MIS 5202 Welcome to IT Governance

Welcome to the course
- A look at the syllabus
- A look at the semester schedule
- Dive into the Stars Ambulance case
- Review the definition of IT Governance
- Review COBIT 5

Weekly Rhythm for Online Class (weekday responsibilities)
- Wednesday: Discussion posts on the coming week's topic and case analysis are posted at 6:00 am
- Thursday: Reading and case posts welcome
- Friday: nothing scheduled
- Saturday: Quiz for last Tuesday's topic posted on Canvas at 6:00 am
- Sunday: Quiz for last week's topic closes on Canvas at 11:59 pm
- Monday: nothing scheduled
- Tuesday: Reading and case posts are welcome before 11:59 pm
WebEx sessions are held on 8/30, 9/6, 9/27, 10/11, 11/1, 11/29 and 12/6

https://www.polleverywhere.com/free_text_polls/UYjCQcB5xwuS6es

What is IT Governance?

Top-Down Governance Layers: Corporate governance, then IT governance, then IT security

IT Security exists where Governance, Risk and Compliance overlap

Corporate Governance
- Top-down management
- Overall strategic direction
- Alignment with business strategy
- Asset value
- Culture
- Risk tolerance
- Legal obligations
- Market conditions

IT Governance

Aim: to establish stable security governance
- Develop an information security strategy
- Secure management commitment
- Define roles and responsibilities
- Define reporting
- Identify legal issues and assess their impact
- Establish and maintain security policies
- Develop procedures and guidelines
- Develop a business case

How do you "see" Governance?
- Strategic: board level, CIO, CISO
- Operations: system admins, subject matter experts
- Holistic vs. targeted

What is the concept of governance? Governance has been defined to refer to structures and processes that are designed to ensure accountability, transparency, responsiveness, rule of law, stability, equity and inclusiveness, empowerment, and broad-based participation.

What does governance framework mean? Governance frameworks structure and delineate power and the governing or management roles in an organization. They also set rules, procedures, and other informational guidelines. In addition, governance frameworks define, guide, and provide for enforcement of these processes.

Right Things, Done Right: Good IT Governance = Right Things, Done Right

What is IT Governance? It's about doing the right things:
- Who gets to decide?
- Are we working on things that will produce the most value to the organization?
- Are we protecting the organization?
and then doing them right:
- Do we conform to all laws and regulations?
- Do we use our resources well?
- Are we meeting our service objectives?

The Star Air Ambulance Case (case study)

The Star Air Ambulance Case
Read the case. As groups, discuss the answers to these questions:
- Identify three or four of the most critical challenges facing the new CIO.
- What is the overall issue facing the new CIO?
- What questions would you, as CIO, want senior management to answer?

Case Notes: Stars Air Ambulance (ask the class to consider these questions)

Identify three or four of the most critical challenges facing the new CIO:
- Staffing: people's jobs were not well defined and expensive consultants were not properly utilized. Project planning was not done. Solution: establish clear job responsibilities and use consultants in a purposeful way; evaluate whether consultants should be used in staffing roles at all.
- Support: too many projects were considered critical (24). The "fight fires" mindset resulted in little forethought or planning, so the group was unlikely ever to break new ground and improve efficiency or effectiveness. Solution: establish a PMO to prioritize and implement projects.
- Distributed activities: other departments ran their own IT operations. Central IT did not participate, although the departments used the company's infrastructure. They used different development methodologies, yet expected support from the IT group. Much of the technology was outdated, and expensive security breaches occurred. Solution: leverage the PMO. Use the departments for idea generation and include them on projects, but IT should manage development and implementation.

What is the overall problem?
- There seems to be no sense of the entire organization; everyone operates in a vacuum. There is no IT governance.
- Changes may have unintended consequences (good or bad) that would never be noticed because things are siloed and everyone is in defensive mode.

How would you proceed as the new CIO?
- Establish a governance structure with the CEO: identify who gets to make what decisions, and establish a way to request new work.
- Encourage functional areas to generate ideas and be involved in projects, but insist that the IT group run all IT projects. The IT group should help the business look at the whole, not the parts, and must understand the business's processes.
- Get control of the operational aspects of the IT function: understand and manage (or at least influence) all IT costs, and establish defined roles and responsibilities.
- Understand the staff, and get rid of any who can't perform. Investigate the consultants, and probably fire many of them.
- Review all projects and kill all but 4 or 5.
- Establish a standard approach to project execution that balances innovative thinking with a standard framework for implementation. This is a way to control costs and increase stability while still not stifling good ideas.

COBIT 5 Framework

COBIT 5 provides the next generation of ISACA's guidance on the governance and management of enterprise IT.
- Builds on more than 15 years of practical usage
- Evolved from an auditing framework, to a controls framework, and now to a governance of enterprise IT (GEIT) framework that lays out a management strategy for enterprise IT
- It is a reference document with 37 processes (5 governance and 32 management); you will not remember all of them, so use COBIT 5 as a reference

Theme: Where are we? Where do we need to be? Are we making progress?

Business Framework for Governance of Enterprise IT

What is COBIT 5?
- It's a best-practice framework
- It tries to cover IT end-to-end: what you need to be thinking about when running (or auditing) IT
- It's not about the technology; it's about the processes used to deliver technology
- It's about how to decide what you do (Right Things), then how to do it in an efficient, effective and secure manner (Done Right)
- It is critical that you understand the processes it recommends

"Enablers": anything that can help achieve the objectives
- COBIT 5 is a reference document with 37 processes; you will not remember all of them, so use it as a reference
- We will choose only a few to do a deeper dive into during this class
- They will show up in later courses

Based on 5 principles (meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; separating governance from management)
- Generic in language
- Applicable to organizations of all sizes

COBIT 5 separates governance from management:
- Governance: the board is accountable; the CEO, CFO, business executives and CIO are responsible. Add the Chief Risk Officer if there is one.
- Management: the CEO is accountable; the CIO and the IT leadership team are responsible, sometimes including the CFO, business executives, etc.
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Goals cascade: enterprise stakeholder needs are cascaded down into actionable goals

Two security-specific COBIT 5 processes

APO13 Manage Security (Align, Plan and Organise domain): define, operate and monitor a system for information security management. It supports five IT-related goals:
- Support for IT and business compliance
- Management of IT-related and enterprise risk
- Transparency of IT costs and benefits
- Security of information and infrastructure
- Reliable information for decision making

DSS05 Manage Security Services (Deliver, Service and Support domain, i.e. the operational processes):
- Protect enterprise information
- Maintain an acceptable level of information security risk
- Establish and maintain information security roles and access privileges
- Perform security monitoring

7 management practices (COBIT 4 called these control objectives):
- DSS05.01 Protect against malware
- DSS05.02 Manage network and connectivity security
- DSS05.03 Manage endpoint security
- DSS05.04 Manage user identity and logical access
- DSS05.05 Manage physical access to IT assets
- DSS05.06 Manage sensitive documents and output devices
- DSS05.07 Monitor the infrastructure for security-related events
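The practices above are statements of what must be managed, not how. As an added illustration (not from the slides or from ISACA's COBIT material), the following script shows what two of them look like once operationalised: DSS05.07 (monitoring for security-related events) as a brute-force login detector over authentication logs, and DSS05.04 (managing user identity and logical access) as a check that successful logins come only from accounts on an approved roster. The log lines, the thresholds, the hostname and the roster are all constructed assumptions for the example.

```python
"""
Added example, not part of the MIS 5202 slides: two DSS05 practices
implemented as checks over constructed OpenSSH/syslog-style log lines.
  DSS05.07  Monitor the infrastructure for security-related events
            -> flag a source IP with >= FAIL_THRESHOLD failed logins inside
               a WINDOW_SECONDS sliding window (brute-force indicator)
  DSS05.04  Manage user identity and logical access
            -> flag successful logins by accounts that are not on the
               approved access roster (access drifting from what was approved)
Log format, thresholds, hostname and roster are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured from a real host).
SAMPLE_LOG = """\
Sep 12 02:14:01 app01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 12 02:14:03 app01 sshd[4125]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 12 02:14:04 app01 sshd[4127]: Failed password for root from 203.0.113.7 port 51134 ssh2
Sep 12 02:14:06 app01 sshd[4129]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Sep 12 02:14:09 app01 sshd[4131]: Failed password for root from 203.0.113.7 port 51151 ssh2
Sep 12 02:20:44 app01 sshd[4200]: Accepted publickey for jsmith from 198.51.100.21 port 40022 ssh2
Sep 12 02:31:10 app01 sshd[4260]: Failed password for jsmith from 198.51.100.21 port 40030 ssh2
Sep 12 02:45:12 app01 sshd[4310]: Accepted password for contractor9 from 198.51.100.77 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAIL_THRESHOLD = 5   # assumption: tune to the enterprise's risk tolerance
WINDOW_SECONDS = 60  # assumption

# Assumption: the roster the access-approval process (DSS05.04) has signed off.
APPROVED_USERS = {"jsmith", "mlee"}


def parse(log_text, year=2024):
    """Turn sshd auth lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_sources(events):
    """DSS05.07: {ip: peak failure count} for IPs exceeding the threshold in a window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within WINDOW_SECONDS.
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count >= FAIL_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def unapproved_logins(events, approved=APPROVED_USERS):
    """DSS05.04: (user, ip) pairs that logged in but are not on the approved roster."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["result"] == "Accepted" and e["user"] not in approved})


def dss05_report(log_text):
    """Run both checks and key the findings by the COBIT 5 practice they serve."""
    events = parse(log_text)
    return {
        "DSS05.07_brute_force_sources": brute_force_sources(events),
        "DSS05.04_unapproved_logins": unapproved_logins(events),
    }


if __name__ == "__main__":
    for practice, findings in dss05_report(SAMPLE_LOG).items():
        print(practice, findings if findings else "no findings")
```

The single failed login by jsmith is deliberately below the threshold so it produces no finding; the point of tying the threshold and the roster to the governance process is that both are decisions the APO13/DSS05 owner makes and documents, not values a script author picks in isolation.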