IT Governance in Higher Education, by James Yung


  • IT governance processes and structures usually involve a confusing hybrid of autonomous departments and one or more centralized units. There is usually a complex committee structure and a mix of decentralized, independent decision makers who are responsible for most local decisions. The governance processes are confusing and time consuming and occasionally fail, as evidenced by damaging IT security breaches on many campuses.
  • It is about the organization's leadership, internal/external stakeholders, and how IT investment decisions are made and prioritized.
  • IT Governance starts with effective enterprise governance that clarifies strategic direction, prioritizes objectives, and exerts sufficient control to manage risks and enterprise resources to achieve the intended outcomes. Management differs from governance in that its primary focus is on the implementation of decisions made through the governance process.
  • Good governance processes will foster timely decisions, responsible actions, and alignment of an organization's IT strategy with its overall mission and goals.
  • The 2006 Educause survey suggests IT Governance is a top issue, as funding IT is directly related to governance and institutional priority setting.
  • Assessment of the IT Governance domain can be integrated or independent, based on the organization's operating environment and risks.
  • The risk is inadequate funding of IT and/or mismanagement of IT investments that squander institutional resources through duplication of effort and/or lack of planning.
  • How critically does your university's success depend on IT? How much investment in IT is too much, or not enough?
  • An IT governance framework provides the ability to measure the effectiveness of IT operations, compliance with significant laws and regulations, and the value delivered to the business.
  • Adoption of the CoBIT Framework as an IT Audit standard. Use of CoBIT established the credibility of the IS Auditor.
  • An IT Governance Assessment reviews strategic alignment, operational effectiveness, and systems of internal control.
  • Seven key IT Governance audit objectives.

    1. IT Governance In Higher Education: “What is it, and how does it benefit your Institution?” Pre-Conference Seminar – June 23, 2007
    2. James Yung, CISA, Associate Director, IS Audit, Harvard University Risk Management and Audit Services (Presenter)
    3. Agenda
       • What is IT Governance
       • IT Governance at Harvard University
       • CoBIT in Assessing IT Governance at Harvard
    4. Questions
       • What does IT Governance mean to you?
       • Is IT Governance happening in your university?
       • What are your key challenges in IT Governance?
    5. How do most research universities govern the large and rapidly evolving set of information technology initiatives that take place on their campuses? ANSWER: Inefficiently, ineffectively and not as well as they should. (Source: Educause – IT Governance in Higher Education 2006)
    6. What is IT Governance?
       • It’s about organization leadership
       • Decision making that leads to better alignment of IT and the business
       • IT delivering more business value
       • IT resources are used responsibly
       • IT risks are managed appropriately
    7. Enterprise Governance (©2007 IT Governance Institute)
       • Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goals of:
         • Providing strategic direction
         • Ensuring that objectives are achieved
         • Ascertaining that risks are managed appropriately
         • Verifying that the enterprise’s resources are used responsibly
    8. Enterprise Governance Drives IT Governance (©2007 IT Governance Institute)
       • Enterprise governance is about:
         • Conformance: adhering to legislation, internal policies, audit requirements, etc.
         • Performance: improving profitability, efficiency, effectiveness, growth, etc.
       • Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
    9. IT Governance, as Defined by the IT Governance Institute (ITGI) (©2007 IT Governance Institute)
       • IT governance is:
         • The responsibility of the board of directors and executive management
         • An integral part of enterprise governance, consisting of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives
       • Chart: share of organizations “doing something about it” versus “not doing something about it” in 2003 and 2005 (source: surveys by PwC for the IT Governance Institute, Sep–Oct 2003 and Sep–Oct 2005; percentages shown on the slide: 36%, 64%, 58%, 42%)
       • Diagram: the five IT governance focus areas – Strategic alignment, Value delivery, Risk management, Resource management, Performance measurement
    10. IT Governance Domain (©2007 IT Governance Institute)
       • Strategic alignment: focuses on ensuring the linkage of business and IT plans and on aligning IT operations with enterprise operations
       • Value delivery: IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
       • Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people
       • Risk management: senior management appetite for risk, compliance requirements, transparency about the significant risks to the organisation
       • Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery to achieve goals measurable beyond conventional accounting
    11. IT Governance Stakeholders (©2007 IT Governance Institute)
       • Board and executive: set direction for IT, monitor results and insist on corrective measures
       • Business management: defines business requirements for IT and ensures that value is delivered and risks are managed
       • IT management: delivers and improves IT services as required by the business
       • IT audit: provides independent assurance to demonstrate that IT delivers what is needed
       • Risk and compliance: measures compliance with policies and focuses on alerts to new risks
    12. IT Governance at Harvard
    13. Harvard University Facts
       • 12 Schools
       • 143 Research and Academic Centers
       • Approximately 7,000 Undergraduate and 13,000 Graduate Degree Candidates
       • More than 19,000 Faculty and Staff
       • $25B Endowment
       • $623M Sponsored Research
       • $2.7B Operating budget
    14. IT Governance Risks at Harvard
       • Wrong IT strategy precludes growth and operational sustainability
       • False starts and wasted resources (i.e. money, time and productivity)
       • Short-sighted planning
       • Fragmented IT planning
       • High project implementation failure rates
       • Lack of disaster recovery planning
    15. Why Audit IT Governance at Harvard
       • IT is strategic and critical to the university's reputation and success
       • Compliance with numerous regulations (FERPA, HIPAA, GLB, PCI, etc.) depends on effective IT controls
       • Expectation and reality often don’t match
       • IT had not received the attention it deserves
    16. The Need for IT Governance at Harvard
       • Drivers shown on the slide: Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance
       • Millions of dollars on IT spending
       • Decentralized IT computing and business operations
       • Increasing numbers of severe security breaches
       • IT's ability to scale and sustain operations
       • Various IT delivery models
       • Regulatory compliance: SAS 112, FERPA, HIPAA, GLB, PCI, etc.
    17. Stakeholders need to know that:
       • IT strategy is aligned with school strategy
       • Schools and IT are effectively communicating
       • The organization is structured to facilitate the implementation of its strategy and goals
       • Risks and opportunities are effectively managed
       • Performance against objectives is transparent
    18. Risk Management and Audit Services Mission: “To Assist University Management and Governing Boards in Identifying, Managing and Mitigating Risk and Ensuring Risk Management Processes are Integrated Into the University’s Business Practices and Academic and Research Activities”
    19. RMAS Organization
    20. Evolution of RMAS IS Audit (chart: level of complexity from low to high, value add from tactical to strategic)
       • Pre-2000 – System Based Audit
         • Objective is to audit university critical systems based on high, medium or low risk criteria.
         • Audit of network, servers, access controls, change controls, BCP/DR
       • 2000 – Integrated Audit
         • Objective is to assure information technology controls are enabled to support the business process.
         • Audit of applications, servers, access controls, change controls, BCP/DR
       • 2006 – IT Governance Audit
         • Objective is to ensure IT strategy is aligned with business objectives.
         • Audit IT processes, management policy, procedures and compliance.
         • Audit IT internal controls and security management.
    21. CoBIT and IT Governance
       • Control Objectives for Information and related Technology (CoBIT) is an international standard in directing and controlling an enterprise’s information technology. CoBIT sets the standard for measuring IT Governance process maturity.
       • Basic CoBIT Principle (diagram): Business Requirements drive IT Processes, which use IT Resources; process maturity is measured across the four domains:
         • Plan and Organize
         • Acquire and Implement
         • Delivery and Support
         • Monitor and Evaluate
    22. Benefits of CoBIT
       • CoBIT offers an IT Governance Auditing Framework
       • Internationally recognized standard for best management practices and processes
       • IT risks and IT controls are easily communicated to IT and non-IT professionals
    23. CoBIT Framework Characteristics (©2007 IT Governance Institute)
       • The CoBIT framework was created with the following main characteristics:
         • Business-focused
         • Process-oriented
         • Controls-based
         • Measurement-driven
    24. Where Does CoBIT Fit? (©2007 IT Governance Institute)
       • Diagram: Drivers – Performance (business goals) and Conformance (Basel II, Sarbanes-Oxley Act, etc.) – feed Enterprise Governance, which drives IT Governance. CoBIT is shown alongside the best-practice standards (COSO, ITIL, ISO 9001:2000, ISO 17799, ISO 20000, Security Principles, Balanced Scorecard), with processes and procedures and QA procedures beneath.
    25. CoBIT Approach In Assessing IT Governance At Harvard
    26. Background
       • A major premier school in transition:
         • New Dean
         • Changes in academic curriculum
         • Aggressive recruitment of faculty
         • Campus expansion and facility improvements
         • Decentralized to centralized IT operations
    27. Assessing IT Governance
       • Detailed review of the school's IT Governance and internal controls within Information Technology Services.
       • Focus within two primary areas:
         • IT Governance, which assessed the technology organization’s performance against its responsibility of delivering efficient and quality IT services, measured against the School’s overall strategic business objectives
         • IT Assessment, which evaluated the processes and systems of internal control and compliance
    28. Audit Approach
       • Planning: identify business goals, IT goals, key IT processes and key IT resources
       • Scoping: identify control objectives; perform risk assessment; identify risks
       • Testing: inquire and confirm; inspect (walk-through and review); observe; sample and analyze
    29. IT Governance Audit Objectives (©2007 IT Governance Institute)
       • Effectiveness: information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
       • Efficiency: provision of information through the optimal (most productive and economical) use of resources
       • Confidentiality: the protection of sensitive information from unauthorised disclosure
       • Integrity: relates to the accuracy and completeness of information
       • Availability: information being available when required by the business process now and in the future; it also concerns the safeguarding of necessary resources and associated capabilities
       • Compliance: complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
       • Reliability: the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
    30. Scope of Work and Approach
       • Scope of Work – IT Governance: IT Enterprise Strategy; Steering Committee effectiveness; IT Budgeting & Investments; Identification & Prioritization of IT initiatives; IT Performance Metrics; Incident Response, support calls & problem management
       • Scope of Work – IT Controls: Change Mgmt Framework; Project Mgmt; System Development Life Cycle; Incident Response; Mgmt of Third-Party Vendor Contracts; Business Continuity/Disaster Recovery; Data Center
       • Approach – Interviews: ITS; Office of Academic Affairs; Student Office; Office of Administration; Faculty; IT Steering Committee
       • Approach – Documentation: Organizational charts; ITS Budgets; Third-party Contracts; Helpdesk Reports; Project Logs; Training Materials; Policy and Procedures; Communications
       • Flow (diagram): IT Audit → IT Governance (Process, Strategy, Controls) → Risk Analysis → Observations and Recommendations
    31. CoBIT Four IT Process Domains (diagram linking Business Requirements and IT Resources)
       • Plan and Organize
       • Acquire and Implement
       • Delivery and Support
       • Monitor and Evaluate
    32. Plan and Organize (PO) (©2007 IT Governance Institute)
       • Objectives:
         • Planning, communicating and managing the realization of the strategic vision
         • Implementing organizational and technological infrastructure
       • Scope:
         • Is the enterprise achieving optimum use of its resources?
         • Does everyone in the organization understand the IT objectives?
         • Is the quality of IT systems appropriate for business needs?
       • Processes:
         • PO1 Define a strategic IT plan.
         • PO2 Define the information architecture.
         • PO3 Determine technological direction.
         • PO4 Define the IT processes, organization and relationships.
         • PO5 Manage the IT investment.
         • PO6 Communicate management aims and direction.
         • PO7 Manage IT human resources.
         • PO8 Manage quality.
         • PO9 Assess and manage IT risks.
         • PO10 Manage projects.
    33. Acquire and Implement (AI) (©2007 IT Governance Institute)
       • Objectives:
         • Identifying, developing or acquiring, implementing, and integrating IT solutions
         • Changes in and maintenance of existing systems
       • Scope:
         • Are new projects likely to deliver solutions that meet business needs?
         • Are new projects likely to be delivered on time and within budget?
         • Will the new systems work properly when implemented?
       • Processes:
         • AI1 Identify automated solutions.
         • AI2 Acquire and maintain application software.
         • AI3 Acquire and maintain technology infrastructure.
         • AI4 Enable operation and use.
         • AI5 Procure IT resources.
         • AI6 Manage changes.
         • AI7 Install and accredit solutions and changes.
    34. Deliver and Support (DS) (©2007 IT Governance Institute)
       • Objectives:
         • The management of security, continuity, data and operational facilities
         • Service support for users
       • Scope:
         • Are IT services being delivered in line with business priorities?
         • Is the workforce able to use IT systems productively and safely?
         • Are adequate confidentiality, integrity and availability in place?
       • Processes:
         • DS1 Define and manage service levels.
         • DS2 Manage third-party services.
         • DS3 Manage performance and capacity.
         • DS4 Ensure continuous service.
         • DS5 Ensure systems security.
         • DS6 Identify and allocate costs.
         • DS7 Educate and train users.
         • DS8 Manage service desk and incidents.
         • DS9 Manage the configuration.
         • DS10 Manage problems.
         • DS11 Manage data.
         • DS12 Manage the physical environment.
         • DS13 Manage operations.
    35. Monitor and Evaluate (ME) (©2007 IT Governance Institute)
       • Objectives:
         • Performance management
         • Monitoring of internal control
       • Scope:
         • Is IT’s performance measured to detect problems before it is too late?
         • Does management ensure that internal controls are effective and efficient?
         • Can IT performance be linked to business goals?
         • Are risk, control, compliance and performance measured and reported?
       • Processes:
         • ME1 Monitor and evaluate IT performance.
         • ME2 Monitor and evaluate internal control.
         • ME3 Ensure compliance with external requirements.
         • ME4 Provide IT governance.
    36. Align Business Goals with Key IT Goals
    37. IT Governance Maturity Benchmark (chart comparing School, Harvard and Target; School scored 1.5)
       • Using CoBIT’s Maturity Benchmark, ITS scored a 1.5, which is estimated to be in line with Harvard University’s other IT organizations.
         • The School can gain significant benefits in operational efficiencies (i.e. productivity), effectiveness (i.e. operational costs) and compliance by operating within a target maturity level rating of 3.0.
         • Five key IT Governance recommendations were identified to help the school achieve the goal of reaching maturity level 3.0.
    38. Key Recommendations (listed in priority order)
       • IT Governance recommendations will require the School’s senior leadership team’s involvement, as it ultimately sets the strategic direction.
       • *IT Control recommendations are the responsibility of the CIO.
    39. Benefits to the Auditee
       • Clearly communicate who is accountable for decisions in academic and administrative computing
       • Foster true partnership between IT and business leaders
       • Clarify IT decision-making roles and responsibilities
       • Strengthen general IT controls and security
    40. Lessons Learned
       • Auditing IT governance involves interaction at every level of the organization's leadership and with internal/external stakeholders
       • IT governance scope must be clear and concise
       • Appropriate risks and controls must be identified
       • An IT governance audit should be conducted by a senior auditor with appropriate consultative skill sets
       • Internal audit plays a critical role in IT governance
       • IT GOVERNANCE AUDIT IS NOT FOR THE FAINT-HEARTED
    41. Questions
    42. References: IT Governance Institute - ; ISACA - / ; IT Audit -