The Impact and Opportunity of Compliance and IT Governance
Robert E Stroud
VP, Service Management; ITSM & Governance Evangelist
ISACA, April 8, 2009
BLOG: www.ca.com/blogs/stroud
Copyright © 2009 CA - Robert E Stroud – [email protected] - BLOG: www.ca.com/blogs/stroud
Imperative – business and IT integration
[Diagram: Business and IT converge as IT moves from Automation of Work, through Management of Information, to Transformation of Business]
It's no longer enough to align with the business
Business Depends on IT for Competitive Advantage
[Diagram: Business Value plotted against Maturity; IT evolves from Support Function, to Service Provider, to Engine for Competitive Advantage]
Business Drivers
Aligning IT with business priorities
Improving service to end users
Controlling IT costs
IT process improvement
Developing a proactive IT organization
Managing IT complexity
Making IT accountable and transparent
Building an IT team focused on service
Automation
Virtualization
Source: CIO Custom Solutions Group, Nov. 2007
Compliance growing every day
[Diagram: regulations plotted over Time by Scope of IT control (Internal to External) and Focus of control (Integrity of Entity Information, Integrity of Economic Information, Integrity of Personal Information): Basel II, Sarbanes-Oxley, GLBA, HIPAA, CA SB 1386, US Patriot Act, AML S352, DOD 5015.2, EUDP, PIPEDA, EU8, J-Sox, Collaboration]
Compliance must be part of your DNA!
> Not a one-time event
> An increasingly urgent topic of discussion
> Penalties and fines for noncompliance are significant – both civil and criminal penalties
> Multiple pieces of legislation
Compliance with government regulations is no longer just a legal matter but rather a critical business function.
Familiar
Business and IT integration
Risk and Compliance: Big Challenge — Big Opportunity
Things We Know About Risk and Compliance
> It’s not going away
> More regs are coming
> Failure is not an option
Turning Risk & Compliance to Advantage
> Reduce the cost
> Reduce the disruption
> Use it to drive operational improvement
Compliance: The Early Days
[Diagram: separate organizational silos: Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems]
Enter SOX
[Diagram: the same silos (Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems) with SOX added as a requirement cutting across them]
Next Come PCI, GLBA, Internal Policies (as well as Compliance Management)
[Diagram: the same silos (Internal Audit, General Counsel, IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems) now subject to SOX, Internal Policies, PCI and GLBA, with a CCO and a CRO added]
Risk and Compliance Is Fragmented, Complex
[Diagram: silos (IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems, Internal Audit, General Counsel) each handling SOX, Internal Policies, PCI and GLBA separately, with the CCO and CRO outside the silos]
> No unified view of risk and compliance across the organization. No single system of record.
> Hard to know the state of your Key Risk Indicators.
> Risks are often not adjusted when controls fail.
> Difficult to map controls to regulations.
Risk and Compliance Is Costly
[Diagram: the same silos (IT, Sales and Marketing, Human Resources, Finance, Accounting, Mfg. Systems, Internal Audit, General Counsel) under SOX, Internal Policies, PCI and GLBA, with the CCO and CRO]
> Wasted resources for redundant controls testing.
> IT remediation projects are hard to track.
> No visibility into total compliance cost.
Changing World
[Diagram: layered stack from Infrastructure, through a Mid Tier, to Applications, through a Mid Tier, to Business Processes]
GRC is key
> Organizations are sacrificing money, productivity and competitive advantage by not implementing effective GRC
> Executives need a method to:
  Direct IT for optimal advantage
  Manage IT-related risks
  Measure the value provided by IT
Definition
> Governance is more than compliance:
  Business strategy
  Risk appetite
  Sound management
  Business and IT alignment
Definition of Governance
> Policies, procedures and rules must be developed within each governed domain
> Do not "make up" governance processes for each scenario
> Clear, consistent definition of governance
Remember: too much governance may kill innovation!
Definition of Governance
> Definition of the domains that will be governed.
[Diagram: IT Governance Domains, including Resource Management]
Linking Business Goals to IT Goals
Linking IT Goals to IT Processes
Linking IT and Business
Business Goal 6: Establish service continuity and availability
  IT Goal 23: Make sure that IT services are available as required. CobiT processes: DS3, DS4, DS8, DS13
  IT Goal 22: Ensure minimum business impact in the event of an IT service disruption or change. CobiT processes: PO6, AI6, DS4, DS12
  IT Goal 16: Reduce solution and service delivery defects and rework. CobiT processes: PO8, AI4, AI6, AI7, DS10
  IT Goal 10: Ensure mutual satisfaction of third-party relationships. CobiT processes: DS2
Governance Ownership and Execution
> Governance is about policy, procedure and rule definition; those policies, procedures and rules must be agreed on by senior leadership
> Management puts the governance processes in place and ensures that they're followed by its individual groups.
Measurement
Governance without measurement is a waste of time!
Measurement
> Processes without measurement are not effective governance
> Governance must have a set of processes that provide feedback loops for understanding the status of those processes
> Each of the major governance areas must have measures
> Use balanced scorecards/dashboards to define your key process indicators.
> Responsibility for metrics must be allocated
> Every organization must have a set of key measures to use when charting status and progress
Measurement
Measurement
Maturity scale (0 to 5):
0 Non-existent: Management processes are not applied at all.
1 Initial: Processes are ad hoc and disorganised.
2 Repeatable: Processes follow a regular pattern.
3 Defined: Processes are documented and communicated.
4 Managed: Processes are monitored and measured.
5 Optimised: Best practices are followed and automated.
Measurement
Management of the process of "Monitor and evaluate IT performance" that satisfies the business requirement for IT of transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with governance requirements is:
0 Non-existent when: The organisation has no monitoring process implemented. IT does not independently perform monitoring of projects or processes. Useful, timely and accurate reports are not available. The need for clearly understood process objectives is not recognised.
1 Initial/Ad Hoc when: Management recognises a need to collect and assess information about monitoring processes. Standard collection and assessment processes have not been identified. Monitoring is implemented and metrics are chosen on a case-by-case basis, according to the needs of specific IT projects and processes. Monitoring is generally implemented reactively to an incident that has caused some loss or embarrassment to the organisation. The accounting function monitors basic financial measures for IT.
GRC Automation
> Governance processes require integration of information from multiple data sources
> Collecting process data manually is error-prone; define the process, then automate it for consistent results
> IFRS will mandate more controls around financial processes
Control Cycle
[Diagram: a cycle of Assess Environment, Develop & Refine Governing Documents, Implement & Operate, Monitor & Report, and Maintain IT Controls Framework; supported by a Plan / Build / Run tools repository and the activities Measure & Validate, Enforce, Communicate & Train, and Sustain. Process owners operate and oversee controls across Applications, Databases, Platforms, Networks and IT Processes]
· Top-Down, Risk-based Approach
· Process-based
· CobiT®-based
Governing documents:
  Division Policies (e.g. "What" IT must do): IT Division Policy Compliance
  Division Standards (e.g. "How" to do in every or any instance): IT Division Standard Conformance
  Procedures (e.g. "How" to do in an instance)
  Dept. Principles
Example: Change Management
ITIL v3 activities: Change Proposal (optional) and Authorise Change proposal; Create RFC; Record the RFC; Review RFC; Assess and evaluate Change (output: Evaluation report); Authorise Change; Plan updates; Co-ordinate change implementation (output: Work orders); Review and close change record; Update change and configuration information in the CMS.
Change record states: requested, ready for evaluation, ready for decision, authorised, scheduled, implemented, closed.
CobiT control objectives: AI6.1 Change Standards and Procedures; AI6.2 Impact Assessment, Prioritisation and Authorisation; AI6.4 Change Status Tracking and Reporting; AI6.5 Change Closure and Documentation.
ISO 27002 control: 10.1.2 Change management.
Val IT domains: Investment Management (IM), Portfolio Management (PM), Value Governance (VG).
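The slide lines the ITIL v3 change states up against CobiT AI6 control objectives but leaves the enforcement to the reader. The following is an added illustration, not code from the presentation or from CA, of how a change record can be made to walk those states in order while producing the evidence an auditor would ask for: no state may be skipped, a change cannot reach "ready for decision" without an evaluation report, the person who raised the change cannot be the one who authorises it (a separation-of-duties rule assumed for the example, not stated on the slide), closure requires a review, and every transition is logged against the control objective it evidences. The state names come from the slide; the class and function names, the mapping of states to AI6 objectives, and the sample RFCs are assumptions.

```python
"""Added example: a change-record state machine that enforces the ITIL v3
state order from the slide and logs each transition against a CobiT AI6
control objective. Not the presentation's code; names and mapping assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Linear lifecycle from the slide; a change may only advance one step at a time.
STATES = ["requested", "ready for evaluation", "ready for decision",
          "authorised", "scheduled", "implemented", "closed"]

# Control objective evidenced by arriving in each state (assumed mapping).
CONTROL_FOR_STATE = {
    "ready for evaluation": "AI6.1 Change Standards and Procedures",
    "ready for decision": "AI6.2 Impact Assessment, Prioritisation and Authorisation",
    "authorised": "AI6.2 Impact Assessment, Prioritisation and Authorisation",
    "scheduled": "AI6.4 Change Status Tracking and Reporting",
    "implemented": "AI6.4 Change Status Tracking and Reporting",
    "closed": "AI6.5 Change Closure and Documentation",
}


class ControlViolation(Exception):
    """Raised when a transition would bypass one of the controls."""


@dataclass
class ChangeRecord:
    rfc_id: str
    requester: str
    state: str = "requested"
    authoriser: Optional[str] = None
    audit_log: list = field(default_factory=list)

    def advance(self, new_state: str, actor: str, evidence: Optional[str] = None) -> str:
        """Move to the next state if every control for that step is satisfied."""
        nxt = STATES.index(self.state) + 1
        if nxt >= len(STATES) or STATES[nxt] != new_state:
            raise ControlViolation(f"{self.rfc_id}: cannot move from '{self.state}' to '{new_state}'")
        if new_state == "ready for decision" and not evidence:
            raise ControlViolation(f"{self.rfc_id}: evaluation report required before decision")
        if new_state == "authorised":
            if actor == self.requester:  # assumed separation-of-duties rule
                raise ControlViolation(f"{self.rfc_id}: requester may not authorise own change")
            self.authoriser = actor
        if new_state == "closed" and not evidence:
            raise ControlViolation(f"{self.rfc_id}: closure review required before closing")
        # AI6.4 status tracking: every transition leaves an audit entry.
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "rfc": self.rfc_id, "from": self.state, "to": new_state,
            "actor": actor, "control": CONTROL_FOR_STATE[new_state], "evidence": evidence,
        })
        self.state = new_state
        return self.state


def run_compliant_change() -> ChangeRecord:
    """Constructed sample: one change taken through the full lifecycle."""
    rfc = ChangeRecord("RFC-0001", requester="alice")
    rfc.advance("ready for evaluation", "alice")
    rfc.advance("ready for decision", "bob", evidence="impact: low; backout plan attached")
    rfc.advance("authorised", "carol")  # change manager, not the requester
    rfc.advance("scheduled", "bob")
    rfc.advance("implemented", "bob")
    rfc.advance("closed", "bob", evidence="post-implementation review: success")
    return rfc


def attempted_self_authorisation() -> str:
    """Constructed sample: the requester tries to authorise her own change."""
    rfc = ChangeRecord("RFC-0002", requester="alice")
    rfc.advance("ready for evaluation", "alice")
    rfc.advance("ready for decision", "bob", evidence="impact: low")
    try:
        rfc.advance("authorised", "alice")
    except ControlViolation as exc:
        return str(exc)
    return "no violation detected"


def attempted_state_skip() -> str:
    """Constructed sample: implementing straight from 'requested'."""
    rfc = ChangeRecord("RFC-0003", requester="alice")
    try:
        rfc.advance("implemented", "bob")
    except ControlViolation as exc:
        return str(exc)
    return "no violation detected"


def controls_evidenced(rfc: ChangeRecord) -> list:
    """Distinct control objectives with at least one audit entry, in order."""
    seen = []
    for entry in rfc.audit_log:
        if entry["control"] not in seen:
            seen.append(entry["control"])
    return seen


if __name__ == "__main__":
    done = run_compliant_change()
    for e in done.audit_log:
        print(f"{e['from']:>20} -> {e['to']:<20} by {e['actor']:<6} [{e['control']}]")
    print(attempted_self_authorisation())
    print(attempted_state_skip())
```

The audit log is what answers the slide's "hard to map controls to regulations" complaint: each entry names the AI6 objective it satisfies, so a reviewer can pull every record that evidences AI6.2 without re-reading the workflow. The same log also feeds ISO 27002 10.1.2, which asks for exactly this kind of recorded, authorised change history.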
Governance and Frameworks
[Diagram: frameworks placed on a spectrum from WHAT to HOW: COBIT, ISO 9000, ISO 27000 series, ITIL, COSO, VAL IT, ISO/IEC 20000, ISO/IEC 38500, Risk]
Summary, Recommendations and Next Steps
Summary
> Established Frameworks give you the descriptive guidance
> Use Standards to document, guide and measure the implementation
> Maturity Models: where do I need to be? An industry yardstick
> Quality: reduce errors
> Pick the components YOU require in YOUR Business.
Summary
> "Just enough" should be the approach to governance in terms of "what" is governed and to what depth.
> Governance processes are the purview of senior management
> Your Management processes are how resources are used effectively every day
Business Imperative Action Plan
> When you get back to the office:
Visit www.isaca.org and download the guidance
Assess your current level of process maturity
Develop your metrics
Identify the gaps
Plan the implementation
Get moving!
GRC Ownership and Execution
> GRC must be the purview of the senior management team
> Accountability - senior management team
> Senior Management must ensure that the people working in their organization are doing the right things
> The CIO is accountable for execution
> Audit must be involved to ensure processes are followed
> Learn from others!