Getting Started With Governance of Enterprise IT (GEIT)

Transcription

1 Getting Started With Governance of Enterprise IT (GEIT) AN ISACA WHITE PAPER Implementing a governance of enterprise IT (GEIT) system successfully will bring myriad benefits, including lower costs, greater control, and overall increased efficiency and effectiveness. The primary purpose of using a GEIT system is to deliver value to stakeholders. If that value cannot be delivered, or if its delivery is not well understood, the resources consumed to implement GEIT are wasted. A proven GEIT framework identifies the steps that are needed to perform this value delivery and how to measure its impact and ongoing effectiveness. Given the uniqueness of enterprises around the world, a framework is the appropriate tool to use. A framework allows, even requires, customization to fit the enterprise it serves, as opposed to standards, which command compliance. Enterprises with strong governance operate with lower costs and make more efficient and effective use of their resources. External parties assess enterprises with strong governance as having greater internal control and lower general levels of risk. This last fact has been documented in studies that look at the cost of capital. Enterprises with strong governance actually pay lower interest in the capital markets when accessing funds. This paper will describe the use of a framework to implement GEIT, the resources needed to do so and the benefits that can be expected.

2 ISACA 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL USA Phone: Fax: Web site: Provide feedback: Participate in the ISACA Knowledge Center: Follow ISACA on Twitter: Join ISACA on LinkedIn: ISACA (Official), Like ISACA on Facebook: With more than 115,000 constituents in 180 countries, ISACA ( helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA ), Certified Information Security Manager (CISM ), Certified in the Governance of Enterprise IT (CGEIT ) and Certified in Risk and Information Systems Control (CRISC ) credentials. The association has more than 200 chapters worldwide. DISCLAIMER ISACA has designed and created Getting Started With Governance of Enterprise IT (GEIT) white paper (the Work ) primarily as an educational resource for governance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment ISACA. All rights reserved.

3 ACKNOWLEDGMENTS ISACA Board of Directors Robert E Stroud CGEIT, CRISC, CA, USA, International President Steven A. Babb CGEIT, CRISC, ITIL, Vodafone, UK, Vice President Garry J. Barnes CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President Robert A. Clyde CISM, Clyde Consulting LLC, USA, Vice President Ramses Gallego CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President Theresa Grafenstine CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President Vittal R. Raj CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President Tony Hayes CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President Gregory T. Grocholski CISA, SABIC, Saudi Arabia, Past International President Debbie A. Lew CISA, CRISC, Ernst & Young LLP, USA, Director Frank K.M. Yam CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director Alexander Zapata Lenis CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director Knowledge Board Steven A. Babb CGEIT, CRISC, ITIL Vodafone, UK, Chairman Rosemary M. Amato CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands Neil Patrick Barlow CISA, CISM, CRISC, CISSP, Capital One, UK Charlie Blanchard CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA Sushil Chatterji CGEIT, Edutech Enterprises, Singapore Phil J. Lageschulte CGEIT, CPA, KPMG LLP, USA Anthony P. Noble CISA, Viacom, USA Jamie Pasfield CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK Ivan Sanchez Lopez CISA, CISM, ISO LA, CISSP, DHL Global Forwarding & Freight, Germany Framework Committee Sushil Chatterji CGEIT, Edutech Enterprises, Singapore, Chairman David Cau GRCP, ITIL V3, MSP, Deloitte, France Joanne De Vito De Palma CISM, BCMM Assessor, PFI, USA Jimmy Heschl CISA, CISM, CGEIT, ITIL Expert, Red Bull, Austria Katherine McIntosh CISA, CIA, Central Hudson Gas & Electric Corp., USA Andre Pitkowski CGEIT, CRISC, APIT Informatica, Brazil Paras Kesharichand Shah CISA, CGEIT, CRISC, CA, Vital Interacts, Australia Sylvia Tosar CGEIT, PMP, Uruguay Tichaona Zororo CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT Enterprise Governance of IT (PTY) LTD., South Africa ISACA. All rights reserved.

4 INTRODUCTION WHAT IS THE PURPOSE OF THIS PUBLICATION AND HOW IS IT ORGANIZED? Practitioners need a practical guide to using GEIT frameworks without the need to become framework experts themselves. This guide will provide that pathway and lead users through the available GEIT material to quickly gain the value of using GEIT. This guide is organized around the steps that a project team follows in implementing a GEIT system. As such, it can be used as a field guide to executing GEIT. WHAT IS GEIT AND WHAT FRAMEWORKS ARE AVAILABLE? Governance of enterprise information technology (GEIT) is a discipline concerned primarily with organizing the resources of an enterprise for the purpose of satisfying stakeholders. GEIT is meant to bring alignment between high-level strategic objectives with operational level activities and work outcomes. The formal definition of GEIT in COBIT 5 1 mentions three key elements: evaluate, direct and monitor. These key elements make up the activities of GEIT and are what enterprise leaders focus on. COBIT 5 Implementation 2 has a much more detailed discussion of GEIT. ISACA s COBIT 5 is a comprehensive governance and management framework that allows the user to structure and align the enterprise resources with the requirements of their stakeholders. The International Organization for Standardization (ISO) published a standard titled ISO/International Electrotechnical Commission (IEC) 38500:2015, Information technology-governance of IT for the organization and ISO/IEC TR 38502:2014 Information technology-governance of IT-Framework and model. ISO is also developing a standard titled ISO/IEC TS 38501, Information technology-governance of IT-Implementation guide, which is planned for publication in early As outlined in appendix E of the framework, COBIT 5 is aligned with the six principles of ISO/IEC The ISO/IEC 3850X approach is to provide principles-based guidance on the governance of IT for the organization, a subset of enterprise governance. AXELOS owns Information Technology Infrastructure Library (ITIL ). AXELOS is a joint venture between the British Cabinet Office and Capita plc. AXELOS also owns PRINCE2, a project management methodology. ITIL is quite popular for determining what specific tasks can be used to accomplish specific service delivery objectives. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes a controls framework. Its most recent version was published in ISACA recently published a white paper, Relating the COSO Internal Control Integrated Framework and COBIT 3, which explains the relationship between COSO and COBIT 5 and how they can effectively be used with each other. The frameworks are complementary and compatible as guidance to support the assessment and improvement of internal control practices and activities within the governance and management arrangements of an enterprise. However, the use of both frameworks continues to require professional judgment and work by enterprise management and its auditors/advisors to comprehend, adapt and apply the principles and guidance to specific enterprise goals and enterprise capabilities. Relating the COSO Internal Control Integrated Framework and COBIT provides support for such professional judgment. 1 ISACA, COBIT 5, USA, 2012, 2 ISACA, COBIT 5 Implementation, USA, ISACA, Relating the COSO Internal Control Integrated Framework and COBIT, USA, 2014, ISACA. All rights reserved.

5 The Open Group publishes The Open Group Architecture Framework (TOGAF ), which is currently at version 9.1. TOGAF focuses on determining what the enterprise architecture should look like and then maintaining that architecture in a flexible enough manner such that the enterprise can adapt to change readily. WHAT ARE THE BENEFITS OF USING GEIT? GEIT ensures greater alignment of IT functionality with business needs. The most commonly experienced outcomes of implementing GEIT are improvements in management of IT-related risk and communication and relationships between business and IT. GEIT can also help to transition IT s role to a more proactive one. This can be done through the use of mechanisms such as GEIT boards, an appropriate organization structure encompassing roles for managing business relationships and standardized processes to effectively bridge the business demand with the IT supply. IT innovation offers ample opportunities for IT to play a more proactive role. For example, GEIT enablers, such as optimal investment management processes, can help ensure a balance between IT innovation and run-the-business initiatives. GEIT initiatives must take a balanced and holistic view of the five GEIT focus areas: strategic alignment, risk management, value delivery, resource management, performance measurement. During an economic crisis, when there is a strong focus on managing cost, effective GEIT can ensure that this focus is balanced with a view on investments that can generate cost savings and are ultimately self-funding. Successfully implementing GEIT depends on several factors: change management, communication, proper scoping and identification of achievable objectives. The outcomes of a successful GEIT implementation produce both shorter-term, tangible benefits, such as reduced cost, and longer-term benefits, such as enhanced management of IT-related risk, improved relationships between business and IT, and increased business competitiveness. A strong presence of GEIT can also contribute to lowered financial costs because lenders assess the risk level of the enterprise due to increased control. IMPLEMENTING A GEIT FRAMEWORK Commitment from the enterprise leadership at the highest level (C-suite, board of directors, etc.) is necessary to ensure a successful implementation. After that commitment is secured, a comprehensive GEIT implementation may proceed. In the sections below, a step-by-step approach for implementing GEIT is presented. UNDERSTANDING WHEN TO IMPLEMENT A FRAMEWORK Securing commitment to implement GEIT requires a clear discussion of pain points that an enterprise is experiencing. From the pain points identified, a business case for the implementation of GEIT can be built. This business case will be used to identify the scope of the GEIT implementation project and to help understand the resources that it will require. The implementation is a simple matter of confirming that the reasons prompting the desire to adopt or upgrade the framework are worthwhile. If not, the resources expended are likely to be for naught. Pain points and their related trigger points are discussed further in the COBIT 5 Implementation guide ISACA. All rights reserved.

6 1. Write business case for implementing GEIT. STEPS TO IMPLEMENT GEIT Follow an established project methodology to ensure reasonable use of resources and control of implementation project deliverables, budget and timing. Initially, for an enterprise to implement a new GEIT system, commitment must be secured from the highest levels. GEIT implementation can only succeed when the C-suite, board of directors and others of the highest authority drive the need for it. After commitment to implementing GEIT is in place, the real work begins. A project team must be assembled, and they should temporarily take ownership of getting the appropriate GEIT elements in place. This implementation team should then develop a project plan based on the seven implementation steps from the COBIT 5 Implementation guide. Figure 1 is taken from COBIT 5 and shows the seven project phases. Getting the Environment and Resources in Place The enterprise must be ready for a significant GEIT implementation. Getting resources in place is necessary, but more important is making certain staff understands the urgency of the project and what is needed. This is getting change enablement in place. Figure 1 Implementation Phases 6 Did we get there? 7 How do we keep the momentum going? Realise benefits 5 How do we get there? Embed new Execute plan approaches Review effectiveness Operate and use Operate Sustain and measure Implement improvements Monitor and evaluate Build Identify role players Plan programme 4 What needs to be done? 1 What are the drivers? Initiate programme Establish desire to change Recognise need to act improvements state Define target Assess current state Form implementation team outcome Communicate Define problems and opportunities Define road map 3 Where do we want to be? 2 Where are we now? Programme management (outer ring) Change enablement (middle ring) Continual improvement life cycle (inner ring) Source: ISACA, COBIT 5, USA, 2012, figure ISACA. All rights reserved.

7 1. Establish the project teams authority. 2. Communicate vision. 3. Empower all team members to carry out their charge. One of the earliest actions the project team will undertake is selecting a framework. Assuming COBIT 5 will be used, the framework must be carefully understood and then modified as needed to fit the enterprise. All of the materials presented in COBIT 5 are examples and not meant to be a prescriptive approach or the complete solution. Carefully determine which elements are needed, and communicate those to the project sponsor(s). Determining what the enterprise needs is done through a complete examination of stakeholder requirements. These requirements determine all enterprise goals that follow. These enterprise goals will make clear what other goals, IT and other resources (enablers), will be required. The COBIT 5 framework contains a deeper discussion on the goals cascade. It is shown in figure 2. Figure 2 Goals Cascade Stakeholder Drivers (Environment, Technology Evolution, ) 1. Assemble project team. 2. Assess current drivers and pain and trigger points for implementing GEIT. 3. Consider all seven enablers when considering resources to support. Creating a Plan Establish an implementation plan, and secure approval from the highest level of authority to implement it. This acts as a project charter, and provides authority to the project team members in conducting the implementation. This authority is necessary because resources will be needed from various areas in the enterprise and their superiors must be committed to their availability. 1. Project team should create project plan, showing all sub-plans (communication, procurement, etc.) that will be needed to implement GEIT. 2. Identify specific milestones to demonstrate accomplishment of each implementation phase. 3. Deliver project plan to project sponsor, and ask for approval to move forward with the overall plan. Benefits Realisation Stakeholder Needs Risk Optimisation Enterprise Goals IT-related Goals Influence Resource Optimisation Cascade to Cascade to Cascade to Executing the Plan Follow the implementation plan, delivering on milestones as planned and creating project continuation or departure points. Use appropriate tools (goals cascade and Responsible, Accountable, Consulted, Informed [RACI] chart) in determining how strategic goals and stakeholder objectives will be satisfied (value delivery). Apply the framework as broadly as the enterprise needs. 1. Implement the GEIT plan. 2. Report on milestone accomplishments. Enabler Goals Source: ISACA, COBIT 5, USA, 2012, figure ISACA. All rights reserved.

8 INTEGRATING MULTIPLE FRAMEWORKS, STANDARDS AND GOOD PRACTICES MANAGING CHANGE Consider whether there are multiple frameworks or sets of standards in place in the enterprise. If there are, plan for their integration into the overarching framework. Consider which framework is the most appropriate for GEIT over IT resources. UNDERSTANDING AVAILABLE AND NECESSARY RESOURCES (PROCESSES, ETC.) Enterprise resources need to tie processes into the internal control environment, which likely will have risk and controls detailed against a control matrix of control designs and control objectives. Plan to provide detail on how control objectives can be made from governance and management practices. Be careful to provide only the level of GEIT detail that the enterprise needs. In particular, define domains, processes and practices only to the extent that users in the enterprise need these terms. Be mindful that a common language is an important aspect to a successful framework implementation ISACA. All rights reserved.