What is IT Governance? Corporate governance –Processes, customs, rules, procedures, policies, and...
-
Upload
junior-shelton -
Category
Documents
-
view
217 -
download
0
Transcript of What is IT Governance? Corporate governance –Processes, customs, rules, procedures, policies, and...
What is IT Governance?
• Corporate governance – Processes, customs, rules, procedures, policies, and
traditions – Determine how to direct and control management
activities
• People involved in corporate governance – Board of directors, CEO, senior executives, and
shareholders
• Interest in corporate governance has grown due to recent accounting scandals
Information Technology for Managers 1
What is IT Governance? (continued)
• IT governance – Decision-making process – Involves investments in IT– Includes defining:
• Decision-making process itself
• Who makes the decisions
• Who is held accountable for results
• How the results of decisions are communicated, measured, and monitored
Information Technology for Managers 2
What is IT Governance? (continued)
• Primary goals of effective IT governance– Ensuring that an organization achieves good value
from its investments in IT – Mitigating IT-related risks
Information Technology for Managers 3
What is IT Governance? (continued)
Information Technology for Managers 4
Ensuring that an Organization Achieves Good Value from its
Investments in IT• Many parts of the organization could not operate
without IT
• Governance must be applied to the management of IT– Effective IT strategic planning process ensures close
alignment between business and IT goals – Apply good project management principles
Guide to Microsoft Virtual PC 2005 and Virtual Server 2007 5
Mitigating IT-Related Risks
• Use good internal controls and management accountability
• Internal control – Provide reasonable assurance for:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• Improper conduct of senior managers and failure to hold managers accountable can circumvent internal controls
Information Technology for Managers 6
Mitigating IT-Related Risks (continued)
• Rules and regulations – Hold senior management accountable for the
integrity of financial data and internal controls
• Accounting, consulting, and software firms can provide products and services
• Five key activities needed for effective IT governance
Information Technology for Managers 7
Information Technology for Managers 8
Why Managers Must Understand IT Governance
• Universal goal for businesses– Leveraging IT to transform an enterprise and create
value-added services, increased revenue, and decreased expenses
• IT-related initiatives are seldom simple and straightforward
• Good IT governance– IT organization is better aligned and integrated with
the business– Risks and costs are reduced– IT helps the company gain a business advantage
Information Technology for Managers 9
IT Governance Frameworks
• IT Infrastructure Library (ITIL) – Provides best practices and criteria for effective IT
services
• Control OBjectives for Information and Related Technology (COBIT)– COBIT provides guidelines for more than 30
processes that span a wide range of IT-related activities
• Frameworks are complementary, not competing
Information Technology for Managers 10
IT Infrastructure Library (ITIL)
• Set of guidelines initially formulated by the UK government – Widely used today throughout Europe and the
United States
• Standardize, integrate, and manage IT service delivery
• Consists of five distinct volumes
Information Technology for Managers 11
IT Infrastructure Library (ITIL) (continued)
• Addresses – Strategy and value planning– Roles and responsibilities of key players– Planning and implementing service strategies– Business planning and IT strategy linkage– Risks and critical success factors for implementing
ITIL
Information Technology for Managers 12
Control OBjectives for Information and Related Technology (COBIT)
• Set of guidelines
• Goal – Align IT resources and processes with business
objectives, quality standards, monetary controls, and security needs
• Issued by the IT Governance Institute– www.isaca.org/cobit.htm
• Provides guidance for more than 30 IT-related processes grouped into four major categories
Information Technology for Managers 13
Information Technology for Managers 14
Information Technology for Managers 15
Information Technology for Managers 16
Control OBjectives for Information and Related Technology (COBIT)
(continued)• Each of the processes is described in terms of:
– The process inputs– The process description– The process outputs– The goals and metrics– The RACI chart– The maturity model
Information Technology for Managers 17
Control OBjectives for Information and Related Technology (COBIT)
(continued)
Information Technology for Managers 18
Control OBjectives for Information and Related Technology (COBIT)
(continued)• “Maturity level” of management processes
– Scale of 0 to 5
• Use the scale for each process to evaluate a number of items
• Use this information to choose:– Which processes have priority for improvement
– Which can be addressed later
Information Technology for Managers 19
Using PDCA and an IT Governance Framework
• Plan-Do-Check-Act (PDCA) model
• Tried and proven method
• Can be applied to a specific targeted process
• Each step in the model has specific objectives
Information Technology for Managers 20
Information Technology for Managers 21
Information Technology for Managers 22
A Manager Takes Charge: Audatex Uses PDCA and ITIL to Improve Its
Service Offerings• Operates as a service provider for body shops and
insurance companies– Offers an integrated suite of software to support auto
insurance collision repair shops
• Firm must invest heavily in product development, new technology, and improved products and services
• Ross McEleny, IT services director at Audatex– Formed a process improvement team– Established a continuous improvement loop
Information Technology for Managers 23
Business Continuity Planning
• Disaster – Unplanned interruption of normal business
operations for an unacceptable period of time
• Can result in many negative consequences
• Key planning assumptions – Must be built into an organization’s business
continuity plan
Information Technology for Managers 24
Business Continuity Planning (continued)
Information Technology for Managers 25
Information Technology for Managers 26
Business Continuity Planning (continued)
• Business continuity plan – People and procedures required to ensure
resumption of an organization’s essential, time-sensitive processes with minimal interruption
• Due diligence – Effort made by an ordinarily prudent or reasonable
party to avoid harm to another party– Failure to make this effort may be considered
negligence
• Scope of a full business continuity plan
Information Technology for Managers 27
Business Continuity Planning (continued)
• Disaster recovery plan – Subset of the business continuity plan– Focuses on keeping components of the IT
infrastructure functioning during a disaster or recovering them quickly afterward
Information Technology for Managers 28
Information Technology for Managers 29
Process for Developing a Business Continuity Plan
• Identifying vital records and data– Determine where and how they are being stored and
backed up– Must assess the adequacy of the current data
storage plan– Offsite backup recommended
• Conducting a business impact analysis– Recovery time objective
• Time within which a business function must be recovered
Information Technology for Managers 30
Information Technology for Managers 31
Defining Resources and Actions Required to Recover
• AAA priority business functions– Document all the resources needed to recover the
business function within the recovery time objective– Identify the sequences of steps that must occur to
recover from a disaster– Specific features to consider for inclusion in the
recovery of a AAA priority business function
• When all the preceding tasks have been completed for the AAA priority business functions:– Repeat the process for all the AAA priority business
functions, then for all AA priority, etc.Information Technology for Managers 32
Defining Emergency Procedures
• Emergency procedures define the steps to be taken during a disaster and immediately following
• Planning and practice of such procedures – Minimize loss of life and injuries as well – Reduce the impact on the business and its
operations
• Develop in conjunction with professional first responders
• Computer, data, and equipment backup processes should be triggered automatically
Information Technology for Managers 33
Identifying and Training Business Continuity Teams
• Business continuity teams – Control group– Emergency response team
• Includes members of the fire department, police department, and other first responders
– Business recovery team
• Members of these teams should be carefully selected– Wise to cross-train people
Information Technology for Managers 34
Training Employees
• Employees should be trained to recognize and respond to various types of disaster warnings
• Good practice to identify “floor wardens”
• Most organizations conduct one or two disaster drills per year
Information Technology for Managers 35
Practicing and Updating the Plan
• Test business continuity plan – Ensure that it is effective and that people can execute
it
• Employees are expected to exercise the business continuity plan and restore operations within the desired recovery time
• Capture problems or issues not addressed by the plan – Revise it to incorporate solutions
• Plan must be continually updated to account for changes
Information Technology for Managers 36
Information Technology for Managers 37
Summary
• IT governance – Decision-making process that involves investments
in IT– Responsibility of executive management– Five central themes of IT governance
• Use frameworks as a basis to develop their own governance model
• Each organization must perform an objective assessment of its unique risks and develop a comprehensive plan
Information Technology for Managers 38