IT Governance Leveraging Best Practices for Governance Success Greg Charles, Ph.D. Area Senior Technology Specialist Western U.S. ITIL, Governance & Best Practices Lead CA, Inc. December 2007

Upload: emery-jacobs

Post on 13-Jan-2016


Page 1: IT Governance – Leveraging Best Practices for Governance Success Greg Charles, Ph.D. Area Senior Technology Specialist Western U.S. ITIL, Governance &

IT Governance – Leveraging Best Practices for Governance Success

Greg Charles, Ph.D.

Area Senior Technology Specialist, Western U.S. ITIL, Governance & Best Practices Lead, CA, Inc.

December 2007

Page 2

April 21, 2023 Copyright © 2007 CA

IT Governance

Defined as: The management of risk & compliance.

“The overall methodology by which IT is directed, administered and controlled”

Compliance

Governance

Page 3

Three Pillars of IT Governance

IT Governance

Infrastructure Management

IT Use/Demand Management

IT Project Management

Page 4

Managing Ever-Increasing Complexity

Page 5

The Real World View?

[Diagram labels: End User, Firewall, Network, Router, Switch, Load Balancer, Portal, Identity Manager, Web Servers, Web Services, Applications, SAP, PSFT, Siebel, 3rd Party applications, Databases, Database, Mainframe, Black Box]

Page 6

The Cruel Reality

[Diagram labels: Application (repeated boxes), Screen Scrape, Message Queue, Download File, Transaction File, ORB, CICS Gateway, APPC, RPC, Sockets, Message]

Source: Gartner

Page 7

Addressing These Challenges: Improving Engagement and Efficiency

WHAT IS ENGAGEMENT?

Doing the Right Things

IT’s ability to partner with the business to maintain alignment and maximize return from IT investments

WHAT IS EFFICIENCY?

Doing Things Right

IT’s ability to make the best use of its people, budgets and assets

Page 8

Obstacles Prevent Effective Engagement

IT Seen as Black Box:
- Business lacks visibility
- Poor customer satisfaction

Overwhelming Demand:
- Unstructured capture of requests and ideas
- No formal process for prioritization and trade-offs
- Reactive vs. proactive

IT and Biz Divide:
- Business thinks in IT services – IT delivers in technology terms
- Costs disassociated with services

Page 9

Disparate Systems Reduce Efficiency

- No Single System of Record for Decision-Making

- IT Management systems siloed

- Relevant Metrics Hard to Obtain

- Disparate Systems Costly to Maintain and Upgrade

Page 10

IT Governance Landscape

Page 11

How to Improve Engagement? Structured IT Governance Process

Comprehensive Portfolio Management
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services

Integrated Demand Management
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives

Business Intelligence for the BRM
- Visibility into all services that support LOB
- Detailed cost invoices

Page 12

How to Improve Efficiency? Comprehensive Management

Comprehensive Resource Management
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advance Resource Mgmt capabilities

Scalable, Transparent Status Capture
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with Asset Management Solution

World-Class Project Execution
- Leverage best practices across entire project portfolio
- Rapid time to value

Empower the PMO
- Automate, enforce, and report on process compliance

Page 13

Approaches Currently In Use

> Business As Usual - “Firefighting”

> Legislation - “Forced”

> Best Practice Focused

Page 14

COBIT®

IT OPERATIONS

Audit Models

Quality Systems & Mgmt. Frameworks

Service Mgmt.

App. Dev. (SDLC)

Project Mgmt.

IT Planning

IT Security

Quality System

IT Governance Model

COSO

ISO17799

PMI PMBOK

PRINCE2

ISO

Six Sigma

TSOIS

Strategy

ASL

CMMi

Sarbanes-Oxley

US Securities & Exchange Commission

ITIL®

BS 15000

ISO 20000

Page 15

Best Practices

• What is not defined cannot be controlled

• What is not controlled cannot be measured

• What is not measured cannot be improved

Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.

Process Frameworks
• ITIL®
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.

Page 16

ITIL® v2 to v3

[Diagram labels]
- The Business
- The Technology
- Introduction to ITIL
- Planning To Implement Service Management
- The Business Perspective
- Service Management: Service Support, Service Delivery
- ICT Infrastructure Management
- Security Management
- Application Management
- Software Asset Management
- Small-Scale Implementation

Page 17

ITIL Service Support Model

[Diagram labels]
- The Business, Customers or Users: Difficulties, Queries, Enquiries; Communications, Updates, Work-arounds
- Monitoring Tools: Incidents
- Service Desk
- Customer Survey reports
- Incident Management: Service reports, Incident statistics, Audit reports
- Problem Management: Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports
- Change Management: Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports
- Release Management: Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports
- Configuration Management: CMDB reports, CMDB statistics, Policy standards, Audit reports
- Flows between processes: Incidents, Changes, Releases
- CMDB: Incidents, Problems, Known Errors, Changes, Releases, CIs, Relationships

Page 18

ITIL Service Delivery Model

[Diagram labels]
- Business, Customers and Users: Queries, Enquiries; Communications, Updates, Reports
- Service Level Management: Requirements, Targets, Achievements; SLAs, SLRs, OLAs, Service reports, Service catalogue, SIP, Exception reports, Audit reports
- Availability Management: Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports
- Capacity Management: Capacity plan, CDV, Targets/thresholds, Capacity reports, Schedules, Audit reports
- Financial Management for IT Services: Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
- IT Service Continuity Management: IT continuity plans, BIS and risk analysis, Requirements defined, Control centers, DR contracts, Reports, Audit reports
- Management Tools: Alerts and Exceptions, Changes

Page 19

COBIT® (Control Objectives for IT)

> Focused on IT Standards and Audit, CobIT is jointly “owned/maintained” by ITGI and ISACA (Information Systems Audit and Control Association)

> Based on over 40 International standards

> Supported by over 150 IT Governance Chapters

– www.itgi.org

– www.isaca.org

Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality

Page 20

The COBIT® Cube

4 Domains

34 Processes

318 Control Objectives

(Business Requirements)

215 in COBIT® 4.0

Page 21

The Four COBIT® Domains

Planning & Organization (PO Process Domain)

Acquisition & Implementation (AI Process Domain)

Delivery & Support (DS Process Domain)

Monitoring (M Process Domain)

Page 22

Planning & Organization

PO 1 Define a Strategic IT Plan

PO 2 Define the Information Architecture

PO 3 Determine the Technological Direction

PO 4 Define the IT Organization and Relationships

PO 5 Manage the IT Investment

PO 6 Communicate Management Aims and Direction

PO 7 Manage Human Resources

PO 8 Ensure Compliance with External Requirements

PO 9 Assess Risks

PO 10 Manage Projects

PO 11 Manage Quality

Page 23

The Four COBIT® Domains

Planning & Organization (PO Process Domain)

Acquisition & Implementation (AI Process Domain)

Delivery & Support (DS Process Domain)

Monitoring (M Process Domain)

Page 24

Acquisition & Implementation

AI 1 Identify Solutions

AI 2 Acquire and Maintain Application Software

AI 3 Acquire and Maintain Technology Architecture

AI 4 Develop and Maintain IT Procedures

AI 5 Install and Accredit Systems

AI 6 Manage Changes

Page 25

The Four COBIT® Domains

Planning & Organization (PO Process Domain)

Acquisition & Implementation (AI Process Domain)

Delivery & Support (DS Process Domain)

Monitoring (M Process Domain)

Page 26

Delivery and Support

DS 1 Define Service Levels

DS 2 Manage Third-Party Services

DS 3 Manage Performance and Capacity

DS 4 Ensure Continuous Service

DS 5 Ensure Systems Security

DS 6 Identify and Attribute Costs

DS 7 Educate and Train Users

DS 8 Assist and Advise IT Customers

DS 9 Manage the Configuration

DS 10 Manage Problems and Incidents

DS 11 Manage Data

DS 12 Manage Facilities

DS 13 Manage Operations

Page 27

DS5 – Ensure Systems Security

DS 5.1 Manage Security Measures

DS 5.2 Identification, Authentication and Access

DS 5.3 Security of Online Access to Data

DS 5.4 User Account Management

DS 5.5 Management Review of User Accounts

DS 5.6 User Control of User Accounts

DS 5.7 Security Surveillance

DS 5.8 Data Classification

DS 5.9 Central Identification and Access Rights Management

DS 5.10 Violation and Security Activity Reports

DS 5.11 Incident Handling

DS 5.12 Reaccreditation

DS 5.13 Counterparty Trust

DS 5.14 Transaction Authorization

DS 5.15 Non-Repudiation

DS 5.16 Trusted Path

DS 5.17 Protection of Security Functions

DS 5.18 Cryptographic Key Management

DS 5.19 Malicious Software Prevention, Detection and Correction

DS 5.20 Firewall Architectures and Connections with Public Networks

DS 5.21 Protection of Electronic Value

Page 28

The Four COBIT® Domains

Planning & Organization (PO Process Domain)

Acquisition & Implementation (AI Process Domain)

Delivery & Support (DS Process Domain)

Monitoring (M Process Domain)

Page 29

Monitoring

M 1 Monitor the Processes

M 2 Assess Internal Control Adequacy

M 3 Obtain Independent Assurance

M 4 Provide for Independent Audit

Page 30

COBIT® Summary

Planning & Organization (PO Process Domain)

Acquisition & Implementation (AI Process Domain)

Delivery & Support (DS Process Domain)

Monitoring (M Process Domain)

Page 31

How to Make IT a Reality?

Key Success Factors

Theory – ITIL® / COBIT® / etc.
- Guidelines for Best Practices
- Provides the theory but not always defines the process
- Education is an important component

Technology – CA and others
- Provide the technology that enables & automates the process
- Repeatability, compliance & notifications
- Implement processes impossible without technology

Process
- Convert theory to process that is applicable to the unique needs of the organization
- Training & Education
- Tool configuration

Page 32

Tools to Aid Success

Solution Sheets

Transitional Maturity ROI Tool

Profilers

Process Model

[Diagram: identity and access management process model. Roles shown: CISO, Incident Manager, IT Operations Manager, Customer / Partner, Business Manager, Facilities Security Manager, Application Manager, Employee, Customer Relationship Manager, HR, Development Manager. Flows shown:
- New hire: identity verified and entered in HR; access approved; ID allocated automatically; identity and access automatically provisioned to LAN, email, corporate directory, authentication technology, security web services, security infrastructure, business apps and external federated services; user building access provisioned automatically.
- New customer or partner: customer entered in customer/partner relationship system; delegated user creation; self-serve registration; SPML request from customer/partner; incident opened (if required by policy).
- Change in application access: request (including delegated request and request for a new project), workflow approval, user access changed, incident closed.
- Forgotten password: self-serve password reset, incident opened and closed, use new password.
- Access no longer needed, employee terminated or retired: employee removed from HR system; delegated request for removal of access; automated process to deprovision user from systems/apps and from facilities access; incident closed.
- Periodic security audit: authoritative list of all users/roles obtained automatically; automated synchronization process compares authoritative user and role list with LAN and app user accounts; user entitlements exceptions report generated automatically; excess entitlements/accounts? [Y]/[N]; workflow to request remediation; audit reports completed.
- New app: develop/acquire app; validate app with provisioning system, ID/password standards, role standards, directory services and SPML; workflow for security review of application; integration with production directory and security web services; produce operations manual for app; CMDB change impacting app deployment, ownership, access etc.
- Policy: define IAM policies, processes, workflows and owners; define policies and standards for ID provisioning, entitlement management and reporting; define corporate identity directory and security web services; define ID and password standards; define role management standards; define federated trust standards; periodic policy review.]

Maturity Model

- 4-Business-Driven: Ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
- 3-Responsive: Ability to manage service levels and provide the services that are important to the business
- 2-Efficient: Ability to automate responses, streamline processes, consolidate resources
- 1-Active: Ability to respond to problems and faults

[The maturity diagram also carries ROI labels.]

Assessments

[Chart: Importance and Capability plotted for Service Support, Service Delivery, Infrastructure Mgmt, Application Mgmt, Implementing IT Svc Mgmt]

Blueprints

[Diagram: security blueprint. Columns: Active, Efficient, Responsive, Business-Driven. Rows: Organizational Characteristics, Technical Capabilities, Services and Solutions.]

Organizational Characteristics:
• Dedicated Security Staff
• CISSP Training
• Security Awareness Training
• Certified Security Staff
• Security Awareness Training (IT, HR, Dev)
• Certified Security & IT Ops Staff
• Security Awareness Training (IT, HR, Dev)
• Staff trained in Threat Detection
• End User technology training in Anti-Spam prevention

Cell labels (Technical Capabilities and Services and Solutions, column placement not recoverable): Attack and Penetration Testing; Basic Security Policy; Anti-Virus Scanning; Identify & Classify Assets; Manual Load OS Patches; Backup/Recovery; Business Impact Analysis; Developed Standard OS Configuration; Integrated VM And Helpdesk; Agent-based Vulnerability Management; Agent-based Configuration Management; Business Impact Correlation & Reporting; Integrated Forensics Investigation; Compliance Management & Reporting; IT Governance Management; Security Road Map Assessment; eTrust VM Service; Security Policies & Procedures; CISSP Training; Attack & Penetration Assessment; Vulnerability Assessment; CERT Training; ITIL Training; Business Correlation Rule Development; Policy and Process Monitoring; Security Business Portal Development; Compliance Oriented Architecture; Incident Response Program Development; Forensic Investigation Training; Periodic Vulnerability Assessments; Technology Design, Implementation, and Integration Services (AV, VM, etc.); Technology, Design, Implementation & Integration Services (VM, Backup/Recovery, Service Desk, etc.); Tracking of Vulnerability Activities; CERT & Incident Resolution Process; Tracking of Threat & Forensics Events; BCP/DR Management; ITIL Compliant IT Operations Process; Automated Software Distribution Patch Process; Security Roadmap & Strategy Development; ISO17799 Program Development; Security Standards Development; Compliance Architecture Development; Anti-Spyware Malware Solutions; Technology, Design, Implementation & Integration Services (Audit, SCC, Forensics, SCM, IDS, Pest Patrol.); Configuration Management Process; Technology, Design, Implementation & Integration Services (Compliance Oriented Architecture.); Audit Collectors Integrated; Security Event Prioritization

Page 33

Governance: Meeting Customer Needs Leveraging Best Practices

Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality

Best Practices: ITIL®, COBIT®, COSO, ITAM, ITSM, Six Sigma, etc.

Page 34

IT Governance – Leveraging Best Practices for Success

Greg Charles, Ph.D.

Area Senior Technology Specialist, Western U.S. ITIL & Best Practices Lead, CA, Inc.

December 2007