All right, so let's talk now about how we develop strategy for IT. Lots of things to think about here. One of the top priorities is having a step-by-step workflow. This means that for each area of the organization that generates some kind of revenue, we should know who's involved, what their tasks are, and what their responsibilities are as they relate to that work. So we need to think about where the risks are in each of those steps.

It could be that certain areas of the workflow are problematic because you're dealing with some sensitive information, or maybe there are some time delays and different things, so there's some risk associated with that that needs to be understood. Any kind of triggers for events need to be understood and documented. If an unforeseen event happens, how does that affect the IT strategy? Or maybe you've got another perspective, where you're thinking, well, we've got a regular review, a regular audit, a regular self-assessment, and now we have to understand that kind of scheduled event and how it relates to the strategy for IT.

If events do happen and we have to deal with them, we should think about contingencies. If your primary source of information, your primary mechanism for achieving your workflow, goes away, especially if you've got third parties involved, that's an extra level of risk to consider. And ultimately, if you can do this step-by-step analysis, it might be possible to find areas where improvements can be made, or some optimization or more efficient way of doing things could be uncovered just by doing the analysis of the workflows themselves.

There are different ways to fund your IT strategy.
The typical way that a lot of organizations do this is sharing the cost. This is a great way to make things a little bit simpler, and that way everyone that's part of the organization gets some benefit from the expenditure of resources for IT. They all just sort of get their piece of the pie, so to speak.

Other organizations might use a chargeback mechanism. I've seen this in several places that I've worked, where you've got maybe a systems engineering or network engineering group that fields requests from other areas of the organization: we need a new firewall set up, we need a new system built to house our applications. So one organization does the work, they come up with a mechanism to place a value on that, some billing unit, whatever it is, and they charge the other business unit for that time. So the money's moving around within the organization, from one budget to another.

One last option that you might see is where the sponsor
And this is another effective way to do this, because now you're being more specific as far as who's paying for the effort, having a tighter linkage to who benefits from the effort, with the possible disadvantage that people that are part of that organization or that division might benefit from some of this expenditure without actually having to contribute any resources to make it happen.

So really, just understanding the three basic mechanisms here is the most important thing. Most likely, as an auditor, you're not going to be in a position to influence the choices of management one way or the other as far as the way they like to do things.
We have to consider different types of policies, much like the policies and guidelines and standards that we talked about in the previous module. We have to think about the different levels of enforcement here. So something that's an advisory policy is just giving advice, right? Suggesting best practices or the best way to do things in a given situation.

Regulatory policy, on the other hand, means that now we're dealing with laws, and of course this is something that is mandatory and cannot easily be avoided, and the consequences for not following a regulatory policy should be well understood.

And then the last one we have is informational policies. So these are things that users of services and products, or other people within the same organization, actually use to do their job better. This is more information, more detail, and that should be considered a helpful thing, but again, not mandatory, not necessarily enforced.
And we have to think about program management. So I mentioned the project management office earlier, and this kind of relates to that, in the sense that we're trying to make sure that all the different projects that are in progress, that are supporting business objectives, are being managed correctly. This management would include things like budgeting, timeline, personnel, resources and so on. So the project management or program management effort needs to keep tabs on all these details to make sure the organization is doing what it's supposed to do in the time frame and budget that's been allocated.

So as long as an organization is in business, there will be some need for management of its projects and programs. There might be cases where certain things are actually ceased or terminated, and now the program management office would have to adjust its priorities accordingly. So what are the kinds of things or programs that are going to be sustained for the long term? We have marketing, HR, payroll, obviously all of your accounting and bookkeeping, the maintenance of your facility, making sure that you've got compliance with all the laws and regulations. These are things that are always going to be required as long as the organization is in business.

And we have project management. This is a way to deal with the programs that the organization is involved in, like trying to measure the risk, trying to manage it, trying to understand whether or not the resources that have been allocated are adequate and are being properly
We have different considerations if you've got a capital project that's dealing with the entire enterprise versus something that's much smaller, that might just be for a particular team or some area or a business division within the organization. So some examples might be new product development, updates to systems and software, audits of individual systems or of individuals themselves.

So the PMO, the Project Management Office, keeps track of all the projects, maintains visibility to the people that need to know about them, basically stakeholders, and, as a project manager, keeps tabs on all the individuals doing their various tasks and tries to make sure that people meet their deadlines and their deliverables. A PMO that works in a generic sense for the organization says that any new project that gets initiated must get reviewed by the PMO to decide who will work on it, which subject matter experts are appropriate, and there should be some agreement on different aspects of how long the project should take and what kind of funding might be required.

We have a master project register for mature organizations. That's sort of like another consideration of maintaining your portfolio. If I've got 15 projects in progress, I want to be able to look at the master project register and see all the details that are needed to understand who's responsible for this project, when did it start, how much money is allocated, when is it expected to be completed, and so on.
So, just some different models we can consider. We have the PMI, the Project Management Institute, so people that achieve PMI certification would get that from this organization. So this is for projects that are unique or things that repeat, and it uses the maturity model of level zero through three. We know that (we'll see this in a little bit) the Capability Maturity Model goes from 0 to 5; they're just dealing with level zero through three, typically. So, 42 process areas, looking at what the project manager does, how their methodologies and techniques are used in order to further the goals of each individual project.

Then we have PRINCE2, otherwise known as P2. This is a standard for the UK, again for unique or repeating projects, and it targets the same capability maturity levels that the PMI does. They have a slightly different makeup, with nine process areas instead of 42, but with a focus on the methodology to try to achieve the goals of each.

Then we have Total Quality Management, or TQM, referring more to the quality management of each individual project. That's why it targets levels three through five of the Capability Maturity Model. This wouldn't be used until a project is in a more mature stage and you're trying to get to the point where you're refining and optimizing.

Then we've got Six Sigma, something that was created by Motorola to try to reduce defects. For instance, 16,000 defects per 1,000,000 was reduced to 3.4 defects per 1,000,000. That's six sigma, otherwise known as the five nines, so it's 99.999% perfect. It's a very high standard to achieve, and Motorola did this when they were developing their mobile phones, back in the days when they were the world leader in mobile phone production.

And then, lastly, we have the ISO 9001 series, again related to quality control, just like Six Sigma and Total Quality Management. This is to say that if we want to have repeatable quality control efforts that deal with CMM three through five, just like Six Sigma and Total Quality Management do, it tries to incorporate all the ISO 9000 quality standards in an international context.

All right, so now let's talk about planning our IT strategy. How do we implement
the strategy? From a planning perspective, the organization needs to consider long-term and strategic goals, or you could say short-term, mid-term and long-term goals, if you want to use different language for that. In the context you're in, then, when you're creating a new IT project, it should be clearly identified whether this is a short-term, mid-term or long-term project. That would affect the level of resources required to achieve the completion of the project; a long-term project or a strategic project would understandably take more time and money, and more people as well.

So, having a plan for how the data will be managed and handled: the data that's being transmitted, processed and stored, where does that happen, how does it happen? That should be well understood and documented accordingly. There should be a plan for managing all the applications that the environment uses. This not only includes money for purchasing new software, but how do you deal with managing all the licenses that are currently in existence? How are resources going to be allocated on a short-term, mid-term and long-term basis?

We have to have a plan for technology. A lot of organizations do what's called a tech refresh, so every 2 to 3 years, maybe everybody gets new laptops, or you upgrade all of your servers, you upgrade your firewalls or your proxies. These are things that organizations do in order to make sure that they're always using something that's state of the art or near state of the art, as long as it's within the resources that they've got available for spending on such items.

Then you have to think about the organizational plan. So how does IT support the goals of the business? How does it align itself with the business strategy to produce products and services that can further the goals of the organization, to attract new customers, to continue to grow the business and increase revenues?

And you might also consider a facilities plan. In this day and age, when more and more organizations are using managed services or cloud computing, the facilities plan needs to take those kinds of things into account. Are you going to continue to host all of your servers within your own data center, or are you going to outsource some of this? There are tradeoffs, of course, to both scenarios.

What about COBIT? This is a developed standard, the Control Objectives for Information and Related Technology, a comprehensive way to deal with strategy formulation, monitoring your processes and developing procedures to help an IT organization move forward. Currently, COBIT is in its fourth revision or edition, and of course we'll talk a little bit more about this in some later sections as well.
So, sourcing locations. What do we mean by a sourcing location? This means we're thinking about whether a resource can be obtained from within the organization, so that's called insourcing, or do we want to get some product, service or other resource from outside the organization, where we would call that outsourcing. There are different advantages to both. Typically we're looking at operating costs and labor costs when making these kinds of decisions.

If you move your production, the creation of products, factories and any kind of labor like that, a lot of organizations will move those things to countries where the labor is cheaper, like China, for instance. A lot of products are made in China because the costs of production are much lower there. But of course there are some disadvantages. If you move too many things offshore or outsource, then you may lose control of some of your intellectual property. There may be quality control issues that don't get addressed in a timely fashion, and now you're taking shipments of products that have defects and they have to be reworked or sent back to the manufacturer. So these are stories that probably everyone has seen in the news. For example, I used an example in an earlier chapter where children's toys were produced that contained lead paint, so they had to be pulled from the market, and the manufacturer lost a lot of money on that because they outsourced it to a Chinese company, perhaps, and the Chinese company took shortcuts, and now there are problems because of that. So something to think about, the pros and cons here: saving money, but possibly other headaches later.

What about services that get fulfilled from remote locations? One of the most common ways that we come in contact with this is when you call tech support for a given company and you get someone on the phone who doesn't appear to be an English speaker as a first language. Maybe they speak okay English, but it's not their first language, so there might be some communication challenges. Again, cheaper labor, but potentially dissatisfied customers if they can't communicate very well with the person on the other end of the line. Other services can also be outsourced. We can outsource accounting and bookkeeping, telephone support, which I already talked about, or doing your printing or software development might be ideal things. Printing might be something that's a lower-risk choice, since there might be fewer things that can go wrong in that kind of a context. So be aware of the types of services that could be used and some of the pros and cons of insourcing versus outsourcing.
So we can also, in addition to insourcing or outsourcing, have what's called a hybrid, where you do some things in-house and have some things done outside of the organization. You know, if there's an advantage to sending something offshore for additional processing or additional manufacturing steps, that might be a consideration. A very complex product is built, the components are built within the organization, and they're assembled somewhere else because the labor for assembly is cheaper, but we're not worrying about the design aspect because we're going to take care of that in-house. So there are tradeoffs again for the different ways that might be done.

You have to think about legal issues. Workers from another country might have different expectations, different legal rights compared to the home country where the organization is located, so that's something to consider, as well as ways of doing business. For instance, the European Union has very different privacy laws than we have in the U.S. In many ways, their privacy laws are actually superior to ours. You've got more protection for your privacy in some ways in the EU than you do in America. China, with basically non-existent intellectual property laws: something that is effectively an exact copy of someone else's is viewed much differently than what we think of here in the U.S. We think someone that does that is stealing, and from their perspective they're not stealing, they're just trying to compete with you the best way they know how. We have to be aware of those differences, culturally and legally, between different countries that are doing business together.

What about using subcontractors? This entails some liability. If a subcontractor makes a mistake, it may be the case that the organization that hired the subcontractor ends up with the penalty or the blame. The subcontractor may not be legally liable or even in a position to be prosecuted or approached for reparations or damages. So there could be some gray areas that need to be well understood before engaging in activities with subcontractors or third parties. So be aware of some of those pitfalls and how they might apply to an organization. You will see questions on the exam asking about some of these kinds of situations. You might be able to get certain types of insurance protecting the organization in the event of certain problems, but the insurance may have limitations as far as where it's enforceable and where it might be unenforceable.