Time
8 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
9

Video Description

This lesson covers managing IT governance and discusses the issues surrounding IT governance. This lesson discusses the following:

- High-level management objectives to be verified by the auditor
- Strategic planning
- Long-term planning
- Operational planning

This lesson also discusses the business process and measuring key performance indicators (KPIs).

Video Transcription

00:04
Okay, so let's look at our objectives for Chapter two.
00:07
Again, we're talking about managing IT governance,
00:11
a lot of things to talk about here. We need to define what
00:14
governance really is,
00:16
knowing a little bit about the scope and purpose of our IT controls, our security controls.
00:24
How we use reference standards
00:27
to make the governance more effective.
00:30
Who's responsible for implementing governance? That's a really important question.
00:34
Sometimes confusion on a point like this causes other problems due to the ripple effect of people making decisions on their own that
00:43
maybe they weren't authorized to make.
00:47
What about fiduciary responsibility?
00:50
Who's responsible for holding the purse strings as it relates to protecting assets?
00:56
And how do you deal with
00:57
requests for more money?
01:00
Defining our executive strategy.
01:02
What is that going to be for the organization? What direction are you going to head in? How will that be implemented?
01:10
Looking at portfolios, programs,
01:12
and the Project Management Office
01:15
trying to understand the differences between those concepts. How does management control
01:23
the IT aspect of the organization?
01:26
What measurements are they relying on?
01:29
We'll look at some considerations there.
01:32
Also, management has to protect
01:34
the transactions. Financial transactions, database transactions.
01:40
Anything that's occurring between a client and the organization or within
01:47
the organization itself needs to be understood,
01:49
especially from the audit perspective,
01:53
where you're looking at low-level processes and mechanisms to make sure they're effectively working and can be measured and monitored,
02:00
and then lastly, we'll cover
02:02
business process reengineering.
02:06
This is the idea that
02:08
if you're monitoring and measuring the performance of your organization
02:13
inevitably, you're going to come across something that's not working as well as it should be.
02:17
So what do you do in that case, and how do you manage that?
02:22
All right, starting off with our strategy for organizational control planning.
02:28
The idea here is that the auditor is trying to understand the high-level objectives for management.
02:36
if we know that
02:37
there should be an alignment between what management wants to do,
02:40
the resources they have available to spend to make those goals happen, and what the actual organization,
02:47
the organization's charter is,
02:51
so it could be a difficult task
02:53
to deal with all these variables.
02:55
But the simplified way of saying it is that the leadership in the organization needs to understand how to expend their resources to achieve the goals of the organization as a whole. What happens when there are
03:09
problems with
03:12
management not being involved at the right level?
03:15
This is another call back to our monitoring requirements.
03:21
If management is too involved, you know, the typical micromanager, that presents its own problems.
03:29
But what we need to think about is what kinds of automated
03:32
detective controls can be used
03:36
in a typical environment
03:38
to make sure that certain things are discovered when needed, without the need for somebody to actually manually look at items and constantly be asking questions.
03:49
That sort of dovetails into the idea of continuous monitoring, why that's so important
03:53
for the typical organization.
03:55
Another thing to think about here is that we want to make sure that
03:59
when problems do get discovered
04:00
that a mature organization can quickly decide what to do about it.
04:06
You shouldn't have a
04:09
discovery of a security issue that goes
04:13
unremediated for any length of time. That would be poor management,
04:17
and obviously there are different problems that will result from that kind of pattern of behavior.
04:25
What about an IT steering committee?
04:28
Steering committees are trying to decide
04:30
how to maneuver the organization through different
04:33
tasks or different challenges
04:36
as it relates to IT.
04:39
This means: where do we spend our money?
04:41
Do we buy
04:43
more firewalls? Do we buy more licenses for
04:46
our intrusion protection system?
04:49
Do we send more people to training? These are the kinds of questions that might get answered in a typical steering committee meeting.
04:57
Each member of the steering committee should have a,
05:00
uh,
05:02
representation within the steering committee's charter
05:05
showing what the purpose of the group is and what each member's contribution is expected to be.
05:13
Each member also needs to be granted the appropriate level of authority to make some decisions.
05:18
So a steering committee might be composed of the managers or directors
05:24
of different business units within the organization, so that they are guaranteed to have the authority required
05:30
to say, yes, this is a problem, we can deal with it because I can make the decision to allocate some resources to this particular challenge. So what kinds of people do we need in a steering committee? Someone from marketing?
05:45
That's a good idea
05:46
Their goal is to try to get more customers for the products and services that the organization offers.
05:53
They will definitely have some interesting input
05:56
as far as what makes sense
05:57
from a marketing perspective, to spend money on or to spend time on.
06:02
People that are involved in producing a product or developing software are also important to have on a steering committee.
06:11
Some representation in this area would be useful because now you can
06:17
have that person decide whether or not it's worth the effort to do something.
06:23
If it's going to take a year to develop software to solve a problem, does that really make sense, or should we buy something off the shelf? You know, those kinds of
06:30
discussions you might expect to have.
06:33
Sales. They go hand in hand with marketing;
06:38
salespeople need their own resources to try to attract new customers,
06:42
sure, or to increase the amount of purchases by existing customers. So these are things to think about.
06:49
Finance is also involved,
06:51
since they've got
06:53
the, uh,
06:54
the purse strings, as I mentioned earlier, and should understand the connections between
06:59
the resource allocation requirements within the organization
07:03
coming up with effective budgets, knowing that
07:06
God,
07:08
certain things require money. The idea that you have to spend money to make money should not be
07:14
that unusual.
07:15
Having some legal representation.
07:18
This is important as well, as I mentioned earlier. We want to make sure we stay on the right side of the law.
07:25
There might be a great idea that sales or marketing has
07:28
for generating new business,
07:30
but there could be legal repercussions if it's done improperly.
07:35
You know, things like data mining or,
07:40
uh, you know, social
07:42
media marketing,
07:44
are typical areas where there are some legal considerations to make sure that
07:47
things are being done correctly.
07:49
Quality control
07:53
ties again into some resource allocation considerations.
07:57
But this is the idea that someone should be there in the room that could look at initiatives and projects to say that
08:05
we can't get this ready in the time frame that you want because we need time to test it. We need time to make sure that this is
08:11
up to the standards that the organization demands.
08:16
Research and development, or R&D.
08:18
They're trying to find new ways to
08:22
create new products and services for the organization,
08:26
so
08:28
it makes sense to have some representation here because they might have ideas
08:31
that need to be discussed among other members of the steering committee.
08:35
And then we have our project management office.
08:39
The PMO is in charge of
08:41
the portfolio of projects, trying to understand what each project requires
08:48
regarding
08:50
personnel and financial resources,
08:52
and of course, tracking each of those projects from
08:56
initiation to completion.
08:58
Well, some more people in the steering committee: business continuity or disaster recovery.
09:03
This is an important thing to think about
09:07
when,
09:07
yeah,
09:09
an idea comes across
09:11
the table to say that we want to do something different. We want to expand this.
09:15
We want to reorganize that.
09:18
Business continuity experts might say, well, that's going to present challenges for some of the
09:24
requirements to keep the business running.
09:26
Maybe the
09:30
idea that's being proposed is very complex
09:33
and would require a lot of work to ensure continuity if your primary facility goes down or offline for some reason. Can't forget IT.
09:41
That's where your CIO plays a large role
09:45
to know that, okay, we've got all these great ideas, we've got some money to spend;
09:50
now, does the IT infrastructure
09:52
actually exist to support these efforts?
09:56
Or do we have to buy some new equipment or expand somehow what we've already been doing in order to support these initiatives?
10:03
HR is involved
10:05
making sure that we've got the right people
10:09
in the organization, that they've been properly vetted, properly checked
10:13
and that we're treating people with the respect that they deserve and,
10:18
of course, being careful to avoid any kind of discrimination
10:24
and, uh, treating PII properly and so on.
10:28
Labor management is sort of related to HR,
10:33
maybe a little bit more specific if you're involved in an organization that's dealing with unions,
10:41
and then lastly, we have administration,
10:43
and this is just a general term
10:46
to think about the people that help keep all the moving parts working efficiently.
10:52
You've got administrative assistants. You've got secretaries,
10:56
executive assistants, people that are trying to help
11:01
others get their job done more effectively.
11:03
All right, so
11:05
what is the difference between a strategic plan,
11:09
a long-term plan, or an operational plan?
11:11
There are different kinds of timeframes involved here.
11:15
A strategic plan,
11:16
um, we normally would think of that as something that's three years or longer
11:20
in its time frame.
11:24
So the strategy is something that's more the long term vision.
11:28
We know that tactics make up strategies, so tactical planning
11:33
is more akin to operational planning
11:37
or something that's maybe a year or less in time frame.
11:41
These are smaller steps that are done in order to support the long term vision, which is your strategic planning.
11:48
But then we have long term planning, which is sort of the middle ground.
11:50
one to three years.
11:54
We can see in all these different cases the board of directors. We have various people for strategic planning: the CEO, the CEO,
12:01
the CFO.
12:03
In our long term planning, some of the same people are involved. But now we've got department directors
12:09
that are looking at the components of the business, trying to understand
12:11
whether the products and services that are being offered are effective, or if there's room for improvement
12:18
and then again, with the operational planning.
12:20
These are the smaller day to day tasks
12:24
and initiatives that support the long-term and strategic planning.
12:28
So they kind of all have their inter relationships with each other,
12:31
and we have the concept of the balanced scorecard, or the BSC.
12:37
This helps business executives
12:39
define the metrics that they can use to see if the organization is performing as expected. We're looking at various things: customer perception,
12:46
the processes of the business.
12:50
What are the prospects for growth for the organization?
12:54
How would you measure those things
12:58
in order to manage them?
12:58
I like using that.
13:01
"measure it to manage it" idea here. So we look at the methodology for the BSC, the balanced scorecard. We can see, from a customer perspective,
13:09
If they're thinking,
13:13
What is it about this organization that makes them stand out? Why are they important? What is it that they provide
13:20
that
13:20
makes customers want to do business with them?
13:26
From the business process perspective, you're thinking about, what is it that we do?
13:30
How can we improve
13:31
our products and services to get an advantage in the marketplace? How could we gain more market share?
13:37
What are the key performance indicators?
13:41
Your KPIs.
13:43
If you can't measure those things, it's very difficult to know if you're doing well. Just measuring profits is only one indicator
13:50
for how well our organization's doing.
13:54
We have to consider financial goals.
13:56
If you're supporting shareholders, that's a consideration
14:01
because you have to
14:01
act on their behalf as well as the owners of the organization or the employees.
14:07
Is the
14:09
company generating a lot of profit? A lot of cash
14:11
or are they heavily in debt? These are other
14:15
KPIs, or not KPIs but
14:18
scorecard items that might be considered.
14:22
Then we have to think about the growth of the organization.
14:24
If you're trying to gain market share or increased sales, how is that going to be done?
14:30
What kinds of metrics
14:31
would need to be examined in order to understand if you're doing a good job now or where you might find areas for improvement?
14:41
You know, how would you, uh,
14:43
attract new workers? Or how would you get those people trained in order to advance the goals of the organization?
14:50
So there are some advantages and disadvantages to using the balanced scorecard method.
14:56
Advantages are
14:58
pretty obvious
15:00
because it gives executives a way to focus on the metrics that they think are most important to the way the organization functions.
15:07
Having some understanding of
15:09
the relationship between the financial aspect as well.
15:13
So we're measuring things. We see the linkages between those things we're measuring and the money that we're spending to generate those numbers, right?
15:22
And this is another interesting concept here. If this is fully implemented,
15:28
none of the departments should have their own budget.
15:31
That means that the
15:33
budget is being decided at the enterprise level
15:37
and,
15:37
uh,
15:37
therefore being controlled more centrally.
15:41
That means that your organization might be in a more mature state.
15:46
Disadvantages, however:
15:48
the initiatives that are actually put on the scorecard have to be chosen carefully so that you're not
15:56
blending things that are high priority with moderate or low priority.
16:00
They should be categorized correctly
16:03
and grouped accordingly, so that
16:07
when you're measuring,
16:07
uh,
16:08
performance and other indicators, that makes sense to do that
16:12
off
16:14
within that particular category or group,
16:17
you have to worry about politics.
16:19
If politics are an issue within your organization, that might derail certain initiatives because they're not popular with certain individuals.
16:30
So trying to have a powerful sponsor who can remove obstacles is one of the big goals here.
16:37
So we look at some different perspectives for a balanced scorecard. We can see we've got
16:41
financial perspective, process,
16:44
growth and learning and customer perspective.
16:47
And we've got some relationships between these different things.
16:49
So between financial and customer,
16:52
you know, the customer's looking for the vision of the company or the organization, and financial
16:59
considerations are looking to the customers for growth.
17:02
Then we have strategy and improvement between the financial aspects and the processes that the organization
17:07
uses to run itself,
17:11
Then we've got refinement and definitions between the
17:15
processes that the organization is using and initiatives to grow the company and to expand its customer base.
17:25
And then, lastly, between growth and learning and the customer,
17:27
we want the customer to know that they've got a good support
17:32
mechanism in place.
17:33
And we want to know that we can link the growth of the company to expanding customer base.
17:42
So it's a nice way of putting these four concepts together
17:47
to think about how a balanced scorecard might look.
17:49
This isn't the way it would look on
17:52
on the actual documentation. Just more of a conceptual,
17:56
uh,
17:57
idea here. So information technology
18:00
is a part of your balanced scorecard, as you would expect.
18:04
So the scorecard is created, and then IT management would fill in some gaps as far as the details for how certain things are going to be accomplished.
18:15
For instance, the mission.
18:18
IT needs to support the mission of the organization as a whole.
18:21
So that means that you've got the right people available
18:25
with the correct level of training
18:29
and that they know what to do when problems occur or when new requirements are discussed. Knowing how to control the strategy for IT
18:41
is an important thing to think about,
18:42
especially as it relates to the financial consideration.
18:48
You could have a fantastic strategy, but if the finances aren't available to achieve
18:52
those goals, then you might have to deal with some kind of compromise along the way
18:56
to say that we're gonna have to do more with less. And that's a common theme in this day and age,
19:03
doing more with less.
19:04
But in general, money spent on IT initiatives should provide
19:10
some value to the organization's bottom line.
19:12
Maybe your data is now more secure, so you've got fewer customers leaving because of problems,
19:18
or your
19:22
you're improving the performance of your products and services so that customers are happy and they buy more of them, or they spread the word
19:30
to their
19:30
friends
19:33
to use your products and services, so there are some linkages there as well.
19:37
And then, of course, we can't forget metrics.
19:41
If we can't see how the expenditure of time and money
19:45
in IT is really affecting the organization overall,
19:49
then we can't manage that. We need to measure it first.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor