
CGEIT EXAM PREP #5 Governance Frameworks

IT Governance Frameworks
Bill Pankey, Tunitas Group

Reality Check
CGEIT domain task requirements necessitate
Some knowledge about:
  COBIT, Val IT
  the scope, objective and benefits of:
    IT practices, standards and frameworks, such as ITIL, CMMI, PRINCE2, PMBOK, TOGAF, ISO 17799/27000 series, and the IT Balanced Scorecard
    of continuous process improvement, such as Six Sigma, Total Quality Management and the Balanced Scorecard

but not, Detailed knowledge or expertise
  Internals of the framework
  Ability to implement or manage the use of

Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in SF ISACA's 2011 CGEIT Preparation Class. No other use is permitted without express written authorization.


Reality Check 2
Framework domain tasks emphasize skills that enable an organization to operate holistically: one mission, one vision, one strategy, one set of priorities
  Drive the establishment of IT governance for the enterprise that considers the values, philosophy, management style, IT awareness, organizational structure, standards and policies.
  Establish specialized governance structures, such as an enterprise investment committee, a resource forecasting process, an ERM
  Ensure that appropriate roles, responsibilities and accountabilities are defined, assigned and enforced for information requirements, data and system ownership, IT processes, and benefits and value realization.

Reality Check 3
Domain tasks emphasize use of frameworks to provide assurance that:
  IT governance framework enables the enterprise to achieve optimal value
  IT conforms with external requirements; contractual terms; organizational policies; plans and procedures; generally accepted practices; and the effective and efficient practice of IT
  IT governance monitoring (considering cost/benefits analyses of controls, return on investment for continuous monitoring, etc.), an approach to track all IT governance issues and remedial actions to closure, and a lessons learned process.
Successful IT governance requires the means and methods of managing and coordinating across departments and IT boundaries.


Today's Agenda
Organizational factors in framework adoption
  How an organization operates is important
    Drivers for IT Governance initiative
    Preference for type of governance structures

Frameworks Survey
  How each framework defines
    Area of application
    Appropriate roles, responsibilities, accountabilities and ownership
    [IT] processes, the benefits and value realized from them

ORGANIZATIONAL FACTORS


Sentinel Events
As likely as not, a new IT governance program will be driven by one or more adverse events:
Poor Performance
  Poor return on IT investments
  Program failures
  Compliance/security issues
  User dissatisfaction
  Rigid infrastructure
  Process failures
  Risks not identified or not addressed
  Skills not being refreshed
  Change too difficult

Auditor recommendation
  Linked into control objectives
  Linked, in turn, to COBIT control objectives


Poor Cultural Patterns to Overcome
"Going it alone": IT culture of self-governance
  fails to reach out to business or get input and buy-in to IT directions and strategies

Failure to recognize business units have alternatives
  unresponsive IT will drive business units to outsourced solutions

Cult of personality
  a few dominate or derail planning and decision making

Many silos of IT activity
  failure to use strategy as an aligning force; failure to communicate or measure

Historical rather than future-based planning
  failure to take a risk management perspective in defining new budgets and programs

Too many strategies or frequent strategy changes
  failure to measure progress, communicate strategy, ensure key initiatives are tied to strategy

Key Questions for IT Governance
What drives the governance initiative?
  Financials: Growth, profit, return on assets
  Nonfinancials: Reputation, culture, marketplace

Who will decide?
  Board
  Sr. Executives
  Business Units
  IT Management
  Governance values interdisciplinary decision making, not a strict hierarchical top-down approach

What is the level of Corporate & IT Maturity?
  Evolutionary / revolutionary change
  Control vs. autonomy
  Large scale vs. intimate


Actors
Board & Sr. Executives
  Proxy for stakeholders
  Accountable for the production of value | delivery of service
  Duty to protect corporate asset

"the Business"
  Managers of the production and delivery of customer value

Technology
  Supports "the Business" with appropriate information & IT-related services

How decisions are made
1. Characteristic decision patterns reflect the varying importance of the different actors in making decisions
2. Enterprise may adopt different patterns for different decisions
3. Different patterns work better or worse in different companies and for different decisions
4. No a priori preference for one pattern over another, although industry results may recommend one pattern over another


Decision Structures (aka patterns, archetypes)*
Pattern: Input & Decision Rights
  Business Monarchy: Group of senior business executives (CXO) acting individually or in committees. Precludes IT executives acting independently
  IT Monarchy: Group of IT executives acting independently or in committees
  Feudal: Business unit leaders or key process owners
  Federal: Sr. Executives and business unit leaders | process owners and possibly IT executives.
  IT Duopoly: IT executives and one other group (business unit leader, process owner, or Sr. executives)
  Anarchy: Each individual user

*Weill & Ross, IT Governance

A Typical Decision Pattern
A Profile characterizes the firm's IT governance
[Matrix: decision patterns (Business Monarchy, IT Monarchy, Feudal, Federal, IT Duopoly, Anarchy) against decision areas (Principles, Architecture, Infrastructure, Application, Priorities), each area with Decision and Input columns]


Academic Research:* Characteristics of the Best | Worst Governance
Significant positive (+) & negative (0) correlation with governance quality
[Matrix: decision patterns (Business Monarchy, IT Monarchy, Feudal, Federal, IT Duopoly, Anarchy) against decision areas (Principles, Architecture, Infrastructure, Application, Priorities), each area with Decision and Input columns; cells marked + or 0]

*MIT Center for Information Systems Research

Academic Research:* Characteristics of Top Financial Performers
Patterns most used by firms with high ROA (return on assets), growth, or profit
[Matrix: decision patterns (Business Monarchy, IT Monarchy, Feudal, Federal, IT Duopoly, Anarchy) against the Decision column of each decision area (Principles, Architecture, Infrastructure, Application, Priorities); cells marked Profit, Growth or ROA]
Most common patterns for all firms
typical but suspect

ROA: return on assets
*MIT Center for Information Systems Research


Board Briefing

ISACA Identified Structures
Business dominance | profit oriented
[Matrix: IT Strategy Committee (Business Monarchy), IT Steering Committee (Business Monarchy), Technology Council (IT Monarchy) and IT Architectural Review Board (IT Monarchy) against decision areas (Principles, Architecture, Infrastructure, Application, Priorities), each area with Decision and Input columns]

FRAMEWORKS
  What is an IT Framework?
  Calder-Moir Framework of Frameworks (ISO 38500)
  COBIT
  ITIL
  ISO 17799
  ISO 900x


What is a framework?

Frameworks in Software Engineering*
A software framework, in computer programming, is an abstraction in which common code providing generic functionality can be selectively overridden or specialized by user code providing specific functionality. Frameworks are a special case of software libraries in that they are reusable abstractions of code wrapped in a well-defined application programming interface (API), yet they contain some key distinguishing features that separate them from normal libraries.

Software frameworks have these distinguishing features that separate them from libraries or normal user applications:
  inversion of control: In a framework, unlike in libraries or normal user applications, the overall program's flow of control is dictated by the framework.
  default behavior: A framework has a default behavior. This default behavior must actually be some useful behavior and not a series of no-ops.
  extensibility: A framework can be extended by the user, usually by selective overriding, or specialized by user code providing specific functionality.
  non-modifiable framework code: The framework code, in general, is not allowed to be modified. Users can extend the framework, but not modify its code.

*Wikipedia: Software Framework

Frameworks concept applied to IT
A framework is a way of organizing activity to include:
  Task definition (library functions)
  Workflow (program flow)
  Roles and responsibilities (library functions)
  Default behavior
  Standards & Principles (non-modifiable code)
  Extensibility

A Framework communicates management's expectation as to how management tasks will be completed.


What is a Governance Framework?
Way of organizing the component activities of IT governance
  Strategy, tactics, objectives, controls, metrics, assessments, audit, communication, accountabilities

As implemented, a Governance Framework can be good or bad.
Standard Tests: Existence, Completeness, Efficiency, Effectiveness
  Well defined in corporate policy and procedure
  Active participation of accountable parties
  Adequately cover governance objectives of alignment, value delivery, risk & resource management, performance measurement
  Minimum controls suitable for objective
  Appropriate reuse of process inputs/outputs
  Support industry best practice
  Readily comprehended by relevant parties
  Accomplish the governance objectives of IT value creation and preservation

IT Governance Life Cycle
1. Board/Executive Awareness
   Recognition, Board Questions, IT Governance Charter, Select, Adapt, Integrate, Implement, Use, Improve

2. Establish IT Governance Framework(s)

3. Monitor Performance


ISO 38500: Framework Roles
  Board: direct, evaluate, monitor IT to support the businesses
  Executives: manage activities to deliver end-to-end process
  IT Practitioners: design, assess, control & deliver IT support for business
  Select, Adapt, Integrate, Implement, Use, Improve

Calder-Moir IT Governance Life Cycle
  1. Develop strategy
  2. Address risk / set constraints
  3. Architecture & plans
  4. Make changes / implement
  5. Verification
  6. Operate


Framework Scope (1)

Category: IT Governance
Type: Focus on how to manage information, information and communication technology efficiently and effectively
Examples: COBIT, Val IT

Category: Service Management
Type: How to perform and organize IT management, such as service delivery & support
Examples: ITIL, Generic Framework

Category: Quality Management
Type: Quality standards applied to IT domains
Examples: ISO 9000, ISO 20000

Category: Quality Improvement
Type: Improvement of processes or performance
Examples: IT BSC, CMM, Six-Sigma

Category: Project Management
Type: Portfolio, program & project management
Examples: PMBOK, MSP, PRINCE2

Category: Risk Management
Type: Identifying & managing risk
Examples: ISO 2700x, RiskIT, OCTAVE, FIRM, AS/NZ 4360


IT Frameworks
Overlapping content w/ varying purpose/specificity
[Figure: COSO, COBIT, ISO 17799, ITIL and ISO 9000 positioned between WHAT and HOW, against Breadth of Application]

Framework Specificity
For example, varying levels of security guidance


Some Governance Frameworks
Topics
Framework Concepts & Organization
  Calder-Moir / ISO 38500

Survey
  Strategy: Balanced Scorecard
  Risk & Compliance: COSO | COBIT | ISO 2700x | PCI DSS
  Architecture & Plans: TOGAF | Zachman
  Implement & Manage Change: PMBOK | PRINCE2 | COBIT
  Verify: Balanced Scorecard, Zachman
  Operate: ITIL | ISO 9000 | Six Sigma

How ISACA Positions COBIT
COBIT is the application of COSO to IT


COBIT Supports Multiple Audiences
Management
  Help govern, direct, manage and monitor IT activities
  "Are we doing the right things?"

IT & Business Users
  Implement better managed IT solutions

Auditors/Consultants
  Substantiate opinions & advice on internal controls

How COBIT Helps Governance Process
COBIT links IT & business goals
COBIT framework provides common understanding of IT role

Provide Direction

COBIT process & maturity models focus on IT capability

SET OBJECTIVES
  IT business alignment
  IT enables business & mgmt benefits
  IT resources used responsibly
  IT risks are managed appropriately

IT ACTIVITIES
  Increase automation
  Decrease cost
  Manage risk

COMPARE

Measure Performance
COBIT KGIs and KPIs enable measurement


COBIT Support for Governance Objectives
COBIT Feature: Governance Target

Business & IT KGI
  Align IT strategy w/ business goals
  Cascade strategy down into organization
  Set up functions that facilitate strategy implementation

COBIT Framework
  Adopt control & governance framework
  Provide IT infrastructure that facilitates creation & sharing of business information
  Embed responsibility for risk management

IT Processes, Mgmt Guidelines, KPI, CMM
  Focus on important IT processes and core competence
  Measure performance
  Identified areas where improvement needed
  Appreciate consequences of incorrect or no action

COBIT Framework


Digression
What is process?

Organized set of activities
  a. Produces specific results/outcome
  b. Responds to specific events (triggers)
  c. Has identified customer receiving the benefit of the process (ITIL perspective)
  d. Performance is measurable

Defined roles (COBIT perspective)
  Process Owner, responsible for results
  Process Manager, responsible for realization and structure; reports to PO
  Process Operatives, responsible for specific process activities; report to PM

Process Control
Measurement & Control is an essential aspect of COBIT process


COBIT Framework: Requirements Cascade
Business Requirements => Process Definition => Resource Management

Expressing Business Requirements for IT
Standardization of information and IT properties

Business requirements are specified in terms of the following information properties
  Effectiveness
  Efficiency
  Confidentiality
  Integrity
  Availability
  Compliance
  Reliability

Information requirements cascade to requirements for IT


Information Criteria
Criteria: Requirements for
  Effectiveness: Information being relevant and pertinent to business process, delivered in a timely, correct, consistent and reliable manner
  Efficiency: Most productive and economical use of resources
  Confidentiality: Protection from unauthorized disclosure
  Integrity: Accuracy and completeness of information | validity in accordance with business values & expectations
  Availability: Being available when required by the business process. Safeguarding resources and capability.
  Compliance: Conformance with laws, regulations and contractual requirements
  Reliability: Provisioning of appropriate information to management to operate and exercise fiduciary & governance responsibilities.

COBIT OUTPUT
List of the required IT processes
  Each associated with a high-level objective
  Catalog is intended to be complete

Best Practice Process definition
  Detailed sequence of activity
  Affected information properties
  Resource utilization
  Process inputs and outputs
  Goals and metrics
  Roles
  Competency


Process Catalogue
Domains => Processes => Activities

Other Frameworks Complement COBIT


Governance Frameworks
Topics
Framework Concepts & Organization
  COSO Cube

Survey
  COBIT
  COSO ERM | ISO 2700x | M_O_R | OCTAVE | ISO 3100
  ITIL
  ISO 9000 | Six Sigma
  Balanced Scorecard | TOGAF | Zachman
  CMMI
  PMBOK | PRINCE2

ISO 2700x Infosec Framework

  ISMS monitoring and review guidelines
  ISMS internal auditing
  ISMS continual improvements


Digression: Security Framework Related Issues for CGEIT Study

Knowledge of details has not been on the test
Know the difference between a Code of Practice and a Certification Standard
Security standards lead other disciplines in the rigor and approach of available standards (contrast with project management)
Know why standards are important in the context of governance
  In some cases, they offer certification
  In all cases they offer widely accepted language and methods for a particular discipline
  In the case of ISO, integration with other standards and a holistic approach


TOGAF Four Architecture Domains
The Open Group Architecture Framework (TOGAF)
  framework for enterprise architecture
  a comprehensive approach to the design, planning, implementation, and governance of an enterprise information architecture

TOGAF is based on four architecture domains:
  Business architecture or business process architecture, which defines the business strategy, governance, organization, and key business processes of the organization
  Applications architecture, which provides a blueprint for the individual application systems to be deployed, the interactions between the application systems, and their relationships to the core business processes of the organization
  Data architecture, which describes the structure of an organization's logical and physical data assets and the associated data management resources
  Infrastructure or Technical architecture or Technology architecture, which describes the hardware, software and network infrastructure needed to support the deployment of core, mission-critical applications

TOGAF Framework
The architecture framework is a toolset or set of tools which can be used for developing a broad range of different architectures. It
  describes a method for defining an information system in terms of a set of building blocks
  shows how the building blocks fit together
  contains a set of tools
  provides a common vocabulary
  includes a list of recommended standards
  includes a list of compliant products that can be used to implement the building blocks


TOGAF Architecture Development Method

The Architecture Development Method (ADM) is applied to develop an enterprise architecture which will meet the business and information technology needs of an organization. It may be tailored to the organization's needs and is then employed to manage the execution of architecture planning activities.

The process is iterative and cyclic. Each step checks with Requirements. Phase C involves some combination of both Data Architecture and Applications Architecture. Additional clarity can be added between steps B and C in order to provide a complete information architecture.

Performance engineering working practices are applied to the Requirements phase, and to the Business Architecture, Information System Architecture, and Technology Architecture phases. Within Information System Architecture, it is applied to both the Data Architecture and Application Architecture.

TOGAF ADM


PMBOK
General project management book of knowledge
  Maintained by Project Management Institute (PMI)
    Basis of PMP certification

Plan-centric approach to project management
  E.g., management of project risk occurs as an artifact of the development, maintenance and monitoring of a project risk management plan
  E.g., the same for quality management and the quality management plan


Standardized Project Phases

Initiation
  Feasibility, scoping & project charter

Planning
  Project Management Plan to manage numerous subordinate plans

Plan Execution
  Deliver on plan
  Request and implement changes to plan

Monitoring & Controlling Plans
  Approval of change requests
  Update plan
  Status reports & forecasts

Closing
  Verification, delivery and sign-off

PMBOK Best Practices
Defines inputs, tools and techniques and outputs for 9 project management areas
  Integration Management
  Scope Management
  Time Management
  Cost Management
  Quality Management
  Human Resource Management
  Communications Management
  Risk Management
  Procurement Resource Management

All PMBOK maps to a single COBIT process, PO10 | Manage Projects


IT Infrastructure Library (ITIL)
Standardization of IT service delivery

Derived from effort within British Government (1980s) to standardize management of services
  "service" is the means of delivery of value whereby customers get desired outcomes w/o having ownership of certain costs or risks

Published as series of books dealing with different aspects of IT management
Currently at Version 3
Certification of organizations and practitioners


Service Life Cycle
ITIL v3 organized around the concept of a service lifecycle

ITIL v3 Core Books


ITIL Guidance
For each phase, defines:
  Key Principles
  Key Documents
  Required processes
    Targets (process outcomes | deliverables | metrics)
    Roles and Responsibilities
    Artifacts (policy | SOP | documentation)

ITIL Identified Management Processes
Phase: Management processes
  Service Strategy: Strategy Generation, Risk Management, Financial Management, Service Portfolio Management, Demand Management
  Service Design: Service Catalog Management, Service Level Management, Supplier Management, Availability Management, Capacity Management, Info Security Management, Service Continuity Management
  Service Transition: Release & Deployment Management, Change Management, Transition Planning & Support, Knowledge Management, Evaluation Management, Asset & Configuration Management, Service Validation & Testing Management
  Service Operation: Request Fulfillment, Incident Management, Access Management, Problem Management, Event Management, Functions {Service Desk Mgmt | IT Ops Mgmt | Technical Mgmt | Apps Mgmt}
  CSI: 7 Step Improvement, Service Reporting, Service Measurement


ISO 900x
Standard for Quality Management Systems (QMS)

Supports demonstration that a production process is controlled
  Prevention of errors/fault
  Assure quality to customers

ISO 9000: QMS Fundamentals and Vocabulary
ISO 9001: QMS Requirements
  Basis for ISO 9000 certification
  3 Core Sections applicable to all areas
ISO 9004: QMS Guidelines for Performance Improvement
ISO 9003: QMS Software Engineering

ISO 9000 Evolution: Emphasis on Process
http://www.praxiom.com/principles.htm

ISO 9000:2000 version: emphasis on evidence of compliance with documented procedures
  Tyranny of the ISO bureaucracy

ISO 9000:2004 version: emphasis on process management
  "documented system" vs. "system of documents"
  Continual process improvement based on customer satisfaction

ISO 9000:2005
ISO 9000:2008 expands QMS to include outsourced processes


ISO 9000 Generic Processes
  Management of resources
  Product Quality
  Maintenance of Quality Records
  Continual Improvement

ISO 9000 Best Practice Topics
http://tinyurl.com/cgeitISO9000
Eight QMS Principles:
  Correct implementation
  Customer focus
  Leadership
  Involvement of people, e.g.
    People understanding the importance of their contribution and role in the organization.
    People identifying constraints to their performance.
    People accepting ownership of problems and their responsibility for solving them.
    People evaluating their performance against their personal goals and objectives.
    People actively seeking opportunities to enhance their competence, knowledge and experience.
    People freely sharing knowledge and experience.
    People openly discussing problems and issues
  Process approach
  Continual improvement
  Factual approach
  Supplier relationships
    Mutual benefit


ISACA Resource: IT Governance Roundtables
governance challenges & trends; frameworks; value; staffing

Obtain from isaca.org downloads page

Next Week:

VALUE MANAGEMENT
