Title: A CIO's Perspective on Compliance Risk Management
Slide 1: A CIO's Perspective on Compliance Risk Management - Keeping Stakeholders and Auditors Happy with ICT Value Contributions and Controls
- Steve Sanazaro
- For TACUA
- April 8, 2010
Slide 2: Topline Summary
- Objective: improve your understanding and your ability to team with IT leaders to implement and manage a robust and meaningful compliance regime
- Briefly describe the general and college/university environment
- Discuss IT Governance, where teamwork and cohesion begins
- Describe the role, agenda and cross-pressures on CIOs and their organizations
- Demonstrate some of the sources of dysfunctional friction between compliance and achieving the IT agenda
- Provide a roadmap to IT-Compliance collaboration and integration for efficiency and productivity
Slide 3: My Background (welcome to my day job)
- Executive and technology roles in all three aspects of information and communications technology
  - Commercial technology product development: e-business, data communications, reservations technology, business applications
  - Corporate executive: business strategy and operations, technology planning and implementation and managing ICT (CIO/CTO/CEO/COO)
  - Professional services provider advising corporations in a range of industries on business-technology opportunities and managing strategic initiatives (consultant)
  - Educator and mentor of the next generation of business-technology leaders (the 110 factor)
- Diverse industry experience in the US and other countries
  - Software, telecom, e-commerce, distribution and supply chain management, hospitality, transportation, consumer products, manufacturing, health, broadcasting, business process outsourcing, consulting
  - Companies in all stages: mature Global 500, mid-size growth, early-stage and startup companies, not-for-profits
- Responsible for international initiatives and technology management with multiple companies
- Instrumental in 2 successful IPOs
- Founder of multiple companies, including two profitable professional services businesses
- Today I advise companies on business and ICT strategy, major program implementations, competency development, change management and other subjects companies explore to maximize the competitive standing and value of the enterprise.
  - Special focus: strategic readiness, organizational health and sustainment, total supply chain, performance management, turnarounds, rejuvenation efforts
- All of my engagements today require a strong background in international business, Information Technology, business operations, compliance and risk management, strategic planning, performance management, cross-cultural business and social experience and travel.
Slide 4: A More Detailed Overview
- 1 - The unique environment of colleges and universities and the environment we all share
- 2 - The IT Value Proposition
  - Automation, Information, Communication, Collaboration
  - Routine performance and innovation
  - Performance and institutional sustainment
- 3 - IT Governance
  - Integration, not alignment: a team sport
  - Expectations, priorities and targets
  - Performance and organizational sustainment
  - Financial stewardship
  - Risk management and controls
- 4 - What do CIOs do anyway?
  - Agenda and cross pressures
- 5 - Friction and Dysfunction in IT Compliance Implementation
  - Risks: the infinite spectrum
  - IT control regimes
  - Integrating compliance into IT
- 6 - A Roadmap to IT-Compliance Harmonization
  - Compliance as connective tissue, not a separate organ
Slide 5: 1 - The Unique Environment of Colleges and Universities Today
Slide 6: The 21st Century Economy
- Global: relentlessly competitive talent, products, customers, suppliers
- Fast: unforgiving, time is the enemy
- Continuous innovations and imitations: new products, new competitors, new technologies, imitators everywhere
- Digital information is replacing physical goods
- Customers are in command
  - Choice: access to global information, access to peer opinions
  - Fluid loyalties
- Suppliers - Partners - Customers
- Results-driven
  - Financial
  - Other
- Emerging global culture: the new cosmopolitans
Slide 7: Management in the Global Reality
- "Management's great task will be taking strategic control of companies and simultaneously decentralizing operational control: loosening controls without losing control." - Strategic Discontinuity, McKinsey, 2002
Slide 8: Enterprise Purpose: Convert Assets to Goals
Value-Generating Processes
- Enterprise Execution Model
- Performance
- Health & Sustainment
Slide 9: Cash Results from Doing the Right Things Right
- Businesses begin with assets and try to grow them over time
  - Assets become sales
  - Sales minus expenses become profits
  - Profits become cash flow
  - Cash flow becomes assets
- There's no reason to grow the asset base except to generate higher revenue, more sales, etc.
- ICT must adopt the same attitude
  - The purpose of IT assets is to grow revenue (effectiveness) and net income (efficiency)
Slide 10: Globalization Has Enlarged the Enterprise Focus & Risk Management Agenda
- Talent development: attract, recruit, retain, develop, place
- Economics and Free Trade
- Tradition, Sovereignty and Cultural Preservation
- The Role of Information, Communications and Collaboration
- Education, Opportunity and Participation
- Population Shifts and Mass Migrations
- Human Rights
- Crime & Safety
- Environmental Concerns and Pollution
- Transborder Disease
- Corporate Social Responsibility and the Digital Divide
- Compliance
- Corruption and Governance
- Intellectual Property Rights
- Representation and Participation
Slide 11: Colleges and Universities Face Additional Challenges
- Some are common to institutions, some are unique to educational institutions
- Further gradients of issues are by public/private, size, target curricula, etc.
- Just a few of the many Big questions:
  - What is the 21st century college and university value proposition?
  - Autonomy and centralization issues
  - What new programs or capabilities do we need?
  - Performance targets: what to measure, what to do with the results?
  - Customers and colleagues: students, academics, administrators, other stakeholder interests
  - How do we improve distance and continuing education?
  - How do IT technologies, applications and services change curricula, delivery methods, target audience, student and prospective student expectations?
  - The special function of university research
  - Endowments, special gifts, programs and other fundraising
  - Talent management: faculty, administration
  - Community support
  - Peer standing among other colleges and universities
  - Mastering legal and regulatory mandates
Slide 12: College and University ICT Challenges
- Centralized core systems and supporting infrastructure
- Fragmented departmental and functional systems by discipline
- High variability in governance policies and effectiveness
- Non-standardized user technology
  - PCs and laptops, smart phones, game consoles, sensors, video cameras
- An open information culture with information integrity and protection
- Inherent resistance to centralized authority
- Diverse investor (contributor/user) base with different objectives
  - Facility or discipline-specific gifts
  - Endowment
  - Student/parent payments
  - Industry/corporate gifts
  - Gifts in-kind
- Net net: mandates from on high will not achieve the objective of a controlled ICT environment in a fragmented, decentralized institution
- Challenge: how to get critical mass on the compliance team
Slide 13: Institutions Balance Today with Tomorrow
- Organizational Health (tomorrow)
  - Reinforcing desired culture
    - Respect, curiosity, integrity, diversity, excellence
  - Strategic assessments
    - Where do we want to be in the future? When does the future begin?
  - Planning
    - New programs, facilities, relationships, etc.
    - Skills and competency improvements (people)
    - Job and organizational structure reviews
    - Building compliance and risk management competencies
- Doing the work: working the plan
  - The academic year cycle
  - The financial cycle
  - Fund raising campaigns
  - Incremental improvements
    - Security, applications
  - Delivering on commitments
    - Meeting deadlines
    - Operations reliability and continuity
    - Meeting goals and objectives
  - Managing controls, conducting compliance audits
Slide 14: Where's your Line between Performance & Institutional Sustainment Initiatives?
- Performance
  - Execution
  - Operations
  - Continuous Improvement
  - Monitoring
  - Measuring
  - Adjusting
  - Controlling
- What's your institution's Optimal Golden Mean? Do you have a way to get there? Time, talent & treasure
- Institutional Health & Sustainment
  - New Capabilities - dynamic compliance, resilient disaster recovery
  - New Methods and Processes: administration, customer interaction
  - New Subject Areas: performance management and reporting
  - New Relationships: complementary virtual institutions
  - Strategic Planning & Investment - programs, facilities, faculty, locations
Slide 15: Innovation: the New Is Hard to Control
(Diagram: a timeline running from Today toward a Continuous Future, with three layers of systems and their control status)
- Legacy Systems: financial, email, registration, Blackboard, payments, grading, Internet access, etc. - Controls in place & audited
- Emerging systems: Social Networks, Smart Phone apps, new academic apps - Controls in development
- Innovative Apps & Services - The Wild Wild West
- Process and Accountabilities to Develop & Oversee Controls
- New and Enhanced Regulatory Regimes: Privacy, Intellectual Property Rights, Security, Disclosure, Transparency, Statistical Mandates
Therefore, to jump ahead, the competence to develop, operate and improve controlled processes in a timely manner is MORE (MUCH MORE) important than developing a protocol for any one regulatory regime. I know, easier said than done.
Slide 16: University Compliance Missions Are Inconsistent
- "To support the University's fundamental commitment to the highest standards of ethics, education, integrity, lawful conduct, and responsible citizenship by complying with all laws, regulations, and internal policies." This makes sense to me. - Columbia University
- "To reinforce and support a culture at UNT which builds compliance consciousness into its daily activities and operations of the University and encourages each employee to conduct UNT business with the highest standards of honesty and integrity." This makes sense to me. - University of North Texas
- "The mission of internal audit is to assess and monitor the university community in the discharge of their oversight, management, and operating responsibilities in relation to governance processes, the systems of internal controls, and compliance with laws, regulations and University policies including those related to ethical conduct by providing relevant, timely, independent, and objective assurance, advisory and investigative services using a systematic, disciplined approach to evaluate risk and improve the effectiveness of control and governance processes." Huh? - University of California system
Slide 17: 2 - The ICT Value Proposition
Slide 18: Pervasive IT: Who's In Charge? In Control?
- ICT today serves every aspect of institutional life, and numerous personal ones as well
  - Universities have an exceptional Venn overlay of these two domains
- Transcends organizational boundaries: tremendous interaction with external individuals and institutions
- Continues to permeate organizations at every level and scale
- Is encompassing more devices (smart phones, object sensors, what's next?)
- Includes all types of data (text, numbers, video, audio, all digitally translatable analog data, real time, hyper-aggregated, images)
- Includes both staged, asynchronous and real-time information events
- The proportion of IT activity that happens outside of IT continues to grow
  - Consumer devices: iPhone, Blackberry, Xbox, Playstation
  - Social networking: Facebook, online games, Twitter, Foursquare
  - Embedded systems: device sensors and controllers, cars
  - Non-IT business functions - every enterprise function has some independent IT, whether they admit it or not (think Excel)
- Consider everything your faculty and students are doing with Information, Communications and Collaboration tools today. What's coming tomorrow?
  - Content, devices, communications channels, users, collaborators, intelligent agents
Slide 19: The ICT Value-Building Cycle
(Diagram: a Plan - Execute - Assess - Move On cycle set within the Environment, with these components)
- IT Governance, Portfolio Management & Alignment
- Delivery
- Assess
- Business Strategy - Differentiators
- Enabling Initiatives & Execution
- Priorities, Projects & Service Levels
- Measurement
- Operations
- Capabilities & Competencies
- Performance Management - Measures & Targets
- Vision & Mission
- Adjust & Adapt: Flexibility & Resilience
Issue: What are the decision rights, accountabilities, responsibilities and metrics for each component and the overall cycle? Hint: no answers = no controls = ineffective risk management
Slide 20: Four Sources of New IT Value
(Diagram; recoverable labels:)
- Improve Decision Making
- Improve Process
Source: The Real Business of IT, Hunter & Westerman, Harvard Business Press 2009
Slide 21: The IT Value Proposition
- Information, communications and collaboration
- Automation of existing work
  - Blackboard
  - Accounting: AP, AR, GL, Asset Management
  - Funds management
  - Grants administration
  - Research
  - Admissions
  - Financial aid
  - Payment
- Improvement and optimization
- Innovation (new, unknown, speculative, experimental)
- External integration
- Risk management (assets, security, data, services continuity, liability)
Slide 22: Getting a return on your ICT investments
Slide 23: ICT Governance
- Governance is the process of ensuring that an institution's financial investments yield the desired returns and are well managed
- A subset of the overall institutional governance function
  - Strategy (direction), institutional integration and oversight
  - Priorities and investments
  - Focus on projects, performance (overall operations) and sustainment
- Integration, not alignment: a team sport
- Expectations, priorities and targets
  - Setting expectations, priorities and targets
- Focused, at heart, on ensuring that the enterprise receives an appropriate return for the money and other resources invested in IT
  - Financial stewardship
- Balancing performance with organizational sustainment
- Integrating strategy, operations and IT
Slide 24: Governance: Analysis, Decision, Follow-through
- Enablers
  - Clear accountabilities
  - Shared purpose & goals
  - Smooth collaboration
  - Measures & targets
  - Org sustainment
Slide 25: Risk Management is Integral to IT Governance
- Internal control is a process
  - Not a department, organization or function: a genuine team sport
  - There is no ultimate destination or rest for the weary
- It focuses, in an ideal world, on ensuring that the institution is being managed and operated in reasonable accord (not a perfect world) with regard to:
  - Effectiveness (right things) and efficiency (right level of resources)
  - Integrity and reliability of reporting, not just financial
  - Compliance with a growing list of laws and regulations
  - Being able to deliver priority projects and services
  - Being able to keep services running (continuity) or to recover from a disaster
- This makes well-managed risk management and compliance a key enabler of institutional processes, IT and other, that operate to move the enterprise towards its goals
Slide 26: ICT Governance Cross Currents
Goal: Achieving, maintaining and improving strategic and operational integration among all internal and external entities and stakeholders to deliver value and improve enterprise health and sustainability
(Table; columns: Strategy & Integration | Setting & Managing Direction | Governance & Oversight | Risk Management | Priorities and Delivery | The IT Agenda)
- Foundation: Strategy and opportunity management; Core competencies; Management; Talent management; CobiT, ITIL, CMMI, Balanced Scorecard; Frontline IT; Collaboration & teamwork across distance and cultures; Global core competencies; Attract and retain talent; Reliable operations
- Focus: Continuously scan the environment, find opportunities & make adjustments; Set priorities and targets; Oversee progress; Keep business in sync; Delivery excellence (CMMI); Operations excellence (ITIL); Solutions identification (what); Enterprise architecture (how); Project delivery
- Finish: Increase enterprise value; Outcomes assessment (Balanced scorecard); Delivering & demonstrating IT value; Continuous enhancements; Innovative leaps
Slide 27: IT Investment Profiles
Source: Rethinking IT Strategy, McKinsey, Aug 2006
Slide 28: ICT Portfolio Allocations
(Diagram; labels:)
- Talent & Career Management
- Core Competencies
- Organizational Health Projects
- ICT Structure
- Investment Allocations (Capex & Opex)
- Bus-Tech Architecture
- ICT Portfolio
- Risk Management
- Measures & Targets
- Innovation
- Business Technology Projects
- Competitive Parity or Advantage
- Service Levels
- Operations
- Capacity Planning
Slide 29: ICT's Role Is Changing
Source: August 2006, Trends: Is There A Career Future In Enterprise IT?
Slide 30: 4 - What do CIOs Do Anyway?
Slide 31: CIO Career Growth Stages
Source: CIO Success Factors, TechExecs, Nov 2009
Slide 32: The CIO's Universe
(Diagram; labels:)
- General Business Environment
- Enterprise Environment
- Stakeholders & Business Partners
- ICT Environment
- Strategy, Governance & Integration: Alignment, Portfolio Mgmt, Compliance & Risk Mgmt, Architecture, Measures & Targets, Financial Mgmt
- ICT Competencies, Processes & Staff
- Projects
- Emerging & Future Technologies
- ICT Infrastructure & Operations
Slide 33: The CIO Meta-Agenda
- Shaping and Meeting Enterprise Expectations: a translation layer between institutional needs and technology capabilities and talents
- Providing reliable and effective IT services
- Planning: Insight and Foresight
- Doing the right things the right way
  - Operations: running what is already in place
  - Projects: delivering extended, enhanced or innovative improvements
- Institution building / organizational health
- Financial and compliance stewardship / risk management
- Communicating value: the iceberg report
- Building and reinforcing a High Performance culture
- Net net: provide more value, continuously improve and extend IT into new areas to increase value/benefit provided for investment made
Slide 34: Sample ICT Agenda Items Today
Item | Performance | Organizational Health
Innovation & Enhancement | Reduce of Ops spending | Develop strong Operations & innovation processes
Integrate with paying customers | Transaction integration | Customer conversations
End-to-end business process mastery & adding business capabilities | Improve operational results | Strengthen resilience, flexibility, external relationships, etc.
Actionable information | Predictive analytics & performance monitoring | Strategic planning and adjustments
Green Computing | Reduce energy consumption & recycle responsibly | Culture of thrift and conscious spending
Architecture & Technology Integration | Cloud computing, virtualization, mobile, social, etc. | Flexible & rapidly adaptive infrastructure services
Decide what's important and concur on expectations with the leadership team | Short-term priority setting & targets | Longer term capabilities
Integration architecture | Process optimization | New opportunities with external partners & faster initiatives
Slide 35: ...a brief aside on controls and controlled environments
Slide 36: Compliance Regimes
- SB1386 (California privacy breach disclosure law)
- Internal proprietary regimes
- FERC/NRC (Energy)
- FERPA: controls on student grade and other personal information
- Jeanne Clery Act (1990): campus crimes disclosure
- FISMA: Federal Information Security Act
- PCI: Payment Card Industry control objectives
- Access systems: access controls
- Sarbanes-Oxley (SEC, PCAOB, COSO, CobiT, ITIL)
- SAS 70: external service provider control regime
- Gramm-Leach-Bliley: consumer information privacy safeguards
- HIPAA: protection of personal health information
- SysTrust / WebTrust: AICPA assessment of IT risks and opportunities; can substitute for a Sox audit
- Government Accountability Office
- Securities and Exchange Commission
- NIST: National Institute of Standards and Technology
- ISO 27000: security techniques
- Office of Thrift Supervision
- ITIL: Information Technology Infrastructure Library
- FIPS 140-1 / 140-2: federal standards for cryptographic software implementation
- CMMI: Capability Maturity Model Integration
- GAAP/FASB: Generally Accepted Accounting Principles / Financial Accounting Standards Board
- IFRS / IASB (International Accounting Standards Board): convergence projects with FASB underway
Source: Students enrolled in EMIS 7360 Executive program, May 2008
Slide 37: The Purposes of Controls
- Safeguarding assets: essentially the cash-to-result value chain
- Checking the accuracy, integrity and reliability of operational and financial data
- Promoting operational efficiency through rigorous process definition, measurement, assessment and continuous improvement
- Encouraging and ensuring that official policies and procedures are followed
- Demonstrating legal compliance by contemporaneous, current process, role and proof-of-adherence documentation
Slide 38: Look at the Regulatory Storm We All Face
Slide 39: Relationship of Control Regimes
(Diagram; layers: Operations, Applications, Finance, Strategy; frameworks: COCO, COSO, COBIT, ITIL)
University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.
Slide 40: COSO Enterprise Risk Management Model
Slide 41: The COSO ERM Framework
- Entity objectives can be viewed in the context of four categories
  - Strategic
  - Operations
  - Reporting
  - Compliance
- ERM considers activities at all levels of the organization
  - Enterprise-level
  - Division or subsidiary
  - Business unit processes
Source: COSO Enterprise Risk Management Framework, Draft Version, July 2003
Slide 42: Internal Environment
- Risk Management Philosophy
- Risk Culture
- Board of Directors
- Integrity and Ethical Values
- Commitment to Competence
- Management's Philosophy and Operating Style
- Risk Appetite
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Practices
Slide 43: Internal Auditors' ERM Responsibilities per COSO
- Do not have primary responsibility for establishing or maintaining ERM
- Play an important role in monitoring ERM
- Regarding the ERM process: assist management and the Board or Audit Committee by
  - Monitoring
  - Examining
  - Evaluating & Reporting On
  - Recommending improvements
CIO comment: ICT needs assistance too.
Slide 44: ICT Vulnerabilities Are Increasing
- Scale (Pervasive IT) creates complexity; complexity generates opportunities to breach security
- Security is a moving target
- Security is a people issue, not a technical issue
- Complexity of software and open development philosophy
  - Microsoft Windows: most major league applications
  - Linux / Open source
  - Macintosh (yes, Macintosh)
- New processing
  - Wireless devices: open wireless connections
  - Unencrypted environment
  - Web based processing: immature security
  - More send/receive devices (smart phones)
- Decentralized infrastructures / physical and logical access control complexity
Slide 45: Follow the Frameworks: Minimize Roll-Your-Own Controls
Controls: "The policies, procedures, practices, and organizational structures that are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, detected and corrected." - ISACA (formerly known as the Information Systems Audit and Control Association and, prior to that, the EDP Auditors Association)
Slide 46: Control Frameworks and ICT
- Control Environment: as much the culture of integrity and ethics as the official policies and procedures. Roles and responsibilities.
- Risk Assessment: internal and external; controllable (prevent) and uncontrollable (anticipate and recover, or observe and report only)
- Control Activities: policies and procedures that transparently ensure that management directives are carried out
- Information and Communication: includes all information being controlled. Includes ensuring that everyone knows their role and responsibility.
- Monitoring: timely assessment of adherence and effectiveness of controls
Slide 47: CobiT Processes by Domain
(Diagram; domains:)
- Monitoring
- Planning & Organization
- Delivery & Support
- Acquisition & Implementation
Slide 48: Integrated CobiT Schematic
Slide 49: The 34 Defined CobiT Processes
(Diagram)
Slide 50: The 7 CobiT Principles
Slide 51: Elements of a Controlled ICT Environment
- Defined and effective governance
- Defined & executed change management / systems implementation process
- Software controls: configuration management
- Hardware access & asset controls
- Computer operations controls
- Data security: access, CRUD, password management, storage, retention, recovery
- Administrative control (new and exiting employees, etc.)
- Balancing high availability and widespread use with security & integrity
- Policy-based, not technology-based control environment
Slide 52: 5 - Friction and Dysfunction in IT Compliance Implementation
Slide 53: Risks: the infinite spectrum
- Every ICT manager lives somewhat in fear of outages and disruptions
- Who defines risks and who assigns the cost of addressing risks?
- Who pays? What doesn't happen because of risk management expenditures?
- What gets taken off the ICT plate because of compliance? (Hint: not much, if anything)
- Real risk management versus mandated risk management
  - Random versus controlled activity: process definition and discipline versus mandate meeting
  - Expected versus actual outcomes: measures and targets defined in advance
  - Multi-perspective verification: evidence versus anecdotes
Slide 54: Sources of Auditor-ICT Conflict: a Sampler
- These may apply more to commercial businesses than colleges and universities, but some all-too-common sore points include:
  - Surprise, surprise (Gomer Pyle), repeatedly
  - Showing up with a deliverable and a deadline with no prior relationship
  - Mandating a regime-specific set of controls to meet a deadline
  - Asking for a control to be documented multiple ways
  - Assuming CIOs have never thought of this stuff before (security, privacy, data integrity)
  - Criticizing the ICT program without offering specific suggestions on how to design, implement or improve a control
  - Priority stuffing (10 pounds of sugar in a 5 pound bag)
  - Leveraging senior management or the external auditor against ICT without developing a clear understanding with ICT of any problems
  - Expecting ICT to allocate labor to the mandate with no support for who pays the bill
  - Blaming ICT for whatever goes wrong
Slide 55: 6 - A Roadmap to IT-Compliance Harmonization
Slide 56: Compliance as connective tissue, not a separate organ
- The Compliance Challenge: making performance and compliance complementary (let's skip the synergy thing)
Slide 57: IT and Auditing Share Mutual Compliance Challenges Today
- IT demand is shifting towards mobile and social services
  - Objective: obtain any information or communicate with anyone via any channel, anytime, anywhere
  - Technologies: iPhone, Blackberry, netbooks, pervasive wireless
  - Applications: Facebook, Twitter, LinkedIn, ...
- Challenges
  - Standards: security is often a matter of technology currency as well as programmatic actions. How to allocate budget for technology refreshes?
  - Privacy of personal information: e.g., unencrypted public wireless, lost or stolen devices
  - Security and retention of confidential data: what IP is in that email attachment?
  - Inappropriate behavior or postings on social networking sites (things that impugn your institution's reputation or enable someone to cause harm to another, for instance)
Slide 58: Integration, not alignment
- Compliance, like information and communications, has to be part of core institutional processes to be effective
  - Built-in quality versus post-incident inspection
- Compliance and IT share the need for an enterprise and extra-enterprise perspective
- Both require some formal oversight group to bring expertise and attention, not a pickup band of departmental assignees
Slide 59: The Compliance Challenge
- Making performance and compliance complementary
- Getting IT Work Done
  - Doing the right things the right way
  - Operations
  - Projects
  - Organizational health
- Implementing Compliance Regimes
  - Compliance and Risk Management Roles
  - The lineup
  - Responsibilities and accountabilities
  - Team work, collaboration and productivity
  - Defining and refining processes and practices
  - Training and incentives
  - Performance management and feedback
- Overhead, Co-existence or Leverage?
- Synthesizing Compliance and ICT Goals
Slide 60: We need to overcome our professional vocabularies
IT vocabulary: PSTN, DNS, IP, EA, HTTPS, NTFS, FTP, GSM, CMMi, Extreme Programming, CSS, Ocxx, ACL, SATA, SSL, LDAP, DFD, API, Peering, SMTP, LAMP, PHP, OSPF
Audit vocabulary: Risk Assessment, Attest, Segregation of Duties, Control Risk, FERPA, Footnotes, Materiality, Significant Controls, Confirmation, Reperformance, Substantive Tests, HIPAA, PCI, Monitoring, Year, Fraud, Reasonable Assurance, Unqualified Report, Independence, PCAOB, AICPA
University vocabulary: Enrollment, Applicants, Transcript, Financial Aid, Registrar, Major, Academic Advisor, Syllabus, Convocation, Endowment, Trusts and Gifts, Transfer, Intern, Distance Learning, Postgraduate, SAT, Credit Unit, Tuition, Withdrawal Deadline, Incomplete, Plagiarism, Wait List, Year
Slide 61: CobiT Processes by Domain
(Diagram; domains:)
- Monitoring
- Planning & Organization
- Delivery & Support
- Acquisition & Implementation
Slide 62: CMMI Process Categories
- Process Management: Organizational Process Focus; Organizational Process Definition; Organizational Training; Organizational Process Performance; Organizational Innovation and Deployment
- Project Management: Project Monitoring and Control; Project Planning; Supplier Agreement Management; Integrated Project Management; Risk Management; Quantitative Project Management
- Engineering: Requirements Development; Requirements Management; Technical Solution; Product Integration; Validation; Verification
- Support: Configuration Management; Measurement and Analysis; Process and Product Quality Assurance; Decision Analysis & Resolution; Causal Analysis and Resolution
Slide 63: CMM Maturity Levels
5. Optimizing. Continuous process improvement.
4. Managed. Detailed measures of the software process and product quality are collected.
3. Defined. Management and engineering activities are documented, standardized, institutionalized.
2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects.
1. Initial. Ad hoc. Success depends on individual effort and heroics.
Slide 64: Compliance Regimes Overlap with ICT Processes
IT Implications (rows) by Regime (columns):
IT Implications | PCI | HIPAA | SAS70 | FERPA | Sox 404 | FIPS
Governance | X | X | X | X | X | X
Project Management | X | X | X | X | X | X
Security & Access Control | X | X | X | X | X | X
Data Integrity | X | X | X | X | X | X
Business Continuity | X | X | X | X | X | X
Patch Management | X | X | X | X | X | X
Change Control | X | X | X | X | X | X
Monitoring & Measuring | X | X | X | X | X | X
Operations & SLAs | X | X | X | X | X | X
Friction Point: ICT needs to control an overall process, not build a process to accommodate an individual mandate
Slide 65: The Special Case of ICT Operations and ITIL
- IT Infrastructure Library, Office of Government Commerce, UK
- Focus
  - People
  - Process
  - Technology
- Service Delivery
  - Service Level Management
  - Availability Management
  - Capacity Management
  - IT Service Continuity Management
- Service Support
  - Incident Management
  - Problem Management
  - Change Management
  - Configuration Management
  - Release Management
Many compliance issues manifest themselves in ITSM (IT Service Management) although the root cause is often way upstream.
Slide 66: The V3 Lifecycle
Slide 67: Collaborate on the Basics of Effective Controls
- Authority and responsibility: clear, communicated and documented
- Authorization of transactions - documented
- Adequate accounting records - a good audit trail
- Segregation of duties
- Independent verifications
- Limited access and physical protection of assets
  - Physical
  - Electronic
  - Virtual
- Cosign and co-deliver the defining documents
Slide 68: Complexity
- Complexity is built in; don't add your own
- Complexity is as much organizational as technical
- Unnecessary technical complexity challenges timeliness, functionality and performance as long as it persists
- Changes must be made within the changeability index of your institution
  - Scale: optimization or a true re-engineering
  - Materiality of the changes: risk quotient
  - Readiness: management, process, education, communications
  - Openness and willingness of the culture to change
  - Skill and history: prior projects and risk management efforts
  - Persistence: the willingness to stay on task until it is right
  - Leadership more than management
  - Plan B
Slide 69: Key Ingredients of the Success Recipe (1)
- ICT is inseparable from the enterprise: integration, not alignment
- Build on-going relationships; don't make compliance the basis of creating relationships
  - Auditor-ICT co-responsibility
  - Clear responsibilities and accountabilities
  - On-going programs, not projects
- Rely on control frameworks where possible to reduce the time necessary to define and implement regimes
  - Select and tailor the regime (CobiT, ITIL, etc.) to fit your circumstances
- Simplify ICT: leverage compliance to make ICT more efficient
  - Lower unit costs, fewer labor specialties, less manual labor, etc.
- Engineer and manage processes; don't organize around individual regimes
- Build-in, don't bolt-on: measures through design and refinement
Slide 70: Key Ingredients of the Success Recipe (2)
- Collaborate on defining and seeking funding for automated tools and any other resources necessary to leverage efficiency efforts and controls
  - Backup/recovery, patch management, intrusion detection, access management, employee hire/termination, logging
- Spend each dollar once and track pay-offs
- Standardize reporting and evidentiary documentation
- Hold regular unofficial compliance meetings
  - Project reviews
  - Upcoming regulation
- Network with other institutions, auditors and ICT together
- Work together to improve ICT governance effectiveness
Slide 71: Triangulate to Succeed Mutually
(Diagram; the three corners:)
- The Powers that Be
- Auditor / Compliance Authorities
- CIO / IT Authorities
Slide 72: A Final Word
- We know that more and more compliance measures are heading towards all of us; let's get ready
- Compliance implementations and controls are tremendous opportunities for institution building, teamwork, operational improvements (performance) and greater transparency
- Compliance is a team sport and everyone on the team has to feel valued and know their role and responsibilities.
- Make compliance-ICT relationships and integration a regular part of your work cycle
- Synthesis can generate triple wins: for your institutions, for Audit and for ICT.
Slide 73: Comments, Q & A