SUIT Showdown 2010


Published on

Business case solution presentation for the SUIT showdown national competition.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

SUIT Showdown 2010

  1. 1. Mobile Music Proposing a comprehensive framework to ensure that MM’s IT aligns and extends corporate strategy, creates value and mitigates risksTrinity Ankita VijTeam 7 Himanshu SharmaApril 9th, 2010 Pranali Lad
  2. 2. ________________________________________________________________________________ 2
  3. 3. ________________________________________________________________________________ Ageing Infrastructure Compliance Ageing Unaligned IT with Infrastructure Business IT Governance Security ssues Security Issues Security Overstressed Network Compliance________________________________________________________________________________ 3 Source: Team Analysis
  4. 4. ________________________________________________________________________________ 0 1 2 3 4 5 Vision Mission C I Goals MM Current state MM Leadership Industry average (BOD + Executive) IT Plan Implement Mismanaged Risks and Returns Incident-based Business Metrics System Analysis Prioritization Performance Critical success IT Portfolio Indicators factors Management________________________________________________________________________________ Source: Team analysis 4
  5. 5. ________________________________________________________________________________ 0 1 2 3 4 5 Vision Mission C I F Goals MM Current state Industry average BOD + IT Strategy Committee MM Future state Executive Management + IT Steering Committee Monitor and Evaluate (ME) IT Governance Plan and organize (PO) Acquire and Implement (AI) Deliver and Support (DS) Managed Risks and Returns Metrics Control Objectives Service Management Performance Indicators RACI Matrix Business Continuity Balanced Scorecard Maturity Model Best Current Practice________________________________________________________________________________ Source: Team Analysis 5
  6. 6. ________________________________________________________________________________ MM Goals Requirements Information IT Goals IT Processes Control Control Key Activities Outcome Tests Objectives Derived from Performed by Responsibility and Performance Outcome Maturity Control Based on Control Accountability Chart Indicators Measures Models Design Test Practices________________________________________________________________________________ Source: ISACA presentation 6
  7. 7. ________________________________________________________________________________ What do Business Requirements stakeholders expect from IT? What resources are madeHow IT is organized available to and built up byto respond to the IT Processes IT?requirements?________________________________________________________________________________ Source: Adopted from COBIT v4.1 7
  8. 8. DEMO________________________________________________________________________________ 8
  9. 9. ________________________________________________________________________________ Financial Perspective Manage IT- Related Risks Internal Business Customer Perspective Perspective Goals Learning & Growth Perspective________________________________________________________________________________ Source: Adapted from COBIT v4.1 9
  10. 10. ________________________________________________________________________________ Business • Manage IT-related risk Goal • Ensure that critical and confidential information is IT Goal withheld from those who should not have access to it • Ensure systems security Process________________________________________________________________________________ Source: Team Analysis, Adapted from COBIT v4.1 10
  11. 11. ________________________________________________________________________________ P = Primary enabler S = Secondary enabler________________________________________________________________________________ Source: Adopted from COBIT v4.1 11
  12. 12. ________________________________________________________________________________ Control Objectives for DS5 DS5.1 Management of IT Security DS5.2 IT Security Plan ITIL Mapping DS5.3 Identity Management SD 4.6 Information DS5.4 User Account Management security management DS5.5 Security Testing, Surveillance and Monitoring SO 5.13 Information DS5.6 Security Incident Definition security management and service operation DS5.7 Protection of Security Technology DS5.8 Cryptographic Key Management DS5.9 Malicious Software Prevention, Detection and Correction DS5.10 Network Security DS5.11 Exchange of Sensitive Data________________________________________________________________________________ Source: Team Analysis, Adapted from ‘Aligning COBIT and ITIL’ by IT governance institute and Office of Governance Commerce 12
  13. 13. *________________________________________________________________________________ Head Development Head IT Administration Functions Head Operations Business Executive Chief Architect Compliance, Audit, Business Process Risk and Security PMO Activities CEO Owner CFO CIO Define and maintain an IT security plan I C C A C C C C I I R Define, establish and operate an identity (account) management I A C R R I C process Monitor potential and actual security incidents A I R C C R Periodically review and validate user access rights and privileges I A C R Establish and maintain procedures for maintaining and safeguarding cryptographic keys A R C Implement and maintain technical and procedural controls to protect information flows across networks A C C R R C Conduct regular vulnerability assessments I A I C C C R *A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed________________________________________________________________________________ Source: Adapted from COBIT v4.1 13
  14. 14. ________________________________________________________________________________________________________________________________________________________________ Source: Adopted from COBIT v4.1 14
  15. 15. ________________________________________________________________________________ Optimized Benefits Managed and Measurable Value Defined Process Costs Repeatable but Intuitive Audit Initial/Ad-hoc Driven ControlsTimeline T1 T2 T3 Starting Point Current Point Future Point________________________________________________________________________________ Source: Adapted from Ernst & Young – COBIT presentation 15
  16. 16. End of DEMO________________________________________________________________________________ 16
  17. 17. ________________________________________________________________________________ Identify Needs Phase Raise awareness and obtain Define resources Define scope Define risks Plan program 1 management commitment and deliverables Envision SolutionPhase 2 Assess actual Define target for Analyze gaps and performance improvement Identify ImprovementsPhase Plan Solution 3 Define projects Develop improvement planPhase Implement Solution Monitor 4 Implement the implementation Review program improvements effectiveness performancePhase Operationalize Solution 5 Build Indentify new governance sustainability requirements________________________________________________________________________________ Source: Team Analysis, Samsung COBIT Implementation roadmap 17
  18. 18. ________________________________________________________________________________Plan and Organize Acquire and Implement• PO1 Define a strategic IT plan • AI1 Identify automated solutions• PO2 Define the information architecture • AI2 Acquire and maintain application software• PO3 Determine technological direction • AI3 Acquire and maintain technology infrastructure• PO4 Define IT processes, organization and relationships • AI4 Enable operation and use• PO5 Manage IT investment • A15 Procure IT resources• PO6 Communicate management aims and direction • AI6 Manage changes• PO7 Manage IT humans resources • AI7 Install and accredit solutions and changes• PO8 Manage quality• PO9 Assess and manage IT risks• PO10 Manage projectsDeliver and Support Monitor and Evaluate• DS1 Define and manage service levels • ME1 Monitor and evaluate IT performance• DS2 Manage third-party services • ME2 Monitor and evaluate internal control• DS3 Manage performance and capacity • ME3 Ensure compliance with external requirements• DS4 Ensure continuous service • ME4 Provide IT governance• DS5 Ensure systems security• DS6 Identify and allocate costs• DS7 Educate and train users• DS8 Manage service desk and incidents• DS9 Manage the configuration• DS10 Manage problems• DS11 Manage data• DS12 Manage the physical environment• DS13 Manage operations________________________________________________________________________________ Source: Team Analysis, Adapted from COBIT v4.1 18
  19. 19. ________________________________________________________________________________ Make leadership understand role of IT as a crucial ‘Business Driver’ Need to have leadership commitment Propose the suggested solution/ framework in the upcoming meeting •Assess the current CMM* state of IT •Make necessary organization structural changes •Start with the implementation of the IT governance framework towards future state Fix fundamental IT issues before venturing into new businesses________________________________________________________________________________ *CMM – Capability Maturity Model Source: Team Analysis 19
  20. 20. Thank You Questions?________________________________________________________________________________ 20
  21. 21. ________________________________________________________________________________ Capability Maturity Model Linkages of goals & processes Capability Maturity Attribute Table Business Goals to IT Goals IT Goals to IT processes Organization Change IT strategy and IT Steering Committee ITIL Functions and Processes Balanced Scorecard Overview Balanced Scorecard Template Accountability Structure Business Continuity Plan Roles and Responsibilities for Business Continuity Planning Executive Management Risks faced Questionnaires Risk Mapping Executive Management Board of Directors________________________________________________________________________________ 21
  22. 22. ________________________________________________________________________________ Awareness and Policies, Plans and Tools and Automation Skills and Expertise Responsibility and Goal Setting and Communication Procedures Accountability Measurement 1 Recognition for the There are ad hoc Some tools may exist; Skills required for the There is no definition of Goals are not clear and need for the process is approaches to usage is based on process are not accountability and no measurement takes emerging. processes and standard desktop tools. identified. responsibility. place. practices. 2 There is awareness of Similar and common Common approaches to Minimum skill An individual assumes Some goal setting the need to act. processes emerge, but use of tools exist but requirements are his/her responsibility occurs; some financial are largely intuitive are based on solutions identified for critical and is usually held measures are because of individual developed by key areas. accountable, even if established but are expertise. individuals. this is not formally known only by senior agreed. management. 3 There is Usage of good practices A plan has been defined Skill requirements are Process responsibility Some effectiveness understanding of the emerges. for use and defined and and accountability are goals and measures are need to act. standardization of tools documented for all defined and process set, but are not to automate the areas. owners have been communicated, and process. identified. there is a clear link to business goals. 4 There is The process is sound Tools are implemented Skill requirements are Process responsibility Efficiency and understanding of the and complete; internal according to routinely updated for all and accountability are effectiveness are full requirements. best practices are standardized plan, and areas, proficiency is accepted and working measured and applied. some have been ensured for all critical in a way that enables a communicated and integrated with other areas, and certification process owner to fully linked to business goals related tools. is encouraged. discharge his/her and the IT strategic responsibilities. plan. 5 There is advanced, External best practices Standardized tool sets The organization Process owners are There is an integrated forward-looking and standards are are used across the formally encourages empowered to make performance understanding of applied. enterprise. continuous measurement system requirements. improvement of skills, linking IT performance based on clearly to business goals by defined personal and global application of organizational goals. the IT balanced________________________________________________________________________________ scorecard.Source: Adapted from COBIT 4.1 Home 22
  23. 23. ________________________________________________________________________________ IT Strategy Committee IT Steering Committee Level • Board Level • Executive Level • Provides insight and advice to the board on topics such as: Decides the overall level of IT spending and how costs will be — The relevance of developments in IT from a business allocated perspective • Aligns and approves the enterprise IT architecture — The alignment of IT with the business direction • Approves project plans and budgets, setting priorities and — The achievement of strategic IT objectives milestones — The availability of suitable IT resources, skills and • Acquires and assigns appropriate resources infrastructure to meet the strategic objectives • Ensures projects continuously meet business requirements, — Optimization of IT costs, including the role and value delivery including reevaluation of the business case Responsibility of external IT sourcing • Monitors project plans for delivery of expected value and — Risk, return and competitive aspects of IT investments desired outcomes, on time and within budget — Progress on major IT projects • Monitors resource and priority conflict between enterprise — The contribution of IT to the business (i.e., delivering the divisions and the IT function, and between projects promised business value) • Makes recommendations and requests for changes to — Exposure to IT risks, including compliance risks strategic plans (priorities, funding, technology approaches, — Containment of IT risks resources, etc.) • Provides direction to management relative to IT strategy • Communicates strategic goals to project teams • Is driver and catalyst for the board’s IT governance practices • Is a major contributor to management’s IT governance Responsibilities • Advises the board and management on IT strategy • Assists the executive in the delivery of the IT strategy Authority • Is delegated by the board to provide input to the strategy and • Oversees day-to-day management of IT service delivery and prepare its approval IT projects • Focuses on current and future strategic IT issues • Focuses on implementation • Sponsoring executive Membership • Board members and (specialist) non board members • Business executive (key users) • CIO • Key advisors as required (IT, audit, legal, finance)________________________________________________________________________________Source: Adopted from Board Briefing of IT Governance 2nd Edition Home 23
  24. 24. ________________________________________________________________________________________________________________________________________________________________ Source: Adapted from ISACA – Using COBIT and Balanced scorecard Home 24
  25. 25. ________________________________________________________________________________________________________________________________________________________________ Source: Adopted from Shorpshire County Council white paper on BCP Home 25
  26. 26. ________________________________________________________________________________ Governance Issues Technology issues for Management Enterprise Architecture Resource Management Selective Outsourcing Application Controls Strategic Alignment Application Security System Integration IT Service Delivery Cost Optimization Risk Management Themes mapped to Risk Prioritizing and Value Delivery Measurement Performance Factors Planning Security Low levels of user satisfaction - X - - X - - - - - - - - - Regular audit findings about poor performance - X - - X X X X X X X X X X Evaluating IT investments, investment decision making - X - - - - - - - - - X - - Improving quality of service - X - - - - X - - - - - - - Inadequate IT capability to support IT operations - - X - - - X - - - - X - - Inadequate IT capability to support new developments - - X - - - - - - - X - - - Inadequate IT capability to take advantage of new technologies - - X - - - - X - X - - - - High reliance on IT specialists X - X - - - - X - X - - - - Infrequent negotiation of supplier contracts - X X - - - - X - - - - - - Vendor support problems - - X - - - - X - - - - - - High costs of ownership - - X - - - X - - - - - - - High cost of network support and maintenance - - X - - - X - - - - - - - High network supply costs - - X - - - X X - - - - - - Configuration control problems - - X - - - - - - - - - - - Software license and version control - - X - - - - - - - - - - -________________________________________________________________________________ Home 26 Source: Adopted from ISACA – Samsung’s presentation
  27. 27. ________________________________________________________________________________________________________________________________________________________________ Source: Adopted COBIT 4.1 Home 27
  28. 28. ________________________________________________________________________________________________________________________________________________________________ Source: Adopted from COBIT 4.1 Home 28
  29. 29. ________________________________________________________________________________ Service Strategy Service Design Service Operation Service Transition Continual service improvement Financial Service Catalog Event Management Transition planning Management Management and support The 7-step Incident improvement Service Portfolio Service Level Management Change process Management Management Management Request Fulfillment Service Reporting Demand Capacity Service asset and Management Management Problem configuration Service Management Management Measurement Availability Management Access Release and Return on Management Deployment Investment on CSI IT service continuity Management Management Operational Business Questions Activities in other Service Validation for CSI Information Security lifecycle phases Testing Management Service desk Evaluation Supplier Management Technical Knowledge Requirements Management Management Engineering Data & Information IT operations Management management Application Management________________________________________________________________________________ Source: Adopted from ITIL v3 Home 29
  30. 30. ________________________________________________________________________________________________________________________________________________________________ Source: Adopted from ITIL v3 Home 30
  31. 31. ________________________________________________________________________________ Strategic Alignment Value Delivery IT Resource Management Risk Management Performance Management CEO • Align and integrate IT • Direct the optimization of IT • Ensure the organization is in the • Adopt a risk, control • Obtain assurance of the strategy with business goals costs best position to capitalize on its and governance performance, control and risks • Align IT operations with • Establish co- responsibility information and knowledge framework of IT and independent comfort business operations between • Establish business priorities and • Embed about major IT decisions • Cascade strategy and goals the business and IT for IT allocate resources to enable responsibilities for risk • Work with the CIO on down into the organization investments effective IT performance management in the developing an IT balanced • Mediate between • Ensure the IT budget and • Set up organizational structures organization scorecard ensuring it is properly imperatives of the business investment plan is realistic and and responsibilities that facilitate • Monitor IT risk and linked to business goals and of the technology integrate into the overall IT strategy implementation accept residual IT risks financial • Define and support the CIO’s plan role, ensuring the CIO is a key • Ensure that financial business player and part of reporting has accurate executive decision-making accounting of IT Business • Understand the enterprise’s • Approve and control service • Allocate business resources • Provide business • Sign off on the IT balanced Executive IT organization, levels required to ensure effective IT impact assessments scorecard infrastructure and • Act as customer for available governance over projects and to the enterprise risk • Monitor service levels capabilities IT services operations management • Provide priorities for • Drive the definition of • Identify and acquire new IT process addressing IT performance business requirements and services problems and corrective own them • Assess and publish actions • Act as sponsor for major IT operational benefits of owned projects IT investments CIO • Drive IT strategy • Clarify and demonstrate the • Provide IT infrastructures that • Assess risks, mitigate • Ensure the day-to-day development and value facilitate creation and sharing of efficiently and make management and verification execute against it, ensuring of IT business information at optimal risks transparent to the of IT processes and controls measurable value is delivered • Proactively seek ways to cost stakeholders • Implement an IT balanced on time and budget, currently increase IT value contribution • Ensure the availability of suitable • Implement an IT scorecard and in the future • Link IT budgets to strategic IT resources, skills and control framework with few but precise • Implement IT standards aims and objectives infrastructure to meet the • Ensure that roles performance measures directly and policies • Manage business and strategic objectives critical for managing IT and demonstrably • Educate executives on executive expectations relative • Ensure that roles critical for risks are appropriately linked to the strategy dependence on IT, IT-related to IT driving maximum value from IT are defined and staffed costs, technology issues and • Establish strong IT project appropriately defined and staffed insights, and IT capabilities management disciplines • Standardize architectures and technology________________________________________________________________________________Source: Adopted from Board Briefing of IT Governance 2nd Edition Home 31
  32. 32. ________________________________________________________________________________ Questions V A M R P How critical is IT to sustaining the enterprise? How critical is IT to rowing the enterprise? What strategic initiatives has executive management taken to manage IT’s criticality relative to maintenance and growth of the enterprise, and are they appropriate? What is the organization doing about leveraging its knowledge to increase stakeholder value? What IT assets are there and how are they managed? Are suitable IT resources, infrastructures and skills available to meet the required enterprise strategic objectives? Is the enterprise clear on its position relative to technology: pioneer, early adopter, follower or laggard? Is IT participating in overall corporate change-setting and strategic direction? Do IT practices and IT culture support and encourage change within the enterprise? Does the enterprise research technology, process and business prospects to set direction for future growth? Are enterprise and IT objectives linked and synchronized? Is the enterprise clear on its position relative to risks: risk-avoiding or risk-taking? Is there an up-to-date inventory of risks relevant to the enterprise? What has been done to address these risks? How far should the enterprise go in risk mitigation and is the cost justified by the benefit? What is management doing to address risks? Is the board regularly briefed on risks to which the enterprise is exposed? Based on these questions, can the enterprise be said to be taking “reasonable” precautions relative to technology risks? What are other similar organizations doing, and how is the enterprise placed in relation to them, relative to value, risk and resource management? What is industry best practice and how does the enterprise compare, relative to value, risk and resource management?________________________________________________________________________________ V = IT Value Delivery; A = IT Strategic Alignment; M = IT Resource Management; R = Risk Management; P = PerformanceSource: Adapted from Board Briefing of IT Governance 2nd Edition Home 32
  33. 33. ________________________________________________________________________________ Questions V A M R P How certain is the board about the answers provided to the Questions answered by executive management? Is the board aware of the latest developments in IT from a business perspective? Is IT a regular item on the agenda of the board and is it addressed in a structured manner? Does the board articulate and communicate the business direction to which IT should be aligned? Is the board aware of potential conflicts between the enterprise divisions and the IT function? Does the board have a view on how and how much the enterprise invests in IT compared to other like organizations? Is the reporting level of the most senior IT manager commensurate with the importance of IT? Does the board have a clear view on the major IT investments from a risk and return perspective? Does the board obtain regular progress reports on major IT projects? Does the board obtain IT performance reports illustrating the value of IT from a business driver perspective (customer service, cost, agility, quality, etc.)? Is the board regularly briefed on IT risks to which the enterprise is exposed, including compliance risks? Is the board assured of the fact that suitable IT resources, infrastructures and skills are available (including external resourcing) to meet the required enterprise strategic objectives? Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks? V = IT Value Delivery; A = IT Strategic Alignment; M = IT Resource Management; R = Risk Management; P = Performance________________________________________________________________________________Source: Adapted from Board Briefing of IT Governance 2nd Edition Home 33
  34. 34. End of our Deck -- Thank you________________________________________________________________________________ 34