IT Governance Masterclass
#sitbru Session 3: IT Governance for SAP practitioners by Prof. G. Ataya
SAP Inside Track Brussels – Session 3: IT Governance for SAP practitioners, by Professor Georges Ataya
1. IT Governance Masterclass
Georges Ataya, CISA, CGEIT, CISM, CISSP, MSCS, PBA
External Relations Chair, ISACA
Professor, Solvay Business School
Managing Partner, ICT Control NV
2. Georges Ataya, MSCS, PBA, CISA, CISM, CISSP
• Professor and Academic Director at Solvay Brussels School of Economics and Management, in charge of IT Management Education (www.solvay.edu/it)
• Academic Relations Committee Chair at ISACA (ISACA.org)
• Managing Partner, ICT Control SA (www.ictcontrol.eu)
• Has participated in various research projects and publications
• Georges@ictcontrol.eu – www.ataya.info
3. Why Does IT Need a Governance Framework?
Do any of these conditions sound familiar?
• Growing complexity of IT environments
• Fragmented IT infrastructures or applications
• Demand for technologists outstripping supply
• Communication gap between business and IT managers
• IT service levels that are disappointing
• Marginal productivity gains on technology investments
• Impaired organisational flexibility and nimbleness to change
• User frustration leading to ad hoc solutions
• IT managers operating like fire fighters
4. IT Governance Needs a Management Framework
[Diagram: the driving forces map onto the IT governance concepts and focus areas, including resource management]
5. Six IT Governance domains
• IT Governance Concepts
• Strategic Alignment
• Value Management
• Risk Management
• Resources Management
• Performance Measurement
6. Definition
7. Governance, Risk & Compliance: GRC
• Governance is the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.
• Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
• Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
Source: OCEG (Open Compliance and Ethics Group)
8. Practices and processes in value governance
Value Governance – elements
[Diagram: the value governance practices are layered as Strategy Management, Portfolio Management, Programme Management, Project Management and Operations Management, with Architecture Management running across all of them. Value is expressed as Total Benefits – Total Costs and is weighed against Risk.]
Source: IT Governance Institute
9. Project success
10. Value Governance is based around the Four “Ares” – continually asking…
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?
Source: Fujitsu Consulting
11. Risk approaches
Depending on the type of risk and its significance to the business, management and the board may choose to:
• Mitigate – implement controls, e.g., acquire and deploy security technology to protect the IT infrastructure
• Transfer – share the risk with partners or transfer it to insurance coverage
• Accept – formally acknowledge that the risk exists and monitor it
12. Risk management of enterprise IT resources (application, information, infrastructure, people)
[Diagram: IT Risk Analysis Approach]
Source: IT Governance Institute
13. Does Your IT Architecture Look Like…
“(needed a) …blueprint to bring order to ‘spaghetti layer of applications, boxes and wires’”
– Toby Redshaw, VP of Strategy & Architecture, Motorola
14. Four architectural views
• Business View – What are the business strategies and processes that will make us successful?
• Application View – Which applications do we need to facilitate the business processes?
• Information View – What information do we need to manage and manipulate?
• Technology View – What technology is needed to support the information and application needs?
15. IT Governance needs a control framework
How is it being used? The CobiT framework is applied to IT governance, audit methodology, security, Sarbanes-Oxley compliance, outsourcing, process standards and policy.
“CobiT is the framework that gives me an end-to-end view of IT.” – John Carrow, CIO, Unisys
“CobiT is an end-to-end catalogue of IT decisions.” – Simon Shapiro, CIO, Investec
16. COBIT Framework
Business objectives and governance objectives drive the framework. Information must meet seven criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability. The IT resources are Applications, Information, Infrastructure and People. The 34 IT processes are grouped into four domains:
Plan and Organise
• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.
Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.
Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.
Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.
17. Setting the Direction of IT Governance across the enterprise (in support of the business)
[Diagram: a control loop – Provide Direction → Set Objectives → IT Activities → Compare → Measure Performance]
Objectives set:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
IT activities:
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability and compliance)
• Objective: ensure that IT enables, sustains and extends the organisation’s strategies and objectives
• Method: providing direction and exercising control
• Content: leadership, organisational structures and processes
• Responsibility: board of directors and executive management
Source: IT Governance Institute
18. Value chain linkage between Enterprise Strategy and IT
[Diagram: Enterprise Strategy & Goals → Business Goals for IT → IT Goals → IT Processes → IT Scorecard. Further elements: IT Architecture, Business Requirements, Governance Requirements, Information Services, Applications, Infrastructure & People and Information Criteria, linked by the relations deliver, require, influence, run, imply and need.]
Source: IT Governance Institute
19. Benchmarking IT process maturity by industry sector
[Radar charts of process maturity (scale 1.0 to 3.5) for the processes PO1, PO3, PO5, PO9, PO10, AI1, AI2, AI5, AI6, DS1, DS4, DS5, DS10, DS11 and M1, compared across Financial Services, Public Sector, Retail/Manufacturing, IT Services and Other]
Source: IT Governance Institute
20. Where Do Frameworks Fit?
Drivers: conformance (Basel II, Sarbanes-Oxley Act, etc.) and performance (business goals)
• Enterprise Governance: COSO (conformance) and the Balanced Scorecard (performance)
• IT Governance: COBIT 4.1
• Standards: ISO 9001:2000 (QA), ISO 27002 (Security), ISO 20000 (Processes)
• Best practice: ITIL V3
• Processes and procedures
• Principles
21. Why Isn’t Everyone Doing This?
• We do this already.
• It’s not exciting.
• You’re making it much too complex.
• It’s not easy.
• It’s an IT problem.
• Lack of business engagement / accountability
• We don’t know where to start!