
The Impact and Opportunity of Compliance and IT Governance - Robert E Stroud VP, Service Management ITSM & Governance Evangelist ISACA.


1 The Impact and Opportunity of Compliance and IT Governance
Robert E Stroud, VP, Service Management, ITSM & Governance Evangelist
Robert.Stroud@ca.com
ISACA, April 8, 2009
BLOG: www.ca.com/blogs/stroud

2 Trademark Notice
Copyright © 2009 CA - Robert E Stroud – Robert.Stroud@ca.com - BLOG: www.ca.com/blogs/stroud
ITIL® is a registered trademark and a registered community trademark of the UK Office of Government and Commerce (OGC) and is registered in the U.S. Patent and Trademark Office.
COBIT® is a registered trademark of ISACA/ITGI - Information Systems Audit and Control Association / IT Governance Institute®.
DISCLAIMER: Neither CA nor its speaker warrants or guarantees the concepts or the accuracy of the information provided herein.
© All rights reserved. No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission from CA.

3 Robert Stroud
>26 years in industry experience
>15+ years banking industry
>VP Service Management & ITSM & IT Governance, CA
>V3 – ITIL Advisory Group
>V3 - Mentor & Reviewer
>Executive Board, itSMF International
>Board Member, USA itSMF
>International Vice President, ISACA\ITGI
>Chair, COBIT Steering Committee
>IT Governance Committee
>Contributor to COBIT V4 and V4.1
>Contributor to the Control Objectives for Basel II
>Contributor to ITIL\COBIT\ISO17799 Management Overview

5 Imperative – business and IT integration
Stages of IT's role shown in the slide's diagram: Automation of Work, Management of Information, Transformation of Business.
It's no longer enough to align with the business.

6 Business Value Maturity
Business depends on IT for competitive advantage. The slide's diagram shows IT's role maturing from Support Function, to Service Provider, to Engine for Competitive Advantage.

7 Business Drivers
>Aligning IT with business priorities
>Improving service to end users
>Controlling IT costs
>IT process improvement
>Developing a proactive IT organization
>Managing IT complexity
>Making IT accountable and transparent
>Building an IT team focused on service
>Automation
>Virtualization
Source: CIO Custom Solutions Group, Nov. 2007

8 Collaboration

9 Compliance growing every day
Regulations plotted on the slide's chart: Basel II, Sarbanes-Oxley, GLBA, HIPAA, CA SB 1386, US Patriot Act, AML S352, DOD 5015.2, EUDP, PIPEDA, EU8, J-Sox.
Axes of the chart: scope of IT control (integrity of economic information, integrity of entity information, integrity of personal information); focus of control (internal, external); time.

10 Compliance must be part of your DNA!
>Not a one-time event
>An increasingly urgent topic of discussion
>Penalties and fines for noncompliance are significant – both civil and criminal penalties
>Multiple pieces of legislation
Compliance with government regulations is no longer just a legal matter but, rather, a critical business function.

11 Familiar

12 Business and IT integration

13 Risk and Compliance: Big Challenge — Big Opportunity
Things we know about risk and compliance:
>It's not going away
>More regs are coming
>Failure is not an option
Turning risk & compliance to advantage:
>Reduce the cost
>Reduce the disruption
>Use it to drive operational improvement

14 Compliance: The Early Days
Functions shown on the slide: Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems.

15 Enter SOX
The same functions (Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems), with SOX added to the diagram.

16 Next Come PCI, GLBA, Internal Policies (as well as Compliance Management)
Added to the diagram of functions: SOX, Internal Policies, PCI, GLBA, and the CCO and CRO roles.

17 Risk and Compliance Is Fragmented, Complex
>No unified view of risk and compliance across the organization
>No single system of record
>Hard to know the state of your Key Risk Indicators
>Risks are often not adjusted when controls fail
>Difficult to map controls to regulations
(Diagram: the functions and requirements from the previous slides: Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems; SOX, Internal Policies, PCI, GLBA; CCO, CRO.)

18 Risk and Compliance Is Costly
>Wasted resources for redundant controls testing
>Remediation projects are hard to track
>No visibility into total compliance cost
(Diagram: the same functions, requirements and roles as the previous slide.)

19 Changing World
Layers shown on the slide: Infrastructure, Mid Tier, Applications, Mid Tier, Business Processes.

20 GRC is key
>Organizations are sacrificing money, productivity and competitive advantage by not implementing effective GRC
>Executives need a method to:
  - Direct IT for optimal advantage
  - Manage IT-related risks
  - Measure the value provided by IT

21 Definition
>Governance is more than compliance
  - Business strategy
  - Risk appetite
  - Sound management
  - Business and IT alignment

22 Definition of Governance
>Policies, procedures and rules must be developed within the governed domains
>Do not "make up" governance processes for each scenario
>Clear, consistent definition of governance
Remember: Too much governance may kill innovation!

23 Definition of Governance
>Definition of the domains that will be governed.

24 Linking Business Goals to IT Goals

25 Linking IT Goals to IT Processes

26 Linking IT and Business
Business Goal 6: Establish service continuity and availability
Supporting IT goals, each followed by the COBIT processes that deliver it:
IT Goal 10: Ensure mutual satisfaction of third-party relationships: DS2
IT Goal 16: Reduce solution and service delivery defects and rework: PO8, AI4, AI6, AI7, DS10
IT Goal 22: Ensure minimum business impact in the event of an IT service disruption or change: PO6, AI6, DS4, DS12
IT Goal 23: Make sure that IT services are available as required: DS3, DS4, DS8, DS13

27 Governance Ownership and Execution
>Governance is about policy, procedure and rule definition; those policies, procedures and rules must be agreed on by senior leadership
>Management puts the governance processes in place and ensures that they're followed by its individual groups.

28 Measurement
Governance without measurement is a waste of time!

29 Measurement
>Processes without measurement are not effective governance
>Governance must have a set of processes that provide feedback loops, so that the status of the processes is understood
>Each of the major governance areas must have measures
>Balanced scorecard\dashboards to define your key process indicators
>Responsibility for metrics must be allocated
>Every organization must have a set of key measures to use when charting status and progress

30 Measurement

31 Measurement
Maturity scale, 0 to 5: Non-existent, Initial, Repeatable, Defined, Managed, Optimised
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

32 Measurement
Management of the process "Monitor and evaluate IT performance", which satisfies the business requirement for IT of transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with governance requirements, is:
0 Non-existent when: The organisation has no monitoring process implemented. IT does not independently perform monitoring of projects or processes. Useful, timely and accurate reports are not available. The need for clearly understood process objectives is not recognised.
1 Initial/Ad Hoc when: Management recognises a need to collect and assess information about monitoring processes. Standard collection and assessment processes have not been identified. Monitoring is implemented and metrics are chosen on a case-by-case basis, according to the needs of specific IT projects and processes. Monitoring is generally implemented reactively to an incident that has caused some loss or embarrassment to the organisation. The accounting function monitors basic financial measures for IT.

33 Measurement

34 Measurement

35 GRC Automation
>Governance processes require integration of information from multiple data sources
>Collecting process data manually is error-prone; define the process and automate it for consistent results
>IFRS will mandate more controls around financial processes

36 Control Cycle

37 Example: Change Management
ITIL v3 activities: Change proposal (optional) -> Create RFC -> Record the RFC -> Review RFC -> Assess and evaluate change -> Authorise change -> Plan updates -> Co-ordinate change implementation -> Review and close change record. Side activities: Authorise change proposal; Update change and configuration information in CMS. Outputs: Evaluation report; Work orders.
RFC states: requested -> ready for evaluation -> ready for decision -> authorised -> scheduled -> implemented -> closed
COBIT control objectives: AI6.1 Change Standards and Procedures; AI6.2 Impact Assessment, Prioritisation and Authorisation; AI6.4 Change Status Tracking and Reporting; AI6.5 Change Closure and Documentation
ISO 27002 control: 10.1.2 Change management
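The change-management slide above shows one process flow with its states and the COBIT and ISO 27002 controls it satisfies; slide 17 complained that controls are hard to map to regulations and that there is no single system of record. The following is an added example, not code from the presentation or from CA: a small Python state machine that only allows RFC transitions in the order the slide gives, writes every step to an audit trail, and tags each step with the control identifiers printed on the slide, so that "which controls does this record evidence" becomes a query. The class and function names, the actor field, the per-step pairing of controls, and the segregation-of-duties check on authorisation are assumptions made for this example and are not taken from the slide or from the frameworks' text.

```python
"""Added example (not from the presentation): RFC state machine with an
audit trail that records which control objectives each step evidences.
Control ids (COBIT AI6.x, ISO 27002 10.1.2) are those printed on the slide;
their assignment to individual steps is an assumption for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# RFC states exactly as listed on the slide, in order.
STATES = ["requested", "ready for evaluation", "ready for decision",
          "authorised", "scheduled", "implemented", "closed"]

# Allowed transition (from, to) -> (ITIL activity, controls it evidences).
TRANSITIONS = {
    ("requested", "ready for evaluation"):
        ("Record the RFC", ["AI6.1", "ISO27002-10.1.2"]),
    ("ready for evaluation", "ready for decision"):
        ("Assess and evaluate change", ["AI6.2"]),
    ("ready for decision", "authorised"):
        ("Authorise change", ["AI6.2"]),
    ("authorised", "scheduled"):
        ("Plan updates", ["AI6.4"]),
    ("scheduled", "implemented"):
        ("Co-ordinate change implementation", ["AI6.4"]),
    ("implemented", "closed"):
        ("Review and close change record", ["AI6.5"]),
}


@dataclass
class AuditEntry:
    when: str
    actor: str
    activity: str
    from_state: str
    to_state: str
    controls: list


@dataclass
class ChangeRecord:
    rfc_id: str
    requester: str
    state: str = "requested"
    trail: list = field(default_factory=list)

    def transition(self, to_state: str, actor: str) -> "ChangeRecord":
        """Move to to_state if the slide's flow allows it; otherwise refuse."""
        key = (self.state, to_state)
        if key not in TRANSITIONS:
            raise ValueError(
                f"{self.rfc_id}: {self.state!r} -> {to_state!r} is not an allowed step")
        activity, controls = TRANSITIONS[key]
        # Segregation of duties (assumption for this example): the person who
        # raised the RFC may not be the one who authorises it.
        if to_state == "authorised" and actor == self.requester:
            raise PermissionError(
                f"{self.rfc_id}: requester {actor} cannot authorise own change")
        self.trail.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, activity=activity,
            from_state=self.state, to_state=to_state, controls=list(controls)))
        self.state = to_state
        return self

    def controls_evidenced(self) -> set:
        """Control objectives for which this record's trail holds evidence."""
        return {c for entry in self.trail for c in entry.controls}


def control_coverage(records) -> dict:
    """Per control objective, how many records evidence it: the single
    system-of-record view that slide 17 says is usually missing."""
    coverage = {}
    for record in records:
        for control in record.controls_evidenced():
            coverage[control] = coverage.get(control, 0) + 1
    return coverage


def run_sample_flow() -> ChangeRecord:
    """Walk one constructed RFC through the whole flow (sample data)."""
    rfc = ChangeRecord("RFC-0001", requester="alice")
    rfc.transition("ready for evaluation", "alice")
    rfc.transition("ready for decision", "bob")    # change analyst
    rfc.transition("authorised", "carol")          # CAB chair, not the requester
    rfc.transition("scheduled", "bob")
    rfc.transition("implemented", "dave")
    rfc.transition("closed", "bob")
    return rfc


if __name__ == "__main__":
    done = run_sample_flow()
    print(done.state, sorted(done.controls_evidenced()))
    print(control_coverage([done]))
```

An attempt to jump from "requested" straight to "implemented" raises ValueError, and an attempt by the requester to authorise their own change raises PermissionError with the state unchanged; both refusals are the kind of evidence an auditor asks for under AI6.2 and AI6.4.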

38 Governance and Frameworks
Frameworks positioned on the slide's WHAT/HOW axes: COBIT, ISO 9000, ISO 27000 series, ITIL, COSO, VAL IT, ISO/IEC 20000, ISO/IEC 38500, COBIT Risk.

39 Summary, Recommendations and Next Steps

40 Summary
>Established frameworks give you the descriptive guidance
>Use standards to document, guide and measure the implementation
  - Maturity models
  - Where do I need to be?
  - Industry yardstick
>Quality
  - Reduce errors
>Pick the components YOU require in YOUR business.

41 Summary
>"Just enough" should be the approach to governance, in terms of "what" is governed and to what depth.
>Governance processes are the purview of senior management
>Your management processes are how resources are used effectively every day

42 Business Imperative Action Plan
>When you get back to the office:
  - Visit www.isaca.org and download the guidance
  - Assess your current level of process maturity
  - Develop your metrics
  - Identify the gaps
  - Plan the implementation
  - Get moving!

43 GRC Ownership and Execution
>GRC must be the purview of the senior management team
>Accountability - senior management team
>Senior management must ensure that the people working in their organization are doing the right things
>CIO is accountable for execution
>Audit must be involved to ensure processes are followed
>Learn from others!

44 The Impact and Opportunity of Compliance and IT Governance (closing slide; repeats the title slide: Robert E Stroud, Robert.Stroud@ca.com, ISACA, April 8, 2009, BLOG: www.ca.com/blogs/stroud)
