BIT2318-Topic3
Transcript of BIT2318-Topic3
Essentials of IT in today's business
Challenges and concerns are:
- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
- Insisting that an IT control framework be adopted and implemented
- Measuring IT's performance
IT without Governance
IT without governance is reactive: it is unable to plan, to acquire or develop the correct skills, or to understand priorities.
For instance, without a structured process, all projects are number-one priorities. With budgets being flat or minimally increasing, it is difficult to know where to focus.
IT Governance
IT governance processes allow IT to understand and manage IT-enabled business change.
An IT governance framework addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
Effective application of the ITG framework is the responsibility of the board of directors and executive management.
IT governance is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
An IT governance framework, such as Control Objectives for Information and related Technology (COBIT) can be a critical element in ensuring proper control and governance over information and the systems that create, store, manipulate and retrieve it.
Best practice of ITG leads to:
- Aligning IT/IS goals with the company's goals: a strategic role of senior management, not a tactical one.
- Establishing accountability: individuals are held responsible for their actions (clear processes, procedures, job descriptions etc.). Responsibility starts with employees and builds up to top management.
ITG Structure
How to establish ITG?
- Create an IT Strategy / Steering Committee to evaluate IT strategy and process (DAIM) and ensure it supports the organization's strategies (ALIGNMENT).
- Develop policies and procedures: DAIM of systems or IT-based projects.
- Define job roles.
- Execute good HR practices.
- Perform risk assessments and periodic audits to ensure management receives sufficient and timely information about IT performance.
Auditor's Role in IT Governance
Provide guidance and recommendations to senior management:
- Learn the organization: goals and objectives, MS
- Review the IT Strategic Plan: IT project planning over 3-5 years
- Analyze the organizational chart: roles and responsibilities of employees
- Study job descriptions: level of responsibility and accountability for one's actions
- Evaluate existing policies and procedures: approved activities of employees
IT Steering Committee (Fig. 2.2)
- Business Management: CEO
- IT Management: CIO or representative
- Legal: Legal Executive
- Finance: CFO, for financial guidance
- Marketing / Sales: Senior Manager
- Quality Control: IT usage meets the required standard
- Research & Development: IT meets the needs of new products
- Human Resources: IT efforts benefit and are fair to employees
IT Steering Committee
Responsibility: reviews major IT projects, budgets and plans. Operates under a formal charter. Provides strategic guidance but is NOT involved in the daily activities of the IT Department.
Organizational Structure
The design of the IT function's structure is influenced by cultural, political and economic forces.
Example (org chart): CEO at the top, with VP IT, VP Foreign Operations and VP Local Operations; functional heads shown include R&D, Sales & Mktg Manager, HR Manager, Finance & Accounting and IT Manager.
IT Organizational Structure (figure): IT Function Manager, over four managers and their areas:
- SD Manager: System Analysis, Computer Programming, DBA, QC
- User Services Manager: Technical Support, Application Support, User Training, Help Desk
- Computer Operations Manager: Data Input, Info Processing, Info Output, Continuity of Operations
- Computer Security Manager: SW Security, Info Security, Network Security, Physical Security
Internal control consideration: separation of duties.
IT Strategy
IT Strategy must align with the Business Strategic Plan. IT Function Objectives include:
- Create an atmosphere that embraces innovation and change.
- Apply HW and SW technologies to opportunities that promote prosperity.
- Incorporate enterprise-wide systems to facilitate coordination of business activities.
- Develop a technology-based communications network capable of linking suppliers, customers and employees.
IT Strategy
IT Objectives set foundation for IT Strategy.
IT Strategy – details HOW IT function will achieve its objectives through organizational structure, relationship with others and IT configurations.
Ex: The IT function will use a decentralized form of organization that is adaptable to the dynamic nature of the company. It consists of a CIO who, with delegates, will strive to cooperate and coordinate with all internal information customers to ensure that the company's information system is fully integrated and that business processes and IT infrastructure meet ever-changing demands…..
IT Function should:
- Develop a Strategic IT Plan.
- Articulate the information architecture.
- Find the optimal fit between IT and the company's strategy.
- Maximize IT investment.
- Communicate IT policies to users.
- Conduct IT risk assessments.
- Incorporate sound project management techniques.
Organizational IT Policies, Standards and Procedures
These reflect management's view of the company.
POLICY: covers most aspects of organizational control to meet legal and business requirements. States who is responsible and what standards must be upheld to meet minimum CG requirements. Dictates how activities occur in each of the functional areas.
Policy development: top-down vs bottom-up.
Policies must address:
(i) Regulatory: the organization's standards meet local, state and federal laws.
(ii) Advisory: consequences of employees' behaviour and actions, e.g. Internet use.
(iii) Informative: to inform employees/customers, e.g. return policy for Internet sales.
Security Policy – dictates management’s commitment to the use, operation and security of IS and assets.
Disaster Recovery and Business Continuity Policy
Auditor’s part on Policy
- Look closely at policy to understand how specific process functions.
eg. DCRP policy: HW, SW, backup media, site
- Examine these critical documents, any findings be referenced back to the policy.
- Verify how well policy actually maps to activity.
- Review to ensure policies are current.
Procedures
Step-by-step instructions: detailed documents tied to specific technologies and devices.
They describe how policy should be carried out, e.g. DCRP. More dynamic than policy, so as to stay relevant with changes in processes, equipment etc.
Auditor's part?
- Review relevant procedures and map them to employee behaviour through observation or interview.
- Misalignment? No procedure / procedure not effective / lack of training on procedures.
Standards and Guidelines
Standard: mandatory requirements to be adhered to. E.g. e-mail encryption, password length.
Guidelines: statements in a policy or procedure that help determine a course of action.
- Best practices
- Not mandatory
Reviewing Documentation
To verify that documents are being used as the way management has authorized and intended to be used.
Internal – HR document, QA document, Operation Manuals, IT forecast and budgets, Security policy, Organizational chart, Job details.
External – Vendor’s Contract, bidding process
Potential Problems
- Excessive costs
- Budget overruns
- Late projects / aborted projects
- Unsupported HW changes
- Lacking / outdated documentation
- Employees unaware of documentation
PERFORMANCE MEASUREMENT
Activities to ensure organizational goals are met effectively and efficiently. Mechanisms are both financial and non-financial.
Balanced Scorecard (Kaplan & Norton, 1996):
- Customer's perspective: users' satisfaction with system reliability, ease of use and IT staff.
- Internal operations: operational performance, e.g. number of security breaches, number of backlogged requests, % of downtime.
- Innovation and learning: adaptability and scalability, e.g. ease of integrating new technology into the existing architecture, IT growth.
- Financial evaluation: profit, market share, ROI, NPV, transaction cost pre- and post-IT project.
Performance Review
Performance review refers to the identification of a target to be monitored, tracked, and assigned to a responsible party, and the resolution of any open issues.
Existing systems require a regular review to determine the ongoing level of compliance to internal controls and the next steps to take.
Capability Maturity Model (CMM)
The Capability Maturity Model (CMM) is a method for evaluating and measuring the maturity of processes in organizations.
A rating scale from 0 to 5 is used. A score of zero indicates that nothing is occurring.
Level 1 maturity indicates that the initial activity was successful and may later progress up to level 5, when the activity is statistically controlled for continuous improvement.
The CMM rating scale was developed by the Software Engineering Institute at Carnegie Mellon University and has been widely used for rating business process capabilities.
Level 0
Level 0 = Nothing yet. The level of zero is implied in the CMM but may not be noticed. This is important when evaluating process maturity.
Missing processes and controls without evidence will be rated as zero. Many individuals assume that all controls are present when, in fact, some may be missing. A process or control must have occurred in order to reach a level of maturity (1–5).
Level 1
Level 1 = Initial. Processes are unique and chaotic. The organization does not have a stable environment. Success is based on individual competencies and heroics. This level often produces products and services that work.
However, output may exceed the available resources or be dependent on specific individuals. At level 1, people have the most freedom and flexibility to make their own decisions.
Level 2
Level 2 = Repeatable. Processes are repeatable. The organization uses project management to track projects. The project status is communicated by using milestones with a defined work breakdown structure.
The basic standards, processes, descriptions, and procedures are documented.
Level 3
Level 3 = Defined. Processes are well documented and understood. Level 3 is more mature and better defined than level 2. Processes have objectives, measurements, improvement procedures, and standards.
The results in level 3 are predictable by qualitative measure.
Level 4
Level 4 = Managed. Management can use precise measurement criteria to control the processes and identify ways to adjust the results.
Processes at level 4 are predictable by quantitative measure.
Level 5
Level 5 = Optimized. This is the highest level, with continuous improvement of processes.
Objectives for improvement are defined and continually revised to reflect business needs and objectives. Products at CMM level 5 have been so well defined that they are effectively converted into a commodity.
Level 5 is the ideal maturity for the maximum level of control in outsourcing. It allows the company to switch to using less-skilled people who are told what to do, pay less, and demand unquestionable authority.
People have the least authority with the fewest decisions at level 5.
IT Resource Investment
- Funding IT Operations
- Acquiring IT Resources
- Staffing the IT Function: Hiring, Rewarding, Terminating
RISK MANAGEMENT
- Risk Management Team
- Asset Identification
- Threat Identification
- Risk Analysis Method: Quantitative, Qualitative
Key Planning Risk Indicators
- Strategic planning not used.
- IT risks not assessed.
- Investment analysis not performed.
- Quality assurance reviews not conducted.
- Plans and goals not communicated.
- IT personnel are disgruntled.
- Technology infrastructure inadequate.
- Users unhappy with support.
- Management's information needs not met.
Monitoring and Assurance of IT Performance
Management Practices and Controls:
- Employee Management
- Sourcing
- Change Management and Quality Improvement
Personnel Roles and Responsibilities:
- Employees' Roles and Duties
- Segregation of Duties
- Compensating Controls
Controlling IT Functions
1. Security Controls: Physical Security, Logical Security
2. Information Controls: Input Controls, Process Controls, Database Controls, Output Controls
3. Continuity Controls: Backup Controls (Data Backup, Hardware Backup), Disaster Recovery Controls
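As an added example (not part of the lecture notes), the separation-of-duties consideration from the IT organizational structure above and the "Segregation of Duties / Compensating Controls" item in this section can be checked mechanically: the script below flags any employee who holds a conflicting pair of duties unless a documented compensating control covers that pair. The duty names follow the org structure on the slides; the conflict pairs, the control descriptions and the sample assignments are assumed/constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Duty names follow the IT organizational structure in the notes; the conflict
# pairs are ASSUMED typical IS-audit pairings, not taken from the notes.
CONFLICTS = {
    frozenset({"computer programming", "computer operations"}),
    frozenset({"computer programming", "dba"}),
    frozenset({"computer programming", "qc"}),
    frozenset({"data input", "info output"}),
    frozenset({"computer security", "dba"}),
}

@dataclass
class Employee:
    name: str
    duties: set
    # Compensating controls, keyed by the conflicting pair each one covers.
    compensating: dict = field(default_factory=dict)

def find_conflicts(emp):
    """Return (duty_a, duty_b, control) for every conflicting pair held;
    control is None when nothing compensates for the conflict."""
    found = []
    for a, b in combinations(sorted(emp.duties), 2):
        pair = frozenset({a, b})
        if pair in CONFLICTS:
            found.append((a, b, emp.compensating.get(pair)))
    return found

def audit(employees):
    """Return unmitigated conflicts as (employee, duty_a, duty_b) findings."""
    return [(e.name, a, b) for e in employees
            for a, b, control in find_conflicts(e) if control is None]

# Constructed sample assignments for a small IT function.
SAMPLE = [
    Employee("alice", {"computer programming", "computer operations"}),
    Employee("bob", {"data input", "info output"},
             {frozenset({"data input", "info output"}):
              "independent reconciliation of output totals"}),
    Employee("carol", {"dba", "technical support"}),
]

if __name__ == "__main__":
    for name, a, b in audit(SAMPLE):
        print(f"finding: {name} holds '{a}' and '{b}' with no compensating control")
```

Only alice is reported: bob's conflict is covered by a compensating control, and carol's duties do not conflict.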
CONCLUSION
Effective management of the IT function is a critical success factor in ensuring the economic viability of an organization.
ITG runs from the top down; the goals of the IT/IS function align with the organization's goals.
Auditor's tasks:
- Review documents, standards and policies to determine how closely they match employees' activities.
- Review job roles and responsibilities to understand the risks an individual might pose to the company.