Time
2 hours 3 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

This lesson discusses decoding the strategy for IT. Basically, for each department that generates revenue for a company, we must know their responsibilities. This lesson also discusses three types of policies:
- Advisory
- Regulatory
- Informational
This unit also discusses project and program management along with project and quality control management models, IT strategies and sourcing methods.

Video Transcription

00:04
All right, so let's talk now about how we decode strategy for IT.
00:09
Lots of things to think about here.
00:12
One of those top priorities is having a step by step workflow.
00:17
This means that for each area of the organization that generates some kind of revenue, we should know
00:24
step by step,
00:25
how that happens
00:27
and who's involved, what their tasks are, what their responsibilities are
00:34
as relates to that work. So we need to think about where the risks are
00:38
in each of those steps
00:41
could be that certain areas of the workflow are problematic
00:46
because you're dealing with some sensitive information. Or maybe there are some time delays and different things, so there's some risk associated with that that needs to be understood. Any kind of triggers for events need to be understood and documented.
01:00
So if an
01:03
unforeseen event happens,
01:06
how does that affect the chief strategy?
01:08
Or maybe you've got another perspective where you're thinking, well, we've got a regular review or regular audit, regular self-assessment,
01:17
and now we have to understand that kind of an event, a scheduled event, and how it relates to
01:23
strategy for IT. If events do happen and we have to deal with them, we should think about contingencies.
01:30
What do you do
01:33
if your primary source of information, your primary mechanism for achieving your workflow, goes away,
01:40
especially if you've got third parties involved? That's an extra level of risk to consider.
01:48
And ultimately, if you can do this step by step analysis, it might be possible to find areas where improvements can be made
01:55
or some optimization
01:57
or more efficient way of doing things could be uncovered just by doing the analysis
02:02
of the workflows themselves. There are different ways to fund your IT strategy.
02:07
The typical way that a lot of organizations do this is sharing the cost.
02:13
So this is a great way to
02:15
make things a little bit simpler.
02:19
And that way, everyone that's part of the organization gets some benefit from
02:24
the expenditure of resources for IT.
02:29
They all just sort of get their piece of the pie, so to speak.
02:34
Other organizations might use a charge back mechanism.
02:37
I've seen this in several places that I've worked where you've got
02:40
maybe a systems engineering or network engineering group
02:46
that fields requests from other areas of the organization: we need a new firewall set up, we need a new system built to house our applications.
02:55
So one organization does the work, and they come up with a mechanism
03:00
to place a value on that, you know,
03:04
some billing unit, whatever it is, and they charge the other business unit for that time.
03:08
So the money's moving around within the organization, from one budget to another.
03:14
One last option that you might see is where the sponsor
03:17
pays the bills.
03:20
And this is another effective way to do this because now you're
03:25
being more specific as far as who's paying for the effort,
03:30
having a tighter linkage to who benefits from the effort,
03:34
with the possible disadvantage
03:37
that people that are part of that organization or that division might benefit from some of this expenditure without actually having to
03:46
contribute any resources to make it happen.
03:50
So really, just understanding the three basic mechanisms here is the most important thing;
03:55
most likely, as an auditor, you're not going to be in a position to influence the choices of management one way or the other as far as the way they like to do things.
04:04
We have to consider different types of policies,
04:08
much like the policies and guidelines and standards that we talked about in the previous module. We have to think about the different levels of enforcement here,
04:17
so something that's an advisory policy
04:20
is just giving advice, right?
04:23
It's not
04:24
considered
04:27
a hard requirement,
04:29
but is more about
04:30
suggesting best practices or the best way to do things
04:35
in a given situation.
04:38
Regulatory policy, on the other hand, means that now we're dealing with laws.
04:43
And of course this is something that is mandatory
04:46
and cannot easily be avoided.
04:47
And the consequences should be well understood for not following a regulatory policy
04:54
and then the last one we have is informational policies.
04:58
So these are things that
05:00
help
05:01
users of services and products
05:04
or other people within the same organization actually
05:08
to do their job better. This is more information, more detail,
05:13
and that should be considered a helpful thing.
05:15
But again, not mandatory, not necessarily enforced,
05:19
And we have to think about program management.
05:24
So I mentioned the project management office earlier,
05:27
and this kind of relates to that in the sense that
05:30
we're trying to make sure that
05:33
all the different projects that are in progress
05:36
that are supporting business objectives
05:40
are being managed correctly.
05:42
This management would include things like budgeting, timeline, personnel resources, and so on.
05:50
So the project management or the program management effort
05:55
needs to keep tabs on all these details
05:58
to make sure the organization is doing what it's supposed to do in the time frame and budget that's been allocated.
06:05
So as long as an organization is in business, there will be some need for
06:11
management of its projects and programs.
06:14
There might be cases where certain things are actually
06:18
ceased or terminated, and now
06:21
the program management office would have to adjust its priorities accordingly.
06:28
So what are the kinds of things or programs that are going to be sustained for the long term? We have marketing,
06:33
HR, payroll, obviously all of your accounting and bookkeeping, the maintenance of your facility,
06:41
making sure that you've got compliance with all the laws and regulations. These are things that are always going to be
06:47
required as long as the organization is in business
06:50
And we have project management.
06:54
This is a way to deal with
06:56
the programs that the organization is involved in,
07:00
like trying to measure the risk, trying to manage it,
07:02
trying to understand
07:04
whether or not the resources that have been allocated are adequate
07:08
and are being properly
07:11
utilized.
07:12
We have different considerations. If you've got a capital project
07:16
that's dealing with the entire enterprise
07:19
versus something that's much smaller, that might just be for a particular team or some area or a
07:26
business division within the organization.
07:30
So some examples might be new product development,
07:33
updates to systems and software,
07:38
audits of individual systems
07:41
or even
07:42
individuals themselves. So the PMO, the Project Management Office,
07:46
tries to
07:48
keep track of all the projects,
07:50
maintains visibility to the people that need to know about them, basically stakeholders,
07:58
and as a project manager,
08:01
keeping tabs on all the individuals doing their various tasks
08:05
and trying to make sure that people meet their deadlines and their deliverables.
08:09
You might have a
08:11
PMO that works in a generic sense for the organization and says that
08:16
any new project that gets initiated
08:18
must get reviewed by the PMO to decide who will work on it, which subject matter experts are appropriate.
08:26
And there should be some agreement on
08:28
different aspects of how long the project should take and what kind of funding might be required.
08:35
We have a master project register for mature organizations.
08:39
That's sort of like another consideration of managing your portfolio.
08:45
If I've got 15 projects in progress,
08:48
I want to be able to look at the Master Project register and see all the details that are needed to understand
08:56
who's responsible for this project? When did it start? How much money is allocated? When is it expected to be completed? And so on.
09:03
So just some different models we can consider.
09:07
We have the PMI, the Project Management Institute,
09:11
so people that achieve
09:13
PMI certification would get that from this organization.
09:18
So these are projects that are unique or things that repeat,
09:22
and using the maturity model
09:24
of level zero through three
09:28
we know, and we'll see this in a little bit, that the Capability Maturity Model goes from 0 to 5.
09:33
They're just dealing with levels zero through three, typically,
09:37
so 42 process areas, looking at what the project manager does, how their methodologies and techniques
09:45
are used in order to further the goals of each individual project.
09:50
Then we have PRINCE2, otherwise known as P2.
09:54
This is a standard for the UK,
09:56
again for unique or repeating projects,
09:58
and targets the same Capability Maturity levels that the PMI does.
10:05
They have a slightly different makeup, with nine process areas instead of 42,
10:11
But with a focus on the methodology to try to achieve the goals of each
10:15
project owner,
10:18
Then we have total quality management, or TQM,
10:22
referring more to the quality management of each individual project. That's why it targets levels three through five of the capability maturity model.
10:31
So
10:33
this wouldn't be used until a project is in a more mature stage and you're trying to get to the point where you're refining and optimizing.
10:41
Then we've got Six Sigma, something that was created by Motorola to try to reduce defects.
10:48
For instance, 16,000
10:50
defects per 1,000,000 was reduced to 3.4 million, or 3.4 defects per 1,000,000.
10:56
That's Six Sigma, otherwise known as the five nines, so it's 99.999% perfect.
11:05
It's a very high standard to achieve, and Motorola did this when they were
11:09
developing their mobile phones
11:13
back in the days when they were the world leader in mobile phone production.
11:16
And then, lastly, we have the ISO 9001 series,
11:22
again related to quality control, just like Six Sigma and total quality management.
11:26
This is to say that we want to have repeatable quality control efforts
11:31
that deal with CMM three through five, just like
11:35
Six Sigma and total quality management do,
11:39
and it tries to incorporate all the ISO 9000 quality standards
11:45
in an international context. All right, so now let's talk about planning our IT strategy. How do we implement
11:54
the strategy? From a planning perspective,
11:58
the organization needs to consider
12:00
operational,
12:01
long-term, and strategic goals.
12:05
Or you could say short-term, mid-term and long-term goals, if you want to use different language for that.
12:11
So
12:11
if that's the
12:15
context that you're in, then when you're creating a new IT project,
12:20
it should be clearly identified whether this is a short term, mid term or long term project
12:26
That would affect the level of resources required to achieve
12:31
the completion of the project,
12:33
a long term project or a strategic project
12:37
would understandably take more time and money
12:41
and potentially
12:41
more people as well.
12:45
So having a plan for how the data will be managed and handled,
12:50
you know, the data that's being transmitted, processed and stored: where does that happen? How does it happen?
12:56
that should be well understood and documented accordingly.
13:01
There should be a plan for managing all the applications that the environment uses.
13:07
This not only includes money for purchasing
13:11
new software, but
13:13
how do you deal with managing all the licenses that are currently in existence?
13:16
How is that
13:18
resource going to be allocated
13:22
on a short term, midterm and long term basis? We have to have a plan for technology.
13:26
A lot of organizations do what's called a tech refresh,
13:30
so every 2 to 3 years, maybe everybody gets new laptops or you upgrade all of your servers, you upgrade your firewalls or your proxies.
13:37
These are things that organizations do in order to make sure that
13:41
they're always using
13:43
something that's state of the art or near state of the art,
13:46
as long as it's within the resources
13:50
that they've got available for spending on such items.
13:54
Then you have to think about the organisational plan.
13:56
So how does IT support the goals of the business? How does it align itself
14:03
with the business strategy to produce products and services
14:05
that can further the goals of the organization to attract new customers,
14:11
to continue to grow the business and increase revenues?
14:16
And you might also consider a facilities plan.
14:20
In this day and age, when more and more organizations are using managed services or cloud computing,
14:26
the facilities plan needs to take those kinds of things into account.
14:31
Are you going to
14:33
continue to host all of your servers within your own data center? Or are you going to outsource some of this?
14:39
There are tradeoffs, of course, to both scenarios. What about COBIT?
14:45
This is an ISACA-
14:48
developed standard, the Control Objectives for Information and Related Technology.
14:54
So this gives
14:56
a comprehensive way to deal
14:58
with the strategy formulation, monitoring your processes
15:03
and developing procedures to help an IT organization move forward.
15:09
Currently, COBIT is in its fourth revision or edition,
15:16
and of course, we'll talk a little bit more about this in some later sections as well.
15:20
So sourcing locations, what do we mean by a sourcing location?
15:24
This means we're thinking about whether a resource can be achieved from within the organization. So that's called insourcing
15:33
or in-house.
15:35
Or do we want to get some
15:37
product, service or other resource from outside the organization, and we call that outsourcing.
15:45
There are different advantages to both.
15:48
Typically, we're looking at operating costs
15:52
and labor costs when making these kinds of decisions.
15:58
If you move your production, the
16:03
creation of products, your factories
16:04
and any kind of labor like that,
16:07
a lot of organizations will move those things
16:10
to countries where the labor is cheaper,
16:12
like China, for instance. A lot of products are made in China because the costs of production are much lower there.
16:21
But of course there are some disadvantages.
16:23
If you move too many things
16:26
offshore or outsource, then you may lose control of some of your intellectual property,
16:32
or there may be quality control issues that don't get addressed in a timely fashion,
16:37
and now you're taking
16:41
shipments of products that have defects and they have to be reworked or sent back to the manufacturer.
16:48
So these are stories that probably everyone has seen in the news regarding, you know, the example I used in an earlier chapter where
16:57
children's toys were produced that contained lead paint.
17:00
So they had to be pulled from the market,
17:03
and the manufacturer lost a lot of money on that because they outsourced it to a Chinese company, perhaps, and
17:11
the Chinese company took shortcuts, and now there are problems because of that. So something to think about: the pros and cons here, saving money, but possibly other headaches later. What about services
17:22
that get fulfilled from remote locations?
17:26
One of the most common ways that we come in contact with this is when you call
17:32
tech support for a given company
17:33
and you get someone on the phone who doesn't appear to be an English speaker as a first language.
17:41
Maybe they speak okay English, but it's not their first language. So there might be some communication challenges,
17:48
again, cheaper labor,
17:51
but
17:52
potentially dissatisfied customers if they can't communicate very well
17:56
with the person on the other end of the line,
18:00
But other sources
18:02
rather, other services can also be outsourced. We can outsource accounting and bookkeeping,
18:07
data entry,
18:11
telephone support, which I already talked about,
18:14
doing your printing or software development
18:17
might be ideal things. Printing might be something that's a
18:22
lower risk choice, since there might be fewer things that can go wrong in that kind of a context.
18:27
Perhaps
18:29
so, be aware of the types of services that could be used and some of the pros and cons
18:36
of insourcing versus outsourcing.
18:38
So we can also, in addition to insourcing or outsourcing, have what's called a hybrid,
18:45
where you do some things in-house and have some things
18:48
done outside of the organization.
18:51
You know, if there is an advantage to sending something offshore for additional processing or additional manufacturing steps,
18:59
that might be a consideration.
19:02
Or maybe
19:03
a very complex product is built: the components are built
19:10
within the organization, and they're assembled somewhere else
19:15
because the labor for assembly is cheaper.
19:18
But we're not worrying about
19:19
the design aspect because we're going to take care of that in-house. So there are trade-offs again for different ways that might be done. You have to think about legal issues.
19:30
If you're using
19:32
workers from another country, they might have different expectations, different legal rights
19:37
compared to the home country where the organization is located. So that's something to consider
19:44
as far as
19:47
a way of doing business. For instance,
19:49
the European Union has very different privacy laws than we have in the U.S.
19:55
In many ways, their privacy laws are actually superior to ours.
19:59
You've got more protection for your privacy in some ways in the EU than you do in America,
20:07
China, with basically non-existent intellectual property laws.
20:11
Their idea of
20:14
producing a product
20:15
that is effectively an exact copy of someone else's is much different than what we think of here in the U.S.
20:22
We think someone that does that is stealing,
20:23
and from their perspective, they're not stealing. They're just trying to compete with you the best way they know how.
20:30
So there,
20:30
we have to be aware of those differences, culturally and legally, between different countries that are doing business together.
20:37
What about using subcontractors?
20:41
This entails some liability.
20:44
If a subcontractor makes a mistake,
20:48
or they are doing
20:49
something illegal.
20:52
It may be the case that the organization that hired the subcontractor ends up with the penalty or the blame.
20:59
The subcontractor may not be legally liable or even in a position to be prosecuted or approached for reparations or damages.
21:10
So there could be some gray areas that need to be well understood before engaging
21:15
in certain types of
21:18
activities with subcontractors or third parties.
21:22
So be aware of some of those pitfalls and how they might apply to an organization.
21:26
You will see questions on the exam
21:29
asking about some of these
21:32
kinds of situations.
21:33
You might be able to get certain types of insurance
21:37
to help with
21:38
protecting the organization in the event of certain problems
21:44
occurring.
21:45
But the insurance may have limitations as far as where it's enforceable
21:48
and where it might be unenforceable.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor