IT Governance in Higher Education, by James Yung (presentation transcript)
IT Governance in Higher Education: “What is it, and how does it benefit your Institution?” Pre-Conference Seminar – June 23, 2007
Presenter: James Yung, CISA, Associate Director, IS Audit, Harvard University Risk Management and Audit Services
What is IT Governance
IT Governance at Harvard University
CoBIT in Assessing IT Governance at Harvard
What does IT Governance mean to you?
Is IT Governance happening in your university?
What are your key challenges in IT Governance?
How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER: Inefficiently, ineffectively and not as well as they should. ~ Source: Educause – IT Governance in Higher Education 2006 ~
What is IT Governance?
It’s about organization leadership
Decision making that leads to better alignment of IT and the business
IT delivering more business value
IT resources are used responsibly
IT risks are managed appropriately
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
Providing strategic direction
Ensuring that objectives are achieved
Ascertaining that risks are managed appropriately
Verifying that the enterprise’s resources are used responsibly
IT Governance, as Defined by the IT Governance Institute (ITGI)
The responsibility of the board of directors and executive management
An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives
Board and executive: set direction for IT, monitor results and insist on corrective measures
Business management: defines business requirements for IT and ensures that value is delivered and risks are managed
IT management: delivers and improves IT services as required by the business
IT audit: provides independent assurance to demonstrate that IT delivers what is needed
Risk and compliance: measures compliance with policies and focuses on alerts to new risks
IT Governance at Harvard
Harvard University Facts
143 Research and Academic Centers
Approximately 7,000 Undergraduate and 13,000 Graduate Degree Candidates
More than 19,000 Faculty and Staff
$623M Sponsored Research
$2.7B Operating budget
IT Governance Risks at Harvard
Wrong IT strategy precludes growth and operational sustainability
False starts and wasted resources (i.e. money, time and productivity)
Fragmented IT planning
High project implementation failure rates
Lack of disaster recovery planning
Why Audit IT Governance at Harvard
IT is strategic and critical to the university reputation and success
Compliance with numerous regulations (FERPA, HIPAA, GLB, PCI, etc.) depends on effective IT controls
Expectation and reality often don’t match
IT has not received the attention it deserves
The Need for IT Governance at Harvard
Drivers: Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance
Millions of dollars in IT spending
Decentralized IT computing and business operations
Increasing numbers of severe security breaches
IT ability to scale and sustain operations
Various IT delivery models
Regulatory compliance: SAS 112, FERPA, HIPAA, GLB, PCI, etc.
Stakeholders need to know that:
IT strategy is aligned with school strategy
Schools and IT are effectively communicating
The organization is structured to facilitate the implementation of its strategy and goals
Risks and opportunities are effectively managed
Performance against objectives is transparent
Risk Management and Audit Services Mission: “To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the University’s Business Practices and Academic and Research Activities”
Evolution of RMAS IS Audit (level of complexity from low to high; value add from tactical to strategic)
System-Based Audit (pre-2000)
Objective is to audit university critical systems based on high, medium or low risk criteria.
Audit of network, servers, access controls, change controls, BCP/DR
Integrated Audit (2000)
Objective is to assure information technology controls are enabled to support the business process.
Audit of applications, servers, access controls, change controls, BCP/DR
IT Governance Audit (2006)
Objective is to ensure IT strategy is aligned with business objectives.
Audit IT processes, management policy, procedures and compliance.
Audit IT internal controls and security management.
CoBIT and IT Governance
Control Objectives for Information and related Technology (CoBIT) is an international standard for directing and controlling an enterprise’s information technology. CoBIT sets the standards for measuring IT Governance process maturity.
The four CoBIT domains:
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Basic CoBIT Principle (diagram): Business Requirements drive IT Processes (grouped by Domain), which use IT Resources; each process is rated for Process Maturity.
Benefits of CoBIT
CoBIT offers an IT Governance Auditing Framework
Internationally recognized standard for best management practices and processes
IT risks and IT controls are easily communicated to IT and non-IT professionals
CoBIT Framework
The CoBIT framework was created with the following main characteristics and drivers:
Performance: Business Goals
Conformance: Basel II, Sarbanes-Oxley Act, etc.
Enterprise Governance and IT Governance
Best Practice Standards: ISO 9001:2000, ISO 17799, ISO 20000, COSO, ITIL, Balanced Scorecard, Security Principles
QA Procedures, Processes and Procedures
CoBIT Approach In Assessing IT Governance At Harvard
A premier school in transition:
Changes in academic curriculum
Aggressive recruitment of faculty
Campus expansion and facility improvements
Decentralized to centralized IT operations
Focus within two primary areas:
IT Governance: assessed the technology organization’s performance against its responsibility for delivering efficient, quality IT services, measured against the School’s overall strategic business objectives
IT Assessment: evaluated the processes and systems of internal control and compliance
Assessing IT Governance
Detailed review of the school’s IT Governance and internal controls within Information Technology Services.
Audit Approach: identify business goals, derive the IT goals that support them, identify the key IT processes and key IT resources behind those goals, then identify the control objectives to test.
Plan and Organize (PO)
Planning, communicating and managing the realization of the strategic vision
Implementing organizational and technological infrastructure
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Is the quality of IT systems appropriate for business needs?
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement (AI)
Identifying, developing or acquiring, implementing, and integrating IT solutions
Changes in and maintenance of existing systems
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support (DS)
The management of security, continuity, data and operational facilities
Service support for users
Are IT services being delivered in line with business priorities?
Is the workforce able to use IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.