Chapter 5

What is IT Governance?
• Corporate governance
– Processes, customs, rules, procedures, policies, and
traditions
– Determine how to direct and control management
activities
• People involved in corporate governance
– Board of directors, CEO, senior executives, and
shareholders
• Interest in corporate governance has grown due to
recent accounting scandals
Information Technology for Managers
1
What is IT Governance? (continued)
• IT governance
– Decision-making process
– Involves investments in IT
– Includes defining:
• Decision-making process itself
• Who makes the decisions
• Who is held accountable for results
• How the results of decisions are communicated, measured, and monitored
Information Technology for Managers
2
What is IT Governance? (continued)
• Primary goals of effective IT governance
– Ensuring that an organization achieves good value
from its investments in IT
– Mitigating IT-related risks
Information Technology for Managers
3
Ensuring that an Organization
Achieves Good Value from its
Investments in IT
• Many parts of the organization could not operate
without IT
• Governance must be applied to the management of
IT
– Effective IT strategic planning process ensures close
alignment between business and IT goals
– Apply good project management principles
Mitigating IT-Related Risks
• Use good internal controls and management
accountability
• Internal control
– Provide reasonable assurance for:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Improper conduct of senior managers and failure to
hold managers accountable can circumvent
internal controls
Mitigating IT-Related Risks (continued)
• Rules and regulations
– Hold senior management accountable for the
integrity of financial data and internal controls
• Accounting, consulting, and software firms can
provide products and services
• Five key activities needed for effective IT
governance
Why Managers Must Understand IT
Governance
• Universal goal for businesses
– Leveraging IT to transform an enterprise and create
value-added services, increased revenue, and
decreased expenses
• IT-related initiatives are seldom simple and
straightforward
• Good IT governance
– IT organization is better aligned and integrated with
the business
– Risks and costs are reduced
– IT helps the company gain a business advantage
IT Governance Frameworks
• IT Infrastructure Library (ITIL)
– Provides best practices and criteria for effective IT
services
• Control OBjectives for Information and Related
Technology (COBIT)
– COBIT provides guidelines for more than 30
processes that span a wide range of IT-related
activities
• Frameworks are complementary, not competing
IT Infrastructure Library (ITIL)
• Set of guidelines initially formulated by the UK
government
– Widely used today throughout Europe and the
United States
• Standardize, integrate, and manage IT service
delivery
• Consists of five distinct volumes
IT Infrastructure Library (ITIL)
(continued)
• Addresses
– Strategy and value planning
– Roles and responsibilities of key players
– Planning and implementing service strategies
– Business planning and IT strategy linkage
– Risks and critical success factors for implementing ITIL
Control OBjectives for Information and
Related Technology (COBIT)
• Set of guidelines
• Goal
– Align IT resources and processes with business
objectives, quality standards, monetary controls, and
security needs
• Issued by the IT Governance Institute
– www.isaca.org/cobit.htm
• Provides guidance for more than 30 IT-related
processes grouped into four major categories
Control OBjectives for Information and
Related Technology (COBIT)
(continued)
• Each of the processes is described in terms of:
– The process inputs
– The process description
– The process outputs
– The goals and metrics
– The RACI chart
– The maturity model
Control OBjectives for Information and
Related Technology (COBIT)
(continued)
• “Maturity level” of management processes
– Scale of 0 to 5
• Use the scale for each process to evaluate a
number of items
• Use this information to choose:
– Which processes have priority for improvement
– Which can be addressed later
Using PDCA and an IT Governance
Framework
• Plan-Do-Check-Act (PDCA) model
• Tried and proven method
• Can be applied to a specific targeted process
• Each step in the model has specific objectives
A Manager Takes Charge: Audatex
Uses PDCA and ITIL to Improve Its
Service Offerings
• Operates as a service provider for body shops and
insurance companies
– Offers an integrated suite of software to support auto
insurance collision repair shops
• Firm must invest heavily in product development,
new technology, and improved products and
services
• Ross McEleny, IT services director at Audatex
– Formed a process improvement team
– Established a continuous improvement loop
Business Continuity Planning
• Disaster
– Unplanned interruption of normal business
operations for an unacceptable period of time
• Can result in many negative consequences
• Key planning assumptions
– Must be built into an organization’s business
continuity plan
Business Continuity Planning
(continued)
• Business continuity plan
– People and procedures required to ensure resumption of an
organization’s essential, time-sensitive processes with minimal interruption
• Due diligence
– Effort made by an ordinarily prudent or reasonable
party to avoid harm to another party
– Failure to make this effort may be considered
negligence
• Scope of a full business continuity plan
Business Continuity Planning
(continued)
• Disaster recovery plan
– Subset of the business continuity plan
– Focuses on keeping components of the IT
infrastructure functioning during a disaster or
recovering them quickly afterward
Process for Developing a Business
Continuity Plan
• Identifying vital records and data
– Determine where and how they are being stored and
backed up
– Must assess the adequacy of the current data
storage plan
– Offsite backup recommended
• Conducting a business impact analysis
– Recovery time objective
• Time within which a business function must be
recovered
Defining Resources and Actions
Required to Recover
• AAA priority business functions
– Document all the resources needed to recover the
business function within the recovery time objective
– Identify the sequences of steps that must occur to
recover from a disaster
– Specific features to consider for inclusion in the
recovery of a AAA priority business function
• When all the preceding tasks have been completed
for the AAA priority business functions:
– Repeat the process for all the AAA priority business
functions, then for all AA priority, etc.
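The two preceding steps, checking the data storage plan against each function's recovery time objective and sequencing AAA before AA priority functions, as an added example that is not part of the textbook: a small Python inventory check. The function names, hours, and dependencies are constructed for illustration.

```python
# Added example (not from the textbook): sequence business functions for recovery by
# priority tier (AAA before AA) and RTO, and check the backup plan. Inventory constructed.
from dataclasses import dataclass, field

@dataclass
class BusinessFunction:
    name: str
    priority: str         # AAA, AA or A, as in the textbook's tiers
    rto_hours: int        # recovery time objective
    restore_hours: int    # estimated time to restore from backup
    offsite_backup: bool  # an offsite copy exists
    depends_on: list = field(default_factory=list)

INVENTORY = [  # hypothetical functions and figures
    BusinessFunction("Network", "AAA", 2, 1, True),
    BusinessFunction("Customer DB", "AAA", 4, 6, True, ["Network", "Storage"]),
    BusinessFunction("Storage", "AA", 8, 3, True, ["Network"]),
    BusinessFunction("Payroll", "AA", 24, 8, False, ["Network"]),
]

def assess_plan(functions):
    """Return (function, issue) pairs where the current plan cannot meet the RTO."""
    by_name = {f.name: f for f in functions}
    issues = []
    for f in functions:
        if not f.offsite_backup:
            issues.append((f.name, "no offsite backup"))
        if f.restore_hours > f.rto_hours:
            issues.append((f.name, f"restore {f.restore_hours}h exceeds RTO {f.rto_hours}h"))
        for dep in f.depends_on:  # a slower dependency silently breaks the RTO
            if by_name[dep].rto_hours > f.rto_hours:
                issues.append((f.name, f"depends on {dep} with a longer RTO"))
    return issues

def recovery_sequence(functions):
    """Recovery order: highest tier and shortest RTO first, dependencies before dependents."""
    by_name = {f.name: f for f in functions}
    ordered = sorted(functions, key=lambda f: (("AAA", "AA", "A").index(f.priority), f.rto_hours))
    sequence, done = [], set()
    def visit(f, stack):
        if f.name in done: return
        if f.name in stack:
            raise ValueError(f"circular dependency at {f.name}")
        for dep in f.depends_on:
            visit(by_name[dep], stack | {f.name})
        done.add(f.name)
        sequence.append(f.name)
    for f in ordered:
        visit(f, frozenset())
    return sequence
```

Note that Storage, an AA function, is pulled ahead of the AAA Customer DB because the database cannot be restored without it, and the same dependency is flagged because its RTO is longer than the database's.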
Defining Emergency Procedures
• Emergency procedures define the steps to be
taken during a disaster and immediately following
• Planning and practice of such procedures
– Minimize loss of life and injuries as well
– Reduce the impact on the business and its
operations
• Develop in conjunction with professional first
responders
• Computer, data, and equipment backup processes
should be triggered automatically
Identifying and Training Business
Continuity Teams
• Business continuity teams
– Control group
– Emergency response team
• Includes members of the fire department, police
department, and other first responders
– Business recovery team
• Members of these teams should be carefully
selected
– Wise to cross-train people
Training Employees
• Employees should be trained to recognize and
respond to various types of disaster warnings
• Good practice to identify “floor wardens”
• Most organizations conduct one or two disaster
drills per year
Practicing and Updating the Plan
• Test business continuity plan
– Ensure that it is effective and that people can
execute it
• Employees are expected to exercise the business
continuity plan and restore operations within the
desired recovery time
• Capture problems or issues not addressed by the
plan
– Revise it to incorporate solutions
• Plan must be continually updated to account for
changes
Summary
• IT governance
– Decision-making process that involves investments
in IT
– Responsibility of executive management
– Five central themes of IT governance
• Use frameworks as a basis to develop their own
governance model
• Each organization must perform an objective
assessment of its unique risks and develop a
comprehensive plan