ITS 833 – INFORMATION GOVERNANCE
Chapter 10 - Information Governance and Information Technology Functions
Dr. Isaac T. Gbenle
CHAPTER GOALS AND OBJECTIVES
Identify current trends that are considered weaknesses in IT processes
Describe IG best practices in the area of IT governance
Identify the foundational programs or areas that support the IG efforts in IT
What is meant by data governance? How does it differ from IT?
What would be the steps in implementing an effective data governance program?
Who created the data governance framework? Why?
What is information management? What are its subcomponents?
What is master data management (MDM)?
What is information lifecycle management?
What is data modeling?
What are the different approaches to data modeling?
What is the goal of IT governance?
Be able to identify or give examples of several IT governance frameworks and tell the distinguishing features of each
What is the ISACA organization and what is it responsible for?
Who was responsible for creating ValIT?
Issues related to IT and IG
IT has not been held accountable for the output in its custody
IG best practices that assist IT in delivering business value
Focus on the business impact instead of the technology itself
Customize IG approach for the specific business, applying industry specific best practices where applicable
Tie IG to business objectives
Standardize the use of business terms
Programs that support IG effort in IT
Data Governance – Processes and controls that ensure information at the data level is true, accurate, and unique.
Data Cleansing
De-duplication
Information quality
Master Data Management (MDM)
Accepted IT Standards and Best Practices
Steps to effective data governance
Recruit Strong Executive Sponsor – not easy to do; executive management does not want to deal with minutiae
Assess Current State – where does data reside? What problems are related to existing data?
Compute Data Value – compute how much value good data can add to the business unit
Set Ideal State Vision and Strategy – create a realistic vision, articulate business benefits, articulate measurable impact
Assess Risks – likelihood of potential data breaches? Cost of potential data breaches?
Steps to effective data governance (continued)
Implement “going forward” strategy – provide a clean starting point
Manage the Change – train and educate as to why, and the benefits
Assign accountability for Data Quality to the Business Unit, not to IT – push ownership and responsibility to the business unit that created the data
Monitor Data Governance Program – look for oversights and shortfalls, and fine-tune
DATA GOVERNANCE INSTITUTE (DGI) FRAMEWORK
INFORMATION MANAGEMENT
Information Management is a principal function of IT
IM – the application of management techniques to collect information, communicate it within and outside the organization, and process it to enable managers to make quicker and better decisions.
Components of Information Management
Master Data Management (MDM) – goal is to ensure reliable, accurate data from a single source is leveraged across business units.
Information Lifecycle Management – managing information appropriately and optimally at different stages of its useful life
Data Architecture – design of structured and unstructured information systems in an effort to optimize data flow
Data Modeling – illustrates the relationships between data
KEY STEPS FROM DATA MODELING TO INTEGRATION
6 Approaches to data modeling
Conceptual data modeling – diagrams data relationships at the highest level
Enterprise data modeling – business-oriented approach that includes requirements for the business or business unit
Logical data modeling – Illustrates the specific entities, attributes and relationships involved in the business function
Physical data modeling – implementation of a logical data model
Data Integration – merges data from two or more sources, processing data and moving it into a database
Reference data management modeling – refers to data in categories using lookup tables; categorizes data found in a database; often confused with MDM
COMPARISONS OF DATA MODELS
Copyright © Geanie Asante 2019
IT governance
Efficiency
Value Creation
Method by which stakeholders ensure that investment in IT creates business value
Focus on software development
Keep CEO and Board of Directors in the loop
IT governance frameworks
CobiT®
ITIL
CobiT 5
ValIT®
ISO 38500
ISACA
As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
ISACA got its start in 1967, when a small group of individuals with similar jobs—auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations—sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.
Today, ISACA’s constituency—more than 140,000 strong worldwide—is characterized by its diversity. Constituents live and work in more than 180 countries and cover a variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some are new to the field, others are at middle management levels and still others are in the most senior ranks. They work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. This diversity enables members to learn from each other, and exchange widely divergent viewpoints on a variety of professional topics. It has long been considered one of ISACA’s strengths.
ISACA offers a number of certifications:
Certified Information Systems Auditor
Certified in Risk and Information Systems Control
Certified Information Security Manager
Certified in the Governance of Enterprise IT
Cybersecurity NEXUS – CSX – Certificate and CSX-P Certification
(source: www.isaca.org)
COBIT
Control Objectives for Information and Related Technology
A process-based IT governance framework
Developed by the IT Governance Institute and ISACA
Strengths
Cuts IT risk and gains business value from IT
Assists in meeting regulatory compliance requirements
Improved reporting and management
Improves IT and Information Asset Control
Maps to ISO 17799 and is compatible with ITIL (Information Technology Infrastructure Library), both of which are accepted practices in IT development and operations
Traditional Paradigm
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Detailed description of processes and tools to measure progress
Broken into 3 organizational levels and their responsibilities
Board of Directors and Executive Management
IT and Business management
Line-level governance
4 IT Domains
34 IT processes
210 control objectives
CobiT framework
IT governance frameworks – CobiT 5
Released in 2012
Newest version of the business framework for the governance of IT from ISACA.
Expands on CobiT 4.1
Integrates other major frameworks, standards and resources that are in frequent use today
Comprises 5 key principles for governance and management of IT at the enterprise (big business) level:
Meeting stakeholder needs
Covers the enterprise end-to-end
Applies a single integrated framework
Enables a holistic approach
Separates governance from management
Contains 7 categories of enablers:
Principles, policies and frameworks
Processes
Organizational structures
Culture, ethics and behavior
Information
Services, infrastructure and applications
People, skills and competencies
IT Governance Institute
The IT Governance Institute® (ITGI™) (www.itgi.org) is a non-profit, independent research entity that provides guidance for the global business community on issues related to the governance of IT assets. ITGI was established by the non-profit membership association ISACA in 1998 to help ensure that IT delivers value and its risks are mitigated through alignment with enterprise objectives, that IT resources are properly allocated, and that IT performance is measured. ITGI developed Control Objectives for Information and related Technology (COBIT®) and Val IT™, and offers original research and case studies to help enterprise leaders and boards of directors fulfil their IT governance responsibilities and help IT professionals deliver value-adding services.
Source: https://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Documents/Val-IT-Framework-2.0-Extract-Jul-2008.pdf
IT governance frameworks – ValIT®
Value-oriented framework
Complements CobiT
Focuses on principles and best practices aimed at gaining maximum value from IT investments
40 key ValIT management practices (the counterpart of CobiT control objectives)
Includes 3 primary processes:
Value Governance
Portfolio Management
Investment Management
When integrated with CobiT 5:
Define relationships between IT and the responsible business functional areas with governance responsibility
Manage an organization’s portfolio of IT-enabled business investments
Maximize the quality of business cases for IT-enabled investment
IT governance frameworks – ITIL
ITIL was created in the 1980s by the UK government’s CCTA (Central Computer and Telecommunications Agency) with the objective of ensuring better use of IT services and resources.
The ITIL concept emerged in the 1980s, when the British government determined that the level of IT service quality provided to it was not sufficient. The Central Computer and Telecommunications Agency (CCTA), now called the Office of Government Commerce (OGC), was tasked with developing a framework for efficient and financially responsible use of IT resources within the British government and the private sector.
The earliest version of ITIL was originally called GITIM, Government Information Technology Infrastructure Management. This was very different from the current ITIL, but conceptually very similar, focusing on service support and delivery.
Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s. ITIL spread far and wide, and was used in both government and non-government organizations. As it grew in popularity, both in the UK and across the world, IT itself changed and evolved, and so did ITIL.
In 2000, the CCTA merged into the OGC (Office of Government Commerce), and in the same year Microsoft used ITIL as the basis to develop its proprietary Microsoft Operations Framework (MOF).
In 2001, version 2 of ITIL was released. The Service Support and Service Delivery books were redeveloped into more concise, usable volumes. Over the following few years it became, by far, the most widely used IT service management best practice approach in the world.
In 2007, version 3 of ITIL was published. This adopted more of a lifecycle approach to service management, with greater emphasis on IT and business integration.
IT governance frameworks – ITIL
ITIL – set of process-oriented best practices and guidance originally developed to standardize delivery of IT service management
Applicable to both the public and private sector
Its best practices are the foundation for ISO/IEC 20000
Consists of 5 core published volumes that map the IT service lifecycle:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
IT governance frameworks – ISO/IEC 20000
ISO/IEC – International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011. It is based on and intended to supersede the earlier BS 15000, which was developed by BSI Group.
IT governance frameworks – ISO 38500
ISO/IEC 38500:2008 – international standard for high-level principles and guidance for senior executives and directors on the effective and efficient use of IT
Three main sections:
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
Derived from the Australian AS 8015 guiding principles
IG best practices for database security and compliance
As it relates to IT functions, best practices have developed to prevent leakage of data from databases and from Web services
Implement a uniform set of policies and practices to assist in compliance and reduce costs
Proven database security best practices include:
Inventory and document
Assess exposure and weaknesses
Shore up the database
Monitor
Deploy monitoring and auditing tools
Verify privileged access
Protect sensitive data
Deploy masking
Integrate and automate standardized security processes
The end