This lesson covers managing IT governance and discusses the issues surrounding IT governance. This lesson discusses the following:

- High-level management objectives to be verified by the auditor
- Strategic planning
- Long-term planning
- Operational planning

This lesson also discusses the business process and measuring key performance indicators (KPIs).

Transcript

Okay, so let's look at our objectives for chapter 2. Again, we're talking about managing IT governance. So we've got a lot of things to talk about here. We need to define what IT governance really is; knowing a little bit about the scope and purpose of our IT controls, or security controls. How we use reference standards to make the governance more effective. Who is responsible for implementing governance? That's a really important question. Sometimes when there's confusion on a point like this, it causes other problems due to the ripple effect of people making decisions on their own that maybe they weren't authorized to make. What about fiduciary responsibility? Who's responsible for holding the purse strings as it relates to protecting assets? How do you deal with requests for more money? Defining our executive strategy and what is that going to be for the organization? What direction are you going to head in? How will that be implemented? Looking at portfolios, programs, and the project management office, trying to understand the differences between those concepts: how does management control the IT aspect of the organization? What measurements are they relying on? We'll look at some considerations there.
Also, management has to protect the transactions: financial transactions, database transactions, anything that's occurring between a client and the organization or within the organization itself needs to be understood, especially from an audit perspective where you're looking at low-level processes and mechanisms to make sure they're working effectively and can be measured and monitored. Then, lastly, we'll cover business process re-engineering. So this is the idea that if you're monitoring and measuring the performance of your organization, inevitably you're going to come across something that's not working as well as it should be. So what do you do in that case and how do you manage that? Alright, starting off with our strategy for organizational control planning. The idea here is that the auditor is trying to understand the high-level objectives for management. We know that there should be an alignment between what management wants to do, the resources they have available to spend to make those goals happen, and what the actual organization's charter is. So it can be a difficult task to deal with all these variables, but the simplified way of saying it is that the leadership in the organization needs to understand how to expend their resources to achieve the goals of the organization as a whole. What happens when there are problems with management not being involved at the right level? This is another call-back to our monitoring requirements. If a manager is too involved, the typical micromanager, that presents its own problems, but what we need to think about is what kinds of automated detective controls can be used in a typical environment to make sure that certain things are discovered when needed, without the need for somebody to actually manually look at items and constantly be asking questions. That sort of dovetails into the idea of continuous monitoring and why that's so important for the typical organization.
Another thing to think about here is that we want to make sure that when problems do get discovered, a mature organization can quickly decide what to do about it. You shouldn't have a discovery of a security issue that goes unremediated for any length of time. That would be poor management. Obviously there would be different problems that would result from that kind of pattern of behavior. What about an IT steering committee? Steering committees are trying to decide how to maneuver the organization through different tasks, or different challenges. As it relates to IT, this means: where do we spend our money? Do we buy more firewalls? Do we buy more licenses for our intrusion protection system? Do we send more people to training? These are the kinds of questions that might get answered in a typical steering committee meeting. Each member of the steering committee should have a representation within the steering committee's charter showing what the purpose of the group is and what each member's contribution is expected to be. Each member also needs to be granted the appropriate level of authority to make some decisions. So a steering committee might be composed of managers or directors of different business units within the organization, so that they are guaranteed to have the authority required to say, 'Yes, this is a problem. We can deal with it because I can make the decision to allocate some resources to this particular challenge.' So what kinds of people do we need in a steering committee? Someone from marketing. That's a good idea. Their goal is to try and get more customers for the products and services that the organization offers. They would definitely have some interesting input as far as what makes sense from a marketing perspective to spend money on or to spend time on. People that are involved in producing a product or developing software are also important to have in a steering committee.
Some representation in this area would be useful because now you can have that person decide whether or not it's worth the effort to do something. If it's going to take a year to develop software to solve a problem, does that really make sense, or should we buy something off the shelf? Those are the kinds of discussions you might expect to have. Sales: they go hand-in-hand with marketing. Sales people need their own resources to try to attract new customers, or to increase the amount of purchases by existing customers. So these are things to think about. Finance is also involved, since they've got the purse strings, as I mentioned earlier, and should understand the connections between the resource allocation requirements within the organization: coming up with effective budgets, knowing that certain things require money. The idea that you have to spend money to make money should not be that unusual. Having some legal representation is important as well. We want to make sure we stay on the right side of the law. There might be a great idea that sales and marketing has for generating new business, but there could be legal repercussions if it's done improperly. Things like data mining or social media marketing are typical areas where there are some legal considerations to make sure that things are being done correctly. Quality control ties again into some resource allocation considerations. This is the idea that someone should be in the room that can look at initiatives and projects and say, 'We can't get this ready in the timeframe that you want because we need time to test it. We need time to make sure that this is up to the standards that the organization demands.' Research and development, or R&D: they're trying to find new ways to create new products and services for the organization. So it makes sense to have some representation here because they might have ideas that need to be discussed among the other members of the steering committee.
Then we have our project management office. The PMO is in charge of the portfolio of projects, trying to understand what each project requires regarding personnel and financial resources, and, of course, tracking each of those projects from initiation to completion. There are some more people on the steering committee. Business continuity and/or disaster recovery: this is an important thing to think about. When an idea comes across the table to say, 'We want to do something different. We want to expand this. We want to reorganize that,' business continuity experts might say, 'Well, that's going to present challenges for some of the requirements to keep the business running.' Maybe the idea that's being proposed is very complex and would require a lot of work to ensure continuity if your primary facility goes down or offline for some reason. You can't forget IT. That's where your CIO plays a large role, to know that, 'Okay, we've got all these great ideas. We've got some money to spend. Now, does the IT infrastructure actually exist to support these efforts? Or do we have to buy some new equipment, or expand somehow what we've already been doing in order to support these initiatives?' HR is involved, making sure that we've got the right people in the organization, that they've been properly vetted, properly checked, and that we're treating people with the respect that they deserve. Of course being careful to avoid any kind of discrimination and treating PII properly, and so on. Labor management is sort of related to HR; maybe a little bit more specific if you're involved in an organization that's dealing with unions. Then, lastly, we have administration. This is just a general term to think about the people that help keep all of the moving parts working efficiently. You've got administrative assistants. You've got secretaries, executive assistants, people that are trying to help others get their job done more effectively.
Alright, so what is the difference between a strategic plan, a long-term plan, and an operational plan? There are different kinds of timeframes involved here. A strategic plan you would normally think of as something that's three years or longer in its timeframe. So a strategy is something that's more of a long-term vision. We know that tactics make up strategies. So tactical planning is more akin to operational planning, or something that's maybe a year or less in timeframe. These are smaller steps that are done in order to support the long-term vision, which is your strategic planning. But then we have long-term planning, which is sort of the middle ground: one to three years. We can see, in all these different cases, on the board of directors we have various people for strategic planning: the CEO, the COO, the CFO. For our long-term planning, some of the same people are involved, but now we've got department directors that are looking at the components of the business, trying to understand whether the products and services that are being offered are effective, or if there's room for improvement. Then, again, with the operational planning, these are the smaller day-to-day tasks and initiatives that support the long-term and strategic planning. So they all have their interrelationships with each other. Then we have the concept of the balanced scorecard, or the BSC. This helps business executives define the metrics that they can use to see if the organization is performing as expected. They're looking at various things: customer perception, the processes of the business. What are the prospects for growth for the organization? How would you measure those things in order to manage them? I like using that 'measure it to manage it' idea here. So if we look at the methodology for the BSC, or the balanced scorecard, we can see from a customer perspective, they're thinking, 'What is it about this organization that makes them stand out? Why are they important?
What is it that they provide that makes customers want to do business with them?' From the business process perspective, you're thinking about, 'What is it that we do? How can we improve our products and services to get an advantage in the marketplace? How can we gain more market share?' What are the key performance indicators, your KPIs? If you can't measure those things, then it's very difficult to know if you're doing well. Just measuring profits is only one indicator of how well an organization is doing. Then we have to consider financial goals. If you're supporting shareholders, that's a consideration because you have to act on their behalf as well as on behalf of the owners of the organization or the employees. Is the company generating a lot of profit, a lot of cash, or are they heavily in debt? These are other scorecard items that might be considered. Then we have to think about the growth of the organization. If you're trying to gain market share or increase sales, how is that going to be done? What kinds of metrics would need to be examined in order to understand if you're doing a good job now, or where you might find areas for improvement? You know, how would you attract new workers, or how would you get those people trained in order to advance the goals of the organization? So there are some advantages and disadvantages to using the balanced scorecard method. The advantages are pretty obvious because it gives executives a way to focus on the metrics that they think are most important to the way the organization functions, and some understanding of the relationship to the financial aspect as well. So we're measuring things; we see the linkages between those things we're measuring and the money that we're spending to generate those numbers. This is an interesting concept here. If this is fully implemented, none of the departments should have their own budget.
That means that the budget is being decided at the enterprise level and therefore being controlled more centrally. That means that your organization might be at a more mature state. Some disadvantages, however: the initiatives that are actually put on the scorecard have to be chosen carefully so that you're not blending things that are high priority with moderate or low priority. They should be categorized correctly and grouped accordingly so that when you're measuring performance and other indicators, it makes sense to do that within that particular category or group. You have to worry about politics. If politics are an issue within your organization, that might derail certain initiatives because they're not popular with certain individuals. So trying to have a powerful sponsor who can remove obstacles is one of the main goals here. So if we look at some different perspectives for a balanced scorecard, we can see we've got the financial perspective, process, growth and learning, and the customer perspective. We've got some relationships between these different things. So, between financial and customer, the customer is looking for the vision of the company, or the organization, and financial considerations are looking to the customers for growth. Then we have strategy and improvement between the financial aspects and the processes that the organization uses to run itself. Then we've got refinement and definitions between the processes that the organization's using and initiatives to grow the company and to expand its customer base. Then, lastly, between growth and learning and the customer, the customer needs to know that they've got a good support mechanism in place and we want to know that we can link the growth of the company to an expanded customer base. So it's a nice way of putting these four concepts together to think about how a balanced scorecard might look. This isn't the way it would look on the actual documentation, just more of a conceptual idea here.
So, information technology is a part of your balanced scorecard, as you would expect. So the scorecard is created and then IT management would fill in some gaps as far as the details for how certain things are going to be accomplished. For instance, IT needs to support the machine of the organization as a whole. So that means that you've got the right people available with the correct level of training and that they know what to do when problems occur, or when new requirements are discussed. Knowing how to control the strategy for IT is an important thing to think about, especially as it relates to the financial consideration. You can have a fantastic strategy, but if the finances aren't available to achieve those goals, then you might have to deal with some kind of compromise along the way to say that, 'We're going to have to do more with less.' That's a common theme in this day and age, doing more with less. In general, money spent on IT initiatives should provide some value to the organization's bottom line. Maybe your data is now more secure so you've got fewer customers leaving because of problems. Or you're improving the performance of your products and services so that customers are happy and they buy more of them, or they spread the word to their friends to use your products and services. So there are some linkages there as well. Then, of course, we can't forget metrics. If we can't see how the expenditure of time and money in IT is really affecting the organization overall, then we can't manage that. We need to measure it first.