Microsoft Operations Framework (MOF) 4.0

Presentation transcript:

Microsoft Operations Framework (MOF) 4.0
GRC and the IT Service Lifecycle
microsoft.com/MOF

Copyright © 2011 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. When using this documentation, provide the following attribution: The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.

What’s Included in This Presentation

• GRC in MOF 4.0: Take a comprehensive look at governance, risk, and compliance through MOF 4.0
• Service Management Functions: Get a basic understanding of how the MOF model can help show you immediate results
• MOF in Context: Learn more about how MOF fits into the bigger picture
• Compliance Challenges: Look at new compliance challenges and how MOF deals with them
• GRC Guidance: Understand how addressing GRC affects your organization
• Connect Governance, Risk, and Compliance: See how MOF connects and addresses governance, risk, and compliance
• GRC Throughout the Lifecycle: Learn how MOF incorporates GRC into each lifecycle phase
• Focus on G, R, and C: Get a closer look at governance, risk, and compliance
• GRC Applied & Integrated: See how the elements of GRC are applied and integrated into the lifecycle phases
• Make GRC Work for You: Learn how MOF’s features produce results
• Resources: Link to helpful GRC resources
• Sum It Up: MOF & GRC: Learn how MOF provides examples of ‘good’ GRC dealings and influences all phases of the lifecycle

Use these slides for an in-depth look at GRC issues.

Slide Goal
The goal of this slide is to outline the content included in this presentation.

Slide Notes
The goal of this presentation is to provide you with foundational knowledge of MOF 4.0 as it relates to governance, risk, and compliance. We’ll examine how elements of MOF 4.0 address GRC, provide specific examples of MOF’s guidance, and discuss how GRC influences each of MOF’s lifecycle phases. Let us show you how MOF can help your organization address governance, risk, and compliance issues with ease.

MOF 4.0 – Addressing the IT Service Lifecycle

Slide Goal
The goal of this slide is to take a look at what’s new and different in MOF 4.0.

Slide Notes
The core content of MOF 4.0 moves beyond operations to address the entire IT service lifecycle. The easy-to-reference structure for its Service Management Functions (SMFs) emphasizes outcomes, results, and roles. Because every organization is unique, the SMFs are anchored by questions a user faces. Lastly, a central component of MOF 4.0 is its online community: it provides a platform for IT pros to exchange ideas, contribute their own guidance, and communicate with Microsoft experts.

This version of MOF was developed to:
• Reflect a single, comprehensive IT lifecycle.
• Connect service management theory to everyday tasks and activities.
• Align IT with business needs and goals.
• Address governance, risk, policy, and compliance.
• Support continuous improvement through community involvement.

In short, MOF was created to help overburdened IT pros quickly access useful, relevant content. MOF 4.0 was designed to provide you with a clear look at how the entire IT lifecycle is interrelated, what decisions are required, and what outcomes are vital.

MOF 4.0 Connects Service Management Standards to Practical Applications for the Community

Diagram labels (Industry Standards, MOF 4.0 Guidance, Solution Accelerators):
• Goals and objectives: ISO 20000
• Management perspective: COBIT
• Process description: ITIL v3
• Process guidance: MOF 4.0
• Control Frameworks; Concepts, Practices
• Processes + Guidance + Tools (for Specific Scenarios): System Center, Infrastructure Automation, Community

Slide Goal
The goal of this slide is to show how MOF fits into the big picture, helping you address GRC issues before they become problems.

Slide Notes
MOF 4.0 is backward-compatible with all previous versions of MOF. It also supports the integration of any policies, tasks, or activities based on other frameworks, such as ISO 20000, COBIT, and ITIL. What exactly does that mean?
• ISO is an independent standards organization. The ISO 20000 standard defines goals and objectives that can be used to certify an organization.
• COBIT has become the accepted set of controls for IT and is used for audit purposes to ensure compliance with regulatory requirements such as Sarbanes-Oxley.
• ITIL v3 identified rich concepts and practices and has expanded its process description for the entire IT lifecycle.

MOF 4.0 provides guidance that can be used to meet ISO objectives, implement COBIT controls, and support ITIL processes. By using MOF, an organization like yours can immediately identify the outcomes, measures, accountabilities, and required activities to meet its service management goals.

GRC Guidance

Diagram labels: Governance, Risk Management, Compliance (a continuum that becomes more prescriptive); Directives, Policy, Controls.

Slide Goal
The goal of this slide is to illustrate MOF’s GRC guidance.

Slide Notes
Governance, risk, and compliance are addressed in the foundational Manage Layer. GRC guidance becomes increasingly more prescriptive as you move along the continuum from governance to risk management to compliance. MOF helps clarify your organization’s directives, policy, and controls as you consider risk management.

The goals of MOF’s GRC are to:
• Establish clear and effective decision making in the management of IT assets.
• Manage risk effectively.
• Comply with applicable policies, laws, and regulations.

Proper attention to GRC activities will help your IT better contribute to your organization’s viability and improvement, allowing you to clearly say, “This is how we run IT and manage risk.”

Connect Governance, Risk, and Compliance

• Governance: Addresses strategic planning, business/IT alignment, policy creation, and vision setting
• Risk: Addresses system threats, system vulnerability, protection of IT assets, and risks to management objectives
• Compliance: Addresses adherence to laws, regulations, policies, standards, best practices, and frameworks

Overlap labels in the diagram: Risk tradeoff decisions; Compliance with governance rules; Who decides, and process to follow; Risk tolerance rules; Risk tradeoff decisions (how they were made); Impact of not complying.

Slide Goal
The goal of this slide is to demonstrate how governance, risk, and compliance connect.

Slide Notes
The 3 practices that make up GRC (governance, risk, and compliance) share common and interrelated tasks. Because they have overlapping areas of responsibility and processes, they’re more effective when integrated and dealt with as combined practices. Combining can streamline processes and provide transparency and accountability.

To review, let’s break it down: How does addressing GRC impact your business?
• Governance. Addresses strategic planning, business/IT alignment, policy creation, and vision setting.
• Risk. Addresses system threats, system vulnerability, protection of IT assets, and risks to management objectives.
• Compliance. Addresses adherence to laws, regulations, policies, standards, best practices, and frameworks.

Working on an integrated GRC plan improves the alignment of IT and business goals because the right people are making the right decisions at the right time.

GRC Influences All Lifecycle Phases

• Aiding decision making, balancing risk/benefit tradeoffs, identifying accountabilities
• Creating a strategy that manages risks and ensures risk management is appropriate for the activities at hand
• Establishing guardrails for behaviors, communicating expectations, and validating performance

Slide Goal
The goal of this slide is to demonstrate how GRC influences all of the lifecycle phases.

Slide Notes
The GRC SMF belongs to the Manage Layer of MOF’s IT service lifecycle because GRC activities comprise the foundation of an organization. The practices described in the GRC SMF, and GRC issues in general, are useful for those who:
• Make trade-off decisions for how IT resources will be used to meet goals and deliver business value.
• Need to manage risk from many sources, not only IT security risk.
• Make sure IT activities comply with regulations and directives.

MOF 4.0 contains objectives for each phase that establish the context for the discussions that are relevant to that part of the lifecycle. MOF GRC creates organized process flows in all phases of the lifecycle by aiding decision making, balancing trade-offs, and creating a strategy that manages risk and ensures risk management is appropriate for the activities performed.

Governance, Risk, and Compliance Applied

Governance
• Identifies decision makers and stakeholders
• Determines accountability for actions and responsibility for outcomes
• Addresses how expected performance will be evaluated

Risk
Employs risk management throughout the IT lifecycle:
• Business decisions
• Policy adherence
• Application development
• Operational procedures

Compliance
• Guides behavior to make sure what takes place is what was intended
• Shows how IT is performing against objectives

Slide Goal
The goal of this slide is to illustrate how each component of GRC is applied in the lifecycle.

Slide Notes
While GRC makes sense when grouped together, it’s also important to understand each component independently and its specific role in the lifecycle.

Governance. This component identifies decision makers and stakeholders, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. In short, governance relates to who’s doing what and how they’re held accountable.

Risk. Employed from start to finish, risk management applies to business decisions, policy adherence, application development, and operations procedures. What does this mean for you? Effectively assessing, monitoring, and controlling risk by determining what controls need to be in place.

Compliance. Compliance with applicable regulations is achieved by guiding behavior to make sure what takes place is what was intended. Addressing compliance helps show how IT is performing against your organization’s set objectives.

IT Governance

Governance determines how IT makes investments, contributes to value, and achieves goals and management objectives.

Good governance:
• Manages IT services in a regulatory environment
• Focuses on cost efficiencies and value contribution
• Provides insight into organizational processes that result in continuous improvement and optimization initiatives

Slide Goal
The goal of this slide is to identify what governance means and what “good” governance looks like.

Slide Notes
GRC influences the entire lifecycle by helping organizations make good decisions, balance trade-offs, manage risks, and ensure risk management is relevant. Governance determines how IT makes investments, contributes to value, and achieves goals and management objectives.

Good governance:
• Manages IT services in a regulatory environment.
• Focuses on cost efficiencies and value contribution.
• Provides insight into organizational processes that result in continuous improvement and optimization initiatives.

Risk Management

Risk management drives a structured approach to identifying, assessing, and managing potential threats to assets or the achievement of strategic goals.

Good risk management:
• Drives consistent, recurring, and comprehensive reviews of IT plans, initiatives, projects, and activities
• Results in clear risk management decisions
• Produces activities and internal controls that reduce risk likelihood or impact

Slide Goal
The goal of this slide is to identify what risk management means and what “good” risk management looks like.

Slide Notes
Risk management drives a structured approach to identifying, assessing, and managing potential threats to assets or the achievement of management or strategic goals. It’s guided by a determination of risk tolerance and can be used to make varied decisions.

Good risk management:
• Drives consistent, recurring, and comprehensive reviews of IT plans, initiatives, projects, and activities.
• Results in clear risk management decisions.
• Produces activities and internal controls that reduce risk likelihood or impact.

Compliance

Compliance establishes rules, guidelines, and communications to ensure an organization’s requirements are known and followed.

Good compliance:
• Ensures management intentions are realized
• Establishes evaluation when expectations are set
• Allows for effective monitoring

Slide Goal
The goal of this slide is to identify what compliance means and what “good” compliance looks like.

Slide Notes
Compliance establishes rules, guidelines, and communications to ensure that an organization’s requirements are known and followed. Requirements are documented and communicated through policies.

Good compliance:
• Ensures management’s intentions are realized.
• Establishes evaluation when expectations are set.
• Allows for effective monitoring.

Make MOF GRC Work for You

Features:
• Specific goals, outcomes, and measures in each SMF
• Clearly identified accountabilities and role types for each SMF
• Objectives, risks, and controls outlined for each phase
• Management reviews function as management controls

Benefits:
• Clearly established accountabilities
• Effective risk management
• Compliance with policies, laws, and regulations

Slide Goal
The goal of this slide is to show how to make MOF GRC work for you.

Slide Notes
MOF effectively connects governance, risk, and compliance through:
• Specified goals, outcomes, and measures in each SMF.
• Clearly identified accountabilities and role types.
• Phase-appropriate objectives, risks, and controls.
• Management reviews that function as controls.

The benefits of these features include clearly established accountabilities, effective risk management, and compliance with policies, laws, and regulations.

Resources

• MOF Home Page: www.microsoft.com/mof
• Compliance Home Page: www.microsoft.com/compliance
• IT Compliance Management Guide: www.microsoft.com/downloads/details.aspx?FamilyId=BD930882-0D39-4900-9A79-B91F213ED15D&displaylang=en
• Solution Accelerators Home Page: www.microsoft.com/solutionaccelerators
• Contact Email: MOFpm@microsoft.com

Slide Goal
The goal of this slide is to list additional GRC resources.

Slide Notes
Online resources for MOF and GRC include the MOF, Compliance, and Solution Accelerators home pages, as well as the IT Compliance Management Guide. And, as always, you can contact us directly at MOFpm@microsoft.com.

Thank you for taking the time to learn more about how MOF considers GRC throughout the IT service lifecycle. We hope we’ve shown you the value of incorporating MOF’s guidance into your organization’s approach to addressing governance, risk, and compliance issues. Remember, you can find MOF at www.microsoft.com/MOF. Now get MOF, and get to work!

www.microsoft.com/mof