A CIO's Perspective on Compliance & Risk Management
Keeping Stakeholders and Auditors Happy with ICT Value Contributions and Controls
Steve Sanazaro
For TACUA
April 8, 2010
Topline Summary
• Objective: improve your understanding and your ability to team with IT leaders to implement and manage a robust and meaningful compliance regime
• Briefly describe the general and college/university environment
• Discuss IT Governance – where teamwork and cohesion begins
• Describe the role, agenda and cross-pressures on CIOs and their organizations
• Demonstrate some of the sources of dysfunctional friction between compliance and achieving the IT agenda
• Provide a roadmap to IT – Compliance collaboration and integration for efficiency and productivity
My Background…welcome to my day job
• Executive and technology roles in all three aspects of information and communications technology:
  • Commercial technology product development – e-business, data communications, reservations technology, business applications
  • Corporate executive – business strategy and operations, technology planning and implementation and managing ICT (CIO/CTO/CEO/COO)
  • Professional services provider: advising corporations in a range of industries on business-technology opportunities and managing strategic initiatives (consultant)
  • Educator and mentor of the next generation of business-technology leaders (the 110% factor)
• Diverse industry experience in the US and other countries:
  • Software, telecom, e-commerce, distribution and supply chain management, hospitality, transportation, consumer products, manufacturing, health, broadcasting, business process outsourcing, consulting
  • Companies in all stages: mature Global 500, mid-size growth, early-stage and startup companies, not-for-profits
  • Responsible for international initiatives and technology management with multiple companies
  • Instrumental in 2 successful IPOs
  • Founder of multiple companies, including two profitable professional services businesses
• Today I advise companies on business and ICT strategy, major program implementations, competency development, change management and other subjects companies explore to maximize the competitive standing and value of the enterprise.
  • Special focus: strategic readiness, organizational health and sustainment, total supply chain, performance management, turnarounds, rejuvenation efforts
• All of my engagements today require a strong background in international business, Information Technology, business operations, compliance and risk management, strategic planning, performance management, cross-cultural business and social experience and travel.
A More Detailed Overview
• 1 - The unique environment of colleges and universities and the environment we all share
• 2 - The IT Value Proposition
  • Automation, Information, Communication, Collaboration
  • Routine performance and innovation
  • Performance and institutional sustainment
• 3 - IT Governance
  • Integration, not alignment – team sport
  • Expectations, priorities and targets
  • Performance and organizational sustainment
  • Financial stewardship
  • Risk management and controls
• 4 - What do CIOs do anyway?
  • Agenda and cross pressures
• 5 - Friction and Dysfunction in IT Compliance Implementation
  • Risks – the infinite spectrum
  • IT control regimes
  • Integrating compliance into IT
• 6 – A Roadmap to IT-Compliance Harmonization
  • Compliance as connective tissue, not a separate organ
  • Integration, not alignment
  • Implementing Practical Compliance
  • Where IT and Auditing need to collaborate the most today
1 - The Unique Environment of Colleges and Universities Today
The 21st Century Economy
• Global & relentlessly competitive: talent, products, customers, suppliers
• Fast & unforgiving – time is the enemy
• Continuous innovations & imitations – new products, new competitors, new technologies, imitators everywhere
• Digital – information is replacing physical goods
• Customers are in command
  • Choice: access to global information, access to peer opinions
  • Fluid loyalties
  • Suppliers - Partners - Customers
• Results-driven
  • Financial
  • Other
• Emerging global culture – the new cosmopolitans
Management in the Global Reality
"Management's great task will be taking strategic control of companies and simultaneously decentralizing operational control—loosening controls without losing control."
– "Strategic Discontinuity," McKinsey, 2002
Enterprise Purpose: Convert Assets to Goals
[Diagram: Assets → Value-Generating Processes → Enterprise Execution Model → Results]
• Assets: Ideas; Cash; Talent (People); Facilities; Allies & Partners
• Value-Generating Processes: Generate or Raise Cash (Endowment, Grants, Building Projects…); Attract Talent, Allies and Partners; Grow and Strengthen the Institution; Build Brand Loyalty
• Enterprise Execution Model: Performance; Health & Sustainment
• Results: Graduates – stature & market acceptance
Cash Results from Doing the Right Things Right
[Diagram: Management Decisions → Activities / Processes → Results]
• Management Decisions: Strategy; Execution planning; Oversight & monitoring; Adjusting; What to sell; Where to sell; How to sell; How much to sell; Organizational development
• Activities / Processes: R&D; Production; Marketing; Sales; IT; Finance; Classes; Research
• Results: Revenue; Expenses; Income; Debt; Stock valuation; Fundraising; Grants; Students; Donors
• Businesses begin with assets and try to grow them over time
• Assets become sales
• Sales minus expenses become profits
• Profits become cash flow
• Cash flow becomes assets
• There's no reason to grow the asset base except to generate higher revenue, more sales, etc.
• ICT must adopt the same attitude
• The purpose of IT assets is to grow revenue (effectiveness) and net income (efficiency)
Globalization Has Enlarged the Enterprise Focus & Risk Management Agenda
• Talent development: attract, recruit, retain, develop, place
• Economics and Free Trade
• Tradition, Sovereignty and Cultural Preservation
• The Role of Information, Communications and Collaboration
• Education, Opportunity and Participation
• Population Shifts and Mass Migrations
• Human Rights
• Crime & Safety
• Environmental Concerns and Pollution
• Transborder Disease
• Corporate Social Responsibility and the Digital Divide
• Compliance
• Corruption and Governance
• Intellectual Property Rights
• Representation and Participation
Colleges and Universities Face Additional Challenges
• Some are common to institutions; some are unique to educational institutions
• Further gradients of issues are by public/private, size, target curricula, etc.
• Just a few of the many big questions:
  • What is the 21st century college and university value proposition?
  • Autonomy and centralization issues
  • What new programs or capabilities do we need?
  • Performance targets – what to measure, what to do with the results?
  • Customers and colleagues: students, academics, administrators, other stakeholder interests
  • How do we improve distance and continuing education?
  • How do IT technologies, applications and services change curricula, delivery methods, target audience, student and prospective student expectations?
  • The special function of university research
  • Endowments, special gifts, programs and other fundraising
  • Talent management – faculty, administration
  • Community support
  • Peer standing among other colleges and universities
  • Mastering legal and regulatory mandates
College and University ICT Challenges
• Centralized core systems and supporting infrastructure
• Fragmented departmental and functional systems by discipline
• High variability in governance policies and effectiveness
• Non-standardized user technology
  • PCs and laptops, smart phones, game consoles, sensors, video cameras…
• An "open" information culture – with information integrity and protection
• Inherent resistance to centralized authority
• Diverse investor (contributor/user) base with different objectives
  • Facility or discipline-specific gifts
  • Endowment
  • Student/parent payments
  • Industry/corporate gifts
  • Gifts in-kind
• Net net: mandates from on high will not achieve the objective of a controlled ICT environment in a fragmented, decentralized institution
• Challenge: how to get critical mass on the compliance team
Institutions Balance Today with Tomorrow
Performance (today):
• Doing the work; working the plan
• The academic year cycle
• The financial cycle
• Fund raising campaigns
• Incremental improvements
• Security, applications
• Delivering on commitments
• Meeting deadlines
• Operations reliability and continuity
• Meeting goals and objectives
• Managing controls; conducting compliance audits
Organizational Health (tomorrow):
• Reinforcing desired culture
• Respect, curiosity, integrity, diversity, excellence
• Strategic assessments
• Where do we want to be in the future? When does the future begin?
• Planning
• New programs, facilities, relationships, etc.
• Skills and competency improvements (people)
• Job and organizational structure reviews
• Building compliance and risk management competencies
Where's your Line between Performance & Institutional Sustainment Initiatives?
What's your institution's Optimal Golden Mean? Do you have a way to get there? [Time, talent & treasure]
Performance:
• Execution
• Operations
• Continuous Improvement
• Monitoring
• Measuring
• Adjusting
• Controlling
Institutional Health & Sustainment:
• New Capabilities - dynamic compliance, resilient disaster recovery
• New Methods and Processes – administration, customer interaction
• New Subject Areas – performance management and reporting
• New Relationships – complementary; virtual institutions
• Strategic Planning & Investment - programs, facilities, faculty, locations
Innovation – the New – Is Hard to "Control"
[Timeline: Today → Today+ → Future]
• Today – Legacy systems: financial, email, registration, Blackboard, payments, grading, Internet access, etc. Controls in place & audited.
• Today+ – Emerging systems: social networks, smart phone apps, new academic apps. Controls in development.
• Future – Innovative apps & services: the Wild Wild West.
• Continuous: process and accountabilities to develop & oversee controls
• New and enhanced regulatory regimes: privacy, intellectual property rights, security, disclosure, transparency, statistical mandates…
Therefore, to jump ahead, the competence to develop, operate and improve controlled processes in a timely manner is MORE – MUCH MORE – important than developing a protocol for any one regulatory regime. [I know: easier said than done…]
University Compliance Missions Are Inconsistent
• "To support the University's fundamental commitment to the highest standards of ethics, education, integrity, lawful conduct, and responsible citizenship by complying with all laws, regulations, and internal policies." – Columbia University. This makes sense to me.
• "To reinforce and support a culture at UNT which builds compliance consciousness into its daily activities and operations of the University and encourages each employee to conduct UNT business with the highest standards of honesty and integrity." – University of North Texas. This makes sense to me.
• "The mission of internal audit is to assess and monitor the university community in the discharge of their oversight, management, and operating responsibilities in relation to governance processes, the systems of internal controls, and compliance with laws, regulations and University policies including those related to ethical conduct by providing relevant, timely, independent, and objective assurance, advisory and investigative services using a systematic, disciplined approach to evaluate risk and improve the effectiveness of control and governance processes." – University of California system. Huh?
2 – The ICT Value Proposition
Pervasive IT – Who's In Charge? In Control?
• ICT today serves every aspect of institutional life, and numerous personal ones as well
• Universities have an exceptional Venn overlay of these two domains
• Transcends organizational boundaries – tremendous interaction with external individuals and institutions
• Continues to permeate organizations at every level and scale
• Is encompassing more devices (smart phones, object sensors, what's next?)
• Includes all types of data (text, numbers, video, audio, all digitally translatable analog data, real time, hyper-aggregated, images…)
• Includes staged, asynchronous and real-time information events
• The proportion of IT activity that happens outside of IT continues to grow
  • Consumer devices – iPhone, Blackberry, Xbox, Playstation
  • Social networking – Facebook, online games, Twitter, Foursquare
  • Embedded systems – device sensors and controllers, cars
  • Non-IT business functions - every enterprise function has some "independent" IT, whether they admit it or not (think Excel)
• Consider everything your faculty and students are doing with Information, Communications and Collaboration tools today. What's coming tomorrow?
  • Content, devices, communications channels, users, collaborators, intelligent agents
The ICT Value-Building Cycle
[Diagram: a Plan → Execute → Assess → Move On cycle, driven by the Environment, Business Strategy Differentiators and Vision & Mission]
• Elements of the cycle: IT Governance, Portfolio Management & Alignment; Priorities, Projects & Service Levels; Enabling Initiatives & Execution; Delivery; Operations; Measurement; Performance Management - Measures & Targets; Capabilities & Competencies; Adjust & Adapt – Flexibility & Resilience
Issue: What are the decision rights, accountabilities, responsibilities and metrics for each component and the overall cycle? Hint: no answers = no controls = ineffective risk management
Four Sources of New IT Value
[2×2 matrix: rows Improve Decision Making / Improve Process; columns Internal / External]
• Internal Informing (improve decision making, internal): provide information to improve operational decisions
• External Informing (improve decision making, external): embed information into products and services
• Optimizing (improve process, internal): improve or transform internal processes through technology
• Reshaping (improve process, external): change how customers and partners interact with the enterprise and its products / services
Source: The Real Business of IT, Hunter & Westerman, Harvard Business Press 2009
The IT Value Proposition
• Information, communications and collaboration
• Automation of existing work
  • Blackboard
  • Accounting: AP, AR, GL, Asset Management
  • Funds management
  • Grants administration
  • Research
  • Admissions
  • Financial aid
  • Payment
• Improvement and optimization
• Innovation (new, unknown, speculative, experimental)
• External integration
• Risk management (assets, security, data, services continuity, liability)
3 – ICT Governance
GETTING A RETURN ON YOUR ICT INVESTMENTS
ICT Governance
• Governance is the process of ensuring that an institution's financial investments yield the desired returns and are "well managed"
• A subset of the overall institutional governance function
  • Strategy (direction), institutional integration and oversight
  • Priorities and investments
  • Focus on projects, performance (overall operations) and sustainment
• Integration, not alignment – a team sport
• Setting expectations, priorities and targets
• Focused, at heart, on ensuring that the enterprise receives an appropriate return for the money and other resources invested in IT
• Financial stewardship
• Balancing performance with organizational sustainment
• Integrating strategy, operations and IT
Governance: Analysis, Decision, Follow-through
[Diagram of governance layers and the framework that supports each]
• "On the Org" – Strategy, Competencies, Expectations, ICT Structure [CobiT]
• Portfolio Management, Priorities [Balanced Scorecard]
• "In the Org" – Operations [ITIL]; Project Delivery [Project Management Office; CMMI]
• Monitoring and Measurement
• Enablers: clear accountabilities; shared purpose & goals; smooth collaboration; measures & targets; org sustainment
Risk Management is Integral to IT Governance
• Internal control is a process
  • Not a department, organization or function – a genuine team sport
  • There is no ultimate destination or rest for the weary
• It focuses, in an ideal world, on ensuring that the institution is being managed and operated in reasonable accord (not a perfect world) with regard to:
  • Effectiveness (right things) and efficiency (right level of resources)
  • Integrity and reliability of reporting – not just financial
  • Compliance with a growing list of laws and regulations
  • Being able to deliver priority projects and services
  • Being able to keep services running (continuity) or to recover from a disaster
• This makes well-managed risk management and compliance a key enabler of institutional processes – IT and other – that operate to move the enterprise towards its goals
ICT Governance Cross Currents
Goal: Achieving, maintaining and improving strategic and operational integration among all internal and external entities and stakeholders to deliver value and improve enterprise health and sustainability
[Matrix: columns Strategy & Integration (Setting & Managing Direction); Governance (Oversight & Risk Management); Priorities and Delivery; The IT Agenda – rows Foundation, Focus, Finish]
Foundation:
• Strategy and opportunity management
• Core competencies
• Management
• Talent management
• CobiT, ITIL, CMMI, Balanced Scorecard
Focus:
• Continuously scan the environment, find opportunities & make adjustments
• Set priorities and targets
• Oversee progress
• Keep business in sync
• Delivery excellence (CMMI)
• Operations excellence (ITIL)
• Solutions identification (what)
• Enterprise architecture (how)
• Project delivery
• Increase enterprise value
• Outcomes assessment (Balanced scorecard)
• Delivering & demonstrating IT value
• Continuous enhancements
• Innovative leaps
Finish:
• Frontline IT
• Collaboration & teamwork across distance and cultures
• Global core competencies
• Attract and retain talent
• Reliable operations
IT Investment Profiles
[Figure not reproduced] Source: "Rethinking IT Strategy," McKinsey, Aug 2006
ICT Portfolio Allocations
[Diagram: the CIO at the center of three areas – IT Strategy & Alignment; Technology Selection & Implementation; IT Operations, Support & Continuity]
• Talent & Career Management; Organizational Health; Core Competencies; ICT Structure
• Projects; Business Technology Projects; Innovation; Competitive Parity or Advantage
• Investment Allocations (Capex & Opex); Bus-Tech Architecture; Risk Management; Measures & Targets
• Service Levels; Operations; Capacity Planning
Source: Based on Gartner Group, 2004
ICT's Role Is Changing
[Figure not reproduced] Source: Trends, "Is There A Career Future In Enterprise IT?", August 2006
4 – What do CIOs Do Anyway?
CIO Career Growth Stages
[Figure not reproduced] Source: "CIO Success Factors," TechExecs, Nov 2009
The CIO's Universe
[Diagram: the CIO's responsibilities set within concentric environments – General & Business Environment; Enterprise Environment; ICT Environment; Stakeholders & Business Partners; Emerging & Future Technologies]
• Strategy
• Governance
• Integration & Alignment
• Portfolio Mgmt
• Compliance & Risk Mgmt
• Architecture
• Measures & Targets
• Financial Mgmt
• Projects
• ICT Competencies, Processes & Staff
• ICT Infrastructure & Operations
The CIO Meta-Agenda
• Shaping and meeting enterprise expectations – a translation layer between institutional needs and technology capabilities and talents
• Providing reliable and effective IT services
• Planning: insight and foresight
• Doing the right things the right way
  • Operations – running what is already in place
  • Projects – delivering extended, enhanced or innovative improvements
  • Institution building / organizational health
  • Financial and compliance stewardship / risk management
• Communicating value: the iceberg report
• Building and reinforcing a high performance culture
• Net net: provide more value, continuously improve and extend IT into new areas to increase the value/benefit provided for the investment made
Sample ICT Agenda Items Today
[Table: each agenda item is set against three dimensions – Performance, Organizational Health, Innovation & Enhancement]
• Reduce % of Ops spending; develop strong Operations processes & innovation processes
• Integrate with paying customers: transaction integration; customer conversations; end-to-end business process mastery – adding business capabilities
• Improve operational results: strengthen resilience, flexibility, external relationships, etc.
• Actionable information: predictive analytics & performance monitoring; strategic planning and adjustments
• Green Computing: reduce energy consumption; recycling responsibly; culture of thrift and conscious spending
• Architecture & Technology Integration: cloud computing, virtualization, mobile, social, etc.; flexible & rapidly adaptive infrastructure & services
• Decide what's important and concur on expectations with the leadership team: short-term priority setting & targets; longer term capabilities; integration architecture; process optimization; new opportunities with external partners; faster initiatives
A BRIEF ASIDE ON CONTROLS AND CONTROLLED ENVIRONMENTS…
Compliance Regimes
• SB 1386 (California privacy breach disclosure law)
• Internal & proprietary regimes
• FERC/NRC (Energy)
• FERPA – controls on student grade and other personal information
• Jeanne Clery Act (1990) – campus crime disclosure
• FISMA – Federal Information Security Management Act
• PCI – Payment Card Industry control objectives
• Access – systems access controls
• Sarbanes-Oxley (SEC, PCAOB, COSO, CobiT, ITIL)
• SAS 70 – external service provider control regime
• Gramm-Leach-Bliley – consumer information privacy safeguards
• HIPAA – protection of personal health information
• SysTrust & WebTrust – AICPA assessment of IT risks and opportunities – can substitute for a SOX audit
• Government Accountability Office
• Securities and Exchange Commission
• NIST – National Institute of Standards and Technology
• ISO 27000 – security techniques
• Office of Thrift Supervision
• ITIL – Information Technology Infrastructure Library
• FIPS 140-1 & 140-2 – Federal standards for cryptographic modules
• CMMI – Capability Maturity Model Integration
• GAAP/FASB – Generally Accepted Accounting Principles / Financial Accounting Standards Board
• IFRS / IASB (International Accounting Standards Board) – convergence projects with FASB underway
Source: Students enrolled in EMIS 7360 Executive program, May 2008
The Purposes of Controls
• Safeguarding assets – essentially the cash-to-result value chain
• Checking the accuracy, integrity and reliability of operational and financial data
• Promoting operational efficiency through rigorous process definition, measurement, assessment and continuous improvement
• Encouraging and ensuring that official policies and procedures are followed
• Demonstrating legal compliance by contemporaneous, current process, role and proof-of-adherence documentation
Look at the Regulatory Storm We All Face
[Figure not reproduced] Missing from it:
• PCI
• FERPA
• Security breach reporting (CA SB 1386)
• CA SB 25 re SSN use
• Gramm-Leach-Bliley
• DMCA
• CAN-SPAM
• Federal Privacy Act of 1974 – RMP-8
• E-Government Act of 2002
• OMB Circular A-130
• NIST security standards – FIPS 200, SP 800-53A
• Cyber Security R&D Act
Relationship of Control Regimes
[Diagram: the control frameworks COCO, COSO, COBIT and ITIL set against the layers they govern – Strategy, Finance, Applications, Operations]
University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.
COSO Enterprise Risk Management Model – Graphical Representation
[Figure not reproduced: the COSO components shown as stacked layers – Control Environment; Risk Assessment; Control Activities; Information & Communication; Monitoring]
The COSO ERM Framework
• Entity objectives can be viewed in the context of four categories:
  • Strategic
  • Operations
  • Reporting
  • Compliance
• ERM considers activities at all levels of the organization:
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes
Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003
Internal Environment
• Risk Management Philosophy
• Risk Culture
• Board of Directors
• Integrity and Ethical Values
• Commitment to Competence
• Management's Philosophy and Operating Style
• Risk Appetite
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Practices
Internal Auditors' ERM Responsibilities per COSO
• Do not have primary responsibility for establishing or maintaining ERM
• Play an important role in monitoring ERM
• Regarding the ERM process - assist management and the Board or Audit Committee by:
  • Monitoring - examining
  • Evaluating – reporting on
  • Recommending improvements
CIO comment: ICT needs assistance too.
ICT Vulnerabilities Are Increasing
• Scale (pervasive IT) creates complexity; complexity generates opportunities to breach security
• Security is a moving target
• Security is a people issue, not a "technical" issue
• Complexity of software and "open" development philosophy
  • Microsoft Windows & most major league applications
  • Linux / open source
  • Macintosh (yes, Macintosh)
• New processing:
  • Wireless devices; open wireless connections
  • Unencrypted environment
  • Web based processing – immature security
  • More send/receive devices (smart phones)
• Decentralized infrastructures / physical and logical access control complexity
Follow the Frameworks – Minimize "Roll Your Own" Controls
Control, as defined by ISACA*: "The policies, procedures, practices, and organizational structures that are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, detected and corrected."
* formerly known as the Information Systems Audit and Control Association and, prior to that, the EDP Auditors Association
Control Frameworks and ICT
• Control Environment – as much the culture of integrity and ethics as the official policies and procedures. Roles and responsibilities.
• Risk Assessment – internal and external; controllable (prevent) and uncontrollable (anticipate and recover); observe and report only
• Control Activities – policies and procedures that transparently ensure that management directives are carried out
• Information and Communication – includes all information being controlled. Includes ensuring that everyone knows their role and responsibility.
• Monitoring – timely assessment of adherence and effectiveness of controls
CobiT Processes by Domain
[Diagram of the four CobiT domains as a cycle]
• Planning & Organization
• Acquisition & Implementation
• Delivery & Support
• Monitoring
Integrated CobiT Schematic
[Figure not reproduced]
The 34 Defined CobiT Processes
[Figure not reproduced: the 34 processes grouped under the four domains]
The 7 CobiT Principles
[Figure not reproduced]
Elements of a Controlled ICT Environment
• Defined and effective governance
• Defined & executed change management & systems implementation process
• Software controls – configuration management
• Hardware access & asset controls
• Computer operations controls
• Data security: access, CRUD, password management, storage, retention, recovery
• Administrative control (new and exiting employees, etc.)
• Balancing high availability and widespread use with security & integrity
• Policy-based, not technology-based control environment
5 - Friction and Dysfunction in IT Compliance Implementation
Risks – the infinite spectrum
• Every ICT manager lives somewhat in fear of outages and disruptions
• Who defines risks and who assigns the cost of addressing risks?
• Who pays? What doesn't happen because of risk management expenditures?
• What gets taken off the ICT plate because of compliance? (Hint: not much, if anything)
• Real risk management versus mandated risk management
  • Random versus controlled activity – process definition and discipline versus mandate meeting
  • Expected versus actual outcomes – measures and targets defined in advance
  • Multi-perspective verification – evidence versus anecdotes
Sources of Auditor-ICT Conflict: a Sampler
• These may apply more to commercial businesses than colleges and universities, but some all-too-common sore points include:
  • Surprise, surprise – Gomer Pyle, repeatedly
  • Showing up with a deliverable and a deadline with no prior relationship
  • Mandating a regime-specific set of controls to meet a deadline
  • Asking for a control to be documented multiple ways
  • Assuming CIOs have never thought of this stuff before (security, privacy, data integrity…)
  • Criticizing the ICT program without offering specific suggestions on how to design, implement or improve a control
  • Priority stuffing (10 pounds of sugar in a 5 pound bag…)
  • Leveraging senior management or the external auditor against ICT without developing a clear understanding with ICT of any problems
  • Expecting ICT to allocate labor to the mandate with no support for who pays the bill
  • Blaming ICT for whatever goes wrong
6 – A Roadmap to IT-Compliance Harmonization
Compliance as connective tissue, not a separate organ
• The Compliance Challenge: making performance and compliance complementary (let's skip the synergy thing…)
IT and Auditing Share Mutual Compliance Challenges Today
• IT demand is shifting towards mobile and social services
  • Objective: obtain any information or communicate with anyone via any channel, anytime, anywhere
  • Technologies: iPhone, Blackberry, netbooks, pervasive wireless
  • Applications: Facebook, Twitter, LinkedIn, …
• Challenges:
  • Standards – security is often a matter of technology currency as well as programmatic actions. How to allocate budget for technology refreshes?
  • Privacy of personal information – e.g., unencrypted public wireless; lost or stolen devices
  • Security and retention of confidential data – what IP is in that email attachment?
  • Inappropriate behavior or postings on social networking sites (things that impugn your institution's reputation or enable someone to cause harm to another, for instance)
Integration, not alignment
• Compliance – like information and communications – has to be part of core institutional processes to be effective
• Built-in quality versus post-incident inspection
• Compliance and IT share the need for an enterprise – and extra-enterprise – perspective
• Both require some formal oversight group to bring expertise and attention – not a pickup band of departmental assignees
The Compliance Challenge
• Making performance and compliance complementary
• Getting IT work done
  • Doing the right things the right way
    • Operations
    • Projects
    • Organizational health
• Implementing compliance regimes
  • Compliance and risk management roles
    • The lineup
    • Responsibilities and accountabilities
    • Team work, collaboration and productivity
  • Defining and refining processes and practices
  • Training and incentives
  • Performance management and feedback
• Overhead, co-existence or leverage?
• Synthesizing compliance and ICT goals
We need to overcome our professional vocabularies
IT: PSTN, DNS, IP, EA, HTTPS, NTFS, FTP, GSM, CMMi, Extreme Programming, CSS, Ocxx, ACL, SATA, SSL, LDAP, DFD, API, Peering, SMTP, LAMP, PHP, OSPF
Audit and compliance: Risk Assessment, Attest, Segregation of Duties, Control Risk, FERPA, Footnotes, Materiality, Significant, Controls, Confirmation, Reperformance, Substantive Tests, HIPAA, PCI, Monitoring, Year, Fraud, Reasonable Assurance, Unqualified Report, Independence, PCAOB, AICPA
Academic: Enrollment, Applicants, Transcript, Financial Aid, Registrar, Major, Academic Advisor, Syllabus, Convocation, Endowment, Trusts and Gifts, Transfer, Intern, Distance Learning, Postgraduate, SAT, Credit Unit, Tuition, Withdrawal Deadline, Incomplete, Plagiarism, Wait List, Year
CobiT Processes by Domain
[Diagram of the four CobiT domains as a cycle: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring]
Process Categories (CMMI process areas)
Process Management:
• Organizational Process Focus
• Organizational Process Definition
• Organizational Training
• Organizational Process Performance
• Organizational Innovation and Deployment
Engineering:
• Requirements Development
• Requirements Management
• Technical Solution
• Product Integration
• Validation
• Verification
Project Management:
• Project Monitoring and Control
• Project Planning
• Supplier Agreement Management
• Integrated Project Management
• Risk Management
• Quantitative Project Management
Support:
• Configuration Management
• Measurement and Analysis
• Process and Product Quality Assurance
• Decision Analysis and Resolution
• Causal Analysis and Resolution
CMM: Maturity Levels
5. Optimizing. Continuous process improvement.
4. Managed. Detailed measures of the software process and product quality are collected.
3. Defined. Management and engineering activities are documented, standardized, institutionalized.
2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects.
1. Initial. Ad hoc. Success depends on individual effort and heroics.
Compliance Regimes Overlap with ICT Processes
Regime>>                    PCI   HIPAA   SAS70   FERPA   SOX 404   FIPS
IT Implications
Governance                   X      X       X       X        X        X
Project Management           X      X       X       X        X        X
Security & Access Control    X      X       X       X        X        X
Data Integrity               X      X       X       X        X        X
Business Continuity          X      X       X       X        X        X
Patch Management             X      X       X       X        X        X
Change Control               X      X       X       X        X        X
Monitoring & Measuring       X      X       X       X        X        X
Operations SLAs              X      X       X       X        X        X
Friction Point: ICT needs to control an overall process, not build a process to accommodate an individual mandate
64
The Special Case of ICT Operations and ITIL
 IT Infrastructure Library, Office of Government Commerce, UK
 Focus:
 People
 Process
 Technology
Many compliance issues manifest themselves in ITSM (IT Service Management) although the root cause is often way upstream.
 Service Delivery
 Service Level Management
 Availability Management
 Capacity Management
 IT Service Continuity Management
 Service Support
 Incident Management
 Problem Management
 Change Management
 Configuration Management
 Release Management
65
The V3 Lifecycle
[Figure: the ITIL V3 service lifecycle – Service Strategies at the core, surrounded by Service Design, Service Transition, Service Operation and Continual Service Improvement. The surrounding rings name the complementary guidance (Governance Methods, Standards Alignment, Knowledge & Skills, Executive Introduction, Specialty Topics, Scalability, Qualifications, Certified Training, Templates, Study Aids, Case Studies, Quick Wins) and the related frameworks and standards: COBIT, M_o_R, SOX, ISO/IEC 17799, ISO/IEC 19770, ISO/IEC 20000, CMMI, Six Sigma, eTOM, TOGAF, PMBOK, PRINCE2, SOA.]
66
Collaborate on the Basics of Effective Controls
 Authority and responsibility – clear, communicated and documented
 Authorization of transactions – documented
 Adequate accounting records – a good audit trail
 Segregation of duties
 Independent verifications
 Limited access and physical protection of assets
 Physical
 Electronic
 Virtual
 Cosign and co-deliver the defining documents
67
Complexity
 Complexity is built in; don’t add your own
 Complexity is as much organizational as technical
 Unnecessary technical complexity challenges timeliness, functionality and performance as long as it persists
 Changes must be made within the “changeability index” of your institution
 Scale: optimization or a true re-engineering
• Materiality of the changes – risk quotient
• Readiness – management, process, education, communications
• Openness and willingness of the culture to change
• Skill and history – prior projects and risk management efforts
• Persistence – the willingness to stay on task until it is right
• Leadership more than management
 Plan B
68
Key Ingredients of the Success Recipe (1)
 ICT is inseparable from the enterprise – integration, not alignment
 Build on-going relationships; don’t make compliance the basis of creating relationships
 Auditor-ICT co-responsibility
 Clear responsibilities and accountabilities
 On-going programs, not projects
 Rely on control frameworks where possible to reduce the time necessary to define and implement regimes
 Select and tailor the regime – CobiT, ITIL, etc. – to fit your circumstances
 Simplify ICT: leverage compliance to make ICT more efficient
 Lower unit costs, fewer labor specialties, less manual labor, etc.
 Engineer and manage processes; don’t organize around individual regimes
 Build in, don’t bolt on, measures through design and refinement
69
Key Ingredients of the Success Recipe (2)
 Collaborate on defining and seeking funding for automated tools and any other resources necessary to leverage efficiency efforts and controls
 Backup/recovery, patch management, intrusion detection, access management, employee hire/termination, logging…
 Spend each dollar once and track pay-offs
 Standardize reporting and evidentiary documentation
 Hold regular “unofficial” compliance meetings
 Project reviews
 Upcoming regulation
 Network with other institutions – auditors and ICT together
 Work together to improve ICT governance effectiveness
70
Triangulate to Succeed Mutually
[Figure: a triangle linking “The Powers that Be”, Auditor / Compliance Authorities, and CIO / IT Authorities]
71
A Final Word
 We know that more and more compliance measures are heading towards all of us – let’s get ready
 Compliance implementations and controls are tremendous opportunities for institution building, teamwork, operational improvements (performance) and greater transparency
 Compliance is a team sport and everyone on the team has to feel valued and know their role and responsibilities.
 Make compliance-ICT relationships and integration a regular part of your work cycle
 Synthesis can generate triple wins – for your institutions, for Audit and for ICT.
72
Thank You.
COMMENTS, Q & A
73