IT Governance - CAUBO


IT Governance in Higher Education

“What is it, and how does it benefit your Institution?”

Pre-Conference Seminar – June 23, 2007

Presenter

James Yung, CISA

Associate Director, IS Audit

Harvard University Risk Management and Audit Services

CAUBO ACPAU June 23, 2007 Pre-Conference Seminar 2

Agenda

• What is IT Governance

• IT Governance at Harvard University

• CoBIT in Assessing IT Governance at Harvard


Questions

• What does IT Governance mean to you?

• Is IT Governance happening in your university?

• What are your key challenges in IT Governance?


How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses?

ANSWER: Inefficiently, ineffectively and not as well as they should.

~ Source: Educause – IT Governance in Higher Education 2006 ~


What is IT Governance?

• It’s about organizational leadership

• Decision making that leads to better alignment of IT and the business

• IT delivering more business value

• IT resources are used responsibly

• IT risks are managed appropriately


Enterprise Governance

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:

• Providing strategic direction

• Ensuring that objectives are achieved

• Ascertaining that risks are managed appropriately

• Verifying that the enterprise’s resources are used responsibly

©2007 IT Governance Institute

Enterprise Governance Drives IT Governance

Enterprise governance is about:

• Conformance: adhering to legislation, internal policies, audit requirements, etc.

• Performance: improving profitability, efficiency, effectiveness, growth, etc.

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

©2007 IT Governance Institute


IT Governance, as Defined by IT Governance Institute (ITGI)


IT governance is:

• The responsibility of the board of directors and executive management

• An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives

Survey results (enterprises acting on IT governance):

2003: 58% doing something about it, 42% not doing something about it

2005: 64% doing something about it, 36% not doing something about it

©2007 IT Governance Institute

Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005


IT Governance Domains

• Strategic alignment: focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations

• Value delivery: IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT

• Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people

• Risk management: senior management appetite for risk, compliance requirements, transparency about the significant risks to the organisation

• Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting

©2007 IT Governance Institute


IT Governance Stakeholders

• Board and executive: set direction for IT, monitor results and insist on corrective measures

• Business management: defines business requirements for IT and ensures that value is delivered and risks are managed

• IT management: delivers and improves IT services as required by the business

• IT audit: provides independent assurance to demonstrate that IT delivers what is needed

• Risk and compliance: measures compliance with policies and focuses on alerts to new risks

©2007 IT Governance Institute

IT Governance at Harvard


Harvard University Facts

• 12 Schools

• 143 Research and Academic Centers

• Approximately 7,000 Undergraduate and 13,000 Graduate Degree Candidates

• More than 19,000 Faculty and Staff

• $25B Endowment

• $623M Sponsored Research

• $2.7B Operating budget


IT Governance Risks at Harvard

• Wrong IT strategy precludes growth and operational sustainability

• False starts and wasted resources (i.e. money, time and productivity)

• Short-sighted planning

• Fragmented IT planning

• High project implementation failure rates

• Lack of disaster recovery planning


Why Audit IT Governance at Harvard

• IT is strategic and critical to the university reputation and success

• Compliance with numerous regulations (FERPA, HIPAA, GLB, PCI, etc.) depends on effective IT controls

• Expectation and reality often don’t match

• IT had not received the attention it deserves


The Need for IT Governance at Harvard

Drivers (figure labels): Aligning IT with Business; Security; Keeping IT Running; Managing Complexity; Value/Cost; Regulatory Compliance

• Millions of dollars on IT spending

• Decentralized IT computing and Business operations

• Increasing numbers of severe security breaches

• IT ability to scale and sustain operation

• Various IT delivery models

• Regulatory compliance: SAS 112, FERPA, HIPAA, GLB, PCI, etc.


Stakeholders need to know that:

• IT strategy is aligned with school strategy

• Schools and IT are effectively communicating

• The organization is structured to facilitate the implementation of its strategy and goals

• Risks and opportunities are effectively managed

• Performance against objectives is transparent


Risk Management and Audit Services

Mission

“To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the University’s Business Practices and Academic and Research Activities”


RMAS Organization (organization chart; boxes shown): Joint Committee of Inspection; VP Finance/CFO; Provost; Risk Management Committee; Director, RMAS; Director, Insurance; Associate Director, Information Systems Audit; Associate Director, Financial and Operational Audit; Construction Audit; Senior Compliance Officer; Manager of Strategy & Planning


Evolution of RMAS IS Audit

Timeline (level of complexity increasing from low to high):

Pre-2000: System-based audit

• Objective is to audit university critical systems based on high, medium or low risk criteria.

• Audit of network, servers, access controls, change controls, BCP/DR

2000: Integrated audit

• Objective is to assure information technology controls are enabled to support the business process.

• Audit of applications, servers, access controls, change controls, BCP/DR

2006: IT Governance audit

• Objective is to ensure IT strategy is aligned with business objectives.

• Audit IT processes, management policy, procedures and compliance.

• Audit IT internal controls and security management.

CoBIT and IT Governance

Control Objectives for Information and related Technology (CoBIT) is an international standard for directing and controlling an enterprise’s information technology. CoBIT sets the standard for measuring IT Governance process maturity.

Basic CoBIT principle (figure labels): Business Requirements; IT Processes; IT Resources

Process maturity domains:

• Plan and Organize

• Acquire and Implement

• Delivery and Support

• Monitor and Evaluate


Benefits of CoBIT

1. CoBIT offers an IT Governance Auditing Framework

2. Internationally recognized standard for best management practices and processes

3. IT risks and IT controls are easily communicated to IT and non-IT professionals


CoBIT Framework

► The CoBIT framework was created with the following main characteristics:

Business-focused

Process-oriented

Controls-based

Measurement-driven

©2007 IT Governance Institute

Where Does CoBIT Fit?

(Figure) Drivers: Performance (Business Goals, Balanced Scorecard) and Conformance (Basel II, Sarbanes-Oxley Act, etc.)

Layers shown: Enterprise Governance; IT Governance; Best Practice Standards; Processes and Procedures

Frameworks and standards shown: COSO; CoBIT; ISO 17799; ISO 9001:2000; ISO 20000; ITIL; QA Procedures; Security Principles

©2007 IT Governance Institute

CoBIT Approach in Assessing IT Governance at Harvard


Background

A major premier school in transition:

1. New Dean

2. Changes in academic curriculum

3. Aggressive recruitment of faculty

4. Campus expansion and facility improvements

5. Decentralized to centralized IT operations


Assessing IT Governance

Detailed review of the school IT Governance and internal controls within Information Technology Services.

Focus within two primary areas:

• IT Governance: assessed the technology organization’s performance against its responsibilities of delivering efficient and quality IT services, measured against the School’s overall strategic business objectives

• IT Assessment: evaluated the processes and systems of internal control and compliance


Audit Approach

Planning

• Perform risk assessment

• Identify risks

Scoping

• Identify business goals

• Identify IT goals

• Identify key IT processes and key IT resources

• Identify control objectives

Testing

• Inquire and confirm

• Inspect (walk-through and review)

• Observe

• Sample and analyze


IT Governance Audit Objectives

• Effectiveness: information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

• Efficiency: provision of information through the optimal (most productive and economical) use of resources

• Confidentiality: the protection of sensitive information from unauthorised disclosure

• Integrity: relates to the accuracy and completeness of information

• Availability: information being available when required by the business process now and in the future; it also concerns the safeguarding of necessary resources and associated capabilities

• Compliance: complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies

• Reliability: the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities

©2007 IT Governance Institute


Scope of Work

IT Governance (strategy process)

• IT Enterprise Strategy

• Steering Committee effectiveness

• IT Budgeting & Investments

• Identification & Prioritization of IT initiatives

• IT Performance Metrics

• Incident Response, support calls & problem management

IT Audit (controls)

• IT Controls

• Change Mgmt Framework

• Project Mgmt

• System Development Life Cycle

• Incident Response

• Mgmt of Third-Party Vendor Contracts

• Business Continuity/Disaster Recovery

• Data Center

Approach

Interviews

• ITS

• Office of Academic Affairs

• Student Office

• Office of Administration

• Faculty

• IT Steering Committee

Documentation

• Organizational charts

• ITS Budgets

• Third-party Contracts

• Helpdesk Reports

• Project Logs

• Training Materials

• Policy and Procedures

• Communications

Risk Analysis

Observations and Recommendations


CoBIT Four IT Process Domains

(Figure labels: Business; IT Resources)

• Plan and Organize

• Acquire and Implement

• Delivery and Support

• Monitor and Evaluate


Plan and Organize (PO)

► Objectives:

Planning, communicating and managing the realization of the strategic vision

Implementing organizational and technological infrastructure

► Scope:

Is the enterprise achieving optimum use of its resources?

Does everyone in the organization understand the IT objectives?

Is the quality of IT systems appropriate for business needs?

Processes:

PO1 Define a strategic IT plan.

PO2 Define the information architecture.

PO3 Determine technological direction.

PO4 Define the IT processes, organization and relationships.

PO5 Manage the IT investment.

PO6 Communicate management aims and direction.

PO7 Manage IT human resources.

PO8 Manage quality.

PO9 Assess and manage IT risks.

PO10 Manage projects.

©2007 IT Governance Institute


Acquire and Implement (AI)

► Objectives:

Identifying, developing or acquiring, implementing, and integrating IT solutions

Changes in and maintenance of existing systems


► Scope:

Are new projects likely to deliver solutions that meet business needs?

Are new projects likely to be delivered on time and within budget?

Will the new systems work properly when implemented?

AI1 Identify automated solutions.

AI2 Acquire and maintain application software.

AI3 Acquire and maintain technology infrastructure.

AI4 Enable operation and use.

AI5 Procure IT resources.

AI6 Manage changes.

AI7 Install and accredit solutions and changes.

©2007 IT Governance Institute

Deliver and Support (DS)

► Objectives:

The management of security, continuity, data and operational facilities

Service support for users

► Scope:

Are IT services being delivered in line with business priorities?

Is the workforce able to use IT systems productively and safely?

Are adequate confidentiality, integrity and availability in place?

Processes:

DS1 Define and manage service levels.

DS2 Manage third-party services.

DS3 Manage performance and capacity.

DS4 Ensure continuous service.

DS5 Ensure systems security.

DS6 Identify and allocate costs.

DS7 Educate and train users.

DS8 Manage service desk and incidents.

DS9 Manage the configuration.

DS10 Manage problems.

DS11 Manage data.

DS12 Manage the physical environment.

DS13 Manage operations.

©2007 IT Governance Institute


Monitor and Evaluate (ME)

► Objectives:

Performance management

Monitoring of internal control

► Scope:

Is IT’s performance measured to detect problems before it is too late?

Does management ensure that internal controls are effective and efficient?

Can IT performance be linked to business goals?

Are risk, control, compliance and performance measured and reported?

ME1 Monitor and evaluate IT performance.

ME2 Monitor and evaluate internal control.

ME3 Ensure compliance with external requirements.

ME4 Provide IT governance.

©2007 IT Governance Institute

Align Business Goals with Key IT Goals

School Information Technology Governance

Legend: P = Primary Impact; S = Secondary Impact; Blank = No Impact

Content: Strategic Alignment

Information Criteria: Availability, Confidentiality, Compliance, Effectiveness, Efficiency, Integrity and Reliability

Risks:

1) Increasing business demands

2) IT’s inability to meet future business needs

3) Inadequate IT capability to develop new initiatives

4) Lack of committed or satisfied business sponsors for IT

5) Inability to measure ROI/value delivered

6) Poor communication of business and IT goals

7) Lack of strategic plans

8) Low level of attention given by senior management to IT Strategy

Business goals and key IT goals (table; the P/S impact matrix and the per-process CoBIT 4.0 maturity columns are not reproduced here):

1 Improve faculty and student orientation and services. IT goals: Ensure end users satisfaction of service offerings and service level. Ensure IT services are available as required.

2 Improve business process functionality. IT goal: Define how business functional and control requirements are translated in effective and efficient automation.

3 Improve and maintain operational staff productivity. IT goal: Ensure proper use and performance of the applications and technology solutions.

4 Obtain reliable and useful information for decision making. IT goals: Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels. Maintain the integrity of information and processing infrastructure.

5 Compliance with external laws, regulations, and internal policies. IT goals: Ensure IT compliance with laws and regulations. Ensure critical and confidential information is withheld from those who should not have access to it.

CoBIT 4.0 processes assessed (individual process maturity levels ranged from 0 to 4): PO5, PO6, PO8, AI4, AI6, AI7, DS2, DS3, DS4, DS5, DS7, DS8, DS10, DS11, DS12, DS13, ME1

CoBIT maturity ratings as listed: 1.6, 1.0, 2.0, 1.7, 1.0

Overall IT Governance Maturity Rating: 1.44

IT Governance Maturity Benchmark

(Chart: CoBIT maturity scale starting at Level 0; School score 1.5; Harvard and Target levels also marked)

Using CoBIT’s Maturity Benchmark, ITS scored a 1.5, which is estimated to be in line with Harvard University’s other IT organizations.

School can gain significant benefits in operational efficiencies (i.e. productivity), effectiveness (i.e. operational costs) and compliance by operating within a target maturity level rating of 3.0.

Five key IT Governance recommendations were identified to help the school reach a maturity level of 3.0.


Key Recommendations

Listed in priority order:

IT Governance

1. Formalize a Strategic Business/IT Plan

2. Expand IT Steering Committee responsibilities

3. Institute a formal Change Management process

4. Establish a Project Portfolio Management Process

IT Controls *

1. Improve Data Center Security

2. Strengthen System Authentication rules

3. Log & Monitor server events & incident management

4. Develop and Document Business Continuity & Disaster Recovery procedures

5. Create Performance Management & Communication Model

IT Governance recommendations will require the School’s senior leadership team’s involvement, as it ultimately sets the strategic direction.

* IT Control recommendations are the responsibility of the CIO.


Benefits to the Auditee

• Clarify IT decision-making roles and responsibilities

• Clearly communicate who is accountable for decisions in academic and administrative computing

• Foster true partnership between IT and business leaders

• Strengthen general IT controls and security


Lessons Learned

• Auditing IT governance involves interaction at every level of the organization’s leadership and with internal/external stakeholders

• IT governance scope must be clear and concise

• Appropriate risk and controls must be identified

• IT governance audits should be conducted by a senior auditor with appropriate consultative skill sets

• Internal audit plays a critical role in IT governance

IT GOVERNANCE AUDIT IS NOT FOR THE FAINT-HEARTED


Questions


References

IT Governance Institute http://www.itgi.org/

ISACA http://www.isaca.org/

IT Audit http://www.theiia.org/itaudit/
