IT Governance – Leveraging Best Practices for Governance Success
Greg Charles, Ph.D.
Area Senior Technology Specialist, Western U.S.
ITIL, Governance & Best Practices Lead
CA, Inc.
December 2007

IT Governance Defined
The management of risk and compliance: "the overall methodology by which IT is directed, administered and controlled."
[Diagram: Governance and Compliance shown as the two overlapping concerns.]
March 24, 2016 Copyright © 2007 CA

Three Pillars of IT Governance
- Infrastructure Management
- IT Use/Demand Management
- IT Project Management

Managing Ever-Increasing Complexity

The Real World View?
[Diagram: a typical enterprise estate – SAP, PSFT (PeopleSoft), Siebel and other 3rd-party applications, an Identity Manager, a portal, web servers, web services, database applications and databases, a mainframe, "black box" systems, and the network path from the end user through switch, router, firewall and load balancer.]

The Cruel Reality (Source: Gartner)
[Diagram: applications wired together point-to-point by screen scrapes, transaction files, download files, message queues, sockets, RPC, ORBs, APPC and CICS gateways.]

Addressing These Challenges: Improving Engagement and Efficiency
WHAT IS ENGAGEMENT? Doing the Right Things
- IT's ability to partner with the business to maintain alignment and maximize return from IT investments
WHAT IS EFFICIENCY? Doing Things Right
- IT's ability to make the best use of its people, budgets and assets

Obstacles Prevent Effective Engagement
Overwhelming Demand
- Unstructured capture of requests and ideas
- No formal process for prioritization and trade-offs
- Reactive vs. proactive
IT and Business Divide
- Business thinks in IT services; IT delivers in technology terms
- Costs disassociated from services
IT Seen as a Black Box
- Business lacks visibility
- Poor customer satisfaction

Disparate Systems Reduce Efficiency
- No single system of record for decision-making
- IT management systems siloed
- Relevant metrics hard to obtain
- Disparate systems costly to maintain and upgrade

IT Governance Landscape
[Diagram]

How to Improve Engagement? Structured IT Governance Process
Integrated Demand Management
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives
Comprehensive Portfolio Management
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services
Business Intelligence for the BRM (business relationship manager)
- Visibility into all services that support the LOB
- Detailed cost invoices

How to Improve Efficiency?
Comprehensive Management
Empower the PMO
- Automate, enforce, and report on process compliance
World-Class Project Execution
- Leverage best practices across the entire project portfolio
- Rapid time to value
Comprehensive Resource Management
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advanced resource management capabilities
Scalable, Transparent Status Capture
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with the Asset Management solution

Approaches Currently In Use
> Business As Usual – "Firefighting"
> Legislation – "Forced"
> Best Practice Focused

IT Governance Model
[Diagram: audit models (Sarbanes-Oxley, COSO, US Securities & Exchange Commission, COBIT) sit above a quality system spanning IS strategy, IT planning, project management, application development (SDLC), IT security, service management and IT operations, each mapped to its standards: PMI PMBOK and PRINCE2 (TSO) for project management, CMMi for application development, ISO 17799 (now ISO/IEC 27002) for IT security, ITIL, BS 15000 and ISO 20000 for service management, ASL for application management, and ISO standards and Six Sigma for quality.]

Best Practices
Quality & Control Models: ISO 900x, COBIT, TQM, EFQM, Six Sigma, COSO, Deming, etc.
Process Frameworks: ITIL, Application Service Library, Gartner CSD, IBM Processes, EDS Digital Workflow, Microsoft MOF, Telecom Ops Map, etc.

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved

ITIL v2 to v3: Introduction to ITIL
[Diagram: the ITIL v2 publication framework, spanning from The Business to The Technology – Planning to Implement Service Management; Service Management (Service Support and Service Delivery); ICT Infrastructure Management; The Business Perspective; Security Management; Application Management; Software Asset Management; Small-Scale Implementation.]

ITIL Service Support Model
[Diagram of the Service Support processes and their outputs:]
- The business, customers or users raise difficulties, queries and enquiries with the Service Desk and receive communications, updates and work-arounds; monitoring tools also feed incidents in.
- Service Desk: customer survey reports
- Incident Management: service reports, incident statistics, audit reports
- Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
- Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports
- Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports
- Configuration Management: CMDB reports, CMDB statistics, policy standards, audit reports
- The CMDB records incidents, problems, known errors, changes, releases, configuration items (CIs) and their relationships.

ITIL Service Delivery Model
[Diagram of the Service Delivery processes and their outputs:]
- The business, customers and users exchange communications, updates, reports, queries and enquiries, and agree requirements, targets and achievements with Service Level Management; management tools feed in alerts, exceptions and changes.
- Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
- Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
- Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
- Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
- IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centres, DR contracts, reports, audit reports

COBIT (Control Objectives for IT)
> Focused on IT standards and audit; COBIT is jointly owned and maintained by ITGI (IT Governance Institute) and ISACA (Information Systems Audit and Control Association)
> Based on over 40 international standards
> Supported by over 150 IT governance chapters – www.itgi.org, www.isaca.org
Best Practices: industry and CA best practices are applied to all of our solutions to maximize standardization and quality.

The COBIT Cube (Business Requirements)
4 domains, 34 processes, 318 control objectives (215 in COBIT 4.0).
Note: the process and control-objective numbering on the slides that follow (PO 1–11, AI 1–6, DS 1–13, M 1–4, DS 5.1–5.21) is that of COBIT 3rd edition. COBIT 4.0 renumbered the processes (Monitoring became Monitor and Evaluate, ME 1–4) and consolidated the DS5 objectives, so map controls to the edition your auditors actually use.

The Four COBIT Domains
- Planning & Organization (PO process domain)
- Acquisition & Implementation (AI process domain)
- Delivery & Support (DS process domain)
- Monitoring (M process domain)

Planning & Organization
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality

Acquisition & Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes

Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data

DS5 – Ensure Systems Security
DS 5.1 Manage Security Measures
DS 5.2 Identification, Authentication and Access
DS 5.3 Security of Online Access to Data
DS 5.4 User Account Management
DS 5.5 Management Review of User Accounts
DS 5.6 User Control of User Accounts
DS 5.7 Security Surveillance
DS 5.8 Data Classification
DS 5.9 Central Identification and Access Rights Management
DS 5.10 Violation and Security Activity Reports
DS 5.11 Incident Handling
DS 5.12 Reaccreditation
DS 5.13 Counterparty Trust
DS 5.14 Transaction Authorization
DS 5.15 Non-Repudiation
DS 5.16 Trusted Path
DS 5.17 Protection of Security Functions
DS 5.18 Cryptographic Key Management
DS 5.19 Malicious Software Prevention, Detection and Correction
DS 5.20 Firewall Architectures and Connections with Public Networks
DS 5.21 Protection of Electronic Value

Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

COBIT Summary (recap of the four domains: PO, AI, DS, M)
How to Make IT a Reality? Key Success Factors
Theory – ITIL / COBIT / etc.
- Guidelines for best practices
- Provides the theory but does not always define the process
- Education is an important component
Process
- Convert theory into a process that is applicable to the unique needs of the organization
- Training and education
- Tool configuration
Technology – CA and others
- Provides the technology that enables and automates the process
- Repeatability, compliance and notifications
- Implementing the processes is impossible without technology

Tools to Aid Success
- Maturity Model
- Solution Sheets
- Tool Process Model
- Customer / Partner Assessments
- Blueprints
- Profilers
- Services and Solutions

Maturity Model
[Diagram: capability plotted against importance to the business, with an ROI step at each transition; layers labelled Active Service Support, Infrastructure Mgmt, Application Mgmt and Efficient Service Delivery.]
1-Active: ability to respond to problems and faults
2-Efficient: ability to automate responses, streamline processes, consolidate resources
3-Responsive: ability to manage service levels and provide the services that are important to the business
4-Business-Driven: ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs

Implementing IT Service Management: Technical Capabilities, Organizational Characteristics, Services and Solutions
[Table by maturity stage (Active, Efficient, Responsive, Business-Driven); the stage columns did not survive extraction, so the entries are listed by row.]
Organizational characteristics: dedicated security staff; certified security staff; certified security and IT operations staff; CISO; CISSP training; security awareness training (IT, HR, Dev); staff trained in threat detection; end-user technology training in anti-spam prevention.
Technical capabilities: basic security policy; identify and classify assets; anti-virus scanning; anti-spyware/malware solutions; manual loading of OS patches; automated software distribution patch process; standard OS configuration; backup/recovery; configuration management and agent-based configuration management; CMDB; periodic vulnerability assessments and agent-based vulnerability management; process tracking of vulnerability activities; integrated VM and helpdesk; CERT and incident resolution; process tracking of threat and forensics events; audit collectors; integrated security event prioritization; integrated forensics investigation; business impact analysis; business impact correlation and reporting; BCP/DR management; ITIL-compliant IT operations; IT governance management; compliance management and reporting; policy and process monitoring; security business portal.
Services: security road map assessment; security roadmap and strategy development; security policies and procedures; security standards development; ISO 17799 program development; incident response program development; CERT training; forensic investigation training; CISSP training; ITIL training; vulnerability assessment; attack and penetration testing/assessment; eTrust VM service; compliance architecture development and compliance-oriented architecture; business correlation rule development; technology design, implementation and integration services (AV, VM, backup/recovery, service desk, audit, SCC, forensics, SCM, IDS, PestPatrol, compliance-oriented architecture).

Tool Process Model: Identity and Access Lifecycle
[Swimlane diagram; lanes: CISO, Security Manager, IT Operations Manager, Application Manager, Development Manager, Business Manager, Incident Manager, Customer Relationship Manager, HR, Facilities, Employee, Customer/Partner User.]
Policy and standards (CISO / Security Manager): define IAM policies, processes, workflows and owners; define policies and standards for ID provisioning and reporting; define ID and password standards; define role management standards; define the corporate identity directory, entitlement management and security web services; define federated trust standards; periodic policy review.
New hire: identity verified and entered in HR → ID allocated automatically → identity and access automatically provisioned to the LAN, email, corporate directory, authentication technology, security web services, security infrastructure, business applications and external federated services → building access provisioned automatically → new hire has access to business applications.
New customer or partner: customer entered in the customer/partner relationship system → customer/partner employee enters data via self-serve registration, or the partner sends an SPML request and creates users by delegated administration → LAN/application IDs and passwords obtained → authorized customer/partner employees have access, integrated with the production directory and security web services.
Change in business relationship (e.g. the customer buys a new product or service) or a new project: delegated request to change application access → workflow approval (incident opened if required by policy) → user access changed or enabled automatically → access the new application resource → incident closed.
Access no longer needed: delegated request to remove access → customer access removed.
Password reset: customer/partner forgets password → self-serve reset → set new password → use new password (incident opened and closed automatically).
Employee terminated or retired: employee removed from the HR system → automated processes deprovision the user from systems/applications and from facilities access → employee access removed → user deprovisioned → incident closed.
Periodic security audit (scheduled): obtain the authoritative list of all users and roles automatically from HR → an automated synchronization process compares the authoritative user and role list with the LAN and application user accounts → user entitlement exceptions report generated automatically → review current reports → excess entitlements or accounts? [Y] incident opened → workflow to request remediation → incident closed; [N] audit reports completed.
New application: develop or acquire the application → validate it using directory services, against the role standards, with the provisioning system, with SPML and against the ID/password standards → workflow for security review of the application → produce the operations manual → manage application security; record the CMDB change impacting application deployment, ownership and access.

Governance: Meeting Customer Needs by Leveraging Best Practices
Best practices: ITIL, COBIT, COSO, ITAM, ITSM, Six Sigma, etc.
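The periodic-audit step of the identity lifecycle above (an automated synchronization comparing the authoritative HR user and role list with the LAN and application accounts, and opening an incident for every excess account or entitlement, which is also what COBIT DS 5.5 Management Review of User Accounts and DS 5.10 Violation and Security Activity Reports ask for) comes down to a reconciliation. The Python below is an added example written for this page, not CA product code and not from the deck. The HR roster, the role standard, the account inventories and the service-account owner list are constructed sample data, and the system names "lan" and "erp" are assumptions for the example.

```python
"""Added example: user/role reconciliation for the periodic security audit.

HR is the authoritative source of identities and roles; the role standard says
which entitlements a role may hold on each system; the account inventories are
what the LAN and the application actually contain. All data below is constructed
sample data, not output from any real system."""
from dataclasses import dataclass


# Constructed: the authoritative user and role list exported from HR.
HR_ROSTER = {
    "e1001": {"name": "Alice", "status": "active", "role": "developer"},
    "e1002": {"name": "Bob", "status": "active", "role": "finance_analyst"},
    "e1003": {"name": "Carol", "status": "terminated", "role": "developer"},
}

# Constructed role standard: entitlements each role may hold, per system.
# The system names "lan" and "erp" are assumptions for this example.
ROLE_STANDARD = {
    "developer": {"lan": {"vpn", "dev_share"}, "erp": set()},
    "finance_analyst": {"lan": {"vpn"}, "erp": {"ap_view", "ap_post"}},
}

# Constructed account inventories as exported from each target system.
SYSTEM_ACCOUNTS = {
    "lan": {
        "e1001": {"vpn", "dev_share", "domain_admins"},   # group beyond the role
        "e1002": {"vpn"},
        "e1003": {"vpn", "dev_share"},                    # employee has left
        "svc_backup": {"backup_operators"},               # service account
    },
    "erp": {
        "e1001": {"ap_post"},                             # developer can post AP
        "e1002": {"ap_view", "ap_post"},
    },
}

# Constructed: a service account is exempt from the orphan check only while its
# documented owner is still an active employee.
SERVICE_ACCOUNT_OWNERS = {"svc_backup": "e1003"}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    kind: str      # "orphan", "terminated" or "excess_entitlement"
    detail: str


def reconcile(hr, role_standard, system_accounts, service_owners):
    """Compare every account on every system against HR and the role standard."""
    findings = []
    for system, accounts in system_accounts.items():
        for account, entitlements in accounts.items():
            if account in service_owners:
                owner = hr.get(service_owners[account])
                if owner is None or owner["status"] != "active":
                    findings.append(Finding(system, account, "orphan",
                        f"service account owner {service_owners[account]} is not active"))
                continue
            person = hr.get(account)
            if person is None:
                findings.append(Finding(system, account, "orphan", "no HR record"))
                continue
            if person["status"] != "active":
                findings.append(Finding(system, account, "terminated",
                                        f"HR status is {person['status']}"))
                continue
            # Anything the account holds beyond what its role allows is excess.
            allowed = role_standard.get(person["role"], {}).get(system, set())
            for ent in sorted(entitlements - allowed):
                findings.append(Finding(system, account, "excess_entitlement",
                                        f"{ent} is not permitted for role {person['role']}"))
    return findings


def open_incidents(findings):
    """Group findings into one incident per (system, account) so the remediation
    workflow has a single ticket to close per account; returns {key: [findings]}."""
    incidents = {}
    for f in findings:
        incidents.setdefault((f.system, f.account), []).append(f)
    return incidents


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, ROLE_STANDARD, SYSTEM_ACCOUNTS, SERVICE_ACCOUNT_OWNERS)
    for (system, account), items in open_incidents(result).items():
        print(f"incident: {account} on {system}: " + "; ".join(i.detail for i in items))
```

Two design points match the flow in the deck: the comparison only reads and opens incidents, it never deletes accounts itself, because the remediation is a workflow with an approver; and service accounts are not silently exempted, they need a documented owner, so an account whose owner has left shows up as orphaned rather than surviving every review.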