Hi, everybody, and welcome to ISACA's CGEIT course, or really Cybrary's live CGEIT course. And this is, of course, a certification from ISACA. We'll talk all about that in just a few minutes. But
this particular course focuses on being Certified in the Governance of Enterprise IT.
And this would be sort of the logical successor to the CISSP certification or the CISM certification. And this is for those of you that may have your eyes set on IT governance, meaning perhaps being a CISO somewhere along the line.
I'm your instructor. I'm Kelly Handerhan. And, uh,
what we're gonna talk about in this particular course this afternoon is we're gonna go through just a brief welcome and introduction. We'll talk about who is ISACA? What's the CGEIT certification? Because I know many of you may be sitting in this class not sure if the CGEIT's for you,
if it's something you might benefit from or something you're interested in.
We'll talk about what the requirements are for the knowledge of CGEIT. We'll go through the exam registration process, the exam format, talk about what it takes to be certified,
and then we'll move into the course agenda. This being our first day, we've got some preliminary work to get done first and then we'll get into the material. We certainly will be talking about the CGEIT information, but we're gonna spend the first part really understanding what this course is and what it's gonna be.
So as I mentioned before, my name's Kelly Handerhan, and I'm gonna be the instructor for this course. I'm also the instructor for several other courses: the cloud security courses, um, CISSP, CRISC and PMP as well. And perhaps others in the future. Who knows?
I am the owner of a company called CyberTrain.IT, and you can reach me at kellyh@cybertrain.it.
Feel free to follow us on Facebook or send me an email if there are any questions or anything that I can help you with along the way. I'm certainly happy to help you with your studies.
I've been in the IT field for going on about 20 years now. I have, um, I started out in North Carolina in the Research Triangle Park area way back in the day where you could actually make a living as a hardware
technician and, ah, moved into the networking team, moved into network architecture and design, moved over to security, currently involved in doing a lot of consultations.
I moved up to the D.C. area about 10, 15 years ago in order to work for the Foreign Service Institute in, ah, their, uh, department
in working and actually was brought in to work on a migration that basically brought virtualization into our server rooms, going from having 17 servers down to five and virtualizing that environment. And of course now, a lot of the projects that I manage revolve around upgrading infrastructures or migrations to the cloud. That tends to be what a lot of the work is.
Um, so the information in this course, or, you know, so that's my background. The information in this course is really going to be an extension of what you're going to see in some of the other courses.
Really a nice mix of what we do in CISSP, CISM, PMP. It all kind of comes together like in a giant blender, so I think you'll enjoy this course. It's a lot of good information, and even if you're not interested in becoming a CISO down the line, I think from the perspective of
someone who's technical or someone who is kind of bridging the gap between technical and managerial, I think there's a lot of good information.
All right, so this course, ah, being examination prep for the CGEIT certification, and CGEIT is put out by ISACA. So it's probably a good idea to start by figuring out who is ISACA.
So ISACA: originally, the acronym was supposed to stand for Information Security, I'm sorry, Information Systems Audit and Control Association. Um,
and that was officially the term that they used in 1994. They've been around for a long time. It's kind of an interesting acronym because at first they were geared towards working with the manufacturing and the finance industry, providing controls and guidelines for audit. Um,
now they've moved over to information technology, information security,
and since 2008 they've gone back saying the ISACA acronym stands for nothing. So, you know, these acronyms change over time. Kind of funny. ISACA does other certifications: they do CISM, they do CISA, CRISC, and then, of course, the CGEIT.
Really, they're probably best known for CISM and CISA,
but the CGEIT certification is becoming more and more popular, and we'll talk about some of the reasons for that in just a few minutes. Oh, let's talk about them now, shall we?
So the CGEIT certification is currently, like I said, becoming very, very popular. At one point in time, I really wasn't getting requests to teach this course. And now I'm seeing it come up on the schedule more and more and more because what's happening is
as more and more organizations become aware
of the need to have not just enterprise governance, but IT governance within the enterprise, more and more organizations are looking to individuals that can demonstrate a standard degree of knowledge and understanding in that particular field.
So yes, absolutely. Not only is ISACA a very well respected organization, they've stood the test of time. They've been around for
60 years plus, but this is also a very well respected certification. It's one of those that, it's not a technical cert at all. It really more is going to require that you demonstrate a knowledge of governance, of
establishing the frameworks for an organization and serving the purpose of
a CISO or an ISO, um, in that capacity.
so other benefits. And and this is true of any certification that you get. I am a really big fan of certifications, not because I think because you're certified, you know everything. But I do believe that if you know what you're doing, a certification will help you get the interview
where you can show them
you know what you're doing, if you know what I mean. We've all heard the term paper certification. Some people are big fans of certs and others aren't. But what I believe is in, um,
difficult times when the economy is difficult and I have a lot of people out of work, and I'm sorting through resumes on my desk. If I've got 50 resumes, they go into stacks, certified and not certified. And then in the stack of the folks that are certified, I'm gonna look through and see who I think has the most experience and is the most qualified.
So I'm not saying get certified in lieu of knowing what you're doing.
I'm saying when you know what you're doing, get the certification so that you get the interviews, you get the promotions, you get the opportunities. Um, one of the nice things about ISACA certifications: it's not U.S.-specific. So ISACA is an international organization, and the CGEIT certification,
enterprise IT governance, right? That's not specific to one region, one country or one industry.
Every industry today needs the support of IT. It's just the way that we live. It's just the world that we're in currently. So this is the type of certification that will travel with you from industry to industry, business to business, company to company, um,
customers that understand and that are aware of the certification. This provides an assurance of quality just like any other certification. Now again, we can discuss that. Does a certification really guarantee quality? It doesn't guarantee quality,
But what it does show is that we adhere to a standard. We have a benchmark of performance and knowledge,
and that really does speak to clients, gives me greater opportunity for advancements and employers. You know, I live in the Washington, D.C. area, and many of the contracts that get awarded are driven by what organization
meets the requirements. Like, for instance, we may require that there are,
there is a PMP who is the project manager of a specific project I'm looking to hire for, or we may require that your organization, your CISO within your organization, have a CGEIT certification or this certification or that. So, like I said,
if you have the knowledge, go take the test, go get certified
and I highly recommend that. All right, so do you have the knowledge is the question. Well, as I mentioned before, this certification is really kind of a unique combination of knowledge because we have
the IT world, right, and IT management, and IT folks tend to be very IT-focused. We're very technical in nature.
We're very much focused on information security, and you know you can't be alive today without being aware of the many security breaches that are in the news every single week, if not every single day, it almost seems like.
So you've gotta have that understanding of the relevance and the role of IT within an organization and how to effectively manage IT resources.
But then you also have to be able to work with strategic planning and have that background in governance. So I have to be able to work with my board of directors and my other senior officers in order to
help determine the objectives of the organization, what the goals are, the risk appetite of the organization, what our basic mission is and what's the best way to get there.
So when we talk about strategy, we're thinking about that long term planning
and then also and I gotta tell you, risk management is critical in just about any field you're gonna work in today. You will be very hard pressed to find a field where you would not benefit from understanding risk management, and it's been a long time coming. But we're finally understanding
that risk management really should be the foundation of all our decisions.
Right, when we're determining what to do, what direction to go, what we need in terms of security or in budget or in function, or this, that or the other, we start by looking at: What are our assets? What are the things important to us? What are we trying to accomplish?
What are the things that could threaten those assets or threaten our goals and objectives?
What are the weaknesses that would allow those threats to materialize? And how can we proactively preempt those threats from exploiting our weaknesses? Or, you know, if we're just talking about actions and objectives, how can we proactively anticipate the things that could keep us from meeting our goals?
And what can we do about it, so that those obstacles and those hurdles are removed? And that's risk management. So
all three of these elements come together and are the basis for knowledge for the CGEIT. OK, so
specialties, you know, really combining: you need IT knowledge, you need governance and strategy, and you need risk management.
Okay, so you've decided you have the knowledge, the next thing that you want to do, and we'll talk in just a minute about what the requirements are. But I just want to mention that any questions you have about the CGEIT exam,
like, for instance, I'm gonna give you some testing windows. I'm gonna give you some broad guidelines about the exam,
but anything you need to know, you want to go to isaca.org.
They're really going to be the entity, that website is going to be able to answer any questions that you have. Um, the details come and go. What I tell you today, they may modify in three weeks or four weeks, if you're watching this as a recorded version or whatever that may be. So always double-check at isaca.org.
And when you're ready to register for the exam, it's isaca.org/examreg. You'll need to set up an account with ISACA, indicate that you're ready to register for the exam. You'll fill out some information, you'll go ahead and schedule it. Okay, here's a test-taking tip. You cannot
pass the exam if you don't schedule the exam.
Okay, so put the exam on the schedule. This is really something that you have your sights on. And if this is really a goal of yours and you very seriously want to accomplish a certification and add it to your credentials, the material that we go through in this course is designed to prepare you for the exam.
I'm not saying this is the be-all and end-all, but I'm saying we should certainly in this course cover the material that ISACA deems necessary to have this certification.
You want to combine that with some exam preparation. I'm not sure Kaplan has three exam prep or the practice questions for this cert, but there certainly are other exam prep utilities out on the Web, if you don't have those.
um, your knowledge, your background and your experience
Hopefully, you know, if you've had the time to be in this realm and this course will prepare you, So if you want to take the test, go ahead and put it on the schedule, commit to a date that gives you kind of that accountability. And I know that I never wake up in the morning and think
I'd like to take a test. I'd like to take an exam, but if I have the exam on the schedule, I will work towards being ready on that day.
Now something interesting with ISACA: um, not many years ago, they only offered their examinations two or three times a year.
And that was always odd to me. You know, at one point in time, they only offered it twice a year. They offered it once in the spring and once in the fall, man. And if you had an appointment that one day and you were sick the other, you just were not gonna be ISACA certified that year, and they got a lot of very negative feedback.
But, you know, sometimes by making something very scarce, it drums up interest. I'm not really sure what the philosophy was.
So now what they do instead is they open up testing windows. So the test is not available all the time, but certainly available much more than it was before. So currently, the testing window is from October 1st, which has already, of course, happened. I'm sorry,
the October 1st, all the way through January 24th 2019. So you can schedule that exam anytime in that time frame the next testing window. So after the 24th testing shuts down. But that's okay because it opens back up on the first of February all the way to the 24th
of May. So they have pretty large testing windows. You'll be able to get in there and take the exam when you want. Now they will be opening up third and fourth quarter testing windows.
They just haven't done so yet. So once again, going back to isaca.org will kind of keep you posted on that.
All right, what is the exam like, you ask? Well, it is 150 questions, and they give you four hours to complete the exam. These are multiple-choice questions. Um, you don't see,
sort of, drag and drop. You don't see any simulation tests. It's certainly not the type of test for that. However, you will see numerous questions of a reasonable length. You know, if you've taken maybe the CISM, you might see a one-question, you know, one-sentence question. You don't really see that on this exam. You're seeing much lengthier questions that are a little bit more involved,
a little bit more detail required, a little bit more thought. So you have four hours to complete 150 questions. You want to be mindful of the time. Not fearful, but mindful. You will have a clock on your screen as you're taking the test and you'll be able to see at
any point in time how far along you are.
Um, the questions really are designed to test your practical knowledge, to test your experience. There are a lot of judgment-based questions. But there's also just a huge, a huge amount of questions that are just based on ISACA's information.
ISACA says this, therefore
this and of course I pulled together that type of information that's really relevant for the exam,
and that's what we're gonna be covering here. But the point I wanted to make by that is just experience alone is not enough to be certified. You know, they'll talk about the Val IT framework and they'll talk about COBIT, they'll talk about, you know, some things from Project Management Institute and COSO and all these different,
um, frameworks. You definitely have to study. Definitely.
You want to spend some time preparing, but it's a very doable exam. So multiple choice. There is only one credited answer. I used to say, "Choose the correct answer," and stopped that. Then I'd say, "Choose the best answer," and stopped that. I now say, "Choose the credited response,"
because if you're like I am, you know best is very subjective. What is the best way to
You ask four engineers, they'll tell you five different answers for the best way to do anything, right? So what I want you to do is to absorb ISACA's guidance and ISACA's best practices. And that's what we're testing on. So again, it's not really a test of your experience.
It's a test of your knowledge
of ISACA's guidance, ISACA's best practices, their common body of knowledge. Your scoring is anywhere from 200 to 800. So the good news is, if you find your desk and are able to sit down in front of it, boom, 200 points.
Please do not contact me for help if you get less than 200. If you get 201, I'm happy to help you. But if you don't get the 200 at least on your score sheet, there's nothing I can do there. All right, now, top score is 800; 450 is passing.
I don't know why they do the scoring the way they do. Many organizations are kind of doing that, and I think they feel like the more vague they can be in how they score,
somehow that's a benefit, and I don't necessarily agree with that. But the questions are weighted. Not all questions are weighted equally. Everybody wants me to say, "Hey, if you're getting 78% on these test questions you'll, you know, you'll go pass." You just can't do that with this exam.
The best thing I can tell you is study the material that you have, review, review,
practice exam prep questions so that you can make sure you're thinking about things in the mindset of ISACA. Schedule the test and go do it.
Also make sure that you answer every question. You can mark questions for review and come back to them later. But before you ever go past a question, always put something,
put C, don't care, B's good too, but put something before you move forward just on the off chance that you don't get to go back and review your answers. And sometimes that happens. At least rather than having a 0% chance of being right, you've got a one in four chance.
So before you move forward, even if you want to think about it later and come back to it,
click on some button to at least have an answer in case you don't get back to it.
All right. Now, uh, the next piece is to make sure you understand that passing the exam is not enough. Although, I'll tell you, really that's the hard stuff, right? Getting past the exam. And absolutely, when you pass it, you get that 450 and up,
yay, but you're still not certified. You have to submit to attest to the fact that you have five years' experience in and around the realm of IT governance,
at least one year of developing or maintaining an IT governance framework. So basically, what they're looking to do here is that this certification is to complement your resume as a CISM, right? You can't just walk in off the street and say,
"I think I'd like to be a chief information security officer." Actually, you can, but you're probably not gonna do very well in your career, so I don't recommend it. So basically, you've got this experience. This certification is going to work very nicely with the experience that you have and is going to attest to the fact that
you understand ISACA, the many types of IT governance frameworks and enterprise frameworks that are out there.
So submit the application. You do have to provide two references.
The references could be checked at any time. Before I put anybody down as a reference, ever, I always give 'em a quick call or send 'em an email and just make sure that they know that they're on my friend list and will be getting a Christmas card in the mail from me, as well as
having the wonderful opportunity to verify the employment that I've listed. So give folks a heads-up with that, of course, and then submit those two references. You will also have to agree to the ISACA Code of Professional Ethics.
So ultimately, by the time you sign up for this exam,
you have to sign that code of ethics. The code of ethics is on ISACA's website. Go ahead out there, peruse it before you test. Code of ethics questions are always testable on any exam that you take, so keep that in mind as well.
All right. And once you get your CGEIT certification, just like most other certifications, you do have to maintain it. Now, the great news is you don't have to retest every little bit that you, you know, every three years or however many years your certification. You can maintain that through continuing
professional education units,
Great news: the courses here at Cybrary will satisfy those requirements. So it's not like you have to fly off to Washington, D.C. and sit through a class physically. OK, you are able to take that course
on Cybrary. You get your certificate of completion that attests to so many continuing education hours.
Once again, if you want details on how many hours across what period, go ahead and go to isaca.org. Usually it's about 40 per year, 120 per three years. Again, that's just kind of a generic standard. Go to isaca.org to make sure.
As we have kind of wrapped up, or are wrapping up, some of the preliminary work here, we want to talk about the course agenda.
So the material that we are going to be covering in this course and then, of course, how relevant it is to the certification exam. And you can see right off the bat that not all domains are created equally. The very first domain, the framework for
enterprise IT governance, or framework for the governance of enterprise IT, is the single most testable topic.
now. It's also very interesting that it's closely followed by risk optimization, because again, every decision we make should be founded in risk management. So when we talk about the framework for governance, what we're looking at is we're talking about the structure.
We're talking about the support we're talking about providing the foundation
to govern IT within an enterprise. So what we want to make sure that we do is, oh, what our focus is gonna be in that chapter is just really understanding: what is governance? What are some of the governance frameworks that we might work with?
Things like COSO and Zachman and SABSA and some of the ISO 27001 frameworks.
But really even bigger than that, talk about the strategies of governance and the purpose of governance and the problems we're trying to solve by bringing in IT governance in addition to enterprise governance, and what are even the differences there. So domain one,
huge for the exam. We want to make sure that we have a good understanding of that.
All right, domain two, strategic management. When we talk about strategic management, we're talking long term. What are my long-term goals? What are my long-term... what's my long-term vision? What's my strategy?
So strategic management, through governance, is making clear throughout our organization our vision
and putting the mechanisms in place so that we can ultimately accomplish those objectives. Now, in addition to that, we have to provide oversight. So we have to continuously monitor the mechanisms and the controls that we've put in place. Our vision constantly has to be on
reaching the prize, right.
Where do we want to be in five years governance and by implementing my strategy, my road map, how we're gonna get there,
all right, benefits realization, and it's kind of interesting that that's one of the lower areas because, you know, it's all about the benefits, what's in it for me and more specifically, not for me so much. But what's in it for the organization? Because when we bring in a new element of governance,
there's overhead. There's additional staffing there, additional processes.
There's additional training, you know, there is some overhead by structuring IT governance in addition to enterprise governance. So we have to talk about the benefits of doing so.
at any point in time? If the cost outweighs the benefits of what I'm doing, I need to scrap what I'm doing
Right? You know, if at any point in time getting out of bed in the morning is riskier than me staying in bed, then maybe I'll just take the day off, right? So benefits realization is important, and I think the reason maybe that it's less testable per se is because benefits realization
really is covered to a degree in governance framework and IT governance. You know, we have to talk about why we're doing it when we talk about those elements, and we have to talk about how that brings value and adds value. So I think that specific to that domain, maybe you don't see a ton of questions,
but as a general rule, I think that it is
a testable idea. All right, risk optimization: risk management, risk management, risk management. I just mentioned cost-benefit analysis. You know, what we're trying to do with risk optimization is to safeguard our assets. Or as I like to say, CYA,
cover your assets, right? We're gonna protect those assets that are ours
that, you know, again, that's tied into benefits realization, that's tied into resource optimization. We're gonna protect those entities that are ours, create a policy. I should understand the role of an IT framework within our organization. Right? There might be some tasks and the knowledge statements
necessarily to a specific activity that I'm gonna perform. But my knowledge statements would be things that I should have an understanding of. I should be able to step back and say, OK, I get what this big picture was. All right, so we'll start by covering the task and the knowledge statements,
and then we're gonna move into just talking about
IT governance. What is IT governance? Again, we kind of touched on it, but we've just hit the tip of the iceberg. So we're gonna define IT governance. We're gonna talk about how it fits into enterprise governance. We're gonna talk about the benefits that it brings. We should talk about
the structure that it should bring to an organization.
So, you know, the framework's gonna make sure that we have a consistent,
objective, driven set of processes and activities in place to be in alignment with the enterprise framework.
All right, we'll look at some existing frameworks out there. Like I had mentioned, there's COBIT, there's, ah, ISO 27001. There are all sorts of different frameworks that might apply to us based on our industry. And we'll talk about those frameworks
in the type of structure and foundation that they provide for us.
And then we're gonna talk about enterprise architecture, and specifically enterprise IT architecture. And when you look at the term architecture, what we're looking at is how all the elements of our enterprise ideally come together and work towards a common goal,
right, and that common goal is to reach our strategic objectives
to satisfy the goals of our organization, to be where we want to be in five years out, whatever that may be. So ultimately, what are those elements within the company, within the organization as a whole? And what is the role of IT in the grand scheme of things?
we'll also talk about various control types and a control environment
We'll certainly discuss the importance of communication, communication, communication,
essential and not just the fact that we do communicate but how we communicate, um, through our policies and our procedures. The wording of those policies and procedures, standards and guidelines being very, very important, critical
to how they're perceived by our users. We'll talk about good communication strategies,
and then last but not least, in this chapter one or domain one, is managing change. The only thing permanent is change. There's always going to be change. Now, environmental change, organizational change, system-based change:
There has to be a process for everything
It's not that change is bad, but unmanaged change is bad. So within governance we have to provide a framework to allow change to happen while still being controlled. Okay, so each of these elements are what we're gonna discuss
in this particular domain. And like I said, we won't be able to finish this entire domain today by any stretch. But
we'll get into it.
Pause for coffee. I'm gonna also pause while you appreciate the Boston Terrier coffee mug that I have. It is my goal to have a new and more ridiculous coffee cup every time we meet. So I'll set apart. I'll set apart for that is my mission.
And then the problem with having a really good mic is, I'm sure you guys can hear every swallow that I make, so sorry for that.
with our task and knowledge statements,
like I said, there's certain activities that we should feel competent in performing. So establishing a framework for the governance of enterprise IT, that's kind of the whole purpose of this certification. So what's that really gonna look like?
Well, we're gonna have to be able to examine existing frameworks
right? And determine which framework is gonna meet the needs of our organization as a whole. Which framework is gonna be best to help us reach our objectives and then taking that broad, foundational guideline and working towards it? Right, So we know where we are. We have an idea of where we want to be.
How do we close that gap? And you'll hear that term sometimes referred to as gap
analysis. Right. Here's where I am. I know where I wanna be. How do we close that gap? Well, we're gonna close that gap through implementing a security program, or we're gonna perhaps by using, ah, policies and procedures, standards and guidelines, a grouping of controls to
impact the environment in which we exist.
Okay, so we're gonna establish that framework. We'll look at being able to decide which framework is most relevant for us and then how we move towards implementing the framework.
All right. Identify requirements and objectives, again, within the organization. If we're gonna implement a framework, if we're gonna migrate from an existing environment to a new environment, we're now going to be,
um, working towards CMMI level three or we want to get ISO 27001 certified, whatever.
This is very much going to be a project and we need to manage that as a project. So a huge part of a project, of project management, starts with understanding the requirements. What are our requirements? What are our critical success factors? What are the objectives that we're hoping to reach
by making this transition
to establishing this IT framework? Hey, we want to make sure that our planning is repeatable. What we put in place isn't a one-off, so to speak, right? We want to implement policies, procedures, standards, guidelines.
We want to implement an architecture and have all of these elements work together
for consistent and stable environment.
Methodical, well defined, repeatable. All of those elements are essential to what we're doing.
We also want to be able to create an environment where we have clearly defined roles and responsibilities. Separation of duties is essential in an organization. Frameworks mandate separation of duties. Most frameworks will require an audit to ensure that
individual roles are clearly defined and delineated.
And to make sure that you have a reporting structure and audit structure, security structure, you know, that there's a place for everything and everything in its place, so to speak, as far as roles within the organization. So we should have the knowledge and understanding of the various elements and determine, hey, this is a job for,
um, the chief information officer. This is something the chief operating officer would be responsible for, and so on.
And then another thing that we should be able to do within our organization is to sell IT governance. And what I mean by that is we should have a clear understanding of the benefit of IT governance. And we should be able to articulately express that to our board of directors,
to our other senior managers and officials,
and we should be able to demonstrate.
what's the word? Elaborate on the goals, the benefits of
All right. And then our knowledge statements. You can also say, you know, I always think of this as, by the end of domain one, I solemnly swear that I will understand IT frameworks. I will understand the various industry standards. Now, of course,
standards are different for every industry. You're not expected to know every industry standard, however, understanding how
industry standards and best practices, by knowing those, that's gonna satisfy due diligence. And when we act upon those and implement the framework so that we can maintain compliance, that's showing due care.
We'll also look at the various business drivers. What makes our business tick? Why are we in business day to day? How do we evaluate ourselves as being successful or not successful? Well, certainly, profit is very often part of that equation. But it's not all.
You know, what is our reputation in the industry? What's the recognition of our brand? What's the amount of goodwill we have in the community? There are many other things other than profit that are important to us as an organization, that are important to our shareholders. So
what are the drivers that drive our organization?
All right, we'll talk about SWOT analysis: strengths, weaknesses, opportunities and threats. What are our strengths? What are our weaknesses? What are those opportunities we can maximize? And how can we minimize the threats?
Again, we'll talk about principles of enterprise architecture and how those elements are gonna come together. Already talked about change management, and then monitoring and reporting. Sadly, monitoring and reporting is one of those areas that often gets overlooked or kind of swept under the rug.
Anything that we implement, we have to have expectations for
we have objectives. So when I move towards implementing an I T framework within my organization. Why?
What am I looking for?
I'm looking for an improvement. That means nothing, right? We have to have well defined objectives. We have to define how we're gonna measure to determine if we're meeting those objectives. We have set time frames and timelines. So ultimately, what this comes down to is
we have to measure to determine if the controls we're putting in place
are meeting their objectives, monitoring and reporting.
All right, so I think that is a sensational time to take a break. Let's do this. It is 3:44. Usually we take about a five minute break. I'm gonna go crazy, 'cause today's a Tuesday, and we're gonna take a six minute break. So if you'll be back at
3:50, we're gonna pick up, and we're going to get into the exciting and fascinating world of IT governance.
So be back at 3:50. Stretch your legs, get some more caffeine, and, uh, we'll see you then. All right. Thanks.
Uh, glad you came back. Sometimes that coffee pot can be so very attractive. It's hard to leave. I understand that. So, uh, hope you got a refill and are ready to go.
So like we talked about prior to break, um, you know, certified in governance of enterprise IT. Well, we want to talk about the ideas of governance and what IT governance is versus enterprise governance. So let's just start out by getting some definitions of the two.
And these come from ISACA, so that we can have this understanding in the context of ISACA.
So when we talk about enterprise governance,
the method by which, and I'm not usually one to read sentence by sentence, but let's take this, since these are direct quotes from ISACA and the topic is governance. So the method by which, that should be "an enterprise," not "end enterprise," but the method by which an enterprise ensures, and here are the important pieces.
We want to make sure that stakeholder needs
options, opinions are evaluated. Doesn't say are achieved, right? You can't achieve the need of every stakeholder. You can't, um, you can't make everybody happy, right? So to determine balanced, agreed-upon,
Right? So we want to accomplish the balanced, agreed upon enterprise objectives. And how do we know what those are? We look at our stakeholders, we have We take their needs
into consideration. We evaluate the stakeholders because not all stakeholders are created equal. We prioritize our stakeholders
and those key stakeholders come to an agreement about,
the strategic direction of the organization. So this is going to involve making sure that our organization is faced in the right direction,
that we have priorities that are established within our organization and ultimately that we continue to move forward, making sure that we maintain compliance with legal and ethical standards and
ultimately work towards meeting and satisfying our objectives. Okay, so the big pieces there: stakeholders are gonna have to have a means of inputting, or we're gonna have to have a way of soliciting or listening to stakeholder
information, stakeholder concerns, stakeholder opinions.
Ah, stakeholder feedback. We're going to have to find a way to balance those stakeholders because there are many within an organisation. These are the folks to whom we want to deliver value, so we deliver value and one means simply by helping them meet their objectives.
So that's where the organization as a whole, you know, to set the direction of the organization, to determine what our organizational priorities are,
what we're trying to accomplish as a business. So within the organization, and like we said, every organization that we work within today is gonna have an IT structure, right? It just can't be in business today without some sort of IT support. So when we look at IT governance,
a view focusing on, of course, that our information and technology resources,
our IT, are working together within the enterprise strategy, and that the technology that we use helps bring us closer to satisfying the objectives of the enterprise. Now, I know that sounds like a no-brainer, right? Technology should help and not hinder. But that's not always the case.
Sometimes we have technology that's not working properly. We're not maximizing the benefits of. And I'll tell you, with our technology, look around today and look at some of the information security breaches you've seen and tell me.
there has been a major hotel chain that had a compromise of over 500 million
accounts. And let me ask you, if you think technology has helped them or has hindered them in meeting their organisational objectives. Because I can tell you when you go to the media and have to report a compromise of 500 million customer accounts, your stock is gonna take a little dip, right?
We want to make sure that the technology that we implement supports the organization and helps move us to our enterprise objectives. We also want to make sure that the IT capabilities are managed well, our resources are utilized properly.
We are protecting our organizational and informational assets.
So IT governance is simply a subset of enterprise governance.
All right, now, how do we know if we're gonna have a successful, uh, program? How do we know that IT governance is working, or more specifically, that it's not working, or we may not have IT governance in place right now?
So if we're looking at moving towards ah,
an environment based on IT frameworks and that are gonna
more closely control our technology usage, how will we know what has to be in place to make this successful?
Well, just like we talked about, IT governance has to be a subset of enterprise governance, meaning we gotta have buy-in from the board of directors, from the chief officers, from steering committees. We have to have buy-in from our major stakeholders. They have to understand how significant
a role technology plays in an organization or enterprise being able to meet our goals,
and they have to support it.
And what that means is when we talk about this idea of integration being an integral part of enterprise governance, we have to stop thinking about business operations and IT operations. Business operations are IT operations and IT operations are business operations.
And the sooner that we understand that.
And we stop treating these as two different sides of the house and we bring technology in to facilitating the organization meeting our goals, the better off we'll be. And that really is a critical requirement for the success of IT governance. And that comes from senior management buy-in.
All right roles and responsibilities must be well defined.
Absolutely, we have to have clearly defined roles and responsibilities. Those roles and responsibilities have to be separated in such a way that no one individual has too much authority or too much power. We have to have mechanisms in place to ensure that
critical functions and critical,
um, actions are safeguarded against again. That idea of the abuse of power,
roles and responsibilities have to be clearly defined. The other problem that that solves is the finger pointing between departments. Everybody thinks they know what they're doing, and then there's compromise
and, you know, there's some sort of breach or some sort of malfunction or something doesn't go the way it's supposed to. And then, you know, we do some investigations. What we generally come to is Department A says, no, that was Department B's responsibility,
and then Department B said, no, that was Department A's responsibility. And so what that generally tells us is we have a gap either in our roles and responsibility definitions or in our understanding of those definitions.
Um, governance must be ongoing. This isn't something that you do, you know at one time governance is an ongoing activity. It's an ongoing set of processes. We, you know, we do our research in our due diligence
and we work towards building a framework. We implement that framework we build upon the framework and then we continue to monitor
throughout, so it's not a one time thing. It's a continuing set of processes. And then we also have to have plans for governance in relation to continuity of the business In the event that there's some sort of disruption. You know, making those plans for continuity of operations is an important element.
All right, so one of the things
that I mentioned as far as task statements is that we need to be able to sell information security governance. We need to have a very clear understanding of the benefits of implementing security governance within an organization because it's gonna take resources,
it's gonna take up time to implement information security governance. It's going to, and not just information security governance, information technology governance. You know, it's hard to say technology without saying security today, and it's hard to say security without saying
technology if you're in the information assurance field. So this could read benefits of information technology governance as well:
value realization. Having technology that works for us instead of against us, technology that facilitates the accomplishment of our goals, cost savings, risk-aware business decisions, having better control, better understanding of the processes and of technology,
being able to monitor and establish metrics that will tell me, Are my objectives being met?
Or do I need to move another direction? Being able to justify expenses and determine what best is gonna meet our needs in the future. You know, all of these are benefits of IT governance, and a million more things, right? I mean, we could go on and on and really name
the benefits of governance.
Now, the drawback is, any time we implement something new, every time we move to a more structured environment, that's change, and change can be difficult. Many people resist change. I mean, there are people that, if you give them a million dollars, will say, ugh, that means I have to buy a bigger wallet, right?
And employees, we get very comfortable in our existing environment. We don't tend to like change.
So there's some drawbacks with moving towards a more controlled framework and structure. But the benefits for the organization as a whole should far outweigh the drawbacks.
All right, now, when we talk about the IT, when we talk about the focus areas for IT governance, there are really five big focus areas, things that we want to accomplish here. We want to make sure that we're in strategic alignment with
the business. That's gonna come up so many times,
especially for folks in IT. Sometimes we get lost in the technology. We have technology for the sake of technology. Um, we like the biggest, best, fastest, loudest equipment. We want to be cutting edge or even bleeding edge. And that's not just techies down in the basement.
I've seen CISOs that really want to be at the forefront of technology, and that's okay.
If that supports the objectives of the business, we want to be known as an industry leader and we're risk aggressive. We have a huge capacity to absorb risk. That's one thing. But ultimately what we have to do is we have to start by knowing the business, what's the environment of the business
so that we can determine how IT can best meet those goals.
All right. Um, and as a matter of fact, each of these, we've got slides for them across the next couple of pages, so I'm just gonna... Okay, IT governance and strategic alignment. We've already talked about that, but making sure that there's collaboration between the business units and IT
to make sure that technology
is there to serve the business. A lot of times, like I mentioned before, there's that divide between the business and IT, or business units and the IT department. As a matter of fact, sometimes they're butting heads because IT tends to be very technical.
Maybe doesn't like to talk in terms of the business but likes to talk in acronyms. Lot of techies like acronyms.
But what we want to do is facilitate,
and the collaborative functions between those two elements to work together because we're all working together for a common goal.
All right, we want to deliver value, Of course we do for our stakeholders, and we want to maximize our return on investment. So for everything that we put out, we want something in return. And remember, it's not always dollars. Sometimes we spend money not to increase profit,
but maybe to increase goodwill in the community,
maybe to increase our brand recognition, maybe to maintain compliance, whatever that is. But we want to make sure that we're maximizing our return on investment, so we're not just doing things off the cuff. We have a set of objectives that we work towards as an organization. We're all on the same page.
Wanna maximize, I already said this, maximize the benefits, minimize the associated losses that are tied to IT. And I can assure you, when you look at an organization that has a substantial compromise of account numbers, credit card numbers,
customer information, patient information, financial details,
that's an organization that's going to suffer drastically. And it's not the IT department that's suffering, other than the fact that we're working nights and weekends and very long, very hard hours. But it's business that suffers.
There was a hardware based company that's a major national retailer, and, um, they had a vulnerability assessment conducted by an external third party,
and that third party came back and said, look, here are the vulnerabilities that we found. And that third party company that conducted the assessment was essentially told, listen, you know what we do here? We sell hammers.
I'd like to sell more hammers. I'd like to sell a variety of different hammers to more people. I'd like to buy them cheaper, sell 'em for higher prices. That's what we do.
And the gist of what that manager was saying, well, that executive officer, it wasn't just a manager of the store. This was at the corporate level. But essentially what he was saying is, listen, I don't want to deal with IT. I'm not here to talk about computers and talk about malware and all that stuff.
I just want to focus on the business.
Well, ideally, IT governance is gonna help me focus on the business. But if I ignore IT governance,
the technology and how we use and protect our informational assets can take the business down. Right, so the technology is there and can offer tremendous benefits. But for too long, we've said, let the IT department take care of it.
All right, so that's value delivery. Risk management, the importance of risk-aware business decisions, and, um, risk optimization is its own chapter, so I'm not going to spend a ton of time on risk management here, and I've hit these ideas before.
Figure out what your assets are, what they're worth.
What are the weaknesses and the threats? What's our potential for loss?
How can I implement controls? The main purpose of risk management: safeguard your assets, right?
Figure out what the weaknesses are and how to protect them in a cost effective way. Also keeping in mind there is always a trade off for security. Security always costs you something.
What's it gonna cost you
so it could cost money?
Um, it could cost time. Could cost performance. Could cost backwards compatibility. Usability. Absolutely. So the bottom line is when we implement security mechanisms, and we can talk about those in, um, you know, the context of information security,
there is always a cost.
So let's make sure we understand the costs. Because I've worked for organisations that have so much security. People feel like they can't do anything.
And generally that's the basis of an IT department or an information security department having too much control within the organization, not properly understanding their role in supporting the business.
As an IT person, you know what I would like? I would like you to unplug your computer, powered off, sitting in your closet, and lock your closet door.
I have just given you a secure system, right? And IT wants to lock down resources. Not necessarily IT, but the information security team.
That's what we think about doing is how can I limit our vulnerabilities? How can I make ourselves resilient to threats? But the business says technology should be here to use when we need it, and it should be accessible.
So who's correct? Well, the answer is the truth's in the middle, and we need that collaboration from business units and our IT department to work towards the common goal. All right, so risk management doesn't mean we go all out and ensure no threat will ever materialize.
What it means is a balanced trade-off between safeguarding my assets
and enhancing the business operations.
All right, IT governance and resource management. Again, we have limited resources, let's use them well. And resources can be people, it could be money, it can be material resources like,
you know, systems, assets, inventory, whatever
we want to make sure that we are managing our resources well, that we know what type of technology we have,
that we make sure that change to the technology is controlled. We make sure that we present a stable environment. So we manage those IT resources. We make sure we know how much inventory we have. We have a means of tracking inventory.
We want to make sure that we know what our most critical assets are so that we direct our efforts and our energy to protecting those most critical assets.
And then performance and governance. We're going to get more detailed. We're gonna talk later about key performance indicators and key risk indicators. So I just want to reiterate to you, yes, performance and governance should go hand in hand.
Oversight means I'm verifying.
I'm continuously monitoring to ensure that we're meeting our objectives.
All right, now, a couple of terms here
measuring, monitoring, controlling and reporting. You know, those words are often used together, and I just want to kind of give you a little definition for each of those. So when we talk about measuring,
we're collecting data
measuring is collecting data.
And by that I mean just the facts. I am documenting this measurement. My processor utilization, on average is 22%.
I don't know if that's good or bad. It's just the fact. Here is my, um, here's the total number of inventory that we have currently in stock. Good or bad? I don't know. Here are the versions of software that we're running, right? I am just documenting. I'm just recording data. Plain data. It has no meaning.
When we look at monitoring, we're trying to put that data in context. What I'm looking to do is to see,
you know, I'm looking for variance analysis, really. With monitoring I'm doing variance analysis. Variance analysis: what are my expectations versus what's actually happening?
Why is my processor utilization at 22%? It's normally at 3%. Well, that's a problem. Or, hey, you know, it looks like we're being a little more efficient. Processor utilization is normally at 26%, dropped down to 22%.
Right? The idea is, monitoring takes that data and puts it in context to give us information
through variance analysis. Alright. Controlling means making adjustments.
Okay, so we monitored. Maybe we've determined we're not meeting our objectives. Maybe we need to fine-tune, um, access lists on our firewall. Or maybe we need to make some adjustments to how, um,
we're distributing our software updates.
Hey, so controlling means we're modifying. And, of course, reporting means we're sharing communications in an easy to understand format. And we're sharing that information with our stakeholders as appropriate. Of course.
So measuring gives us data, monitoring gives us information, controlling means we're adjusting. We're making adjustments based on variance analysis. And then reporting, we want to share information with our stakeholders in a manner that they can understand.
All right, now, the next piece understanding our frameworks,
All right. Frameworks, frameworks, frameworks. So, what are frameworks? What are some existing frameworks? Why do we need them? What will they do?
Okay, so enterprise governance frameworks and information technology frameworks. So what we're looking to implement is a system of internal controls,
and ultimately, those internal controls need to work together, of course, to help the enterprise accomplish its objectives, meet its strategic goals.
you know, this is this sort of general, nebulous concept of our strategy. And you know, our goals to really give us well defined action steps in order to meet those goals, if you will. So to put in that supporting structure so that we can accomplish our objectives.
All right, so we're gonna need a control environment. We're gonna have to use risk assessment. Already talked about that. We're gonna have various control activities. We're gonna have to communicate information with our stakeholders, and we're gonna have to monitor. This really shouldn't be new, but
let's go ahead and just go through these
when we talk about our control environment. So this is gonna be the structure that all of our controls are built upon.
Hey, we want to be able to, you know, what is governance about? Yes, meet objectives. But we want transparency. We want to be able to provide reliable reporting, financial reporting, business reporting to our stakeholders that are internal and external.
We want our employees to know where we stand and we want our customers to know where we stand.
We want to operate business efficiently and effectively. We want to move about accomplishing our goals.
Risk assessment already talked about. The main purpose here is to safeguard our assets in a manner that is cost effective
control activities. We want to make sure that we implement controls as driven by risks. Okay, so when we look at risk and we say All right, this particular risk is greater than we're willing to accept. So we need to mitigate, while the way we mitigate those risks is through controls,
whether they be administrative controls like policies and procedures. Which is, of course, what we're most responsible for
as governing entities, but also technology controls. Also physical controls, facility controls and so on. How we're gonna implement controls is through a security program, and the foundation of the security program are the policies, procedures, standards and guidelines that we create.
Um, information and communication, again, with both internal and external stakeholders. We want to make sure that we're communicating with the important individuals, with the key stakeholders, but also that we're communicating the correct information.
You know, if you've ever been in a staff meeting, where the information that's there really isn't relevant to you
and the problem with that is, it may be relevant to you, but there's a real lack of connection between what's being reported and why it matters. So part of our framework's goal is to make sure that we're able to effectively communicate
what we're doing and how that's going to impact our long term goals and objectives and being able to meet those.
You know, how training of our employees, you know, when we train our employees, how does that ultimately help them understand the organization better
and, ideally, help them operate more efficiently and effectively? And then monitoring. Said a lot about monitoring. Um, and depending on your agency, there may be
third party, or there may be requirements for monitoring, right? We may have to submit to audits,
or it may be in the benefit. It may be to our benefit to submit the audits. You know, if I'm a cloud service provider, I want to make sure that I submit the various audits so that I can provide assurance for my customers.
Um, you know, we'll talk later about SOC, service organizational control reports, that are specified from SSAE 18, that's referenced here at the bottom point. But that's the Statement on Standards for Attestation Engagements.
So basically making sure that third party entities are providing the appropriate controls. So again, a cloud service provider, that would be certainly very relevant. But if I have to be adherent to PCI DSS,
or if I'm compliant with, if I have to be concerned with Sarbanes-Oxley compliance, and so on.
So again, just being able to provide monitoring, to be able to provide that transparency to my employees, to my stake- and stockholders, all of those pieces are essential.
Up, look at that. That is the material that we wanted to get through today. And I just want to make sure that the things that we talked about kind of sunk in, to see what you're retaining. So I have just a couple of review questions for us to go through. Let's see how we do on these.
All right, does everybody have their thinking caps on? Because we're gonna start with review question number one.
Which of the following processes ensures that all vital assets and resources of the organization are safeguarded?
We look at defining resource requirements. Well, that's not really about protecting our assets, right? That's more about making sure we know who does what and how many resources we need.
Cost estimation? No, that's about budget. Vendor contract administration process? No. But how about risk management? Risk management looks at the threats and vulnerabilities and is going to be there to support
mitigating strategies and mitigating controls. So the answer to question one is
risk management for the win.
All right, question two. Paul has been asked to complete a SWOT analysis for his solution scope. What does SWOT mean? And that stands for strengths, weaknesses, opportunities and threats. So the answer there is B, as in Bravo.
How are you guys doing? Are we two for two?
Moving on to question three. Which of the following processes uses statistical evidence to determine progress towards specific defined organizational objectives?
So, statistical evidence. We are measuring. We have a defined objective. Are we reaching that objective? That's what performance measurement is all about. The answer is C, Charlie.
All right. And then that brings us to question four.
Which of the following components work to support achievement of the enterprise's mission, strategies and related business objectives in an internal control system?
each correct answer represents a complete solution. So with this question, um, on the exam, they only have you choose one answer A, B, C or D.
Okay. This, however, is multiple choice, and this is one of those dreaded choose all that apply.
So basically, this question is asking us, you know, out of these four, which one or multiple is going to help us
achieved the enterprise mission,
achieve our strategies, achieve our business objectives in an internal control system?
So certainly our control activities are in our control environment.
Risk assessment is going to drive the control activities, but strategic alignment should have already happened. This is a tough question because all of these, A, B, C and D, are all important elements. But when we're talking about achieving the enterprise's mission, strategies, the idea is, we already have
Now what? We already know what we're trying to accomplish. So that's where we conduct our risk assessment. We implement controls and we control the environment, which we operate. A little bit of a tricky one
And then last but not least, question five. Which of the following domains of CGEIT aims to guarantee that the IT function remains aligned with the organization's strategic objectives? That's exactly what IT governance framework is all about. Making sure IT stays
with the enterprise as a whole. IT governance is a subset of enterprise governance.
That's a lot. We've covered a lot of information, and absolutely some of this information is a bit repetitive because that's the first day. And we're really trying to lay the groundwork for everything that we want to do. And I think we've done so. I think we're pretty firmly rooted in the role that IT should play within our organization,
the significance and the importance of IT governance
and risk assessment in the role of all that we play. So we're gonna go ahead and wrap things up for the day. I'm really glad you chose to spend the afternoon with me. I hope this class was helpful. I hope it was informative. And I hope you'll come back to join me on Thursday at three o'clock, same bat time, same bat channel.
we'll do this again and we'll expand on
what we've laid out for the day and will continue to build. So hope you have a terrific afternoon. I wish you a great rest of your week. Hope to see you on Thursday.