Cobit 5 information security pdf download
Van Hove and Mark Thomas, Pragmatic Application of Service Management — The Five Anchors Approach presents a holistic view of service management, and provides a unique mapping to assist service management practitioners in their information gathering.

Contents
1. Why This Book
2. Addressing VSEs
4. The Five Anchors
5. Caselet 1 — Governance
6. Caselet 2 — Resource Optimization
7. Caselet 3 — Risk Management
8. Caselet 4 — Achieve Business Outcomes
9.

But now we're seeing a lot of changes in terms of the threat landscape and threat profile, and we recently did a release on the threats that we're seeing in the industry, things like data leakage.

This is becoming a fundamental business issue for many organizations today. The fact is that data can leak out, and you think about that information, and not necessarily personally identifiable information, but organizational information, trade secrets information; clearly we're seeing that as a major issue out there. Inadvertent employee mistakes are still happening, so we're not going to stop them anytime soon, because as you put process in place we do mitigate that to some extent, but they will still happen.

Now we're still seeing a growing threat in our dimension, consumer-driven IT, now because of your bring-your-own-device. If the enterprise construct is not effectively developed to control this access from third-party devices, then you may have the opportunity to have data leakage, or the use of those devices as a way to penetrate inside your organization. I think we're getting better at that and better at managing that as we move forward. Other things that are very topical, like cyber attacks, external hacking and disgruntled employees, they're all still out there.

They're single-digit kinds of threats, if you want to put a percentage on them, but overall what's happening is this: in the threat landscape there are more and more external threats now coming in to be able to get inside the environment of the data center or the IT construct, and these need to be understood and not necessarily always avoided.

Sometimes you just want to take a mitigation posture or you might want to take an acceptance posture depending on the business risk, the business climate and the business appetite.

One of the things that we reinforce and support in COBIT 5 for Information Security is how to put an effective risk posture in place, and we need to understand that security begins at the business and as a holistic partner.

That's one of the key aspects in the changing threat landscape. We need to be aware of all of these threats, we need to understand them and when you put effective process in place to either deal with them or if our risk posture allows us to accept some of them, how to deal with them after the event. That's going to depend on what industry you are in. If you're in an industry that cannot accept any risk, you're going to have a larger investment in security.

There are organizations that maybe can accept some of these. This is all about understanding your risk profile from a business perspective and understanding what the organizational impact is so that you can make effective investment decisions in the right areas. And I think that's a key thing that we're seeing today.

IT is moving so quickly.

Partially achieved (P): There is some evidence of an approach to, and some achievement of, the defined attribute in the assessed process. Some aspects of achievement of the attribute may be unpredictable.

Largely achieved (L): There is evidence of a systematic approach to, and significant achievement of, the defined attribute in the assessed process. Some weaknesses related to this attribute may exist in the assessed process.

Fully achieved (F): There is evidence of a complete and systematic approach to, and full achievement of, the defined attribute in the assessed process. No significant weaknesses related to this attribute exist in the assessed process.

There is a need to ensure a consistent degree of interpretation when deciding which rating to assign. The table in figure 4 describes the rating in terms of both the original rating scale defined previously and those ratings translated into a percentage scale showing the extent of achievement. The assessors use these scales during their assessment to guide their judgement of the current level of achievement.

The table in figure 5 outlines each level and the necessary ratings that must be achieved: for a process to be rated at a given capability level, the attributes of that level need only be largely achieved; however, an attribute will need to be fully achieved for the process to be rated at the next level. A self-assessment can identify process gaps that require improvements in advance of a formal assessment; it can be done for a relatively small investment and assists enterprise management in setting target capability levels.

Figure 6—Self-assessment Process
Step 1: Decide on process to assess (scoping).
Step 2: Determine level 1 capability.
Step 3: Determine capability for levels 2 to 5.
Step 4: Record and summarise capability levels.
Step 5: Plan process improvement.

There is a more detailed template that includes all 37 COBIT 5 processes provided in the supplementary tool kit.
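The rating scale above (partially, largely and fully achieved), the rule that an attribute must be fully achieved before the next level can be rated, and steps 2 to 5 of the self-assessment process can be carried out mechanically, which is how assessors avoid the inconsistent interpretation the text warns about. The following Python is an added example written for this page; it is not code from ISACA's COBIT assessment programme tool kit. Figures 4 and 5 are not reproduced on the page, so the percentage bands (N 0 to 15 per cent, P over 15 to 50, L over 50 to 85, F over 85 to 100), the nine process attribute names and the level rule are taken from ISO/IEC 15504-2, on which the COBIT 5 Process Assessment Model is based, and are assumptions as far as this page is concerned. The sample ratings are constructed for the example.

```python
"""Capability-level determination for a COBIT 5 process self-assessment.

Added example, not code from ISACA's COBIT assessment programme tool kit.
Rating bands, attribute names and the level rule follow ISO/IEC 15504-2,
which the COBIT 5 Process Assessment Model adopts; the page's figures 4 and
5 are not reproduced here, so those values are assumptions. Sample ratings
are constructed for the example.
"""
from __future__ import annotations

# The nine process attributes, grouped by the capability level they belong to
# (level 0, Incomplete, has no attribute of its own).
ATTRIBUTES_BY_LEVEL: dict[int, tuple[str, ...]] = {
    1: ("PA1.1 Process performance",),
    2: ("PA2.1 Performance management", "PA2.2 Work product management"),
    3: ("PA3.1 Process definition", "PA3.2 Process deployment"),
    4: ("PA4.1 Process measurement", "PA4.2 Process control"),
    5: ("PA5.1 Process innovation", "PA5.2 Process optimisation"),
}
ALL_ATTRIBUTES = tuple(a for attrs in ATTRIBUTES_BY_LEVEL.values() for a in attrs)
LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed",
               3: "Established", 4: "Predictable", 5: "Optimising"}


def rate(percent: float) -> str:
    """Translate an extent-of-achievement percentage into the N/P/L/F rating.

    Bands (assumed from ISO/IEC 15504-2): N 0-15, P >15-50, L >50-85, F >85-100.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"extent of achievement must be within 0..100, got {percent}")
    if percent <= 15:
        return "N"
    if percent <= 50:
        return "P"
    if percent <= 85:
        return "L"
    return "F"


def capability_level(ratings: dict[str, str]) -> int:
    """Return the highest capability level reached (steps 2 and 3 of figure 6).

    Level k counts as reached when every attribute of level k is rated L or F
    and every attribute of levels 1..k-1 is rated F. Assessment stops at the
    first level that fails, so a Largely achieved attribute caps the result
    at its own level.
    """
    missing = set(ALL_ATTRIBUTES) - set(ratings)
    if missing:
        raise ValueError(f"no rating recorded for: {sorted(missing)}")
    bad = {a: r for a, r in ratings.items() if r not in ("N", "P", "L", "F")}
    if bad:
        raise ValueError(f"ratings must be one of N, P, L, F: {bad}")

    reached = 0
    for level in sorted(ATTRIBUTES_BY_LEVEL):
        lower_fully = all(ratings[a] == "F"
                          for lower in range(1, level)
                          for a in ATTRIBUTES_BY_LEVEL[lower])
        this_largely = all(ratings[a] in ("L", "F") for a in ATTRIBUTES_BY_LEVEL[level])
        if not (lower_fully and this_largely):
            break
        reached = level
    return reached


def gaps_to_next_level(ratings: dict[str, str]) -> dict[str, str]:
    """List the attributes holding the process below the next level (step 5).

    Maps each blocking attribute to the minimum rating it needs: F for
    attributes of levels already reached, L for attributes of the target level.
    """
    target = capability_level(ratings) + 1
    if target > 5:
        return {}
    gaps = {}
    for lower in range(1, target):
        for a in ATTRIBUTES_BY_LEVEL[lower]:
            if ratings[a] != "F":
                gaps[a] = "F"
    for a in ATTRIBUTES_BY_LEVEL[target]:
        if ratings[a] not in ("L", "F"):
            gaps[a] = "L"
    return gaps


def summarise(extents: dict[str, float]) -> dict:
    """Step 4: record ratings, the resulting level and the improvement gaps."""
    ratings = {a: rate(p) for a, p in extents.items()}
    level = capability_level(ratings)
    return {"ratings": ratings, "level": level,
            "name": LEVEL_NAMES[level], "gaps": gaps_to_next_level(ratings)}


# Constructed sample assessment of one process: fully performed and managed,
# largely established, only partially measured, not yet optimised.
SAMPLE_EXTENTS = {
    "PA1.1 Process performance": 95, "PA2.1 Performance management": 90,
    "PA2.2 Work product management": 88, "PA3.1 Process definition": 70,
    "PA3.2 Process deployment": 60, "PA4.1 Process measurement": 40,
    "PA4.2 Process control": 10, "PA5.1 Process innovation": 0,
    "PA5.2 Process optimisation": 0,
}

if __name__ == "__main__":
    result = summarise(SAMPLE_EXTENTS)
    print(f"Capability level {result['level']} ({result['name']})")
    for attribute, needed in result["gaps"].items():
        print(f"  to reach level {result['level'] + 1}: "
              f"{attribute} must be {needed}, is {result['ratings'][attribute]}")
```

The sample process comes out at level 3 (Established), and the gap list shows why it is not level 4: its two level-3 attributes are only largely achieved and must become fully achieved, and both level-4 attributes must at least reach largely achieved. The same rule is what makes a single largely achieved attribute at level 1 cap a process at level 1 no matter how its higher attributes are rated, which is the point the text makes about fully achieving an attribute before rating the next level.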

In section 1 the results are summarised and the capability level determined, and section 2 records an assessment against criteria for each level of capability. Use the scoping template in the COBIT assessment programme tool kit to help select the processes to be assessed.

This comprehensive resource explores the overarching question of governance within nonprofit organizations and addresses the roles, structures, and practices of an effective nonprofit. The Handbook of Nonprofit Governance covers the topics that are

Information governance considers a broad perspective of health information issues, while data governance focuses on actual data elements collected in the medical record. Information governance incorporates both data and IT governance (Dimick, ; Kloss ).

Effective IT governanc.

Auditing IT Governance, July

Different levels of the framework require different tools.

Developing an effective governance operating model

How do I develop and maintain their skills, and how do I manage their performance?
Is IT standing in the way of executing the business strategy?
What do I do if IT is not available?
How often and how much do IT projects go over budget?
How do I know whether I am compliant with all applicable regulations?

How to Find an Answer to These Questions

All questions mentioned in figure 7 can be related to the enterprise goals, and serve as input to the goals cascade, upon which they can be addressed effectively.

Appendix D contains an example mapping between the internal stakeholder questions mentioned in figure 7 and enterprise goals. COBIT 5 aligns with the latest views on governance. Given this extended enterprise scope, COBIT 5 addresses all the relevant internal and external IT services, as well as internal and external business processes.

COBIT 5 provides a holistic and systemic view on governance and management of enterprise IT (see principle 4), based on a number of enablers. The enablers are enterprisewide and end-to-end, i.e.

The model by which COBIT 5 defines enablers allows every stakeholder to define extensive and complete requirements for information and the information processing life cycle, thus connecting the business and its need for adequate information and the IT function, and supporting the business and context focus.

Governance Approach

The end-to-end governance approach that is at the foundation of COBIT 5 is depicted in figure 8, showing the key components of a governance system.

Governance Enablers

Governance enablers are the organisational resources for governance, such as frameworks, principles, structures, processes and practices, through or towards which action is directed and objectives can be attained.

A lack of resources or enablers may affect the ability of the enterprise to create value. Given the importance of governance enablers, COBIT 5 includes a single way of looking at and dealing with enablers (see chapter 5).

Governance Scope

Governance can be applied to the entire enterprise, an entity, a tangible or intangible asset, etc. That is, it is possible to define different views of the enterprise to which governance is applied, and it is essential to define this scope of the governance system well.

Roles, Activities and Relationships

A last element is governance roles, activities and relationships. It defines who is involved in governance, how they are involved, what they do and how they interact, within the scope of any governance system.

In COBIT 5, clear differentiation is made between governance and management activities in the governance and management domains, as well as the interfacing between them and the role players that are involved. Figure 9 details the lower part of figure 8, listing the interactions between the different roles. For more information on this generic view on governance please see Taking Governance Forward at www.

A single overarching framework serves as a consistent and integrated source of guidance in a non-technical, technology-agnostic common language.

COBIT 5 integrates all of this knowledge. A full list of references can be found in appendix A. Enablers are driven by the goals cascade, i.e.

Information is required for keeping the organisation running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

COBIT 5 enablers (as listed in the figure):
1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
Enablers 5 to 7 are also grouped as Resources.

Some of the enablers defined previously are also enterprise resources that need to be managed and governed as well.

Some information, such as management reports and business intelligence information, is an important enabler for the governance and management of the enterprise. Any enterprise must always consider an interconnected set of enablers. This means that to deal with any stakeholder need, all interrelated enablers have to be analysed for relevance and addressed if required. This mindset has to be driven by the top of the enterprise, as illustrated by the following examples.

A number of service delivery processes need to be implemented as well, supported by the appropriate organisational structures, showing how all enablers are required for successful service delivery. These policies, in turn, require a number of security-related practices to be implemented.

Stakeholders can be internal or external to the enterprise, all having their own, sometimes conflicting, interests and needs. A list of stakeholders is shown in figure 7.

For example, outcomes should be relevant, complete, current, appropriate, consistent, understandable and easy to use. This applies to information, structures, processes, policies, etc. Good practices support the achievement of the enabler goals. Good practices provide examples or suggestions on how best to implement the enabler, and what work products or inputs and outputs are required.

For other enablers, guidance from other standards, frameworks, etc.

Enabler Performance Management

Enterprises expect positive outcomes from the application and use of enablers. The first two bullets deal with the actual outcome of the enabler.

Example of Enablers in Practice

Example 5 illustrates the enablers, their interconnections and the enabler dimensions, and how to use them for practical benefit.

Eventually, processes cease to exist. In this case, the process managers would need to design and define the process first. In a later stage, the process needs to be made more robust and efficient, and for that purpose the process managers can raise the capability level of the process. Inspiration and example processes can be found there, covering the full spectrum of required activities for good governance and management of enterprise IT. These structures can be further elaborated in the organisational structures enabler, where a more detailed description of the structure can be provided, expected outcomes and related metrics can be defined, e.g.

This is the focus area of the principles and policies enabler. In appendix G, the seven categories of enablers are discussed in more detail. Reading this appendix is recommended for better understanding the enablers and how powerful they can be in organising governance and management of enterprise IT. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

In most enterprises, management is the responsibility of the executive management under the leadership of the CEO.

Interactions Between Governance and Management

From the definitions of governance and management, it is clear that they comprise different types of activities, with different responsibilities; however, given the role of governance—to evaluate, direct and monitor—a set of interactions is required between governance and management to result in an efficient and effective governance system.

These interactions, using the enabler structure, are shown at a high level in figure

Processes: The process model also includes RACI charts, describing the responsibilities of different organisational structures and roles within the enterprise.

Information: The process model describes inputs to and outputs from the different process practices to other processes, including information exchanged between governance and management processes. Information used for evaluating, directing and monitoring enterprise IT is exchanged between governance and management as described in the process model inputs and outputs.

Organisational structures: A number of organisational structures are defined in each enterprise; structures can sit in the governance space or the management space, depending on their composition and scope of decisions. Because governance is about setting the direction, interaction takes place between the decisions taken by the governance structures—e.g.

Principles, policies and frameworks: Principles, policies and frameworks are the vehicle by which governance decisions are institutionalised within the enterprise, and for that reason are an interaction between governance decisions (direction setting) and management (execution of decisions).

Culture, ethics and behaviour: Behaviour is also a key enabler of good governance and management of the enterprise. It is set at the top—leading by example—and is therefore an important interaction between governance and management.

People, skills and competencies: Governance and management activities require different skill sets, but an essential skill for both governance body members and management is to understand both tasks and how they are different.

Services, infrastructure and applications: Services are required, supported by applications and infrastructure, to provide the governance body with adequate information and to support the governance activities of evaluating, setting direction and monitoring.

Smaller enterprises may have fewer processes; larger and more complex enterprises may have many processes, all to cover the same objectives.

COBIT 5 includes a process reference model, which defines and describes in detail a number of governance and management processes. It represents all of the processes normally found in an enterprise relating to IT activities, providing a common reference model understandable to operational IT and business managers.

The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account its specific situation.

Incorporating an operational model and a common language for all parts of the enterprise involved in IT activities is one of the most important and critical steps towards good governance.

It also provides a framework for measuring and monitoring IT performance, providing IT assurance, communicating with service providers, and integrating best management practices. Each implementation approach will also need to address specific challenges, including managing changes to culture and behaviour. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes.

The guide is also supported by an implementation tool kit containing a variety of resources that will be continually enhanced. The optimal approach for the governance and management of enterprise IT will be different for every enterprise, and the context needs to be understood and considered to adopt and adapt COBIT effectively in the implementation of governance and management of enterprise IT enablers. COBIT is often underpinned with other frameworks, good practices and standards, and these, too, need to be adapted to suit specific requirements.

Major IT-related initiatives often fail due to inadequate direction, support and oversight by the various required stakeholders, and the implementation of governance or management of IT enablers leveraging COBIT is no different. Support and direction from key stakeholders are critical so that improvements are adopted and sustained.

In a weak enterprise environment (such as an unclear overall business operating model or lack of enterprise-level governance enablers), this support and participation are even more important.

Enablers leveraging COBIT should provide a solution addressing real business needs and issues rather than serving as ends in themselves. Requirements based on current pain points and drivers should be identified and accepted by management as areas that need to be addressed. High-level health checks, diagnostics or capability assessments based on COBIT are excellent tools to raise awareness, create consensus and generate a commitment to act.

The commitment and buy-in of the relevant stakeholders need to be solicited from the beginning. To achieve this, implementation objectives and benefits need to be clearly expressed in business terms and summarised in a business case outline. Once commitment has been obtained, adequate resources need to be provided to support the programme.

Key programme roles and responsibilities should be defined and assigned. Care should be taken on an ongoing basis to maintain commitment from all affected stakeholders. Appropriate structures and processes for oversight and direction should be established and maintained. These structures and processes should also ensure ongoing alignment with enterprisewide governance and risk management approaches.

Recognising Pain Points and Trigger Events

There are a number of factors that may indicate a need for improved governance and management of enterprise IT. By using pain points or trigger events as the launching point for implementation initiatives, the business case for governance or management of enterprise IT improvement can be related to practical, everyday issues being experienced. This will improve buy-in and create the sense of urgency within the enterprise that is necessary to kick off the implementation.

In addition, quick wins can be identified and value-add can be demonstrated in those areas that are the most visible or recognisable in the enterprise. This provides a platform for introducing further changes and can assist in gaining widespread senior management commitment and support for more pervasive changes.

In many enterprises, there is a significant focus on the first aspect—core governance or management of IT—but not enough emphasis on managing the human, behavioural and cultural aspects of the change and motivating stakeholders to buy into the change.

It should not be assumed that the various stakeholders involved in, or impacted by, new or revised enablers will readily accept and adopt the change. Also, optimal awareness of the implementation programme should be achieved through a communication plan that defines what will be communicated, in what way and by whom, throughout the various phases of the programme.

In other words, human, behavioural and cultural barriers need to be overcome so that there is a common interest to properly adopt change, instil a will to adopt change, and to ensure the ability to adopt change.

A Life Cycle Approach

The implementation life cycle provides a way for enterprises to use COBIT to address the complexity and challenges typically encountered during implementations.

The three interrelated components of the life cycle are the:
1. Core continual improvement life cycle—This is not a one-off project.
2. Enablement of change—Addressing the behavioural and cultural aspects.
3. Management of the programme.

As discussed previously, the appropriate environment needs to be created to ensure the success of the implementation or improvement initiative.

The life cycle and its seven phases are illustrated in figure It identifies the current pain points and triggers and creates a desire to change at executive management levels. High-level diagnostics can also be useful for scoping and understanding high-priority areas on which to focus. An assessment of the current state is then performed, and issues or deficiencies are identified by carrying out a process capability assessment.

Large-scale initiatives should be structured as multiple iterations of the life cycle—for any implementation initiative exceeding six months there is a risk of losing momentum, focus and buy-in from stakeholders. Some solutions may be quick wins and others more challenging and longer-term activities.