IT Governance - PowerPoint PPT Presentation

About This Presentation
Title:

IT Governance

Description:

CSQA, CISA, PMP, cVa, ISO27001:2005-LA. 10 years in Project ... frameworks like COBIT, ISO9001, ISO27001 and ITIL for the IT governance to get better benefits ... – PowerPoint PPT presentation

Slides: 35
Provided by: davidb171
Tags: governance | itil

Transcript and Presenter's Notes

Title: IT Governance


1
Welcome
  • IT Governance

2
Presenter
  • M S Muthukrishnan
  • M.Sc., degree in Mathematics
  • 19 Years of IT experience
  • CSQA, CISA, PMP, cVa, ISO27001:2005-LA
  • 10 years in Project development/Management
  • 8 years in Quality and Security Management

3
Agenda
  • What is IT, Governance, IT-Governance? And Why IT
    Governance?
  • COBIT
  • Attributes of IT Governance
  • Security Governance and Risk Management
  • Processes and Audits
  • Resources
  • Training and Reviews
  • Metrics
  • Concerns of IT Governance
  • Conclusion

4
What is IT, Governance, IT-Governance?
  • Information technology (IT) is the study, design,
    development, implementation, support or
    management of computer-based information systems,
    particularly software applications and computer
    hardware.
  • Information Technology Association of America
    (ITAA)

5
What is IT, Governance, IT-Governance?
  • Governance
  • Governance relates to decisions that define
    expectations, grant power and verify performance
  • Governance means consistent management, cohesive
    policies, processes and decision-rights for a
    given area of responsibility

6
What is IT, Governance, IT-Governance?
  • Information Technology Governance, IT Governance
    is a subset discipline of Enterprise Governance
    focused on Information Technology systems, Risk
    Management and Performance.
  • Enterprise Governance also has
  • HR
  • Finance and
  • Marketing

7
Why IT Governance?
  • In the initial days, the success of the organization
    depended on the person.
  • Later, success of the organization depends on the
    Processes.
  • Now, success of the organization depends on the
    Systems,
  • Technical Systems
  • Management Systems
  • IT governance is a key to an organization's growth.
    It is the brain for the entire nervous system.

8
Why IT Governance?
  • Top management has started realising the
    significant impact that information can have on
    the success of the enterprise.
  • IT has become a major enabler to almost all
    business transformation initiatives.
  • Organisations should satisfy the quality,
    fiduciary and security requirements for their
    information, as for all assets.

9
COBIT
  • For IT to be successful in delivering against
    business requirements, management should put an
    internal control system or framework in place.
  • To govern IT effectively, it is important to
    appreciate the activities and risks within IT
    that need to be managed. They are
  • Plan and Organise (PO)
  • Acquire and Implement (AI)
  • Deliver and Support (DS)
  • Monitor and Evaluate (ME)
  • 34 high-level control objectives
  • 300 detailed control objectives

10
COBIT
  • COBIT supports IT governance by providing a
    framework to ensure that
  • IT is aligned with the business
  • IT enables the business and maximises benefits
  • IT resources are used responsibly
  • IT risks are managed appropriately

11
COBIT
  • IT Governance Focus Areas
  • Strategic alignment
  • Value delivery
  • Resource management
  • Risk management
  • Performance measurement

12
COBIT
  • COBIT's Information Criteria
  • Effectiveness
  • Efficiency
  • Confidentiality
  • Integrity
  • Availability
  • Compliance
  • Reliability

13
COBIT
  • The IT resources identified in COBIT can be
    defined as follows
  • Applications
  • Information
  • Infrastructure
  • People

14
Controls
  • Control is defined as the
  • policies,
  • procedures,
  • practices and
  • organisational structures
  • designed to provide
  • reasonable assurance that business objectives
    will be achieved and
  • undesired events will be prevented or detected
    and corrected.

15
Processes
  • Processes are one of the Key factors for the IT
    governance
  • Generally Processes will have a PDCA cycle
  • Every process step should have a checkpoint and
    an owner
  • Every process should have the objectives and
    metrics
  • Process Structure
  • Generic inputs and outputs
  • Activities and guidance on roles and
    responsibilities in a Responsible, Accountable,
    Consulted and Informed (RACI) chart
  • Key activity goals (the most important things to
    do)
  • Metrics

16
PDCA Process/Control Model
  • Example: room air conditioner
  • Set the required temperature (Plan)
  • Cool the room as per requirement (Do)
  • Monitor the temperature against the setting
    (Check)
  • Cool or stop cooling against setting (Action)

17
COBIT
  • Understanding the roles and responsibilities for
    each process is key to effective governance.
    COBIT provides a RACI chart for each process.
  • Accountable means "the buck stops here": this is
    the person who provides direction and authorises
    an activity.
  • Responsibility is attributed to the person who
    gets the task done.
  • The other two roles (consulted and informed)
    ensure that everyone who needs to be is involved
    and supports the process.

18
Benefits of COBIT
  • Using the maturity models developed for each of
    COBIT's 34 IT processes, management can identify
  • The actual performance of the enterprise: where
    the enterprise is today
  • The current status of the industry: the comparison
  • The enterprise's target for improvement: where the
    enterprise wants to be
  • The required growth path between as-is and
    to-be

19
Security Governance
  • Set of procedures implemented to prevent
  • Unauthorised access (Confidentiality)
  • Abuse (Integrity)
  • Alteration (Integrity)
  • Denial of access (Availability)
  • To (Information)
  • Knowledge
  • Data
  • Resources

20
ISO/IEC 27001
  • Information Security Management Systems -
    Requirements

21
Risk Management
  • Threat
  • Vulnerability
  • Asset
  • Adverse Impact

22
Risk assessment process
  • Threat
  • Vulnerability
  • Asset
  • Adverse Impact
  • What is the risk?
  • What is the next step?
  • Treat the risk
  • Avoid the risk
  • Accept the risk
  • Transfer the risk
  • Mitigate the risk
  • Select the controls

23
Risk Management
  • IT governance always has its own risks, so
    effective risk management will minimize the risks
    and improve the benefits.
  • Internal controls help to mitigate the risk.

24
Audits
  • Audits are eyes and ears for management
  • Audits should check for the compliance not for
    the non-compliance
  • Audits should find faults against the system not
    the people
  • Audit findings should lead into corrective and
    preventive actions

25
Resources
  • From the CEO to end users, everyone is an
    ambassador for IT governance
  • Resources are a Gold chain in the system, none of
    the links should be weak.
  • Strength of the system lies with the end users
  • Every user in the system should feel they are
    part of the system, and they should believe the
    system helps them.

26
Training
  • Training should be made mandatory for the IT
    Governance in all levels
  • It is like a vaccination
  • Continuous and repetitive trainings will improve
    the IT governance
  • Training effectiveness should be measured and
    timely actions are to be made

27
Reviews
  • Reviews will reduce the rework of any work
  • Reviews will save time and cost
  • Reviews will improve the work quality
  • Reviewed outputs are easily accepted by all the
    levels
  • Reviews enhance customer satisfaction

28
Metrics
  • Importance of Performance Metrics for IT
    Governance - Benefits of performance metrics
    include
  • Improvement in the quality of IT service
  • Reduction in IT risks
  • Enhanced delivery
  • Reduction in costs of delivering IT Services

29
Metrics
  • Examples of Performance Metrics for IT Governance
  • IT costs by category and by activity
  • IT staff numbers and costs analyzed by activity
  • IT related operational risk incidents

30
Metrics
  • Unless you know where you are, no map will help
  • Progress report is the best example for the
    metrics
  • Set the objectives, collect the metrics, decide
    the action
  • People believe in numbers, always

31
Concerns of IT Governance
  • IT Governance Risks
  • Increasing regulatory compliance
  • Critical dependency of many business processes on
    IT
  • Senior Management Participation
  • Poor Process and Project Ownership
  • Poor Strategic Alignment
  • Poor Internal Control and Risk management
  • Ineffective Resource Management

32
Conclusion
  • Without adequate IT governance, business process
    transformation will be very difficult
  • IT governance is essential to mitigate IT related
    risks and avoid IT project failures
  • If IT is not well perceived it will be another
    damn department in the organization.
  • If we use IT with sense, if we use IT to govern
    our organization with sense, it works wonders;
    otherwise, it will be an overhead.

33
Conclusion
  • Implementing the Management Systems smoothens the
    IT governance. 
  • The Management and the process owners are playing
    the major roles in implementing the Management
    systems.  
  • The success of the IT governance relies finally
    on end users.  
  • The Audit is the checkpoint for the IT governance
    and helps organizations to make appropriate
    corrective and preventive actions on time.
  • Use frameworks like COBIT, ISO9001, ISO27001
    and ITIL for IT governance to get better
    benefits

34
  • Thank you
  • Any Questions?