Strategies for an IT Governance Audit

Rocky Mountain Information Security Conference – May 2012
Presented by: Chad Stowe, Experis SME Professional

Experis Finance, SME Professional.
• 17 years audit experience (15 as a CISA).
• Former VP of IT Audit at a large multi-billion dollar financial institution.
• MBA Honors Graduate from Regis University.



• Understand a successful methodology, structure, and approach for IT Governance.
• Understand example successful methods for analyzing IT Governance.
• Understand critical success factors in performing an IT Governance review in your organization.

Methodology

IT Governance:
• Is a subset of Corporate Governance.
• Defines how IT resources are managed on behalf of stakeholders.
• Helps to assure stakeholders that investments in IT generate business value.
• Monitors and mitigates IT risks related to achieving a desired business value.
• Assigns accountability within the IT organization.
• Is guided by the culture of the organization.


• IT governance processes should align with the entire organization.
• Focused on the risks and values of governance processes.

• Guided by regulatory compliance requirements.
• Defined by SOX controls.
• A checklist activity.
[Figure: IT Governance quadrant diagram (Strategy, Tactics, Metrics/SLAs, Risk Mgmt)]

ME4 - Provide IT Governance
1. Establishment of an IT Governance Framework
2. Strategic Alignment
3. Value Delivery
4. Resource Management
5. Risk Management
6. Performance Measurement
[Figure: the six ME4 processes placed on the Strategy / Tactics / Metrics/SLAs / Risk Mgmt quadrants]
SOURCE: Information Systems Audit and Control Association - COBIT v4.1, www.isaca.org
1 - Establishment of an IT Governance Framework Value Drivers:
• IT decisions in line with the business’s strategies and objectives.
• A consistent approach for a governance framework achieved and aligned with the business approach.
• Processes overseen effectively and transparently.
• Compliance with legal and regulatory requirements confirmed.
• Stakeholder requirements for governance likely to be met.
2 - Strategic Alignment Value Drivers:
• IT more responsive to the business’s objectives.
• IT resources helping to facilitate the business goals in an efficient and effective manner.
• IT capabilities enabling opportunities for the business strategy.
• Efficient allocation and management of IT investments.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
[Figure: quadrant diagram highlighting processes 1 and 2]
3 - Value Delivery Value Drivers:
• Cost-efficient delivery of solutions and services.
• Optimized use of IT resources.
• Business needs supported efficiently.
• Increasing support for use of IT by business stakeholders.
• Increased value contribution of IT to business objectives.
• Reliable and accurate picture of costs and likely benefits.
4 - Resource Management Value Drivers:
• Efficient and effective prioritization and utilization of IT resources.
• IT costs optimized.
• Increased likelihood of benefit realization.
• IT planning supported and optimized.
• Readiness for future change.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
[Figure: quadrant diagram highlighting processes 3 and 4]
5 - Risk Management Value Drivers:
• Risks identified before they materialize.
• Increased awareness of risk exposures.
• Clear accountability and responsibility for managing critical risks.
• Effective approach for managing IT risks.
• IT risk profile aligned with management’s expectations.
• Minimized potential for compliance failures.
6 - Performance Measurement Value Drivers:
• Increased process performance.
• Areas of improvement identified.
• IT objectives and strategies being and remaining in line with the business’s strategy.
• Processes overseen effectively and transparently.
• Timely and effective management reporting enabled.
SOURCE: Information Systems Audit and Control Association - COBIT v4.1
[Figure: quadrant diagram highlighting processes 5 and 6]
Source: COBIT 5 Draft
Assessment

• Obtain sponsorship and agreement with executive management prior to performing any assessment.
• Set clear expectations and scope for the assessment.
• Identify both Business and IT personnel at the executive and lower-level manager level to interview during the assessment.
• Set a defined interview schedule.
• Know your interviewees and their responsibilities within the organization.
• Consider pre-interview surveys.
• Develop standardized assessment questions for each objective.

• Customize standard assessment questions to the interviewee while retaining the point of the question.
• Research potential answers to questions by interviewees prior to the interview.
• Understand the current business value drivers.
• Benchmark projects and systems to $ spent by IT in relation to its strategic relevance.
• Understand how IT and the business benchmark themselves internally and in relation to their industry.
• Research emerging trends and the ITGI Global Status Report. (www.isaca.org/ITGI-Global-SurveyResults)
Objective: IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments.
Risk:
• The business strategic plan does not exist or is not clearly defined to enable the development of an IT strategic plan.
• The IT strategic plan does not exist or is not aligned with the business strategy.
Objective: CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies.
Risk:
• The IT strategic plan is not clearly communicated to key stakeholders.
Objective: IT activities are optimized towards execution of the IT strategic plan.
Risk:
a) The IT strategic plan is not defined clearly enough to enable tactical plans.
b) The IT process framework does not support the execution of the IT strategic plan.
c) Vehicles are not in place to support IT governance activities.
Objective: IT has been allocated the resources to execute the strategic plan.
Risk:
d) The tactical plan does not identify which projects enable realizing IT strategy and business goals.
e) The tactical plan does not identify which projects enable realizing IT strategy and business goals.
f) Technology policies have not been established and implemented to support key governance activities.
g) The IT strategic and tactical plans do not include day-to-day activities (e.g. implementation and maintenance of infrastructure and application portfolio to meet established business requirements and technological direction).
h) The IT strategic and tactical plans do not include mergers and acquisitions.
i) The IT strategic and tactical plans do not include emerging technologies and innovation.
Objective: IT risk framework is in alignment with the company's overall risk management processes.
Risk:
a) Risk is not clearly identified and understood by the key stakeholders.
b) An IT risk framework does not align with the IT policies and the company's risk and control framework.
Objective: Significant IT project risks (obstacles to achieving objectives and strategies) are identified, addressed in a timely manner, and optimally managed.
Risk:
c) Risk management is not incorporated in strategic planning, performance management, project management and day-to-day decision making.
d) IT risks that require responses are not identified, managed or monitored in a timely manner.
e) Risks related to IT processes and activities are not assessed in relation to their ability to impact the achievement of business objectives.
Objective: CIO and key stakeholders, including Board of Directors, are fully informed on IT risks.
Risk:
f) Management and the board are not informed of significant risks in a timely manner.
Objective: Performance metrics focus on the most important measures relevant to the overall business strategy.
Risk:
a) The business does not evaluate ROI on IT initiatives.
b) Lack of strategically focused performance measures that assess the success of IT-delivered value (e.g. SLAs are defined and agreed upon with the business).
Objective: The Board receives timely information and communication on IT to carry out their oversight duties.
Risk:
c) Performance measures are not monitored and reported to management.
Objective: Initiatives and assets that do not create value are identified and eliminated.
Objective: IT detects and corrects deviations from, or weaknesses in, execution of the IT strategic plan.
Risk:
d) Remedial actions are not initiated based on performance indicators.

• Baseline interview results to a risk level immediately after the interview.
• Continually revisit predefined baseline and rating criteria when summarizing and rating interview results.
• Track and review interview document requests when performing the final assessment.

Risk Level | Definition
High   | Processes and controls are not documented, communicated, understood, or measured.
Medium | Processes and controls are identified or documented, but may not be communicated, well understood, or measured.
Low    | Processes and controls are well documented, communicated, understood, and measured.

Summary Heat Map

Objective Area: 1. Strategic Alignment - Strategy
Scoring: 1-Low, 2-Medium, 3-High

Objective | Related Risk | Business Scope Area 1 | Business Scope Area 2 | Business Scope Area 3 | Residual Risk Score
IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments. | The business strategic plan does not exist or is not clearly defined to enable the development of an IT strategic plan. | 1-Low | 2-Medium | 3-High | 2.0
(same objective) | The IT strategic plan does not exist or is not aligned with the business strategy. | 1-Low | 3-High | 2-Medium | 2.0
CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies. | The IT strategic plan is not clearly communicated to key stakeholders. | 1-Low | 3-High | 2-Medium | 2.0
Residual Risk Score (per scope area / overall) | | 1.0 | 2.7 | 2.3 | 2-Medium
Interview question worksheet (columns: Question #, Audit Risk Area, Scope Area, Y/N Questions, Open Ended (H, M, L))

1. (Risk Area 1B, Scope S) Y/N: Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives?
2. (Risk Area 1C, Scope S) Open ended: How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated?
   High - The linkage is clearly, consistently and formally communicated to all key stakeholders.
   Medium - The linkage is occasionally communicated informally to some, but not all, key stakeholders.
   Low - The linkage is rarely communicated to very few key stakeholders, if any.
3. (Risk Area 1B, Scope S) Open ended: What is IT governance in your mind?
4. (Risk Area 1B, Scope S) Open ended: What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.)
5. (Risk Area 1B/1C, Scope S) Y/N: Do you know the IT strategic objectives? If yes, please explain the strategic objectives.
6. (Risk Area 1B, Scope S) Y/N: Are you a part of approving IT strategic objectives? If yes, please explain the approval process.
7. (Risk Area 1A, Scope S) Y/N: Have you defined and communicated your business strategic objectives to IT? If yes, please explain the process. (Ask for supporting documentation.)
8. (Risk Area 1B, Scope S) Y/N: Are your business strategic objectives aligned with the IT strategic objectives? If yes, please explain the process. (Ask if there is supporting documentation for alignment.)
9. (Risk Area 1A/1B, Scope S) Open ended: How do you organize your department with IT to realize technical solutions that meet business objectives? (Ask if supporting info is available, and obtain examples like an org chart.)

Interview Notes recorded per question: Scope Area; Result (Y/N or H/M/L); Overall Auditor Summary (H, M, L and Overall Assessment, e.g. Strategic Alignment: High, Medium, Low); Audit Notes (ties to the Interview Results tab); Supporting Documentation Reference.
Interview Results tab - Business Scope Area 1
Columns: Risk Area; Question # and Description (Green = Preliminary Survey); Flag encoding; one Flag / Notes pair per interviewee (Executive 1 with interviewee ID, Director 1, Director 2); Overall.

Q1 (1B): Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives? Flag (N=1; Y=0); Q1 Notes.
Q2 (1C): How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated? Flag (H=1; M=2; L=3); Q2 Notes.
   High - The linkage is clearly, consistently and formally communicated to all key stakeholders.
   Medium - The linkage is occasionally communicated informally to some, but not all, key stakeholders.
   Low - The linkage is rarely communicated to very few key stakeholders, if any.
Q3 (1B): What is IT governance in your mind? Flag (H=1; M=2; L=3); Q3 Notes.
Q4 (1B): What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.) Flag (H=1; M=2; L=3); Q4 Notes.
Q5 (1B/1C): Do you know the IT strategic objectives? Flag (N=1; Y=0); Q5 Notes.
Summary of Results - Business Scope Area 1
Question Description (Green = Preliminary Survey)

Strategic Alignment Area: Executive 1 - Low; Director 1 - Low; Director 2 - Medium; Summary of Results - Low.

Executive 1: Strong partnership between IT and business. Roles and responsibilities defined. IT is at the table when discussing business strategy.

Director 1: Business and IT sit on the Leadership Team as one. Business analysts sit in the business and focus only on the business area’s related projects and providing requirements to IT, thus enabling IT to execute against specific, clear business area requirements that are aligned with the business area’s objectives.

Director 2: Using a managed service for transaction monitoring; however, Director 2 meets with the IT Director to validate that needs are being met.

Summary of Results: Good partnering between IT and the business in understanding projects, prioritization, and overall IT needs, as both the IT Directors and the Executive and Directors were rated high. Personnel with low rating results are Managers whose systems are provided through software obtained through a Managed Service provider and are not directly supported by IT. Much of the communication is through a close partnership. It is helpful that IT sits in all leadership meetings.
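The flag encodings on the Interview Results tab, the per-interviewee Low/Medium/High ratings on the Summary of Results, and the residual risk roll-up on the Summary Heat Map form one small scoring pipeline. The following is an added example written for this page, not a spreadsheet or code from the presentation; the flag values (N=1; Y=0 and H=1; M=2; L=3), the 1-Low / 2-Medium / 3-High scale and the sample figures are the deck's, while the band thresholds (below 1.5 Low, below 2.5 Medium, otherwise High) and the use of a plain average at every roll-up step are assumptions made here. Run on the three Strategic Alignment rows from the heat map it reproduces the row scores of 2.0, the scope-area averages of 1.0, 2.7 and 2.3, and the overall 2-Medium.

```python
"""Roll-up of interview ratings into the residual-risk heat map.

Added example, not code from the deck. The flag encodings and the
1-Low / 2-Medium / 3-High scale come from the slides; the band thresholds
and the arithmetic-mean roll-up are assumptions made in this example.
"""

YN_FLAG = {"Y": 0, "N": 1}                        # Interview Results tab: N=1; Y=0
HML_FLAG = {"H": 1, "M": 2, "L": 3}               # Interview Results tab: H=1; M=2; L=3
LEVEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}  # Summary Heat Map scale


def encode_answer(kind, answer):
    """Encode one interview answer; kind is "YN" or "HML".
    A blank or unrecognised answer raises instead of silently scoring as
    Y=0, so an unanswered question cannot read as 'no risk'."""
    table = YN_FLAG if kind == "YN" else HML_FLAG
    key = answer.strip().upper()[:1]
    if key not in table:
        raise ValueError(f"unrecognised {kind} answer: {answer!r}")
    return table[key]


def level_for(score):
    """Assumed banding: below 1.5 Low, below 2.5 Medium, otherwise High."""
    if score < 1.5:
        return "Low"
    if score < 2.5:
        return "Medium"
    return "High"


def score_label(score):
    """Render a score the way the heat map does, e.g. 2.0 -> '2-Medium'."""
    level = level_for(score)
    return f"{LEVEL_SCORE[level]}-{level}"


def scope_area_rating(interviewee_levels):
    """Summary rating for a scope area from per-interviewee H/M/L ratings
    (Summary of Results slide: Low, Low, Medium -> Low)."""
    scores = [LEVEL_SCORE[lvl] for lvl in interviewee_levels]
    return level_for(sum(scores) / len(scores))


def heat_map(rows):
    """rows: list of (related_risk, [level per business scope area]).
    Returns each risk's residual score (row average), each scope area's
    average (column average) and the overall band, as on the heat map."""
    area_count = len(rows[0][1])
    if any(len(levels) != area_count for _, levels in rows):
        raise ValueError("every risk must be rated for every scope area")
    matrix = [[LEVEL_SCORE[lvl] for lvl in levels] for _, levels in rows]
    row_scores = [round(sum(r) / len(r), 1) for r in matrix]
    area_scores = [round(sum(col) / len(col), 1) for col in zip(*matrix)]
    return {
        "rows": [(risk, score) for (risk, _), score in zip(rows, row_scores)],
        "row_scores": row_scores,
        "area_scores": area_scores,
        "overall": score_label(sum(row_scores) / len(row_scores)),
    }


# Constructed sample: the three Strategic Alignment risks from the deck's
# Summary Heat Map, rated across Business Scope Areas 1, 2 and 3.
SAMPLE_ROWS = [
    ("Business strategic plan does not exist or is not clearly defined",
     ["Low", "Medium", "High"]),
    ("IT strategic plan does not exist or is not aligned with the business",
     ["Low", "High", "Medium"]),
    ("IT strategic plan is not clearly communicated to key stakeholders",
     ["Low", "High", "Medium"]),
]

if __name__ == "__main__":
    print("Scope Area 1 rating:", scope_area_rating(["Low", "Low", "Medium"]))
    result = heat_map(SAMPLE_ROWS)
    for risk, score in result["rows"]:
        print(f"{score:.1f}  {risk}")
    print("per area:", result["area_scores"], "overall:", result["overall"])
```

Keeping the encoding tables and the thresholds in one place is what makes the rating criteria "predefined", as the assessment tips ask: if the auditor revisits a threshold while summarizing results, every interviewee's rating is recomputed the same way rather than re-judged by hand.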


IT Governance assessment presentations to executives which provided:
◦ Value opportunities from both an IT and a business perspective.
◦ IT and business residual risks should the value opportunities not be addressed.
◦ Improvement recommendations which apply to both IT and the business.
◦ Value propositions for improvement recommendations.
◦ Supporting research articles for recommendations.
◦ Where possible, baselines against industry standards, metrics, best practices, and the ITGI Survey.
Presenting Assessment Results
A. Strategic and Tactical Communication
B. Project Management and Prioritization
C. Resource Management
D. Risk Management & Monitoring
Key Definitions:
Related IT Governance Area: Related IT Governance Value Objective(s).
Key Values Achieved: Benefits achieved by IT and the business from good IT Governance practices.
Key Value Opportunities: Areas where IT Governance and business value could be improved.
Potential Residual Risks: Potential risks to IT Governance if the Key Value Opportunities are not addressed.
[Figure: quadrant diagram placing scope areas A to D on Strategy, Tactics, Metrics/SLAs, Risk Mgmt]
Scope Area 1 Value Strengths & Opportunities for IT Governance
A. Strategic and Tactical Communication
Related IT Governance Area(s):
1 - Establishment of an IT Governance Framework
2 - Strategic Alignment
Key Values Achieved:
• IT decisions in line with the business’s strategies and objectives.
• A consistent approach for a governance framework achieved and aligned with the business approach.
• Processes overseen effectively and transparently.
• Stakeholder requirements for governance likely to be met.
• IT more responsive to the business’s objectives.
• IT resources helping to facilitate the business goals in an efficient and effective manner.
• IT capabilities enabling opportunities for the business strategy.
Key Value Opportunities:
• Integrate IT objectives within a 3-5 year business strategic plan.
• Introduce tools and processes to formalize communication of a business and IT strategic plan.
Potential Residual Risks:
• The IT strategic plan may not be clearly communicated to all key stakeholders.
• The IT portfolio may fail to support the business’s objectives and strategies.
• Remedial actions to maintain and improve IT process effectiveness and efficiency may not be identified or implemented.
[Figure: quadrant diagram highlighting scope area A on Strategy]
Benchmarked using COBIT v4.1, Maturity Model for ME4: Provide IT Governance

• Tone at the Top!
• Enable thought leadership in people under the Executive level.
• Clearly define and communicate value opportunities of IT Governance.
• Incorporate involvement by both IT and the business to ensure collaboration and a defined partnership.
• Ensure agreement and understanding of IT Governance processes by both IT and the business.
• Relate business and IT strategies and objectives back to their technology enablers.

Implement an IT Governance culture as a
continual self-assessment process that:
 Understands and aligns business strategies to
tactics.
 Understands the associated risks related to the
business strategies and tactics.
 Monitors risks through metrics in order to identify
business unacceptable risk levels.
 Changes the business’s strategies and tactics when
management’s ‘risk appetite’ reaches unacceptable
levels.
QUESTIONS??????