IT Governance Framework at KIT

Similar documents
Security and Privacy Governance Program Guidelines

UCSB IT Forum. April 15, 2014

International Atomic Energy Agency Meeting the Challenge of the Safety- Security Interface

IT Expert (Enterprise Network and Infrastructure Architect)

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Turning Risk into Advantage

Information Security Governance and IT Governance

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

GNSSN. Global Nuclear Safety and Security Network

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Information Systems Security Requirements for Federal GIS Initiatives

Accreditation Services Council Governing Charter

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

MINUTES COMMITTEE ON GOVERNANCE Conference Call April 7, 2010

The University of Queensland

Symantec Data Center Transformation

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Accelerate Your Enterprise Private Cloud Initiative

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

ISACA. Certification Details for Certified in the Governance of Enterprise IT (CGEIT )

How to choose the right Data Governance resources. by First San Francisco Partners

EXAM PREPARATION GUIDE

Jerry Luftman. Executive Director & Distinguished Professor SIM VP Chapter Relations & Academic Affairs, Emeritus

Information Technology Governance

ENTERPRISE ARCHITECTURE

ASSEMBLY, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED FEBRUARY 4, 2016

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

NERC Staff Organization Chart Budget 2019

REPORT 2015/010 INTERNAL AUDIT DIVISION

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

POSITION DESCRIPTION

NIS Directive : Call for Proposals

OUTDATED. Policy and Procedures 1-12 : University Institutional Data Management Policy

University of Texas Arlington Data Governance Program Charter

MNsure Privacy Program Strategic Plan FY

NERC Staff Organization Chart Budget 2019

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

Appendix 6 Operational Support Systems Change Management Plan

Electricity Sub-Sector Coordinating Council Charter FINAL DISCUSSION DRAFT 7/9/2013

Information technology security and system integrity policy.

SAVANNAH LAKES VILLAGE PROPERTY OWNERS ASSOCIATION, INC. JOB DESCRIPTION

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Data Governance Central to Data Management Success

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

STRATEGIC PLAN. USF Emergency Management

Organization/Office: Secretariat of the United Nations System Chief Executives Board for Coordination (CEB)

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

EU General Data Protection Regulation (GDPR) Achieving compliance

Dated 3 rd of November 2017 MEMORANDUM OF UNDERSTANDING SIERRA LEONE NATIONAL ehealth COORDINATION HUB

The Global Research Council

Data Governance Framework

REPORT 2015/149 INTERNAL AUDIT DIVISION

How Cisco IT Improved Development Processes with a New Operating Model

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

NATIONAL INFRASTRUCTURE COMMISSION CORPORATE PLAN TO

Memorandum of Understanding between the Central LHIN and the Toronto Central LHIN to establish a Joint ehealth Program

TOURISM REGULATORY AUTHORITY VACANCIES

INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ

WHO Secretariat Dr Oleg Chestnov Assistant Director-General Noncommunicable Diseases and Mental Health

EXAM PREPARATION GUIDE

ESFRI Strategic Roadmap & RI Long-term sustainability an EC overview

Dan Lipman Chair, 2016 NIS Organising Committee. Roger Howsley Executive Director, WINS. Elena Sokova - Executive Director, VCDNP

MT. SAN ANTONIO COLLEGE 2018 Educational and Facilities Master Plan HMC ARCHITECTS // COLLABORATIVE BRAIN TRUST

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

NERC Staff Organization Chart Budget 2018

2nd ENISA Workshop German CERT-Activities. 5 th October, 2006 Brussels

Canada Life Cyber Security Statement 2018

Overview. Business value

Audit of Information Technology Security: Roadmap Implementation

The challenges of the NIS directive from the viewpoint of the Vienna Hospital Association

The Analysis and Proposed Modifications to ISO/IEC Software Engineering Software Quality Requirements and Evaluation Quality Requirements

TERMS OF REFERENCE FOR: REGIONAL CLIMATE AND GREEN GROWTH CONSULTANT EASTERN AFRICA

Continuous protection to reduce risk and maintain production availability

Architecture and Standards Development Lifecycle

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT CGEIT AFFIRM YOUR STRATEGIC VALUE AND CAREER SUCCESS

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Policy. Business Resilience MB2010.P.119

Professional Services for Cloud Management Solutions

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

S&T Stakeholders Conference

Section One of the Order: The Cybersecurity of Federal Networks.

Appendix 3 Disaster Recovery Plan

RESPONSE TO 2016 DEFENCE WHITE PAPER APRIL 2016

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

IT Governance and emerging trends

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

Global Statement of Business Continuity

Position Description IT Auditor

STRATEGIC PLAN

Certified Business Analysis Professional (CBAP )

April 17, Ronald Layne Manager, Data Quality and Data Governance

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

The World s Leading Organization for Electrical Power Systems Professionals and Industry Leaders

NERC Staff Organization Chart Budget 2017

System Chief Business Officer - B. J. Crain The Texas A&M University System Position Description--January 13, 2010

Impact of Enterprise Security Risk Assessments on Integrators & Manufacturers. J. Kelly Stewart Steve Oplinger James Marcella

Transcription:

[unofficial English version; authoritative is the German version] IT Governance Framework at KIT 1. Recent situation and principle objectives Digitalization increasingly influences our everyday life at KIT, in the field of research, teaching, innovation, as well as with regard to administrative tasks. Thus, it is vital to look at IT from an overall strategic perspective. KIT develops the IT governance to establish an effective and up-to-date framework for design and implementation. In the understanding of this paper, IT comprises information technology infrastructure and all basic services, application services and service portals realized on it. When we talk about IT, we address the digital workplace as such. 1 IT governance is understood to be the regulatory and operational framework to define responsibilities, rights, cross-cutting coordination structures and communication channels. This concerns all five IT decision areas: principles, enterprise architecture, infrastructure, business application needs, investment and prioritization. The principle objectives of the IT governance at KIT are: To align IT-related decisions with the overall strategy of KIT and by doing this generating additional value; To govern IT processes at KIT and to make IT comprehensible, targeted, sustainable and user-oriented. Security, reliability, data protection, and usability are of particular importance; To provide space for agile, innovative developments and to trigger the interaction between centralized and decentralized units as well as to make IT-related decisions according to the principle of subsidiarity. This paper describes roles, functions and duties for IT strategy planning and IT-related decisions (section 2) and coordination structures for monitoring and controlling the implementation of the IT strategy (section 3). The interaction of centralized and decentralized units is explained in section 4. It also describes the interaction in the areas of information security and data protection. It is not an object of the IT governance framework to define the general organizational structure of KIT. 2. IT strategy planning and IT-related decisions The crucial purpose of IT strategy planning and IT-related decisions is to shape the digital environment at KIT. Strategic decisions are characterized by the fact that they aim at long-term developments, are often associated with a substantial use of resources, or can affect many people at KIT. Strategic decisions can also involve cooperations with external partners. 2 IT strategy planning and preparation of IT-related strategic decisions are placed on a broad basis. The concerning committee structure is shown in Figure 1. 1 In German the equivalent abbreviation to IT would be IV which stands for Informationsverarbeitung und -versorgung. A common translation would be processing and supply of information. 2 In the case of strategic decisions, the KIT s act (KIT-Gesetz) and the KIT s articles of association (Gemeinsame Satzung) regulate the participation of others such as the KIT Senate or the Staff Council. 1

Figure 1: Committee structure for IT strategy planning and preparation of IT-related strategic decisions It is important that the Presidential Committee has a comprehensive overview of IT. Therefore the position of the Chief Information Officer (CIO) is taken on by a member of the Presidential Committee. The CIO is supported by an authorized CIO representative called IV-Bevollmächtigte/r (IV-B) as specified in the KIT s articles of association (Gemeinsame Satzung). Furthermore, the Vice Presidents are involved in the IT Steering Groups and the Presidential Committee holds special meetings focusing on IT. The Presidential Committee sets the overall strategic framework and decides on IT principles. The Presidential Committee also determines the basis for decision-making regarding IT investment and prioritization. The operational implementation takes place in accordance with the existing organizational structure. The IT governance at the level of strategy planning is characterized by interaction of the functions, roles and elements described below: Chief Information Officer (CIO) and IV-Bevollmächtigte/r (IV-B) 3 IT Council (A-IVI) IT Steering Groups (LK-IV) Chief Information Officer (CIO) and IV-Bevollmächtigte/r (IV-B) As the main responsible person for IT the Chief Information Officer (CIO) is a member of the Presidential Committee and has decision-making authority for the supervision and control of all IT tasks. Due to the extensive involvement of all departments in this cross-cutting issue, the President of KIT takes responsibility for the role of the CIO. According to KIT s articles of association, the Presidential Committee appoints the IV-B at the suggestion of the CIO. In a staff function, the IV-B is directly assigned to the President of KIT in his/her role as CIO and is instructed by the CIO to carry out the duties of the CIO. In accordance with KIT s articles of association, the IV-Bevollmächtigte (IV-B) is responsible for the technical and organizational integration and the coordination of all activities in the field of digital information and communication, as well as for the use of information technologies at KIT. 3 In English: authorized CIO representative. 2

The main tasks of the IV-B are: Responsibility for the IT strategy and the IT concept of KIT; Representing the IT strategy and the IT concept, both internally and externally; representing KIT in all IT matters concerning scientific and political events of strategic importance; Supervision and control of all technical and organizational IT activities and thereby strengthening the collaboration between VP s areas of responsibility, divisions and organizational units; Monitoring of major IT projects at KIT; Hosting and supervising the IT Council as well as the subject-specific IT Steering Groups, the latter together with the responsible vice presidents. The IV-B is involved in decisions of the Presidential Committee related to IT. IT Council (A-IVI) The IT Council is appointed by the Presidential Committee with the consent of KIT Senate and deals with strategic and cross-cutting issues concerning IT at KIT. The Council makes recommendations to support strategic IT decisions of the Presidential Committee and KIT Senate. In particular, the Council advises on the following IT issues: Drafting and updating of the IT strategy and of the IT concept; Planning, coordination and design of an integrated IT infrastructure at KIT; Assessment and management of IT-related risks; Drafting of guidelines and regularities for use and operation of the IT infrastructure; Recommendations and statements on IT projects of general importance; Budget planning of KIT concerning IT-related personnel, material and investments. The IT Council is to be seen as a council of users. Its members contribute expertise and a KIT-wide perspective according to the structural roles they have. Members of the IT Council are: the IV-B as permanent representative of the CIO, a head of division, professors and and senior scientists from all divisions of KIT, academic and non-academic staff as well as a student representative. The directors of the central IT service providers, representatives of the heads of the service units, the head of the Digital Office (see section 3) as well as the speaker of the IT Forum and of ASDuR (see section 4) attend the meetings as permanent guests. To connect and to pay attention to department-specific IT needs and thus especially to focus on the core mission of KIT, mandated members from each of the Steering Groups (see below) present their corresponding perspectives to the IT Council. This ensures that the IT Council takes into account the positions and recommendations of the Steering Groups. From a KIT-wide perspective, the IT Council presents the combined spectrum of positions and needs to the Presidential Committee via the CIO/IV-B and makes recommendations also with regard to prioritization to support overall strategic IT decisions. The IT Council and its members support a targeted and effective communication between the delegating bodies/groups and the Presidential Committee on the issues dealt with in the IT Council. IT Steering Groups (LK-IV) The individual organizational purposes of KIT and the departments of the Presidential Committee have general and specific needs. To ensure that they are included in the IT strategy of KIT, there are three Steering Groups chaired by the Vice Presidents: IT Steering Group in Research and Innovation (LK-IV F&I) IT Steering Group in Studies and Teaching (LK-IV S&L) 3

IT Steering Group in Administration (LK-IV Admin) The IT Steering Groups (LK-IV) act as advisory bodies of the responsible Vice Presidents to establish recommendations for the strategic IT orientation and the development of IT in the VP s area of responsibility. The LK-IV gather, analyze, discuss, specify and prioritize the strategic IT application needs of their assignment. In the Steering Groups, user representatives work together to pool the departmental IT application perspectives. Besides the IV-B and the user representatives, selected service units and the Digital Office (see below) are involved in the Steering Groups. The central IT service providers work in all LK- IV to point out the possibilities of IT in terms of opportunities and limits. Together with the IV-B, the responsible Vice Presidents ensure that their specific perspectives are adequately represented when the LK-IV are appointed. Guests can be invited depending on the topic. Assigned to a Steering Group, there can be working groups at the operational level meeting regularly. They support the development of IT application services and, in the case of major decision-making issues, work together with the corresponding IT Steering Group. The Vice Presidents, together with the CIO/IV-B, determine the strategic application needs that are to be pursued. 3. Coordination structure for supervising and controlling the implementation of the IT strategy The Digital Office At the interface between strategic and operational responsibility, it is necessary to compare intended implementations with the overall IT architecture in order either to adapt the implementation to the overall IT architecture or to develop the overall IT architecture further. For these tasks the CIO/IV-B is supported by the Digital Office. Together with the Digital Office, the CIO/IV-B defines the rules for implementation and the overall enterprise architecture. In particular, the Digital Office ensures that the digitalization of processes and the supportive IT infrastructure are compatible. For this purpose, the Digital Office coordinates the alignment of implementation planning between business and IT and mediates between the operational and strategic levels. The Digital Office is thus responsible for the procedural implementation of IT governance. Moreover, the Digital Office works to continuously improve and innovate IT services. In addition to the head of the Digital Office and the executive assistant of the IV-B, business relationship managers (BRM) are involved in the Digital Office. They support the coordination between business and IT at the level of service strategy and overall IT architecture. They possess the skills of project managers and act as experts for task and process orientation. Moreover, they present a driving force in questions of the adequate digitalization of services. The BRMs support the interaction in IT matters between decentralized and central units as well as across departmental boundaries. By suggestion of the CIO/IV-B, the Presidential Committee appoints an Information Security Officer (ISB) as the central contact person for information security 4. Independent of the organizational units the ISB is part of the Digital Office. The ISB is responsible for the organization of the information security management. Those responsible for business processes are also accountable for assessing the risk and protection needs for those processes. 4 The term information security, in contrast to the term IT security, emphasizes the protection of information regardless of the specific form of representation, processing or storage. Valuable information assets can exist anywhere at KIT, e. g. research data, personal data or contract data. 4

4. Cooperative IT system The following section describes the (co-)operative implementation in the interaction of central IT service providers and decentralized organizational units as well as functional elements. In addition, cooperation in the areas of information security and data protection will be addressed. The cooperative IT system and the IT governance are shown schematically in the following figure 2. Figure 2: Schematic overview of the IT governance and the cooperative IT system Media and IT Coordination (MIK) At KIT, there are three central facilities for the provision of media and IT: Steinbuch Centre for Computing (SCC) as the central information technology center organizes the information processing at KIT for research, teaching, innovation and administration. SCC combines science and services in its work. KIT Library (BIB) organizes the scientific information supply at KIT and is a centre of competence and control for all library processes at KIT. BIB operates as a partner for research, teaching and innovation. Center for Technology-Enhanced Learning (HoC-ZML) functions as first address and coordination centre for e-learning at KIT. It is committed to the integration and innovative enhancement of the use of digital media in teaching and study at KIT. The directors of the three central facilities are resonsible for those parts of the IT infrastructure concept correspondening to their duties (this includes the shared responsibilty for jointly operated services and projects). In the end, the CIO/IV-B decides on the IT infrastructure concept. Based on the overall IT architecture, the operational implementation is coordinated with regard to the three central institutions BIB, SCC und HoC-ZML by the Media and IT Coordination (MIK). This also includes the coordination of the corresponding service and project portfolios, which are the essential part of the IT concept. In addition, the CIO/IV-B as well as the A-IVI and the LK-IV can ask MIK for feasibility studies of IT services. 5

Members of MIK are directors of the central institutions BIB, SCC und HoC-ZML as well as a representative of the decentralized IT. MIK is hosted and supervised by the IV-B or the Digital Office. Depending on the topic, further stakeholders can be consulted to support a successful digitalization of services and the exchange of information with the divisions and organizational units. MIK appointee For the media and IT coordination, the organizational units appoint local appointees to implement IT services and to provide the respective on-site support. For this purpose the role of the appointee in the local IT must be developed in the sense of an authorized appointees system in order to take into account not only information processing, but also the supply of information and the use of digital media. The local appointees for IT services collaborate concertedly with MIK in matters of local IT or directly with the central IT institutions BIB, SCC or HoC-ZML for specific issues. The same applies to the other appointees named by the Working Group on Information Security, Data Protection and Law (ASDuR). The local IT appointees are an essential part of the cooperative IT system of KIT and are formally appointed by the head of the organizational unit(s). They are recruited from the staff of the individual organizational unit(s). Supported by additional specialists from the organizational unit, they act as local IT service providers. The local IT appointees are to be organized in decentralized IT service teams, if appropriate. To ensure a flow of information between MIK and the local IT appointees, meetings are held on a regular basis. IT Forum The IT Forum is a platform for exchanging technical IT and application questions. There the IT experts and users of the organizational units of KIT articulate needs and discuss approaches to solve problems. The IT Forum serves as technical consultant in the interest of all at KIT. In particular, the IT Forum is involved through its speaker in A-IVI, in ASDuR and in MIK to contribute suggestions and expertise. Information security and data protection Given the relevance of information to KITs activities, information security and data protection take an important role. The organization of information security and data protection within KIT is clarifed in separate documents. This section only outlines the interaction according to the IT governance. Information security and data protection as cross-cutting issues are supported at KIT by a Working Group on Information Security, Data Protection and Law (ASDuR) led by the ISB. ASDuR deals with general questions related to information security, data protection and legal compliance. ASDuR makes technical and organizational recommendations to ISB, IV-B and to A-IVI. In addition to the ISB, the Data Protection Officer and the head of the legal department are also represented in ASDuR for a comprehensive expertise. A representative of SCC Board of Directors and a representative of the Staff Council also participate in ASDuR, just as the speaker of the IT Forum does in order to contribute a decentralized point of view. Other experts can be involved, in particular for representing the decentralized side. The ISB as speaker of ASDuR is a guest of A-IVI and reports there on the information security situation and the information security risk management. The SCC as the central IT provider and IT infrastructure operator is responsible for the IT security of the central IT services. At SCC, there is a Computer Emergency Response Team (KIT-CERT), which acts as a central contact point for IT security incidents, advises on incident prevention and detection and takes appropriate measures. The KIT-CERT supports the ISB in particular. The head of the organizational unit is responsible for the IT security of the corresponding decentrally operated IT system. 6

5. Closing statement KIT and science in general is constantly undergoing a process of change driven by IT, which equally affects research, teaching, innovation and the associated administration. The IT governance sets the framework for providing a well-functioning cooperative IT for all at KIT, contributes to a task-related development of a comprehensively integrated IT and ensures an appropriate action and interaction in IT matters. At the same time, there is a need to systematically deal with opportunities and risks. By reviewing set goals, learning from challenges, exceptions and deviations as well as by comparing KIT to other scientific institutions, a continuous improvement is to be achieved. This also applies to IT governance itself, which is to be advanced adequately and continuously. Decided unanimously by the Presidential Committee on December 11, 2017. Karlsruhe, December 11, 2017 Prof. Dr.-Ing. Holger Hanselka President of KIT 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback