriate reuse of process inputs/outputs
- Supports industry best practice
- Readily comprehended by relevant parties
- Accomplishes the governance objectives of IT value creation and preservation
IT Governance Life Cycle
1. Board/executive awareness: recognition; board questions; IT governance charter
2. Establish IT governance framework(s): select, adapt, integrate, implement, use, improve
3. Monitor performance
ISO 38500: Framework Roles
- Board: direct, evaluate and monitor IT to support the business
- Executives: manage activities to deliver end-to-end processes (select, adapt, integrate)
- IT practitioners: design, assess, control and deliver IT support for the business (implement, use, improve)
Calder-Moir IT Governance Life Cycle
1. Develop strategy
2. Address risk / set constraints
3. Architecture & plans
4. Make changes / implement
5. Verification
6. Operate
Framework Scope (1)

Category           | Focus                                                                                    | Examples
IT Governance      | How to manage information, and information and communication technology, efficiently and effectively | COBIT, Val IT
Service Management | How to perform and organize IT management, such as service delivery & support            | ITIL, ISO 20000
Generic framework  | Not IT-specific; applied across IT domains                                               | ISO 9000, IT BSC, CMM, Six Sigma, PMBOK, MSP, PRINCE2
Risk Management    | How to identify and treat risk                                                           | ISO 2700x, Risk IT, OCTAVE, FIRM, AS/NZS 4360
IT Frameworks
Overlapping content with varying purpose and specificity.
[Figure: COSO, COBIT and ISO 17799 plotted by breadth of application (the WHAT) against framework specificity; for example, each gives a different level of security guidance.]
Some Governance Frameworks
Topics: framework concepts & organization; Calder-Moir / ISO 38500 survey
- Strategy: Balanced Scorecard
- Risk & compliance: COSO | COBIT | ISO 2700x | PCI DSS
- Architecture & plans: TOGAF | Zachman
- Implement & manage change: PMBOK | PRINCE2 | COBIT
- Verify: Balanced Scorecard, Zachman
- Operate: ITIL | ISO 9000 | Six Sigma
How ISACA Positions COBIT
COBIT is the application of COSO to IT.
COBIT Supports Multiple Audiences
- Management: help govern, direct, manage and monitor IT activities. "Are we doing the right things?"
- IT & business users: implement better-managed IT solutions
- Auditors/consultants: substantiate opinions and advice on internal controls
How COBIT Helps the Governance Process
COBIT links IT and business goals; the COBIT framework provides a common understanding of IT's role.
- Provide direction / set objectives: IT-business alignment; IT enables business and management benefits; IT resources are used responsibly; IT risks are managed appropriately
- IT activities: increase automation; decrease cost; manage risk
- Compare and measure performance: COBIT KGIs (key goal indicators) and KPIs (key performance indicators) enable measurement
COBIT Support for Governance Objectives

COBIT feature                     | Governance target
Business & IT KGIs                | Align IT strategy with business goals; cascade strategy down into the organization; set up functions that facilitate strategy implementation
COBIT Framework                   | Adopt a control & governance framework; provide IT infrastructure that facilitates creation and sharing of business information; embed responsibility for risk management
IT Processes                      | Focus on important IT processes and core competence
Management Guidelines (KPIs, CMM) | Measure performance; identify areas where improvement is needed; appreciate the consequences of incorrect or no action

COBIT Framework [diagram]
Digression: What is a process?
An organized set of activities that:
a. Produces specific results/outcomes
b. Responds to specific events (triggers)
c. Has an identified customer receiving the benefit of the process (ITIL perspective)
d. Has measurable performance
Defined roles (COBIT perspective):
- Process Owner, responsible for results
- Process Manager, responsible for realization and structure; reports to the Process Owner
- Process Operatives, responsible for specific process activities; report to the Process Manager
Process Control
Measurement and control is an essential aspect of a COBIT process.

COBIT Framework: Requirements Cascade
Business requirements => process definition => resource management
Expressing Business Requirements for IT
Standardization of information and IT properties: business requirements are specified in terms of the following information properties: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
Information requirements cascade to requirements for IT.
Information Criteria

Criteria        | Requirements for:
Effectiveness   | Information being relevant and pertinent to the business process, delivered in a timely, correct, consistent and usable manner
Efficiency      | Most productive and economical use of resources
Confidentiality | Protection from unauthorized disclosure
Integrity       | Accuracy and completeness of information, and its validity in accordance with business values and expectations
Availability    | Being available when required by the business process; safeguarding resources and capability
Compliance      | Conformance with laws, regulations and contractual requirements
Reliability     | Provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities
COBIT Output
- List of the required IT processes, each associated with a high-level objective; the catalog is intended to be complete
- Best-practice process definition: detailed sequence of activity; affected information properties; resource utilization; process inputs and outputs; goals and metrics; roles; competency
Process Catalogue
Domains => Processes => Activities

Other Frameworks Complement COBIT
Governance Frameworks
Topics: framework concepts & organization; COSO cube
Survey: COBIT; COSO ERM | ISO 2700x | M_o_R | OCTAVE | ISO 31000; ITIL; ISO 9000 | Six Sigma; Balanced Scorecard | TOGAF | Zachman; CMMI; PMBOK | PRINCE2
ISO 2700x Information Security Framework [diagram]
TOGAF: Four Architecture Domains
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture: a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture.
TOGAF is based on four architecture domains:
- Business architecture (or business process architecture), which defines the business strategy, governance, organization, and key business processes of the organization
- Applications architecture, which provides a blueprint for the individual application systems to be deployed, the interactions between the application systems, and their relationships to the core business processes of the organization
- Data architecture, which describes the structure of an organization's logical and physical data assets and the associated data management resources
- Infrastructure architecture (technical or technology architecture), which describes the hardware, software and network infrastructure needed to support the deployment of core, mission-critical applications
TOGAF Framework
The architecture framework is a toolset, or set of tools, which can be used for developing a broad range of different architectures. It:
- describes a method for defining an information system in terms of a set of building blocks
- shows how the building blocks fit together
- contains a set of tools
- provides a common vocabulary
- includes a list of recommended standards
- includes a list of compliant products that can be used to implement the building blocks

TOGAF ADM (Architecture Development Method) [diagram]
PMBOK
General project management Body of Knowledge, maintained by the Project Management Institute (PMI); basis of the PMP certification.
Plan-centric approach to project management:
- E.g., management of project risk occurs as an artifact of the development, maintenance and monitoring of a project risk management plan
- E.g., likewise for quality management, via a quality management plan
Standardized Project Phases
- Initiation: feasibility, scoping & project charter
- Planning: a Project Management Plan to manage numerous subordinate plans
- Plan execution: deliver on plan; request and implement changes to the plan
- Monitoring & controlling plans: approval of change requests; update the plan; status reports & forecasts
- Closing: verification, delivery and sign-off
PMBOK Best Practices
Defines inputs, tools and techniques, and outputs for 9 project management knowledge areas: integration management, scope management, time management, cost management, quality management, human resource management, communications management, risk management, procurement management.
All of PMBOK maps to a single COBIT process, PO10 Manage Projects.
IT Infrastructure Library (ITIL)
Standardization of IT service delivery. Derived from an effort within the British Government (1980s) to standardize management of services.
A service is the means of delivering value whereby customers get desired outcomes without having ownership of certain costs or risks.
Service Life Cycle
ITIL v3 is organized around the concept of a service life cycle.

ITIL v3 Core Books [diagram]
ITIL Guidance
For each phase, defines:
- Key principles
- Key documents
- Required processes
- Targets (process outcomes | deliverables | metrics)
- Roles and responsibilities
- Artifacts (policy | SOP | documentation)
ITIL-Identified Management Processes

Phase                               | Management processes
Service Strategy                    | Strategy generation; risk management; financial management; service portfolio management; demand management
Service Design                      | Service catalog management; service level management; supplier management; availability management; capacity management; information security management; service continuity management
Service Transition                  | Release & deployment management; change management; transition planning & support; knowledge management; evaluation management; asset & configuration management; service validation & testing management
Service Operation                   | Request fulfillment; incident management; access management; problem management; event management; functions {service desk | IT operations management | technical management | applications management}
Continual Service Improvement (CSI) | 7-step improvement; service reporting; service measurement
ISO 900x
Standard for Quality Management Systems (QMS). Supports demonstration that a production process is controlled: prevention of errors/faults; assurance of quality to customers.
- ISO 9000: QMS fundamentals and vocabulary
- ISO 9001: QMS requirements; basis for ISO 9001 certification; 3 core sections applicable to all areas
- ISO/IEC 90003: guidelines for applying ISO 9001 to computer software (software engineering)
ISO 9000 Evolution: Emphasis on Process
http://www.praxiom.com/principles.htm
- ISO 9000:1994 version: emphasis on evidence of compliance with documented procedures ("tyranny of the ISO bureaucracy")
- ISO 9000:2000 version: emphasis on process management; a documented system rather than a system of documents; continual process improvement based on customer satisfaction
ISO 9000 Best Practice Topics
http://tinyurl.com/cgeitISO9000
Eight QMS principles (see the link above).
ISACA Resource: IT Governance Roundtables
Governance challenges & trends; frameworks; value; staffing. Obtain from the isaca.org downloads page.
Next Week: VALUE MANAGEMENT