Title: IT Governance: Helping Business Survival
1 IT Governance: Helping Business Survival
- Steve Crutchley
- CEO Founder
- Consult2Comply
- www.consult2comply.com
2 Introduction: Steve Crutchley
- Experience in Government, Finance, Utilities, Pharmaceutical, Transportation (Airports) and Insurance
- Successfully ran businesses; ex-CEO of a public company
- Developed Assessment Software to support the Business Security/Risk needs
- Product architect for C2C Products
- Numerous Articles, Speaking and TV appearances related to security and security related solutions
- Founder CEO of Consult2Comply
- 39 Years IT Business Experience
- 22 Years GRC - Risk/Compliance Experience; CGEIT, CISM
- Recognized International Consultant
- ISO 27001, ISO 20000, BS 25999 Qualified Lead Auditor (IRCA approved)
- Content expert: Regulations, Standards, Best Practices - worldwide
- ISO 27001, ISO 20000, BS 25999 Trainer and ACP
- Approved CobIT trainer - ISACA
3 Seminar Content
- IT Governance introduction: the whys and wherefores
- Issues that cause IT Governance concerns: setting the scene
- Governance Standards and Frameworks
- IT Governance for Business Survival
- Seminar to be interactive, with questions as required
4 Seminar Content
5 What is IT Governance?
- Information Technology Governance (IT Governance) is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.
- The rising interest in IT Governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgment that IT projects can easily get out of control and profoundly affect the performance of an organization.
6 Why target IT?
In recent years, surveys have consistently revealed that 20 to 70 percent of large-scale investments in IT-enabled change are wasted, challenged or fail to bring a return to the enterprise (figure). In fact, one survey on measuring costs and value found that, in many enterprises, less than 8 percent of the IT budget is actually spent on initiatives that create value for the enterprise.
A 2002 Gartner survey found that 20 percent of all expenditures on IT is wasted, a finding that represents, on a global basis, an annual destruction of value totaling about US $600 billion. A 2004 IBM survey of Fortune 1000 CIOs found that, on average, CIOs believe that 40 percent of all IT spending brought no return to their organizations. A 2006 study conducted by The Standish Group found that only 35 percent of all IT projects succeeded while the remainder (65 percent) were either challenged or failed.
Reference: Val IT Framework 2.0
7 Headlines around the world corroborate these findings
Nike reportedly lost more than US $200 million through difficulties experienced in implementing its supply chain software. Failures in IT-enabled logistics systems at MFI and Sainsbury in the UK led to multimillion-pound write-offs, profit warnings and share price erosion. Tokyo Gas reported a US $46.6 million special loss due to cancellation of a large customer relationship management (CRM) project. In the public sector, the UK Department for Work and Pensions apparently squandered more than £2 billion by abandoning three major projects.
Reference: Val IT Framework 2.0
8 Why is IT Governance important?
- IT is in competition for budget
- Business is beating IT to and for budget
- IT needs to become a business-focused discipline
- IT is viewed by senior management as fire fighters and not planners or implementers
- IT is viewed as a monetary drain on business
- IT needs to compete effectively at the C level
- Business does not perceive IT as value for money
9 IT Governance Discipline
The discipline of information technology governance derives from corporate governance and deals primarily with the connection between business focus and IT management of an organization. It highlights the importance of IT related matters and states that strategic IT decisions should be owned by the corporate board, rather than by the CISO/CSO or other IT managers.
10 History of IT Governance Standards and Frameworks
- Australian Standard AS 8015-2005 Corporate Governance of information and communications technology
- ITGI Val IT Framework 1.0 (based on CobIT) launched 2006
- Val IT Framework 2.0 launched 2008
- ISO/IEC 38500:2008 Corporate governance of information technology, based on AS 8015-2005
11 Setting the Scene
12 Governance Issues
- Education
- Human interface
- Records Management
- Laws of the Land and beyond
13 Risk Issues
14 Legislative Issues
15 Security Issues
16 Internal Threats
17 External Threats
18 Physical Security
19 What should Information Technology Governance Deliver?
Executives should focus on Information Technology Governance, which when properly implemented should provide the following:
20 What are the IT Governance Characteristics?
- A general theme of IT Governance discussions is that the IT capability can no longer be something the business doesn't understand, and that IT must also understand the business and its needs.
- Handling of IT has always been an issue for board-level executives because of the technical nature of IT; therefore, key decisions were left to IT professionals. IT Governance implies a system in which all stakeholders, including the board, internal customers and related areas such as finance, have the necessary input into the decision making process.
- This will prevent a single stakeholder, typically IT, being blamed for poor decisions. It also prevents users from later complaining that the system does not behave or perform as expected (very important for IT).
21 What are the IT Governance Characteristics (2)?
- Most importantly, the board needs to understand the overall architecture of its company's IT applications portfolio
- The board must ensure that management knows what information resources are out there, what condition they are in, and what role they play in generating revenue
22 IT Governance Goals
- The primary goals for Information Technology Governance are:
- (1) assure that the investments in IT generate business value
- (2) mitigate the risks that are associated with IT
- This can be done by implementing an organizational structure with well-defined roles for the responsibility for information, business processes, applications and infrastructure that is well communicated across the organization.
23 C2C's GRC Model view supporting IT Governance
24 Who is this aimed at?
- Senior Management
- CIOs
- CISOs
- IT Managers
- IT staff and IT centric organizations
25 What are the Frameworks or Standards?
26 Overview of ISO/IEC 38500 and Val IT 2.0
27 What is the objective of IT Governance?
- Strategic alignment of IT with the Business, with emphasis on Business Governance
- Conformance of the organization to Security, Privacy, Trade Practices, IPR, Records Management, Legislation and Regulations (Laws of the Land)
- Alignment to Best Practices to reduce and streamline costs and improve revenues
28 ISO/IEC 38500:2008
29 What is a framework?
A framework is a basic conceptual structure used to solve or address complex issues, something like ISO/IEC 38500 Governance for IT.
But it should have processes that are effective.
30 ISO/IEC 38500 Structure
- Principle 1: Responsibility. Individuals and groups within the organization understand and accept their responsibilities in respect of both supply of, and demand for, IT. Those with responsibility for actions also have the authority to perform those actions.
- Principle 2: Strategy. The organization's business strategy takes into account the current and future capabilities of IT; the strategic plans for IT satisfy the current and ongoing needs of the organization's business strategy.
- Principle 3: Acquisition. IT acquisitions are made for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making. There is appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term.
31 ISO/IEC 38500 Structure
- Principle 4: Performance. IT is fit for purpose in supporting the organization, providing the services, levels of service and service quality required to meet current and future business requirements.
- Principle 5: Conformance. IT complies with all mandatory legislation and regulations. Policies and practices are clearly defined, implemented and enforced.
- Principle 6: Human Behavior. IT policies, practices and decisions demonstrate respect for Human Behavior, including the current and evolving needs of all the people in the process.
32 ISO/IEC 38500 Responsibility
3.2 Principle 1: Responsibility - extracts
- Evaluate: Directors should evaluate the options for assigning responsibilities in respect of the organization's current and future use of IT.
- Direct: Directors should direct that plans be carried out according to the assigned IT responsibilities.
- Monitor: Directors should monitor that appropriate IT governance mechanisms are established.
33 ISO/IEC 38500 Strategy
3.3 Principle 2: Strategy - extracts
- Evaluate: Directors should evaluate developments in IT and business processes to ensure that IT will provide support for future business needs.
- Direct: Directors should direct the preparation and use of plans and policies that ensure the organization does benefit from developments in IT.
- Monitor: Directors should monitor the progress of approved IT proposals to ensure that they are achieving objectives in required timeframes using allocated resources.
34 ISO/IEC 38500 Acquisition
3.4 Principle 3: Acquisition - extracts
- Evaluate: Directors should evaluate options for providing IT to realize approved proposals, balancing risks and value for money of proposed investments.
- Direct: Directors should direct that IT assets (systems and infrastructure) be acquired in an appropriate manner, including the preparation of suitable documentation, while ensuring that required capabilities are provided.
- Monitor: Directors should monitor IT investments to ensure that they provide the required capabilities.
35 ISO/IEC 38500 Performance
3.5 Principle 4: Performance - extracts
- Evaluate: Directors should evaluate the means proposed by the managers to ensure that IT will support business processes with the required capability and capacity. These proposals should address the continuing normal operation of the business and the treatment of risk associated with the use of IT.
- Direct: Directors should ensure allocation of sufficient resources so that IT meets the needs of the organization, according to the agreed priorities and budgetary constraints.
- Monitor: Directors should monitor the extent to which IT does support the business.
36 ISO/IEC 38500 Conformance
3.6 Principle 5: Conformance - extracts
- Evaluate: Directors should regularly evaluate the extent to which IT satisfies obligations (regulatory, legislation, common law, contractual), internal policies, standards and professional guidelines.
- Direct: Directors should direct those responsible to establish regular and routine mechanisms for ensuring that the use of IT complies with relevant obligations (regulatory, legislation, common law, contractual), standards and guidelines.
- Monitor: Directors should monitor IT compliance and conformance through appropriate reporting and audit practices, ensuring that reviews are timely, comprehensive, and suitable for the evaluation of the extent of satisfaction of the business.
37 ISO/IEC 38500 Human Behavior
3.7 Principle 6: Human Behavior - extracts
- Evaluate: Directors should evaluate IT activities to ensure that human behaviors are identified and appropriately considered.
- Direct: Directors should direct that IT activities are consistent with identified human behavior.
- Monitor: Directors should monitor IT activities to ensure that identified human behaviors remain relevant and that proper attention is given to them.
38 Val IT Framework 2.0: Based on CobIT
39 ITGI Val IT Framework 2.0
Purpose: Governance of IT Investments
40 Value Governance (VG)
Value governance establishes the overall
governance framework, including defining the
portfolios required to manage investments and
resulting IT services, assets, and
resources. Value governance monitors the
effectiveness of the overall governance framework
and supporting processes, and recommends
improvements as appropriate.
41 Portfolio Management (PM)
Portfolio management establishes the strategic
direction for investments, the desired
characteristics of the investment portfolio, and
the resource and funding constraints within which
portfolio decisions must be made. Portfolio
management evaluates and prioritizes programs
within resource and funding constraints, based on
their alignment with strategic objectives,
business worth (both financial and
non-financial), and risk (both delivery risk and
benefits risk), and moves selected programs into
the active portfolio for execution. Portfolio
management monitors the performance of the
overall portfolio, adjusting the portfolio as
necessary in response to program performance or
changing business priorities.
42 Investment Management (IM)
Investment management defines potential programs
based on business requirements, determines
whether they are worthy of further consideration,
and develops and passes business cases for
candidate investment programs to portfolio
management for evaluation. Investment management
launches and manages the execution of active
programs, and reports on performance to portfolio
management. Investment management moves resulting
IT services, assets and resources to the
appropriate operational IT portfolio(s) and
continues to monitor their contribution to
business value. Investment management retires
programs when there is agreement that desired
business value has been realized, or when
retirement is deemed appropriate for any other
reason. Investment management monitors the
performance of IT services, assets and resources
to determine whether additional investments are
required to maintain, enhance, or retire the
service, asset, or resource to sustain or
increase their contribution to business value.
43 Supporting Standards and Infrastructures
44 ISO/IEC 27001:2005: Understanding an Information Security Management System (ISMS)
45 Information
- According to ISO/IEC 27001:2005, information is defined as "An asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected."
46 Types of Information
- Printed or written on paper
- Stored electronically
- Transmitted by post or using electronic means
- Shown on corporate videos
- Verbal (e.g., spoken in conversations)
47 Types of Information Covered by an ISMS
48 What is Information Security?
49 Summary
- Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investment and business opportunities
- Every organization will have a differing set of requirements in terms of controls and the level of confidentiality, integrity, and availability required
50 Fundamentals of IT Service Management and the ISO/IEC 20000 Series
- What is Service Management?
51 Service Management
- Service management is defined as the "Management of services to meet the business requirements" (2.14, ISO/IEC 20000-1:2005)
52 The ISO/IEC 20000 Series
- Part 1: Specification for service management
- Part 2: Code of practice for service management
53 History of ISO/IEC 20000-1:2005
- The U.K. government launched the IT Infrastructure Library (ITIL) in 1989
- ITIL defines best practice processes and procedures
- ITSMF formed in 1991 to further develop best practice
- ITSMF approaches BSI to develop a standard
- BS 15000 first published in 2000 as a specification
- BS 15000 revised in 2002
- ISO/IEC 20000 released in 2005
54 ISO/IEC 20000-1:2005
- Specifies a number of closely related service management processes
- Identifies that relationships exist between these processes, and that these relationships will be dependent on their application within an organization
- Provides guideline objectives and controls to enable an organization to deliver managed services
55 The Need for ISO/IEC 20000-1
- ISO/IEC 20000-1 is necessary because:
- Organizations are increasingly dependent on IT
- User demands continue to grow
- Infrastructure is increasingly complex
- There is a lack of guidance, accepted standards, or published best practices for IT service management
56 Purpose of ISO/IEC 20000-1
- The ISO/IEC 20000-1 specification:
- Defines requirements for an organization to deliver managed services of an acceptable quality for its customers
- Is the first worldwide standard aimed specifically at IT service management
57 Purpose of ISO/IEC 20000-1
- The ISO/IEC 20000-1 specification:
- Introduces a service culture and provides the methodologies to deliver services that meet defined business requirements and priorities in a manageable way
- Emphasizes processes to support the quality of live provision
58 Benefits of ISO/IEC 20000-1 to Organizations
- ISO/IEC 20000-1 helps organizations:
- Promote the adoption of an integrated process approach to deliver managed services to meet the business and customer requirements
- Understand best practices, objectives, benefits, and possible problems of IT service management
- Raise the profile of the IT department
- Deliver cost effective service!
59 Benefits of ISO/IEC 20000-1:2005 to Organizations
- The implementation of ISO/IEC 20000-1:
- Provides control, greater efficiency, and opportunities for improvement
- Turns technology focused departments into service focused departments
- Ensures IT services are aligned with and satisfy business needs
- Improves system reliability and availability
- Provides a basis for service level agreements
- Provides the ability to measure IT service quality
60 Service Management Documents
- Supporting documents for IT service management include:
61 ISO 20000 IT service management structure?
62 Overview of ISO/IEC 27001:2005 and ISO/IEC 27002:2005
63 ISMS Standards
- ISO/IEC 27002:2005: Code of Practice for Information Security Management
- ISO/IEC 27001:2005: Requirements for Information Security Management Systems
64 ISO 27001 Information Security management structure?
65 ISO/IEC 27000 family (a.k.a. ISMS) of standards is growing
66 Risk Assessment
- ISO/IEC 27001:2005 Clause 4.2.1 requires a risk assessment to be carried out to identify threats to assets.
- Guidance is now available using ISO/IEC 27005:2008
67 Information Security Management
- The goal of ISO/IEC 27001:2005 and ISO/IEC 27002:2005 is to safeguard the confidentiality, integrity, and availability of written, spoken, and electronic information
68 ISO/IEC 27002:2005 Code of Practice
- Defines a process to evaluate, implement, maintain, and manage information security
- Is based on BS 7799-1:2005
- Is intended for use as a reference document
- Is based on best information security practices
- Consists of 11 control sections, 39 control objectives, and 133 controls
- Was developed by industry for industry
- Is not used for assessment and registration
- Is not a technical standard
69 ISO/IEC 27001:2005 Requirements
- Specifies requirements for establishing, implementing, and documenting Information Security Management Systems (ISMS)
- Specifies requirements for security controls to be implemented according to the needs of individual organizations
- Consists of 11 control sections, 39 control objectives, and 133 controls
- Is aligned with ISO/IEC 27002:2005
70 ISO/IEC 27001:2005 Focus
- Harmonization with other management system standards
- The need for continual improvement processes
- Corporate governance
- Information security assurance
- Implementation of OECD principles
71 Holistic Approach
- ISO/IEC 27001:2005 defines best practices for information security management
- A management system should balance physical, technical, procedural, and personnel security
- Without a formal Information Security Management System, such as an ISO/IEC 27001:2005-based system, there is a greater risk of your security being breached
- Information security is a management process, not a technological process
72 Growing Acceptance
Status: 17th January 2009
See http://www.iso27001certificates.com/ for the registry of certificates
73 Supporting Documents
74 Benefits of an ISMS
- Provides the means for information security corporate governance
- Improves the effectiveness of the information security environment
- Allows for market differentiation due to a positive influence on company prestige and image, as well as a possible effect on the asset or share value of the company
- Provides satisfaction and confidence that customers' information security requirements are being met
- Allows for focused staff responsibilities
75 Benefits of an ISMS
- Ensures compliance with mandates and laws
- Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate due diligence
- Potentially lowers rates on insurance
- Facilitates better awareness of security throughout the organization
- Provides competitive advantages and reduction in costs connected with the improvement of process efficiency and the management of security costs
76 The Eleven Control Clauses (a.k.a. the Eleven Domains)
77 The Eleven Control Clauses
(Diagram: the clauses grouped under Organizational Structure, Management and Operations)
- Security Policy
- Organizational Info Sec
- Asset Management
- Access Control
- Compliance
- Business Continuity Management
- Human Resource Security
- Systems Development and Maintenance
- Communications and Operations Management
- Physical Environ. Security
- Security Incident Management
78 Key Controls
- The Introduction of ISO/IEC 27001:2005 identifies 10 controls as "a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common practice for information security."
79 Key Controls
80 BS 25999 Business Continuity Management
81 Development of BCM standards
- In 2002 it was widely recognised that numerous BCM models and approaches existed
- All of these looked different but were saying the same thing
- Very confusing to organisations and the industry in general
- BCM was viewed as a black art rather than logical and practical activities
- BCM was at risk of being viewed as costly, fragmented and not delivering business benefit
- In 2003, PAS 56 was developed by the BSI in conjunction with the Business Continuity Institute
- In November 2006, PAS 56 was replaced by BS 25999 Part 1 Code of Practice; 2007 saw Part 2 Specification being issued together with the certification scheme
82 BCM Landscape
- NFPA 1600
- Z 1600
- FFIEC BCP requirements
- Title IX (FCD-1 & 2)
- Cert Resiliency Framework
- BS 25999
- BCI
- DRA
- New ASIS plan being worked on
83 What is BS 25999-1 Code of Practice?
- BS 25999-1:2006 has been developed by practitioners throughout the global community, drawing upon their considerable academic, technical and practical experiences of BCM.
- It has been produced to provide a system based on good practice for BCM
- It is intended to serve as a single reference point for identifying the range of controls needed for most situations where BCM is practiced in industry and commerce, and to be used by large, medium and small organizations in industrial, commercial, public and voluntary sectors
84 BS 25999-1 Code of Practice
- Provides a common generic framework and guidelines for BCM
- Gives guidance on business continuity management
- Establishes the principles and terminology of business continuity management
- Describes the activities involved and gives recommendations for good practice
- Describes evaluation techniques for use by managers and auditors
85 BS 25999-1 and BS 25999-2
- BS 25999-1:2006
  - Code of Practice For Business Continuity Management
  - Best practices framework reference documentation
  - Use of the word "should"
- BS 25999-2:2007
  - Specification With Guidance For Use
  - Specifies the process for achieving certification that business continuity capability is appropriate to the size and complexity of an organization
  - Auditing specification
  - Use of the word "shall"
86 Using the Standard
- The BCM Standard is not intended as a beginner's guide to BCM
- However, some supporting material will be produced alongside which will help the less experienced user
- Can use the standard to get an idea of your current level of expertise and an idea of areas of weakness
- Can use the standard in Service Level agreements
87 BCM Standards
88 The Contents of BS 25999-1 Code of Practice
- Terms and definitions
- Overview of business continuity management (BCM)
- The business continuity management policy
- BCM programme management
- Understanding the organisation
- Determining business continuity strategy
- Developing and implementing BCM response
- Exercising and reviewing BCM arrangements
- Embedding BCM in the organisation
- References
- List of figures
- List of Tables
89 The Contents of BS 25999-2 Specification
- 1 Scope
- 2 Terms and definitions
- 3 Planning the business continuity management system
- 3.1 General
- 3.2 Establishing and managing the BCMS
- 3.3 Embedding BCM in the organization's culture
- 3.4 BCMS documentation and records
- 4 Implementing and operating the BCMS
- 4.1 Understanding the organization
- 4.2 Determining business continuity strategy
- 4.3 Developing and implementing a BCM response
- 4.4 Exercising, maintaining and reviewing BCM arrangements
- 5 Monitoring and reviewing the BCMS
- 5.1 Internal audit
- 5.2 Management review of the BCMS
- 6 Maintaining and improving the BCMS
- 6.1 Preventive and corrective actions
- 6.2 Continual improvement
90 Conclusion
- Business Continuity Management is a growing area of organizational concern
- An agreed standard will benefit all sizes of organisation as they seek to improve
- Standards evolve over time and feedback from users is essential to help BSI ensure the standard is useful and relevant
91 IT Governance for Business Survival
92 Modeling IT Governance
Keys to success:
- Don't work in silos
- Allocate responsibilities
- Make sure people understand the plan and model
- The model must be mapped across the organization
- It must include all aspects and requirements: policies, procedures, process maps
- Create relationships across multiple control frameworks
93 Good IT Governance Principles
- Commitment
- Governance Policy
- Roles and Responsibilities
- Identification of Business Governance issues
- Obligations to stakeholders
- Organizational Policies
- Operating procedures
- Dealing with breaches
- Record keeping
- Internal reporting
- Maintenance
- Education and training
- Communication and visibility
- Monitoring and assessment
- Review
- Report back
94 How do you measure IT Governance?
- Must have decided on the standard or framework
- Must understand your IT Governance requirements
- Must understand your business objectives
- Must understand the processes you are supporting
- Must set a baseline to work from; this includes your responsibilities
- Must be able to Monitor
- Must have a measurement method: Measure
- Must be able to Manage
- Must be able to Self Assess
95 What can help you?
- Understand applicable Compliance landscape (GRC)
- ISO 20000/ITIL Service management v.3
- ISO 27001 Information Security Management System
- BCM Standards and Guidelines
- ISO/IEC 38500 IT Governance Standard
- COBIT/ITGI Val IT 2.0
- CMM Maturity Modeling
- Six Sigma - Quality
- Balanced Scorecard - Metrics (Monitor, Measure and Manage)
- Understand your Business need and respond accordingly
96 Implementation issues
- Management Commitment
- IT understanding from a management perspective
- IT's understanding of business processes
- Effective and appropriate training
- People - hidden agendas
- Getting budget
- Proving Business value for IT Governance implementation
- Getting it RIGHT!
97 Example IT Governance Structure
98 Harmonization with existing BS/ISO standards and guidelines
- ISO 27799 Health Informatics - Security Management in Health using ISO 17799
- ISO 19077 Software Asset Management
- ISO 27005 Information Security Risk Management
- ISO 15489 Effective Records Management
- ISO 21188 Public Key infrastructure for Financial Services
- ISO 18044 Incident Management
- BS 8470 Secure Disposal of confidential material
- BS 8549 Security Consultancy Code of Practice
- ISO 15288 System Software Engineering - System lifecycle processes
99 Questions?
100 Presenter: Steve Crutchley
Email: scrutchley_at_consult2comply.com
Telephone: 571 332 8204 / 703 871 3950