
IT Governance - Consult2Comply



  1. “IT Governance – Helping Business Survival” – Steve Crutchley, CEO & Founder, Consult2Comply
  2. Introduction – Steve Crutchley
     - Founder & CEO of Consult2Comply
     - 39 years IT & business experience
     - 22 years GRC (risk/compliance) experience – CGEIT & CISM
     - Recognized international consultant
     - ISO 27001, ISO 20000 and BS 25999 qualified Lead Auditor – IRCA approved
     - Content expert – regulations, standards & best practices, worldwide
     - ISO 27001, ISO 20000 and BS 25999 trainer and ACP
     - Approved CobIT trainer – ISACA
     - Experience in government, finance, utilities, pharmaceutical, transportation (airports) and insurance
     - Successfully ran businesses – ex-CEO of a public company
     - Developed assessment software to support business & security/risk needs
     - Product architect for C2C products
     - Numerous articles, speaking engagements and TV appearances related to security and security-related solutions
  3. Seminar Content?
     - IT Governance introduction – the whys and wherefores
     - Issues that cause IT Governance concerns – setting the scene
     - Governance standards and frameworks
     - IT Governance for business survival
     - The seminar is intended to be interactive, with questions as required
  4. Seminar Content?
  5. What is IT Governance?
     - Information Technology Governance (IT Governance) is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.
     - The rising interest in IT Governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.
  6. Why target IT?
     A 2002 Gartner survey found that 20 percent of all expenditure on IT is wasted – a finding that represents, on a global basis, an annual destruction of value totalling about US $600 billion. A 2004 IBM survey of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organizations. A 2006 study conducted by The Standish Group found that only 35 percent of all IT projects succeeded, while the remainder (65 percent) were either challenged or failed. In recent years, surveys have consistently revealed that 20 to 70 percent of large-scale investments in IT-enabled change are wasted, challenged or fail to bring a return to the enterprise (figure). In fact, one survey on measuring costs and value found that, in many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that create value for the enterprise.
     Reference: Val IT Framework 2.0
  7. Headlines around the world corroborate these findings:
     - Nike reportedly lost more than US $200 million through difficulties experienced in implementing its supply chain software.
     - Failures in IT-enabled logistics systems at MFI and Sainsbury in the UK led to multimillion-pound write-offs, profit warnings and share price erosion.
     - Tokyo Gas reported a US $46.6 million special loss due to cancellation of a large customer relationship management (CRM) project.
     - In the public sector, the UK Department for Work and Pensions apparently ‘squandered’ more than £2 billion by abandoning three major projects.
     Reference: Val IT Framework 2.0
  8. Why is IT Governance important?
     - IT is in competition for budget – the business is beating IT to it
     - IT needs to become a business-focused discipline
     - IT is viewed by senior management as ‘fire fighters’ rather than ‘planners or implementers’
     - IT is viewed as a monetary drain on the business
     - IT needs to compete effectively at ‘C’ level
     - The business does not perceive IT as value for money
  9. IT Governance Discipline
     The discipline of information technology governance derives from corporate governance and deals primarily with the connection between the business focus and the IT management of an organization. It highlights the importance of IT-related matters and states that strategic IT decisions should be owned by the corporate board, rather than by the CISO/CSO or other IT managers.
  10. History of IT Governance Standards and Frameworks
     - Australian Standard AS 8015:2005 – Corporate governance of information and communications technology
     - ITGI – based on CobIT
     - Val IT Framework 1.0 – launched 2006
     - Val IT Framework 2.0 – launched 2008
     - ISO/IEC 38500:2008 Corporate governance of information technology – based on AS 8015:2005
  11. Setting the Scene
  12. Governance Issues
     - Human interface
     - Records management
     - Education
     - Laws of the Land & beyond
  13. Risk Issues
  14. Legislative Issues
  15. Security Issues
  16. Internal Threats
  17. External Threats
  18. Physical Security
  19. What should Information Technology Governance Deliver?
     Executives should focus on Information Technology Governance, which, when properly implemented, should provide the following:
  20. What are the IT Governance Characteristics?
     - A general theme of IT Governance discussions is that the IT capability can no longer be something the business doesn’t understand, and that IT must also understand the business and its needs.
     - Handling of IT has always been an issue for board-level executives because of the technical nature of IT; therefore, key decisions were left to IT professionals. IT Governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision-making process.
     - This will prevent a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected – very important for IT.
  21. What are the IT Governance Characteristics (2)?
     - Most importantly – the board needs to understand the overall architecture of its company’s IT applications portfolio … The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue …
  22. IT Governance Goals
     - The primary goals for Information Technology Governance are:
       (1) assure that the investments in IT generate business value;
       (2) mitigate the risks that are associated with IT.
     - This can be done by implementing an organizational structure with well-defined roles for the responsibility for information, business processes, applications and infrastructure that is well communicated across the organization.
  23. C2C’s GRC Model view – supporting IT Governance
  24. Who is this aimed at?
     - Senior management
     - CIOs
     - CISOs
     - IT managers
     - IT staff and IT-centric organizations
  25. What are the Frameworks or Standards?
  26. Overview of ISO/IEC 38500 and Val IT 2.0
  27. What is the objective of IT Governance?
     - Strategic alignment of IT with the business, with emphasis on business governance
     - Conformance of the organization to security, privacy, trade practices, IPR, records management, legislation and regulations (Laws of the Land), and alignment to best practices to reduce and streamline costs and improve revenues
  28. ISO/IEC 38500:2008
  29. What is a framework?
     A framework is a basic conceptual structure used to solve or address complex issues – something like ISO/IEC 38500 – Governance for IT. But it should have processes that are effective.
  30. ISO/IEC 38500 Structure
     - Principle 1: Responsibility – Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
     - Principle 2: Strategy – The organization’s business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization’s business strategy.
     - Principle 3: Acquisition – IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is an appropriate balance between benefits, opportunities, costs and risks, in both the short term and the long term.
  31. ISO/IEC 38500 Structure
     - Principle 4: Performance – IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
     - Principle 5: Conformance – IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
     - Principle 6: Human Behavior – IT policies, practices and decisions demonstrate respect for human behavior, including the current and evolving needs of all the ‘people in the process’.
  32. ISO/IEC 38500 Responsibility – 3.2 Principle 1: Responsibility (extracts)
     - Evaluate: Directors should evaluate the options for assigning responsibilities in respect of the organization’s current and future use of IT.
     - Direct: Directors should direct that plans be carried out according to the assigned IT responsibilities.
     - Monitor: Directors should monitor that appropriate IT governance mechanisms are established.
  33. ISO/IEC 38500 Strategy – 3.3 Principle 2: Strategy (extracts)
     - Evaluate: Directors should evaluate developments in IT and business processes to ensure that IT will provide support for future business needs.
     - Direct: Directors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in IT.
     - Monitor: Directors should monitor the progress of approved IT proposals to ensure that they are achieving objectives in the required timeframes using allocated resources.
  34. ISO/IEC 38500 Acquisition – 3.4 Principle 3: Acquisition (extracts)
     - Evaluate: Directors should evaluate options for providing IT to realize approved proposals, balancing risks and value for money of proposed investments.
     - Direct: Directors should direct that IT assets (systems and infrastructure) be acquired in an appropriate manner, including the preparation of suitable documentation, while ensuring that required capabilities are provided.
     - Monitor: Directors should monitor IT investments to ensure that they provide the required capabilities.
  35. ISO/IEC 38500 Performance – 3.5 Principle 4: Performance (extracts)
     - Evaluate: Directors should evaluate the means proposed by the managers to ensure that IT will support business processes with the required capability and capacity. These proposals should address the continuing normal operation of the business and the treatment of risk associated with the use of IT.
     - Direct: Directors should ensure allocation of sufficient resources so that IT meets the needs of the organization, according to the agreed priorities and budgetary constraints.
     - Monitor: Directors should monitor the extent to which IT does support the business.
  36. ISO/IEC 38500 Conformance – 3.6 Principle 5: Conformance (extracts)
     - Evaluate: Directors should regularly evaluate the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
     - Direct: Directors should direct those responsible to establish regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.
     - Monitor: Directors should monitor IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive and suitable for evaluating the extent to which the business is satisfied.
  37. ISO/IEC 38500 Human Behavior – 3.7 Principle 6: Human Behavior (extracts)
     - Evaluate: Directors should evaluate IT activities to ensure that human behaviors are identified and appropriately considered.
     - Direct: Directors should direct that IT activities are consistent with identified human behavior.
     - Monitor: Directors should monitor IT activities to ensure that identified human behaviors remain relevant and that proper attention is given to them.
  38. Val IT Framework 2.0 – Based on CobIT
  39. ITGI – Val IT Framework 2.0. Purpose: Governance of IT Investments
  40. Value Governance (VG)
     Value governance establishes the overall governance framework, including defining the portfolios required to manage investments and the resulting IT services, assets and resources. Value governance monitors the effectiveness of the overall governance framework and supporting processes, and recommends improvements as appropriate.
  41. Portfolio Management (PM)
     Portfolio management establishes the strategic direction for investments, the desired characteristics of the investment portfolio, and the resource and funding constraints within which portfolio decisions must be made. Portfolio management evaluates and prioritizes programs within resource and funding constraints, based on their alignment with strategic objectives, business worth (both financial and non-financial) and risk (both delivery risk and benefits risk), and moves selected programs into the active portfolio for execution. Portfolio management monitors the performance of the overall portfolio, adjusting the portfolio as necessary in response to program performance or changing business priorities.
  42. Investment Management (IM)
     Investment management defines potential programs based on business requirements, determines whether they are worthy of further consideration, and develops and passes business cases for candidate investment programs to portfolio management for evaluation. Investment management launches and manages the execution of active programs, and reports on performance to portfolio management. Investment management moves the resulting IT services, assets and resources to the appropriate operational IT portfolio(s) and continues to monitor their contribution to business value. Investment management retires programs when there is agreement that the desired business value has been realized, or when retirement is deemed appropriate for any other reason. Investment management monitors the performance of IT services, assets and resources to determine whether additional investments are required to maintain, enhance or retire the service, asset or resource to sustain or increase their contribution to business value.
  43. Supporting Standards and Infrastructures
  44. ISO/IEC 27001:2005 – Understanding an Information Security Management System (ISMS)
  45. Information
     - According to ISO/IEC 27001:2005, information is defined as: “An asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.”
  46. Types of Information
     - Printed or written on paper
     - Stored electronically
     - Transmitted by post or using electronic means
     - Shown on corporate videos
     - Verbal (e.g., spoken in conversations)
  47. Types of Information Covered by an ISMS
     - Internal – information that you would not want your competitors to know
     - Customer or client – information that customers would not wish you to divulge
     - Outsourced – information that needs to be shared with other trading partners
  48. What is Information Security?
     - Confidentiality (Clause 3.3 of ISO/IEC 27001) – Ensuring that information is accessible only to those authorized to have access
     - Integrity (Clause 3.8 of ISO/IEC 27001) – Safeguarding the accuracy and completeness of information and processing methods
     - Availability (Clause 3.2 of ISO/IEC 27001) – Ensuring that authorized users have access to information and associated assets when required
  49. Summary
     - Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities
     - Every organization will have a differing set of requirements in terms of controls and the level of confidentiality, integrity and availability required
  50. Fundamentals of IT Service Management and the ISO/IEC 20000 Series
  51. Service Management
     - Service management is defined as the “management of services to meet the business requirements” (2.14, ISO/IEC 20000-1:2005)
  52. The ISO/IEC 20000 Series
     - Part 1: Specification for service management
     - Part 2: Code of practice for service management
  53. History of ISO/IEC 20000-1:2005
     - The U.K. government launched the IT Infrastructure Library (ITIL) in 1989
     - ITIL defines “best practice” processes and procedures
     - ITSMF formed in 1991 to further develop best practice
     - ITSMF approached BSI to develop a standard
     - BS 15000 first published in 2000 as a specification
     - BS 15000 revised in 2002
     - ISO/IEC 20000 released in 2005
  54. ISO/IEC 20000-1:2005
     - Specifies a number of closely related service management processes
     - Identifies that relationships exist between these processes, and that these relationships will be dependent on their application within an organization
     - Provides guideline objectives and controls to enable an organization to deliver managed services
  55. The Need for ISO/IEC 20000-1
     - ISO/IEC 20000-1 is necessary because:
       - Organizations are increasingly dependent on IT
       - User demands continue to grow
       - Infrastructure is increasingly complex
       - There is a lack of guidance, accepted standards or published best practices for IT service management
  56. Purpose of ISO/IEC 20000-1
     - The ISO/IEC 20000-1 specification:
       - Defines requirements for an organization to deliver managed services of an acceptable quality for its customers
       - Is the first worldwide standard aimed specifically at IT service management
  57. Purpose of ISO/IEC 20000-1
     - The ISO/IEC 20000-1 specification:
       - Introduces a service culture and provides the methodologies to deliver services that meet defined business requirements and priorities in a “manageable way”
       - Emphasizes processes to support the quality of live provision
  58. Benefits of ISO/IEC 20000-1 to Organizations
     - ISO/IEC 20000-1 helps organizations:
       - Promote the adoption of an integrated process approach to deliver managed services that meet the business and customer requirements
       - Understand the best practices, objectives, benefits and possible problems of IT service management
       - Raise the profile of the IT department
       - Deliver cost-effective service!
  59. Benefits of ISO/IEC 20000-1:2005 to Organizations
     - The implementation of ISO/IEC 20000-1:
       - Provides control, greater efficiency and opportunities for improvement
       - Turns technology-focused departments into service-focused departments
       - Ensures IT services are aligned with and satisfy business needs
       - Improves system reliability and availability
       - Provides a basis for service level agreements
       - Provides the ability to measure IT service quality
  60. Service Management Documents
     - Supporting documents for IT service management include:
       - BIP 0005:2004 IT Service Management – A Manager’s Guide
       - PD 0015:2002 IT Service Management – Self-assessment Workbook
       - IT Infrastructure Library (ITIL) – a series of guidance books on the provision of IT services produced by the U.K. Office of Government Commerce (OGC)
  61. ISO 20000 IT service management structure?
  62. Overview of ISO/IEC 27001:2005 and ISO/IEC 27002:2005
  63. ISMS Standards
     - ISO/IEC 27001:2005 – Requirements for Information Security Management Systems
     - ISO/IEC 27002:2005 – Code of Practice for Information Security Management
  64. ISO 27001 Information Security Management – management structure?
  65. The ISO/IEC 27000 family (a.k.a. ISMS) of standards is growing
     - ISO/IEC 27000 – ISMS Overview and Vocabulary: the foundational standard in the 27000 series. Progressing through technical-level voting; expected publication in 2008.
     - ISO/IEC 27003 – Information Security Management System Implementation Guidance: provides further guidance on implementing 27001. Under development; expected publication in 2008.
     - ISO/IEC 27004 – Information Security Management Measurement: provides guidance on measuring the effectiveness of security program implementation, as required by 27001 and 17799. Expected publication in 2008.
     - ISO/IEC 27005 – Information Security Risk Management: provides guidance on conducting risk assessment and managing risk, as required by 27001 and 27002. Published 2008.
     - ISO/IEC 27007 – ISMS Auditing Guidelines: the study period on the subject was closed with a recommendation to develop a New Proposal. China and Sweden submitted contributions and presented at the meeting. The New Proposal will be coming out in the next two months with an outline for the new standard; work is expected to commence after the October meeting.
  66. Risk Assessment
     - ISO/IEC 27001:2005 Clause 4.2.1 requires a risk assessment to be carried out to identify threats to assets.
     - Guidance is now available using ISO/IEC 27005:2008.
  67. Information Security Management
     - The goal of ISO/IEC 27001:2005 and ISO/IEC 27002:2005 is to:
       - Safeguard the confidentiality, integrity and availability of written, spoken and electronic information
  68. ISO/IEC 27002:2005 Code of Practice
     - Defines a process to evaluate, implement, maintain and manage information security
     - Is based on BS 7799-1:2005
     - Is intended for use as a reference document
     - Is based on best information security practices
     - Consists of 11 control sections, 39 control objectives and 133 controls
     - Was developed by industry for industry
     - Is not used for assessment and registration
     - Is not a technical standard
  69. ISO/IEC 27001:2005 Requirements
     - Specifies requirements for establishing, implementing and documenting Information Security Management Systems (ISMS)
     - Specifies requirements for security controls to be implemented according to the needs of individual organizations
     - Consists of 11 control sections, 39 control objectives and 133 controls
     - Is aligned with ISO/IEC 27002:2005
  70. ISO/IEC 27001:2005 Focus
     - Harmonization with other management system standards
     - The need for continual improvement processes
     - Corporate governance
     - Information security assurance
     - Implementation of OECD principles
  71. Holistic Approach
     - ISO/IEC 27001:2005 defines best practices for information security management
     - A management system should balance physical, technical, procedural and personnel security
     - Without a formal Information Security Management System, such as an ISO/IEC 27001:2005-based system, there is a greater risk of your security being breached
     - Information security is a management process, not a technological process
  72. Growing Acceptance – status as of 17th January 2009 (see the registry of certificates)
  73. Supporting Documents
  74. Benefits of an ISMS
     - Provides the means for information security corporate governance
     - Improves the effectiveness of the information security environment
     - Allows for market differentiation due to a positive influence on company prestige and image, as well as a possible effect on the asset or share value of the company
     - Provides satisfaction and confidence that customers’ information security requirements are being met
     - Allows for focused staff responsibilities
  75. Benefits of an ISMS
     - Ensures compliance with mandates and laws
     - Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate due diligence
     - Potentially lowers insurance rates
     - Facilitates better awareness of security throughout the organization
     - Provides competitive advantages and a reduction in costs connected with the improvement of process efficiency and the management of security costs
  76. The Eleven Control Clauses (a.k.a. the Eleven “Domains”)
     - A.5 Security Policy
     - A.6 Organization of Information Security
     - A.7 Asset Management
     - A.8 Human Resources Security
     - A.9 Physical and Environmental Security
     - A.10 Communications and Operations Management
     - A.11 Access Control
     - A.12 Information Systems Acquisition, Development and Maintenance
     - A.13 Information Security Incident Management
     - A.14 Business Continuity Management
     - A.15 Compliance
  77. The Eleven Control Clauses (diagram; labels: ORGANIZATIONAL STRUCTURE; Systems Development and Maintenance; Communications and Operations Management; Business Continuity Management; Human Resource Security; Compliance; Asset Management; Organizational Info Sec; Access Control; Security Policy; Operations Management; Security Incident Management; Physical & Environ. Security)
  78. Key Controls
     - The Introduction of ISO/IEC 27001:2005 identifies 10 controls as: “a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common practice for information security.”
  79. Key Controls
     - Controls considered essential from a legislative point of view:
       - Data protection and privacy of personal information
       - Protection of organizational records
       - Intellectual property rights
     - Controls considered to be best practice:
       - Information security policy document
       - Allocation of information security responsibilities
       - Information security awareness, education and training
       - Correct processing in applications
       - Technical vulnerability management
       - Business continuity management
       - Management of information security incidents and improvements
  80. BS 25999 Business Continuity Management
  81. Development of BCM standards
     - In 2002 it was widely recognised that numerous BCM models and approaches existed
     - All of these looked different but were saying the same thing
     - Very confusing to organisations and the industry in general
     - BCM was viewed as a ‘black art’ rather than logical and practical activities
     - BCM was at risk of being viewed as costly, fragmented and not delivering business benefit
     - In 2003, PAS 56 was developed by the BSI in conjunction with the Business Continuity Institute
     - In November 2006, PAS 56 was replaced by BS 25999 Part 1 Code of Practice; 2007 saw Part 2 Specification being issued together with the certification scheme
  82. BCM Landscape
     - NFPA 1600
     - Z 1600
     - FFIEC BCP requirements
     - Title IX (FCD-1 & 2)
     - Cert Resiliency Framework
     - BS 25999
     - BCI
     - DRA
     - New ASIS plan being worked on
  83. What is BS 25999-1 – Code of Practice?
     - BS 25999-1:2006 has been developed by practitioners throughout the global community, drawing upon their considerable academic, technical and practical experience of BCM.
     - It has been produced to provide a system based on good practice for BCM.
     - It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practised in industry and commerce, and to be used by large, medium and small organizations in the industrial, commercial, public and voluntary sectors.
  84. BS 25999-1 Code of Practice
     - Provides a common generic framework and guidelines for BCM
     - Gives guidance on business continuity management
     - Establishes the principles and terminology of business continuity management
     - Describes the activities involved and gives recommendations for good practice
     - Describes evaluation techniques for use by managers and auditors
  85. BS 25999-1 and BS 25999-2
     - BS 25999-1:2006
       - Code of Practice for Business Continuity Management
         - Best practices framework – reference documentation
         - Use of the word “should”
     - BS 25999-2:2007
       - Specification with Guidance for Use
         - Specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization
         - Auditing specification
         - Use of the word “shall”
  86. Using the Standard
     - The BCM standard is not intended as a beginner’s guide to BCM
     - However, some supporting material will be produced alongside it which will help the less experienced user
     - You can use the standard to get an idea of your current level of expertise and an idea of areas of weakness
     - You can use the standard in service level agreements
  87. BCM Standards
  88. The Contents of BS 25999-1 Code of Practice
     - Terms and definitions
     - Overview of business continuity management (BCM)
     - The business continuity management policy
     - BCM programme management
     - Understanding the organisation
     - Determining business continuity strategy
     - Developing and implementing BCM response
     - Exercising and reviewing BCM arrangements
     - Embedding BCM in the organisation
     - References
     - List of figures
     - List of tables
  89. The Contents of BS 25999-2 Specification
     - 1 Scope
     - 2 Terms and definitions
     - 3 Planning the business continuity management system
       - 3.1 General
       - 3.2 Establishing and managing the BCMS
       - 3.3 Embedding BCM in the organization’s culture
       - 3.4 BCMS documentation and records
     - 4 Implementing and operating the BCMS
       - 4.1 Understanding the organization
       - 4.2 Determining business continuity strategy
       - 4.3 Developing and implementing a BCM response
       - 4.4 Exercising, maintaining and reviewing BCM arrangements
     - 5 Monitoring and reviewing the BCMS
       - 5.1 Internal audit
       - 5.2 Management review of the BCMS
     - 6 Maintaining and improving the BCMS
       - 6.1 Preventive and corrective actions
       - 6.2 Continual improvement
  90. Conclusion
     - Business Continuity Management is a growing area of organizational concern
     - An agreed standard will benefit organisations of all sizes as they seek to improve
     - Standards evolve over time, and feedback from users is essential to help BSI ensure the standard is useful and relevant
  91. IT Governance for Business Survival
  92. Modeling IT Governance – Keys to success
     - Don’t work in silos
     - Allocate responsibilities
     - Make sure people understand the plan and model
     - The model must be mapped across the organization
     - It must include all aspects and requirements – policies, procedures, process maps
     - Create relationships across multiple control frameworks
  93. Good IT Governance Principles
     - Commitment
     - Governance policy
     - Roles and responsibilities
     - Identification of business governance issues
     - Obligations to stakeholders
     - Organizational policies
     - Operating procedures
     - Dealing with breaches
     - Record keeping
     - Internal reporting
     - Maintenance
     - Education and training
     - Communication and visibility
     - Monitoring and assessment
     - Review
     - Report back
  94. How do you measure IT Governance?
     - Must have decided on the standard or framework
     - Must understand your IT Governance requirements
     - Must understand your business objectives
     - Must understand the processes you are supporting
     - Must set a baseline to work from – includes your responsibilities
     - Must be able to Monitor
     - Must have a measurement method – Measure
     - Must be able to Manage
     - Must be able to self-assess
  95. What can help you?
     - Understand the applicable compliance landscape (GRC)
     - ISO 20000/ITIL – Service management v.3
     - ISO 27001 – Information Security Management System
     - BCM standards and guidelines
     - ISO/IEC 38500 – IT Governance standard
     - COBIT/ITGI – Val IT 2.0
     - CMM – Maturity modeling
     - Six Sigma – Quality
     - Balanced Scorecard – Metrics (Monitor, Measure and Manage)
     - Understand your business need and respond accordingly
  96. Implementation issues
     - Management commitment
     - IT understanding from a management perspective
     - IT’s understanding of business processes
     - Effective and appropriate training
     - People – hidden agendas
     - Getting budget
     - Proving business value for IT Governance implementation
     - Getting it RIGHT!
  97. Example IT Governance Structure
  98. Harmonization with existing BS/ISO standards & guidelines
     - ISO 27799 Health Informatics – Security Management in Health using ISO 17799
     - ISO 19077 Software Asset Management
     - ISO 27005 Information Security Risk Management
     - ISO 15489 Effective Records Management
     - ISO 21188 Public Key Infrastructure for Financial Services
     - ISO 18044 Incident Management
     - BS 8470 Secure Disposal of Confidential Material
     - BS 8549 Security Consultancy Code of Practice
     - ISO 15288 System & Software Engineering – System Lifecycle Processes
  99. Questions?
  100. Presenter: Steve Crutchley – Email: [email_address] – Telephone: 571 332 8204 / 703 871 3950