Common Frameworks

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

10 hours 8 minutes
Video Transcription
Hi, everybody. Welcome back to our siege. It sort of certification course. I'm Kelly Hander hands. So I'll be your instructor for throughout the course for the weeks to come and will be discussing the requirements to become certified in the governance of enterprise I t.
And of course, our first class was on Tuesday. But I want to go back and just review a little bit
to make sure that we remember everything that we talked about. And I do mean everything. I expect every word that came out of my mouth to have gone immediately to your brain and been absorbed.
Um, but if that did not happen, at least the important stuff. So let's go back and let's just review a little bit that we saw for
ah, the first little bit. So we talked about what to expect from the exam. Absolutely. And I really do hope those of you that are sitting this class do take the exam, that you do have that in mind if not immediately, then down the line,
because this really is a very helpful certification tohave
if you have your eyes on governance and perhaps becoming a C. I s o down the line. It's one of those things that just separates out your resume from others, so I think it's a good certification. I saca's a world reknown institution,
so any of their certifications are always gonna have a high degree of value.
Now we talked about I t. Governance. And so if you'll recall, when we're looking at governance just for the organization as a whole were thinking about the board of directors were talking about, senior managers were talking, perhaps steering committees. But ultimately what we're looking to do is to
meat. Well, I won't say Meet the needs of all of our stakeholders but address
all of the needs of our stakeholders, essentially making sure that we have set about for predetermined agreed upon enterprise wide objectives that are balanced. Looking at the needs of the business versus the need for security and really understanding the to our
one in the same two sides of the same coin
and governments, governance is going to require setting the direction for the organization as a whole, where we looking to go when we look at when we get into the long term. So we're thinking strategic objectives were thinking, setting the tone and vision for the organization. Where do we want to be in five years
now? I t governance is, of course, a subset of enterprise governance. It's not
separate from its not in, ah, you know, opposition to I t. Governance is a portion of enterprise governance, and what we're looking to do there is to ensure that our information technology supports the organization, that it's used efficiently and effectively
that we get our cost benefit. We get our value from the use of I t. And making sure that we're maximizing our value and maximizing our return on investment.
So, of course, we're still thinking broad picture, but ultimately making sure that I tease in alignments with the goals of the business.
All right, so we moved along and talked about the requirements. What is needed for I t. To be successful. We talked about the significance of roles and responsibilities to be well defined, ongoing governance. And again, of course, part of the organization as a whole.
Many be benefits from governance. You know, um, we want to make sure that we're meeting our objectives. We want to maintain compliance with laws and regulations we want to reduce risk. We want to deliver more value.
So effective information technology governance is gonna bring that to us. And that's certainly our goal. Now, um,
strategic alignment, value delivery, risk management, resource management, performance management. I hope I've talked about all those you know, those five areas that were focused on for I t. Governance.
Because what we're ultimately looking to do is to provide that strategic alignment that supports the organization.
We want to deliver our value to the stakeholders while adequately managing risks and ensuring that we provide mitigation to the degree that's required. No more, no less.
All right, manage. Our resource is efficiently and effectively. And then, of course, measure our performance because we don't just implement controls without expectations. We want to determine. Are we meeting our objectives that we have said, if apart for our goals.
All right, um, we've talked about those resource management performance, and if I'm not mistaken, we wrapped up by talking about understanding frameworks and governance frameworks and what those frameworks are going to do for us.
And we said, Frank works. We're going to bring in
the foundational structure for the organization, right? We need that foundation. We need the the structure that set up to support security and to support the I T department in supporting the business, if you will. So that elements of our frameworks
we're gonna enforce a control environment, which really is kind of what it sounds like.
An environment in which we set up processes and procedures and structures to support our organizational controls. To control our organizational environments will use risk assessment to determine how much is enough.
Um, that balance between business and security will implement control activities where we have mechanisms in place to provide that risk management
we communicate with their employees are stakeholders are shareholders, you know, throughout the organization. And again we monitor. And I know we talked about all this on Tuesday, but sometimes I think it helps to just get back into the swing of things by doing a little review. So I'm gonna Paul's
and sip my pumpkin spice latte
sort of while you, you know, bring back
all the information from last week.
Excuse me. All right. So
the control environment, we've talked about risk assessment. We talked about those areas and that brought us to a review
So where we are now is we're gonna have the opportunity to look at some common frameworks that are in use and these are testable. Not every framework that's on this list is gonna be testable, but certainly some more so than others. So we're gonna look at these common frameworks,
the one that I, the ones I think you'll see
our most testable.
We have to talk about ice. 0 27,000 Siri's particularly I. So 27,001 and two, These are the most commonly used frameworks in the world because they're developed by the International Organization of Standards.
We also have our capability maturity model Integrated,
which comes to us from Carnegie Mellon and all it addresses the, um
the maturity of your project management processes will look at Kobe. It, which also comes from my Sacha, as does Val I. T. And Val. I t is essentially an extension of Kobe.
We'll also just mention co so and toe gabs, Ackman and SAB za as they are other very popular frameworks. But I don't want you to spend a lot of time. We'll just have kind of a, um
ah, high area off understanding okay, It looks like I have a question. Isn't there 1/6 focus area from the last section? I'm assuming that was focus area for governance.
Uh, as far as I recall, no, there should just be five focus areas.
There might be other things that we've talked about as being significant, but I don't really have, um
I don't have 1/6 area for focus for i t. Governance Focus area. If anyone out there that's following along, uh might know the reference to 1/6 element here, there's nothing that's on my mind.
But ah, you know what? By the time it becomes three o'clock and ah, the coffee starting to wear off, it's very possible.
And I do want to just pause here for second and say Thank you for asking a question. We really appreciate when you guys jump in and participate, give, you know, some discussion back and forth because it's extremely helpful, Teoh
to to keep everybody involved and engaged. And if you've got a question you're asking,
chances are really good. Somebody else does, and I think it's a great thing to really maximize the value of what we're doing here in class because otherwise you could just watch videos or read a book. Right? So we've got this dynamic discussion, and that's a really that provides a real value. Um
uh, Let's see here.
I went back just to make sure I didn't, um, miss a piece.
That's where we were. I'll pause for second. Are there any other questions in relation to what we talked about on Tuesday? Um, before we move on your teaching very much focused on the siege, it certification.
And then all of a sudden, I hear some of my son's toys making noise
in the other room. He's got a little piano. I'm starting here. Clink, clink, clink. And I'm here in the house alone. So that was a little in Irving made me think of that movie, that horror movie were the doll. Chuckie
came to life and I just thought, you know, it's really not cool. If I'm gonna be murdered by child's toy tow, have that happened right in the middle of a siege? It class. So I had to stop and I had to check out, make sure everything was OK. Somehow I had left Thea the door to the basement open
and I have I have I have four dogs.
Temporarily. I'm watching my mom's dogs, so, uh, chaos reigns. So I apologize for that little distraction. I am delighted to know there's no poltergeist in the house, and I think I can focus a little better there. All right, so what we're ready to do? We've talked about why frameworks. We've talked about the basis,
what we need, what we expect. You know that
guidance in that structure. So let's look at some of the frameworks that exist today and let's compare and contrast them and talk about him a little bit. So
the 1st 1 we want to start with his eyes. So 27,001 in 27,001 really is the set of it really is the framework, and we would be certified to this framework. So what that would indicate is that we follow and we have the structure for I. So 27,001.
Now, this is the most widely used security standard in the world. And the term I want you to associate with this is an I S.
M. S, an information security management system, An information security management system now this
particular course governance of enterprise. I t isn't necessarily focusing in on information security with that laser focus we see in the C S SP and some of the others. However,
when you're looking at governing enterprise, i t. It is always at the forefront of our mind that we want to make sure that we safeguard our information
to the degree that's required by the value of the information. So absolutely looking at the configuration in the structure and foundation for an eye SMS is very, very relevant. Basically, I so 27,001 puts the responsibility squarely on the shoulders
of senior minute management.
And it references how it's their role to lead by example, to look at or incorporate information security into the enterprise to focus on the C. I. A. Confidentiality, integrity and availability of information
and, um, uh, to do so
in such a way that we implement risk management. We look at something called the Plan Do Check Act model. If you're familiar with that, that was popularized by Demming in relation to quality, and it's exactly what it sounds like. A plan do check act.
It's almost funny to me that that has to be a formalized model, because that's the way we live our lives.
I plan to do something. I do it. I check to see if it worked, and then I asked act upon it. Right. So, um,
by so 27,001 specifies all of those elements and ultimately it covers the development of an I s Imette's all the way through into the initial processes of research and establishment
all the way to the point where we look for continuous improvement. So
the governs essentially the entire lifespan oven i SMS. Now, the nice thing about frameworks is that frameworks usually are not particular to an industry. Now, there might be an industry for which a framework was designed,
but usually frameworks are pretty portable across industries
because they don't dictate the methodology. You know, they give you a framework that you're working towards your working to be compliant with 27,001 or with other frameworks, but they don't get to the nitty gritty details that are gonna be different from organization organization. So, yes,
this is gonna address information security across the industry,
and it's going to specify a wide range of controls that are put in place to protect information.
Now, I so 27,000 to actually have a little love
typo here. I just want to correct
Uh, I So 27,002 is the set of practices that will help you accomplish I So 27,001.
So that gets a little bit weird. So the two kind can go hand in hand.
So with ice or 27,000 we've got a list of requirements that ultimately have to be men. We've gotta address access control. We've got address, business continuity. We've got address, physical security and risk management in all of these elements. But ultimately, these frameworks are so broad,
you know, we have to take steps to protect our network. Well,
that could be any number of ways that we're gonna protect our network, right? We have to conduct vulnerability assessments. We'll give me more information. Frameworks are broad in nature.
So I so 27,002 is the nitty gritty of how we get to 27,001. It's almost like 27,001 is what we want. 27,002 is how we get there. But I do want to stress that
I so 27,002 is not the only way you can accomplish
being I. So, 27,001 certified. There are other best practices that you can implement that will take you to that ultimate destination of being certified in ISO 27,001. And this is but one way. Now
when you look at this idea, you know, we've got
to bring our organization and make sure that senior management leads by example top down management. And it's there
gold to influence the culture and the environment of the organization, which they govern
that has to come from the top. That's not one of those things that trickles up right. Culture, ethics. The environment comes down from the top,
all right. And so elements that we're looking to bring in is we're going to focus on security awareness because
I'll ask you where is the greatest threat to my organization? Or we could say what is my greatest vulnerability? And usually when we talk about our frameworks, we talk about the support for people, technology and processes.
So our people, our organizational processes in our technology, where do you think the greatest vulnerability is what's the biggest weakness by far its people, right? And, you know, is something like 2/3 of all security incidents are not malicious in nature.
They're simply accidental in nature.
So that's where awareness and training comes in. You can think of awareness and training to keep the honest people honest, right, but also to really lay the groundwork down for accountability as well. We train our folks, we implement polit well, we implement policy, we train our folks,
and then we enforce our policy
and ensure our employees are within compliance policies only as good as its enforcement. And if you want to change the culture in an organization, start enforcing policy and see how quickly things change. Start having there be repercussions for letting someone else in On a card swipe,
repercussions for opening up files that aren't digitally signed, you know, whatever that may be. Senior management. Once we step up senior managers and start enforcing policy, we'll see that change we're looking for, and I don't know of any other,
quicker way to see a change in my organization than it is to start enforcing policy. Now, please hear me. I don't mean, you know, we've had kind of a lax environment. All of a sudden, I'm gonna, you know, hide behind a post and jump out and get you. If you're doing something wrong,
you know, we need to come in. We need to address the fact that,
you know, it's been brought to our attention that there's been somewhat of a lax enforcement policy and effective today, effective tomorrow. You know, people have to know ahead of time. You can't just pull out a policy and decide to enforce it. One day when you haven't in the past, but with proper notice,
there's gonna be a change in how we're doing things.
Policies will be enforced. Please check the employee manual to understand compliance versus non compliance in the repercussions. Right. We got those policies that air in writing. We have to enforce them
all right, identifying our assets. We've got to start with figuring out what we're protecting because what we're protecting is going to drive how we protect it. So if we're protecting health care, information, financial information, we have higher value data. So we need to know that
in order to drive how we configure our I SMS
Alright, we gotta consider continuous improvement, you know, at some point in time work out of where we want to be. Now let's get better. Let's find those ways to continually move forward and provide better service.
We want confidence with our internal employees and with our external stakeholders are vendors are stockholders, our customers. We want them to have confidence. And I'm not saying that being certified is the be all and end all. Just like you guys know because I have a certification or some letters by my name.
It doesn't mean that I'm the most knowledgeable person, or even that I'm knowledgeable it all. However,
when you have a well respected certification as a business, as an organization or as an individual, that does speak to my knowledge of best practices, my commitment to adhering the best practices in adhering to a standard so yeah, being certified is very helpful.
Now. I so 27,002
currently has 15 elements of its code of practice that may have increased. That may actually have increased to 16 or 17. You know the bottom line and you don't need to memorize thes by any stretch. But like I said, where is so? 27,001 is ultimately what you want to accomplish.
Here's where you come to the best practices
and where you begin to implement
or get instruction on how to implement. So we've got information on how to manage our assets, how to manage physical security and HR security access control. And these really are the significant elements of,
Ah, an information security management system. Actually, you know what? I think that this structure has 12. A total of 12 the only to scope terms and definitions. The 1st 3 are just preliminary information. I do think that it currently has 12 domains, if you will, for their code of practice.
All right, um, now
I so 27,001 certified. It goes across industries. It's a respected certification when, which means I adhere to the framework
that supports an information security management system, and I have found a methodology that will help me accomplish that goal. That methodology might be 27,002. It might be I till it might be other standards, but ultimately
I am accomplishing theater here. It's too uninjured, nationally recognized standard.
Okay, all right now, The next the next element or the next framework that we would look at is the C M M I. A and the C M M I skins for capability, maturity model, integrated capability, maturity model integrated. And this comes to us from Carnegie Mellon,
specifically the Software Engineering Institute.
And, um, it is geared towards system security engineering.
Um, you could call it, um you could also expand that to software engineering and software development
and the whole premise of this and it really is a good premise. And it's essentially show me a good process and you'll produce a good product
so the focus isn't on. You know, if you're developing software, I don't want to read two million lines of code. I'm not is concerned about your code. Show me how your projects are managed to produce that code, and that'll let me know if you're producing good code. If that makes sense, show me
what your processes are. Show me how code is planned.
Show me how functional requirements are determined how security requirements are integrated to the system design. Show me where you include, um,
in the baseline security requirements. Show me how you test your product, Show me how you handled. Changes your change management strategy. Right? So show me. And not just that. But show me how you manage this as a project. Show me your repeatable
processes. Show me your defined documents.
Show me the processes that you use that you adhere to in order to accomplish your goals. So, you know, in one of the things that probably goes without saying is there has to be a business driver in order for me to determine to become compliant with one of these frameworks.
because often they cost money. They take time, they introduce a lot of overhead to the organization. You know, we're gonna wind up if anybody's ever been like ice. 0 9000 compliant or cmm I compliant or 27,001 compliant.
You know, when you go from not compliant to compliant,
you're going to see a lot of things change very drastically. I remember with the ice 0 9000 It was document if you had to find one word for I. So 9000 documents
and we used to say, Do what you dio document what you do. Do what you document documented any variance. I suggest very documentation heavy, and we're gonna put a lot of processes in place. But the idea behind that is these processes are tried and true.
They're structured,
they are universal throughout our organization. And they provide standardization. They provide stability. We have that understanding and that capability of
having a universal format across our departments. If I as the project manager, or I mean, you know, this really is in relation to project management. FIEs, the project manager. I am no longer able, you know, Maybe I have, ah, family emergency and I have to leave my project for six weeks.
Matt can step in right behind me
and pick up going because you know and hit the ground running because he knows the documents that I have in place. He knows the mechanisms that we use he knows are standard procedures. So this speaks to customers by saying that we're seeing in my level three or whatever because it says that we have methodology.
Methodical process is in place now. This tends to be for the software development units of an organization. You don't generally talk about an entire agency being seem em. I rated this that or the other. But,
um, usually, you know, if if I'm, you know, system. And if I'm in,
I'm gonna get coffee. Since my mouth doesn't seem to work,
you don't generally see agencies see him in my circle
certified. But you see departments that are involved in engineering systems engineering software engineering,
Um, one of the main driver, certainly here in the D. C area is that if you want to sell, if you want your software to go into a government environment, you need at least a level three. That's not even for a classified environment. So if I want to sell product to the government, I have to be certified.
You know it might be certified per the common criteria might be certified
through Some other avenue might be certified through CMM I, but ultimately there's some sort of business driver that's moving me this direction. Now the capability maturity model has five. Level zero really isn't a level it all. It's just not even
we don't have control processes in place.
So I really think of this is from 1 to 5,
and you can remember phrase. I really don't mind oranges.
I really don't mind oranges. I r D m o initial repeatable, defined, managed optimized.
And those are the five steps. Now, as the numbers increase, you have much more. You have more maturity in your processes.
So with level one, which is thean initiating process were very informal organization. We don't have security integrated securities, usually an afterthought. We don't have a backup plan, you know, phrases that are often associated with level one chaotic.
So I can assure you nobody is shooting for a Level one. You know, nobody's like Whoa were chaotic, right? But many organizations come into the game at Level one, a chaotic environment. Other terms would be heroic efforts,
meaning I might meet the requirements of the project.
But this is the type of environment where it's not unusual for me to have somebody working 13 14 hour days here. A the end to meet those deadlines so we don't have a formally defined set of controls. This really isn't a control environment. We're making it up as we go along,
not where we want to be,
and certainly an organization that manages projects in developed software in such an informal manner. I'm not looking to buy their product,
All right, level to planned in tracked. So at this level, we are starting toe work in the realm of project management. Were not really where we want to be yet. But we're starting to talk in terms of the budget, the scope of work, the schedule.
And we have an understanding of how those three elements relate to each other.
We understand that we have to address risks in project management. We plan ahead of time. You know, it's not just this ad hoc environment. We plan our performance. We have, um,
expectations of performance. That's repeatable, meaning that will manage projects a certain way again and again. We're not
where we wanna be, but we're getting there. This would be, um,
an organization that really does start to value project management. We start with defining the project than we plan the project than we do the projects that we're starting to see some of these more formalized steps. But most organizations, as I mentioned, are really looking to get to Level three
defined well defined
set of processes, procedures, documents, templates, and we have standard implements, a implementation. We have a standard engineering process across the organization. We have a competent and well trained staff audits, air performed
and audits air used in order to track performance and then as a springboard to improve performance. Um, we measure against the processes, so we have expectations metrics in place, and we measure to determine Are we meeting our objectives?
So a lot of processes come into,
um, getting Level three certified. Many organizations stop here because that's what their clients require. And with each level we increase. It takes time. It costs money. It increases overhead to the business. So I really have to be able to justify it as I go further.
All right, quantitatively controlled. Now It's interesting if you go back across the slides and look at this. This is the first level that addresses quality. Now,
that doesn't mean this is the first time we care about quality or the first time that we work towards quality. But this level were very quantitative in relation to our quality metrics,
setting up the process in place to meet quality requirements to measure for quality requirements. We have a change control plans in case plan in case we're not meeting our quality requirements and we have a very quantitative understanding of how a change in process effects a change in quality.
So we're really getting
into the focus on quality,
but all the way up the top, this level was sometimes referred to as caisson K a i Z e n and its continuous improvement at the optimized level, continuous improvement. And that term kaizen was is a Japanese term in origin. And, uh,
ah took some of the principles of continuous process improvement and brought it into the American automobile industry from the Japanese automobile industry. So it's a philosophy. It's a way of looking at,
um every project is an opportunity to improve, right. We want to get a higher return on investment. We want to meet our metrics with less effort, right? We want to become more efficient. We wanna have the capability to implement new technology and new strategies
that will help us perform better.
All right, so that's what the C M m IES all about. And it comes to us again from the software engineering institute, um,
again, all the frameworks that we're going over, I do believe or testable. So, um, cmm eyes definitely one of those things you want to know tends to be geared towards software development. Now, one of the things that I'll tell you about these frameworks
and, you know, some of these air framework Some of these are best practices and strategies, and so on. Generally, what these air used for
is for Gap analysis. Um,
so when I become involved in governance with an organization I'm hired for, a company is there, says Oh, or their chief security officer or information office or whatever that is. And I'm brought into an organization at the governance level.
It's rare that I walk into a vacuum, right. I don't just walk in, and there no policies in place. There's no strategy or procedures. There's absolutely a structure.
So what I have to do when I come in this figure out if that structure is what we need,
So I have to understand the business. I meet with the other chief officers. I understand the context of the business, the objectives, the strategies of the business, and then
in that context, I look at the controls that we have in place. What am I protecting? What's it worth?
What are the threats
what are the controls we have in place to mitigate those threats? And then what are the leftover vulnerabilities? What's the residual risk? And based on that, that gives me my current state. Here's where I am
well, current states. One thing, but where I wanna be is the desired state I want to be. See him in my level three compliant
or whatever.
So the Gap Analysis says, Here's where I am current state. Here's where I want to be.
Let's figure out how we're gonna close that gap. So certainly in the CMM I were provided with guidance on how to go from Maybe are level one chaotic environment to a Level three a defined environment.
All right, Now, um, when we look at CMM, I we said software and from the Software Engineering Institute, we're gonna look at Kobe, it next
and cope. It stands for control objectives, for I t. And we're currently on co bit five.
So what? We're looking to control objectives for i t. That's exactly what Kobe it is about is let's figure out what the objectives are for our I t controls. What are we trying to accomplish? How do we know when we get there. So
the philosophy is
that our objectives should always be traceable back to an enterprise objective.
If what I'm doing, an I t. Doesn't somehow support or enhance the business than it's a waste of time.
So everything that we do should feed back into the business. Well, how do we make that work? Well, we look at our enterprise objectives and map them all the way down to specific actions within the I T department. And if it doesn't have that support, then there's no purpose doing it.
So what we're trying to do with Kobe it and again, I think I mentioned that it comes from my sacha. So anything that comes from the same company, same organization rather that puts out the exam, you know, is gonna be tested. So ultimately, what we have here is we're looking for a way
to balance the costs and benefits. It all comes back to value delivery,
our resource usage, and we're focusing on those elements that have the greatest impact on the business.
It's a generic framework. It's not specific for one industry or another, and it's made up of five main principles 34 processes again. The granularity of these frameworks on the exam,
they're not really nit picky. What's the 17th process of code? You don't need that.
But an overview of it, which is exactly how have presented in the slides, I think is, is more than sufficient for what you need.
All right, So what are the five principles of cope it? What are our control objectives for? I t What's that going to give me? What's it all about?
All right. So principle number one, we got to meet the needs of our stakeholders. And again, not all stakeholders are created equally, and not all stakeholders are going to have their needs met. You know, you can't please everybody all the time.
what can you do? Well, we have to have a way of identifying stakeholders, prioritizing stakeholders, documenting their needs, taking those needs to requirements, evaluate them, have pre defined means to determine how we
figure out the objectives of the organization.
Okay, so, um, meeting stakeholders needs is part of what the business does deliver value to our shareholders. And it looks like I just saw a question. Let me take a look at this. Um student asked in Gap analysis. Do you rate each control on a business function based on
iron D M O.
And so initiating repeated defined, managed Not too much. So I'm not 100% sure that I've got the context of your question. But let me answer what I think you're asking. So at each level, there are defined set of processes and controls that have to be put in place.
So with gap analysis, I look at where we are.
I figure out, you know, are we for you know, I decide that we've had this environment. Now I'm gonna move and expand my horizons. I want customer recommend, uh, recognition to the certifications. I want to get confidence. I decide that I want to be see him in my level three.
All right, so the Gap analysis piece is
I've collected information. I've done my due diligence. I see where we are is an organization. Then I have an auditor come in, that really doesn't just it's really not just an auditor. I have someone come in that helps me make the transition from where I am now to meeting the requirements
off the level that I want to be certified to,
so it's ultimately it's not an analysis uncontrolled by control, but at each level I have a certain degree of control that has to be put in place. We're getting more and more formalized at each level.
So with Gap analysis, I can take a look at what's required of level three and I can say, OK, we've gotta have these defined processes were all using the same template for a project charter were all approaching project management in this way.
So now I've got to figure out what we gotta do from this unstructured environment
to a very well defined environment. And let me know if that answers your question. Sometimes the shorthand gets lost between the student in our moderator and the moderator and me. So if I ever answer question and don't really provide you what you were looking for,
just jump back in and say, Well, what I really meant was this.
So I think that's what we were asking there.
All right, so the five Principles as an organization, we exist to meet the needs of our stakeholders.
Okay, Onda, we have four additional principles, but
here's the suspense. I'm building towards a dramatic conclusion. So we were talking about some of the frameworks that are very commonly used in an enterprise to govern enterprise governance.
Ah, we looked at eso 27,000. We looked at CMM I and we just gotten into cope it control objectives for i t. And so the idea here is like we've said to provide this framework so that the enterprise
accomplishes their objectives
through the value of what I t delivers. Thanks. So we talked about the five principles. We only looked at the first, which was meeting stakeholder needs. Wow, that is some really tiny font. And I bet
that the next time I used the slide that fought will be larger, but ultimately, this is just a highlight. Just the review of what we've said is really
ultimately making sure that the integration of I t
into the business delivers the value. And I'm guessing you're hearing that is a trend, right? Value, value value. Now, if you're like I am and I've you know, I've spent my career in I t. Of course there's a value for I t. Yeah, well,
the thing is, is that many organizations haven't historically known that
you know when when you look at some of the breaches that we've seen, you know, these breaches from banks or hotels or retail facilities or international hardware suppliers?
You know, what we're seeing is this comes from these air leftovers from an environment where
organizations want to focus on the business, and I t is an afterthought. I don't know that I mentioned this to you guys before. I think I told this to another class. But there was an organization that, um, very large, hard hardware retailer
that had paid vulnerability assessors to come in and evaluate the security of their environment.
Now they did that because they were required to do so. Ah, based on the type of information, the financial information they had to be compliant with, BC idea says. And I'm sure there were other areas compliance they needed to meet. So they had to conduct vulnerability assessments, and it had to be from 1/3 party.
So ultimately what happened is the vulnerability assessors
came in and essentially said, you know, here the vulnerabilities that we find here are the problems, and one of the senior executives that was in that meeting essentially said, Look,
we just want to sell hammers. We want to sell more hammers to more people. We want to sell hammers and profit.
We want to do what we do,
and that is just a pure and very clear example of the traditional
focus on I t. It's a necessary evil. And I tell you, that term really grates on my nerves, and I've heard it more than once. I t is a necessary evil. Well, see what happens to the organization without I t.
You know you can exist in this environment. Today we are all technology driven
when it works, it's great. And when it doesn't, it's terrible. So
we've got to stop looking at the I t. As a separate business within the organization.
All right, so our first principle waas
work with your stakeholders, meet your stakeholder needs. Now we have all sorts of stakeholders. A stakeholder really is any entity that's affected or impacted by our business by our enterprise.
So of course we have internal stakeholders. We have our senior leaders, we have our employees,
we have managers. We have, you know, in all sorts of different managers. We have audit. We have a ton of internal stakeholders.
when we're looking at meeting their needs, what are their needs? Well, you know, most people want to know what's in it for me. How does this help me? I see where I am now. Tell me how what you provide makes my life easier. So as part of our stakeholder strategy,
you know, not just listing our stakeholders, but finding out,
you know, how do we make, uh, how do we make their lives easier? How is automating some of these processes protected so that not just they get the ease of use, but they also get confidence in the manipulation of their information?
Um, how does this make me more viable to customers?
And then, of course, we have external stakeholders as well. We had vendors. We have business partners, customers, clients, shareholders. So, again, what's in it for them?
So can we
uda's our stock increase or does it decrease? Shareholders really want to know that That's really important. Do I have a retirement fund or don't I on? We don't want that vary from day to day
customers. Do they trust us with their information with their credit card numbers with their personal information. They want to be able to do so. Can I give them the assurance that that's valid? So ultimately, what we have is we have value for those stakeholders.
That's one that is the first principle of cope. It
deliver value and another way to say value is benefits benefit delivery.
Now, after, um and And let me just mention when we talk about benefit it not always being dollars, but we want quality.
We want to deliver what we say we're going to deliver. We want our product to meet the requirements of the customer. And ultimately, we want our stakeholders to be satisfied with the quality of the product that we produce.
All right, so value creation stakeholder needs. Of course, we're gonna look at what those needs are and find a way to deliver that value. And ultimately, you know, we'll see that through them, realizing the benefits,
optimizing the risk optimization and really
cost benefit analysis and then resource optimization as well.
Uh, let me get back. I got ahead of myself here. Okay? So
when we look at the Cascade goal,
the the goals cascade Rather, this is what Kobe it's known for.
Okay, so the idea is we spend a minute talking about stakeholders who my stakeholders are and what their needs will. Stakeholder. Um, you know, stakeholders needs are driven by drivers.
Hence the name driven by drivers. And what I mean by that is
what my employees need. There's some sort of external influence, you know. Employees need job security. They need ah consistent salary. They need salary commensurate with the work that they do. Our managers need to fill.
Ah, they need those same
things for salary. But they also want to feel like they're making a difference in our environment. They want an opportunity to grow. So these are things that drive what my stakeholders want to see,
you know, internal or external.
Those needs then become
requirements for the enterprise or goals for the enterprise. So stakeholders have drivers that give them needs. Those stakeholder needs become the basis for the goals of the enterprise.
The enterprise goals need to map down toe I t related goals
A. And then the I T related goals cascade to what we refer to as enabler goals. So, you know, this is just very high level. There's a much more detailed set of processes on how this works, but ultimately it should make sense.
Stakeholder needs become the goals of the enterprise. Goals of the enterprise
should be mapped toe i t goals. I t goals should be mapped to specific controls or mechanisms that we put in place in order to accomplish the goals. So just this visually, you know, seeing the stakeholder drivers give the needs stakeholder needs, you know,
maximize cost benefit. Give me the benefit that I want. Let's make sure resource is air used wisely. Let's make sure we deal with risks. My goals toe I t to enablers.
All right. Ah, we've already kind of talked about the idea that stakeholders have drivers that use their needs or that influence their needs New technology, compliance with laws, um, opening in the market. You know the need to
increase market share, increase brand recognition for our external stakeholders, or insert internal stakeholders
All right, which become enterprise goals.
And ultimately, these goals should be fairly genetic. A generic like, uh, not too specific weaken gettinto objectives that are more specific. But we want those broad goals we want to see Ah, market share increase.
Ah, within the next year.
You know, maybe a little more specific than that. But it's still very broad. And what we're gonna do is we're going to determine, um,
we want to be able to figure out if we're on track for meeting those goals were gonna be able to assess our organization and kind of figure out how this works.
So one of the things that will use and we're gonna look at 17 generic goals of the Enterprise in a minute. But one of the things that we can use to kind of assess our progress
is something called the Balanced Scorecard.
So when I look at my program as a whole, there are, you know, the score cards going to say, Let's look at what we're doing from four different perspectives.
So the first perspective is from a financial perspective that generally tends to be the one that people go to immediately from a financial perspective. Where do we stand? Are we doing well or we generating revenue? Are we generating more revenue than our expenses? Are we making more than we're spending?
What about compliance? Are we spending money because we're not in compliance with quality standards. Are we doing rework? Do we have warranty work? Are we paying fines and liabilities?
Then we think about where we stand from a customer perspective. How to customer. See us. Are we in compliance to customers? Have confidence in us. Do we generate goodwill in our community? You know
our program. If we're not saying yes to these questions, then we need to go back and figure out where a program is lacking.
All right, then, internal processes.
Are we efficient?
Are we doing what we want to be doing? Are we accomplishing the goals? Are we doing so efficiently? Are we, um, maintaining compliance? Are we doing it well?
So how are we performing internally? And we can look at things like, you know, number of compromises, incident response time, times to restoration. Right? But where do we stand?
And then last but not least, learning and growth. We want to make sure that ultimately, users understand users were given the opportunity to grow and learn, and that the growth and learning of our internal users leads to a better security posture.
Right? So if we're assessing our security program,
our organizational program. These are some perspectives that we need to consider.
Okay, now the Kobe It five goals
that looks very, very familiar, right? And we said 17 generic goals. So we want to deliver stakeholder value. We want a portfolio of products that are competitive. We want continuity. You see how generic thes are just very, very broad.
Now, as we move forward,
what we'll see is CO but then takes thes 17 generic strategies and is going to bring this end to the relationship off our stakeholders,
um, or our asset control, or are risk management. And so ultimately, what you'll see is you'll see the elements of, um,
of how we're gonna map these. And so if alignment of business strategies is my responsibility or is my focus, then we know that's going to impact our stakeholders, and it's gonna infect price effect, prioritization and so on. So,
yeah, basically, um,
this little chart is going to kind of give us those tangible elements on what we need to do.
All right, enablers. So we said, ultimately we need enablers. Well, in order to accomplish these objectives while in a blurs or the things that make it work,
right? How does this all come together and wind up working out? Well, enablers, principles, policies, frameworks. This is the direct result of governance, right? Take this desired behavior and
create guidance. Build my policies, build my procedures in my standards around
what we want. What is the desired behaviour? And again we enforce those policies. We also have processes and these tend to be more detailed oriented procedures processes. So specific processes that we put in place
more specific, more detailed than just policy organizational structure. We have clearly defined roles and responsibilities within my organization. The decision making in these air clearly identified,
um, the authority of those entities has identified We have the supporting structure
to move towards a stronger framework.
Culture. Ethics behavior
comes from the top
culture influences our ethics, ethics, influence, our behavior,
information, communications. Do we have
open and honest, transparent communications between our employee, so Oh, my goodness. Excuse me.
Apparently there's not going to be another sneeze, but I thought there might. I was holding off. I thought I could find it, but I couldn't. All right, So information and then services, infrastructure applications. That's what a lot of us in the I t you know that come from technical or really, most focus on.
Do we have that infrastructure in place? Is it supported appropriately? Is it funded?
And then last? We've got people skills and competencies. Do we have the right people with the right skills for the right jobs, the right responsibilities. So those are our enablers with Kobe,
So I'm just going to kind of go right back to
thought I was gonna go right back.
Ah, let's go right back to
just again, remembering that we have stakeholder needs come down to enterprise goals, enterprise goals come down to I t goals. And then those i t goals come down to enabler goals. So when we talk about those enablers,
our I t goals were gonna be satisfied. You can think of the enablers is ways that we satisfy the objectives of i t we implement principles or processes. We put the structure in place, the culture and so on. So that's ultimately co bit.
Excuse me
again. I don't think you need to go brutally deep into it, but I do think you have a good understanding
of an overview level.
Okay? a few other frameworks that we need to talk about thou I t.
So it's based on the idea that
or what it stands for is value i t.
And it's kind of based on the idea that
within an organization
we know we need technology.
The business should ultimately be responsible for
the information technology
element of a business. And in what I mean by that is
the business needs to take some ownership with
still not saying that. Great. I'm trying to think how I want to say it,
that ultimately the i t department serves the business,
and that's how it should work. So the business has accountability in supporting the I t department,
right? An I T department that serving the business ultimately has to provide value. But sometimes that value is hard to trace, right? I mean,
if I were to ask you when you are most aware of the i T department,
wouldn't you say when things go wrong?
And so what happens is many times we look at the problems and we look at the issues and then we take for granted when things were running smoothly, you know, the best I t we never talk about because we never have reason to talk about it. So it's often not clear the value that I t brings to the organization.
Sometimes it's difficult to map,
So the idea behind value I t. Is making sure that we have well defined, demonstrably, all value and that we can actually track it to justify because if where we have these expenditures for i t. But we can't link that to a value
Well, then, it appears to our shareholders has wasted money. We don't understand the value.
excuse me,
I'm coming down with a cold. Every single person in my family has had this cold, and I'm like, last person standing. And so I'm walking around while they're all sniffling drinking chicken soup. And I'm like, See you guys, I'm going out to look at the Christmas lights. Hope you feel better, and it's like all of a sudden I've got that tickle in my throat. I know what's coming,
so it anywhere
value I t. And really moving towards any of thes frameworks usually is driven by what we call pain points. Something's happening that were uncomfortable with, you know, as a general rule. We don't make changes unless there's pain involved. And that's
enterprise. And that's personally something has to motivate us to change.
So we may find that we can't deliver the technical capabilities from the I T department that we would expect to be able to. We're not providing the degree of redundancy or availability. We may not be able to restore critical operations as quickly as we need to, so something isn't working.
The i t.
We're talking about it, right, because we talk about them when they're not meeting our expectations.
is no understanding of I t. Expenditures, no understanding of what the I T department even does. We had 30 people working downstairs in the basement. What did they do?
What are the purpose of these I t driven projects that we keep having to fund what's going on? We don't really see the value of what they deliver
business just abdicating responsibilities.
You know what, Let I t deal with security. We've got to do what we want to do. We're here to perform a specific function. This kind of you know, just goes back to the idea of somebody else's problem and remember we've talked about with governance. We want
an integrated control and in a get graded philosophy and integrated were
approach to risk management. We don't ever want one department saying it's on them right. This should be an equal and shared responsibility. And really, when it comes down to it, whose ultimate responsibility is the security of information?
Well, it's the owners of the information, right? So it's the business owners. They're the ones that have the final say in the choices, and they have the ultimate responsibility. So we can't be an environment where business says I just wash my hands of this
something that happens all the time. Gaps between I t and the business
then questioning the value of I t again. You know, what do we pay them for? I don't even see that
or another thing that happens a lot is a major investment failure.
We spend a lot of money on a new firewall or data loss prevention system or some new security technology or mechanism, and it fails and we suffer a major breach despite the fact that we have all this money output in relation to security and we still have a breach.
We have an investment failure.
So these are the elements that drive us to move towards thes frameworks right where there's always a pain point.
with Val I t.
we want to be able to make the value that I t delivers more tangible mawr empirical. We want to be able to provide information that says, Here's what we do And here's how that impacts the business. So thou I t provides us a structure and a framework
so that we can examine our I t related investments and determine what their impact is. And Matt that to the business. OK,
excuse me, I'm gonna have to break open the Diet Coke.
I wasn't going to do this, but
I've got something going on here.
All right, So
it's one of those things in my head. I'm pleading. Just let me make it 10 more minutes. So the seven principles of Val I t.
Our I t investments should be managed as a portfolio of investments. We need to be able to look at these investments as we would other business investments, and we need to manage them accordingly.
We will talk about the full scope of activities that these investments provide to the business will make sure that they're managed throughout the full economic life cycle. So, for instance, we've got to think about total cost of ownership.
Um, it may feel very good to go from capital expenditures, the operational expenditures. But what if those operational expenditures wind up being significantly larger than the initial investment? You know, think about moving to the cloud in the investment that it takes to transfer operations to the cloud.
And we certainly see value in that. And when you ask people wide to my great almost everybody will say it saves money. We do it because of cost. But if you don't examine that migration and that new structure across the duration across the full life cycle, if you will,
then we may not be getting the value that we anticipate
keep in mind values and always dollars.
Okay, um, delivery, uh, practices. What type of value we anticipate delivering is going to determine what we monitor. Right. But we have to monitor our our I T investments,
our controls providing the value. Well, what does that mean? Why did we implement it in the first place
and How do we know if it is meeting those objectives?
Accountability within the organization. You know, in a organization you go into, there's a lot of fat that could be tripped. You know, there are a lot of things that are happening because it's the way we've always done it. They're not happening because they're the most efficient or effective. It's just that we've done it this way,
right? You see
departments. One of things that I find is I am really busy the last portion of the fiscal year because there are a lot of agencies that have certain money allotted for training, and if they don't use it, they'll lose it. So let's hurry up and train everybody on underwater basket weaving
right? That's not really recognizing the value.
So it catching some accountability to what we're spending, how we're working. Are we making the good decisions
that bring the business benefits
and then our value delivery practices must be monitored, evaluated and continuously improved. So this is just another framework and what you'll see is all of these frameworks air working towards the same goals. We want more value,
and especially for those of us in I t that air seeing so many I t jobs being outsourced because of migrations to the cloud.
Once we're able to deliver a higher value,
then we're gonna be marketable wherever we go.
So we want to make sure that we as individuals and we as an I t department, we as an agency and it is an enterprise are delivering value to our customers.
All right, Val, I t essentially breaks this down into three major processes value governance, portfolio management and investment management.
So what we see is with value governance, making sure that we have committed leadership is leadership really on board?
Do they really get it that they get the significance? Are we on board to really take our i t and bring it into the next level and to really make sure that we're tied and were well defined
portfolio management again, our investments are gonna be managed as a portfolio as opposed to just individual expenditures. We want to make sure that we have control over what projects we fund.
What type of investments are we willing to make? What's our return,
and then our investment management, you know, again, kind of along the same lines. We want to make sure that and our investments are supporting the You know, that we have the appropriate business cases that were planned, that we're providing protection and value throughout the life cycle.
Just exactly what we've been talking about in this section.
All right, And then last but not least, I til I t service library.
And so ultimately, with I till you know, the easy terminology for I till is service management. I t service management. So ultimately, the ideas every organization produces services or products, some sort of results. So for every product,
every service that we deliver,
we have to have managed delivery. We have to provide support
from inception all the way to the retirement.
So the way we get that is by, uh, monitoring and structuring people processes technology have already talked about kind of that trio of people,
technology and processes. People use processes to access our technology, so ultimately, we have five, uh, main stages
the strategy, the design transition operation, and then continual approval improvement. And then, ultimately, each one of thes domains. If you will have certain services associated with him and well, actually, I'm gonna skip over. I think I'm gonna skip over, um,
and just kind of show you the mapping. So when we talk about our I t service strategy,
we're thinking Broad. Were thinking big picture were thinking Not in term of projects, but in term of portfolios, right, Our strategic operations down the line.
Then how do we design it? What service level are we trying to provide? Do we have scale ability to We have continuity of the organization.
Then we moved to transition. How are we handling changes in the project? How do we transition this service over to the customer? What sort of testing do we go through before that? Transition
service operations. So the day today, How do we deal with incidents that come up? How do we do with, um, problem management, incident response. How do we deal with issues that come up failures, redundancy issues and so on?
And then the last piece. Continual service improvement,
always working towards improving. Now there are some terms with I t. And with I till and just the idea about services, what we deliver
the management of those services maximizing the value, um, utility and warranty utility is the purpose, making sure the product or service performs the function it was supposed to, where his warranty doesn't do so reliably.
And then we have processes that are sets of activities.
Okay, so, somehow coughing and sniffling as it may be, we have made it through the second session of siege it. And, uh, just to do a quick review and just make sure we've taken away what we wanted to take away
ask you a few questions. And, um,
first question I would ask you would be What do we mean by Gap analysis? How would you define a gap analysis and its purpose?
So if you think about that term, how would you define a gap analysis so we can define that kind of easily by saying we're analyzing the current state versus the desired site state and figuring out how to transfer from current state to desire to stay
So what would be some tools or a tool specifically, we could use for gap analysis in the software development world.
Only think about software development and we think about gap analysis. We want the CMM I to come to our mind capability, maturity model, integrated
and If you'll recall the five levels of CMM I I really don't mind oranges. I r d m o initiating, repeatable, defined, managed and optimized and working towards that more mature project management process.
We also talked about, um s 0 27,001 didn't excuse me as being the most common framework. That's a new security standard for establishing an eye SMS.
We talked a little bit about Kobe it and we said, Kobe, it comes to us from I t from my Sacha.
And if you'll remember, it's all about mapping enterprise goals all the way down to I t. Objectives were enablers. So taking with the organization needs overall and then figuring out how we can practically implement that. Remember, Kobe, it has five principles,
and you'll see we really focused on the stakeholder needs because that's the objectives piece.
But this idea of covering the enterprise from end to end comprehensive, the entire enterprise is covered by cope. It were working together
that single integrated framework so that even if we're managing projects based on the PM I standard that fits nicely into Copan, the holistic approach is we are inherently working towards security and value delivery.
And this fifth principle separate governance from management. You have governance that determines what we're doing. Management figures out how
and then that led us to the end, where we mentioned Vow. I t talking about being able to document map out the value that I t actually brings,
and that's a role of I t. Governance is being able to justify what we're doing. You know, we're not just an understanding that that's not always easy to do. And then I till again, I t service management managing I t. As a service to our customers.
All right, so for some reason, I'm having ah, scrolling issues there. But ultimately, that leads us to the end of the section for today.
Really appreciate you spending your day your afternoon with me, talking about I t governance. And I wanna let you know that tomorrow, which is Friday,
I'm gonna be around, sort of, ah, accessible. For those of you that might have questions I have sort of on ask Kelly anything. Session at 8 30 and then another one at 2 p.m. So if you'd like to stop by and ask questions, you certainly can,
um someone I just noticed. I had a question about as in the state of what? Oh, okay. I see where you are. So when we say current state versus desired state,
usually what we're thinking about that is in terms of risk management and risk profile. What we're exposed to from a risk structure
are from a risk perspective, where we still vulnerable and where do we want to be? So if we have more residual risk than is acceptable to senior management, what is the level of acceptability to close that gap? Another context is just a operational functionality,
right? Or as in where we are with their customer base,
our customer base may find that, you know, as I mentioned with CMM, I some agencies can't do business with my organization unless we're CMM I certified. I can assure you your organization is not gonna have an instant transfer to being CMM. I compliant
if you haven't worked towards it. So we see where the company is and then where we want to be. And that's the Gap analysis piece. So what state? The state of what the state of whatever you want is gap analysis, but often when we talk about it in relation to I t governance, it's either
moving towards compliance with the regulation or standard
getting certified by ice so or some other in organization. Or we think that in terms of risk. And I hope that answers your question.
Um, if you have another question jump in if I don't get to answer it today, like I said, I'll be in the office tomorrow 8 30 also to, and I really, really, really want to ask you guys a favour. Sai Buri is working on
continuous improvement. Were in that phase of everything that we're doing we're looking at, and we're figuring out how to make it better
because we're delivering a lot of services to our customers, and we want to make sure that you guys were really getting the benefit. So every course when you access you'll have access to
an online survey doesn't take very long. We just need a little information from you. But what we're looking to figure out is, what is it that we're doing that you like? And what are some ways you feel like we can improve?
So if you just take a moment and complete that poor survey for us, it would help tremendously. You know, part of the reason that are part of the way we determine what courses we offer is whether or not it's meeting the needs of our students. So please take a minute and fill that out. It would really, really help.
All right, folks, Other than that, we're going to wrap it up and call it a day will meet again on Tuesday. Same time and channel.
I wish you a happy weekend. I look forward to seeing you next week. Take care.
Up Next