IT Governance – Leveraging Best Practices for Governance Success
Greg Charles, Ph.D., Area Senior Technology Specialist, Western U.S. ITIL, Governance & Best Practices Lead, CA, Inc.
December 2007
April 21, 2023 Copyright © 2007 CA
IT Governance
Defined as: the management of risk & compliance.
“The overall methodology by which IT is directed, administered and controlled”
Diagram: Compliance and Governance.
Three Pillars of IT Governance
- Infrastructure Management
- IT Use/Demand Management
- IT Project Management
Managing Ever-Increasing Complexity
The Real World View?
Diagram: Identity Manager, Firewall, Network, Applications, Switch, Load Balancer, Portal, SAP, PSFT, Siebel, Web Services, 3rd Party applications, End User, Web Servers, Databases, Router, Mainframe, Database; the whole appears to the business as a Black Box.
The Cruel Reality
Diagram: many Applications connected point-to-point through Screen Scrape, Message Queue, Download File, Transaction File, ORB, CICS Gateway, APPC, RPC, Sockets and Message integrations.
Source: Gartner
Addressing These Challenges: Improving Engagement and Efficiency
WHAT IS ENGAGEMENT? Doing the Right Things
IT’s ability to partner with the business to maintain alignment and maximize return from IT investments
WHAT IS EFFICIENCY? Doing Things Right
IT’s ability to make the best use of its people, budgets and assets
Obstacles Prevent Effective Engagement
IT Seen as Black Box:
- Business lacks visibility
- Poor customer satisfaction
Overwhelming Demand:
- Unstructured capture of requests and ideas
- No formal process for prioritization and trade-offs
- Reactive vs. proactive
IT and Biz Divide:
- Business thinks in IT services – IT delivers in technology terms
- Costs disassociated with services
Disparate Systems Reduce Efficiency
- No Single System of Record for Decision-Making
- IT Management systems siloed
- Relevant Metrics Hard to Obtain
- Disparate Systems Costly to Maintain and Upgrade
IT Governance Landscape
How to Improve Engagement? Structured IT Governance Process
Comprehensive Portfolio Management:
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services
Integrated Demand Management:
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives
Business Intelligence for the BRM:
- Visibility into all services that support LOB
- Detailed cost invoices
How to Improve Efficiency? Comprehensive Management
Comprehensive Resource Management:
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advance Resource Mgmt capabilities
Scalable, Transparent Status Capture:
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with Asset Management Solution
World-Class Project Execution:
- Leverage best practices across entire project portfolio
- Rapid time to value
Empower the PMO:
- Automate, enforce, and report on process compliance
Approaches Currently In Use
> Business As Usual - “Firefighting”
> Legislation - “Forced”
> Best Practice Focused
IT Governance Model
Diagram: IT Operations areas (Service Mgmt., App. Dev. (SDLC), Project Mgmt., IT Planning, IT Security, Quality System) mapped against Audit Models (COBIT®, COSO, Sarbanes-Oxley, US Securities & Exchange Commission) and Quality Systems & Mgmt. Frameworks (ISO17799, PMI PMBOK, PRINCE2, ISO, Six Sigma, TSO IS Strategy, ASL, CMMi, ITIL®, BS 15000, ISO 20000).
Best Practices
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
Quality & Control Models: ISO 900x, COBIT®, TQM, EFQM, Six Sigma, COSO, Deming, etc.
Process Frameworks: ITIL®, Application Service Library, Gartner CSD, IBM Processes, EDS Digital Workflow, Microsoft MOF, Telecom Ops Map, etc.
ITIL® v2 to v3
Diagram: the ITIL® v2 library – Planning To Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; Application Management; ICT Infrastructure Management; Security Management – spanning The Business and The Technology, plus Introduction to ITIL, Software Asset Management and Small-Scale Implementation.
ITIL Service Support Model
Diagram: the Service Desk fronts The Business, Customers or Users (difficulties, queries and enquiries in; communications, updates, work-arounds and customer survey reports out). Incident Management, Problem Management, Change Management, Release Management and Configuration Management share the CMDB (Incidents, Problems, Known Errors, Changes, Releases, CIs, Relationships); Monitoring Tools feed incidents. Outputs per process: service reports, incident statistics, audit reports (Incident); problem statistics, problem reports, problem reviews, diagnostic aids, audit reports (Problem); change schedule, CAB minutes, change statistics, change reviews, audit reports (Change); release schedule, release statistics, release reviews, secure library, testing standards, audit reports (Release); CMDB reports, CMDB statistics, policy standards, audit reports (Configuration).
ITIL Service Delivery Model
Diagram: Business, Customers and Users exchange queries, enquiries, requirements, targets, achievements, communications, updates and reports with Service Level Management, Availability Management, Capacity Management, Financial Management for IT Services and IT Service Continuity Management; Management Tools supply alerts, exceptions and changes. Outputs per process: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports (Service Level); IT continuity plans, BIA and risk analysis, requirements defined, control centers, DR contracts, reports, audit reports (Continuity); financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports (Financial); capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports (Capacity); availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports (Availability).
COBIT® (Control Objectives for IT)
> Focused on IT Standards and Audit, CobIT is jointly “owned/maintained” by ITGI and ISACA (Information Systems Audit and Control Association)
> Based on over 40 International standards
> Supported by over 150 IT Governance Chapters
– www.itgi.org
– www.isaca.org
Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
The COBIT® Cube
4 Domains
34 Processes
318 Control Objectives (Business Requirements); 215 in COBIT® 4.0
The Four COBIT® Domains
Diagram: Planning & Organization (PO Process Domain), Acquisition & Implementation (AI Process Domain), Delivery & Support (DS Process Domain), Monitoring (M Process Domain).
Planning & Organization
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
Acquisition & Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
DS 5 – Ensure Systems Security
DS 5.1 Manage Security Measures
DS 5.2 Identification, Authentication and Access
DS 5.3 Security of Online Access to Data
DS 5.4 User Account Management
DS 5.5 Management Review of User Accounts
DS 5.6 User Control of User Accounts
DS 5.7 Security Surveillance
DS 5.8 Data Classification
DS 5.9 Central Identification and Access Rights Management
DS 5.10 Violation and Security Activity Reports
DS 5.11 Incident Handling
DS 5.12 Reaccreditation
DS 5.13 Counterparty Trust
DS 5.14 Transaction Authorization
DS 5.15 Non-Repudiation
DS 5.16 Trusted Path
DS 5.17 Protection of Security Functions
DS 5.18 Cryptographic Key Management
DS 5.19 Malicious Software Prevention, Detection and Correction
DS 5.20 Firewall Architectures and Connections with Public Networks
DS 5.21 Protection of Electronic Value
Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
COBIT® Summary
Diagram: the four COBIT® domains – Planning & Organization (PO), Acquisition & Implementation (AI), Delivery & Support (DS), Monitoring (M).
How to Make IT a Reality? Key Success Factors
Theory – ITIL® / COBIT® / etc.: guidelines for best practices provide the theory but do not always define the process; education is an important component.
Technology – CA and others: provide the technology that enables & automates the process; repeatability, compliance & notifications; implement processes that are impossible without technology.
Process: convert theory to process that is applicable to the unique needs of the organization; training & education; tool configuration.
Tools to Aid Success
Diagram: identity and access lifecycle swimlanes for the CISO, Incident Manager, IT Operations Manager, Customer / Partner, Business Manager, Facilities Security Manager, Application Manager, Employee, Customer Relationship Manager, HR and Development Manager.
- Governance lane: define policies & standards for ID provisioning and reporting; define corporate identity directory, entitlement management & security web services; define ID and password standards; define role management standards; define federated trust standards; define IAM policies, processes, workflows & owners; periodic policy review.
- New hire: identity verified & entered in HR; ID allocated automatically; identity and access automatically provisioned to LAN, email, corporate directory, authentication technology, security web services, security infrastructure, business apps and external federated services; user building access provisioned automatically; incident opened (if required by policy) and closed once the new hire obtains LAN/app IDs & passwords and has access to business applications.
- New customer (or partner): customer entered in the customer/partner relationship system, or enters data via self-serve registration, an SPML request, or delegated user creation; access approved; authorized customer/partner employees have access.
- Customer/partner changes business relationship (e.g. buys new product/service) or an employee requests a change in application access for a new project: delegated request, workflow approval, incident opened, user access changed, incident closed; user accesses the new app resource.
- Customer/partner forgets password: incident opened, self-serve password reset, new password used, incident closed.
- Customer/partner user no longer needs access, or employee terminated/retired: employee removed from the HR system; delegated request for removal of access; automated process deprovisions the user from systems/apps and from facilities access; incident opened and closed; customer and employee access removed.
- Periodic security audit (scheduled): obtain the authoritative list of all users/roles automatically from the HR system; an automated synchronization process compares the authoritative user & role list with LAN & app user accounts; if excess entitlements/accounts are found [Y], a workflow requests remediation, otherwise [N] no action; a user entitlements exceptions report is generated automatically; the CISO reviews current reports; audit reports completed.
- New app: develop/acquire the app; produce an operations manual for it; workflow for security review of the application; validate the app with role standards, ID/password standards, directory services, the provisioning system and SPML; integration with the production directory & security web services; manage application security. A CMDB change impacting app deployment, ownership, access etc. re-enters this path.
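The periodic security audit lane above (authoritative HR user/role list compared with LAN and app accounts, exceptions routed to a remediation workflow), as an added example in Python that is not part of the CA deck; the role standards, user records and entitlement names are constructed sample data.

```python
"""Added example (not from the CA deck): the 'Periodic Security Audit' lane.
Compares an authoritative HR user/role list with observed LAN/app accounts
and emits the exceptions the slide routes to a remediation workflow."""
from dataclasses import dataclass

# Hypothetical role standards ('Define Role Mgt Stds'): entitlements each role may hold.
ROLE_STANDARDS = {
    "sales": {"lan", "email", "crm"},
    "developer": {"lan", "email", "git", "dev-db"},
    "hr": {"lan", "email", "hris"},
}

@dataclass(frozen=True)
class Finding:
    kind: str      # orphan-account | excess-entitlement | unknown-role
    user_id: str
    detail: str

def reconcile(hr_users, accounts, role_standards=ROLE_STANDARDS):
    """hr_users: {user_id: {"role": str, "active": bool}} (authoritative HR list);
    accounts: {user_id: set of entitlements} observed on LAN and apps.
    Returns Findings ordered by user id; an empty list is the '[N]' branch."""
    findings = []
    for user_id, held in sorted(accounts.items()):
        record = hr_users.get(user_id)
        if record is None or not record["active"]:
            # No active HR record: a leaver (or unknown identity) never deprovisioned.
            findings.append(Finding("orphan-account", user_id, ", ".join(sorted(held))))
            continue
        allowed = role_standards.get(record["role"])
        if allowed is None:
            # Role has no standard, so entitlements cannot be judged; flag for review.
            findings.append(Finding("unknown-role", user_id, record["role"]))
            continue
        for ent in sorted(held - allowed):
            findings.append(Finding("excess-entitlement", user_id, ent))
    return findings

def remediation_requests(findings):
    """'[Y] Workflow to Request Remediation': one request per user, listing actions."""
    requests = {}
    for f in findings:
        action = {"orphan-account": "deprovision account",
                  "excess-entitlement": f"remove {f.detail}",
                  "unknown-role": f"review role '{f.detail}'"}[f.kind]
        requests.setdefault(f.user_id, []).append(action)
    return requests

# Constructed sample input: HR is authoritative, the account snapshot is observed.
HR_USERS = {
    "alice": {"role": "sales", "active": True},
    "bob": {"role": "developer", "active": True},
    "carol": {"role": "hr", "active": False},        # terminated in HR
    "dave": {"role": "contractor", "active": True},  # role without a standard
}
ACCOUNTS = {
    "alice": {"lan", "email", "crm", "dev-db"},  # dev-db exceeds the sales role
    "bob": {"lan", "email", "git", "dev-db"},
    "carol": {"lan", "email", "hris"},           # account outlived the employee
    "dave": {"lan"},
}
if __name__ == "__main__":
    for f in reconcile(HR_USERS, ACCOUNTS):
        print(f"{f.kind:<18} {f.user_id:<6} {f.detail}")
    print(remediation_requests(reconcile(HR_USERS, ACCOUNTS)))
```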
Solution Sheets, Transitional Maturity ROI Tool, Process Model, Profilers, Maturity Model, Blueprints, Assessments
Maturity Model (ROI shown at each step):
1-Active: ability to respond to problems and faults
2-Efficient: ability to automate responses, streamline processes, consolidate resources
3-Responsive: ability to manage service levels and provide the services that are important to the business
4-Business-Driven: ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
Assessments chart: Importance vs. Capability (scale from 0) for Service Support, Service Delivery, Infrastructure Mgmt, Application Mgmt and Implementing IT Svc Mgmt.
Security maturity matrix (levels Active, Efficient, Responsive, Business-Driven)
Organizational Characteristics: Dedicated Security Staff; CISSP Training; Security Awareness Training; Certified Security Staff; Security Awareness Training (IT, HR, Dev); Certified Security & IT Ops Staff; Staff trained in Threat Detection; End User technology training in Anti-Spam prevention.
Technical Capabilities: Attack and Penetration Testing; Basic Security Policy; Anti-Virus Scanning; Identify & Classify Assets; Manual Load OS Patches; Backup/Recovery; Business Impact Analysis; Developed Standard OS Configuration; Integrated VM and Helpdesk; Agent-based Vulnerability Management; Agent-based Configuration Management; Business Impact Correlation & Reporting; Integrated Forensics Investigation; Compliance Management & Reporting; IT Governance Management; Tracking of Vulnerability Activities; CERT & Incident Resolution Process; Tracking of Threat & Forensics Events; BCP/DR Management; ITIL Compliant IT Operations Process; Automated Software Distribution Patch Process; Configuration Management Process; Audit Collectors Integrated; Security Event Prioritization; Anti-Spyware/Malware Solutions.
Services and Solutions: Security Road Map Assessment; eTrust VM Service; Security Policies & Procedures; CISSP Training; Attack & Penetration Assessment; Vulnerability Assessment; CERT Training; ITIL Training; Business Correlation Rule Development; Policy and Process Monitoring; Security Business Portal Development; Compliance Oriented Architecture; Incident Response Program Development; Forensic Investigation Training; Periodic Vulnerability Assessments; Security Roadmap & Strategy Development; ISO17799 Program Development; Security Standards Development; Compliance Architecture Development; Technology Design, Implementation and Integration Services (AV, VM, etc.; VM, Backup/Recovery, Service Desk, etc.; Audit, SCC, Forensics, SCM, IDS, Pest Patrol; Compliance Oriented Architecture).
Governance: Meeting Customer Needs Leveraging Best Practices
Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
Best Practices: ITIL®, COBIT®, COSO, ITAM, ITSM, Six Sigma, etc.
IT Governance – Leveraging Best Practices for Success
Greg Charles, Ph.D., Area Senior Technology Specialist, Western U.S. ITIL & Best Practices Lead, CA, Inc.
December 2007