executive white paper




Governing IT to Maximise Value
IT Governance for Compliance, Risk Management and Cost Reduction

Contents
Introduction
APM Technology
Governance
Compliance
Risk Management
Case Study
Conclusion
Next Steps

Introduction

With a constant need to maintain and advance market position, today's corporations continue to invest significant resources in the development of intangible assets such as their intellectual capital, operational information and the technical capabilities to process and exploit them. Software applications remain the most costly and longest-lived of all these intangible assets, as once deployed they quickly become integral components in business-critical processes. When you consider that overall IT investment is estimated to consume more than 50% of annual capital investment and represents more than 30% of an organisation's cost base [1], it is inevitable that there will be a strong focus on overseeing and monitoring the IT operation. With up to 76% [2] of IT budgets currently being used simply to maintain the current estate, it is particularly crucial to ensure the efficient use of all resources and to reduce operational costs where practical.

The challenge for many boards is that while they understand the business value delivered by the IT organisation, they lack the means to gain a clear understanding of the IT operation. An effective IT governance framework closes this gap. It helps to manage the risks associated with IT's intensive investment and high impact profile, as demanded by today's stringent corporate governance requirements. Closely associated with governance are the areas of risk and compliance, and it is generally recognised that effective governance can only be achieved if these are managed together in a mutual and concerted manner. A combined approach to GRC (governance, risk and compliance) will deliver a more effective IT governance framework, helping organisations identify and mitigate potential risks, become more efficient, and ensure the overall value of the portfolio is maximised.

Application Portfolio Management (APM) is a technology-based process that can deliver the necessary insight into the application environment to drive this level of IT governance. With the associated technology, organisations can value their applications and assess them down to code level to understand the system parameters and inter-dependencies that directly impact compliance efforts. This paper will cover all three aspects of the GRC agenda and how APM can be used to directly address them.

Gartner provides the following description of APM: "properly executed, it enables the continuous evolution of the application inventory in the desired business and architectural directions, while providing the desired or contracted level of service support for the least investment and risk during an extended period" [3].

APM Technology

Before examining the specific aspects of GRC in greater detail and how they can be effectively addressed by APM technology, a summary of typical APM technology capabilities is provided in figure 1. This is based upon Enterprise View, an APM technology solution from Micro Focus. While specific GCRM (Governance, Compliance, and Risk Management) technology solutions have arrived in the marketplace, APM is generating considerable interest because it enables the governance process to be interlinked with day-to-day management objectives. A core aspect of APM functionality is an ability to automate the collection and storage of information relevant to existing business processes and associated applications. The result is a dynamic inventory that lists the software attributes across the application portfolio (lines of code, number of objects, file types, and number of programs), all of which are updated when changes occur. This visibility provides actionable insight into the technical parameters of the application inventory, highlighting the value, inter-dependencies and risk exposure of individual systems. By delivering this level of technical information, which offers wide business applicability, governance, compliance and risk management initiatives become implicitly embedded in the management process and help avoid some of the main obstacles associated with ensuring widespread adoption.

Figure 1: Example of APM technology capabilities applicable to GRC

A key element of any IT governance framework is access to relevant reporting and monitoring capabilities, though as Gartner points out there is no single application governance tool [4] currently available that offers a comprehensive silver-bullet approach. Instead, these capabilities are derived from a variety of different solution areas, with APM providing arguably the most complete functionality for extending governance across the application landscape, and the best approach for administering the bulk of today's IT expenditure.

Governance

IT governance can be defined as "the processes that ensure the effective and efficient use of IT, enabling an organization to achieve its goals" [4]. There is a growing consensus among commentators that it will overtake corporate governance in importance due to the strategic value of technology to the corporation. As Alan Calder puts it, "Organizations that fail to direct and control their IT to best competitive advantage will be left as road kill on the information superhighway" [1].

To assist the creation of effective IT governance frameworks, a number of management standards have emerged. These include:

- CoBIT (Control Objectives for Information and Related Technology)
- COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- ISO 27001, for certification of information security management
- ITIL (IT Infrastructure Library)
- ISO 2000, an international standard for IT service management

Each standard has originated from a different sponsoring organisation, in response to different business drivers; for example, ITIL began as a library of best practice processes for IT service management. However, regardless of emphasis and composition, any framework must incorporate objective measures that will enable an enterprise to understand where it currently stands with regard to achieving an effective governance capability, and where improvement efforts should be targeted. To satisfy this information requirement, CoBIT, as an example, defines a management toolkit comprising [5]:

- dashboards, to provide indicators that the ship is on course
- scorecards, to provide measures that demonstrate satisfactory results are being achieved for the widest possible audience of stakeholders
- benchmarking, to provide a comparative scale for assessing how the IT function is adapting to changes in its environment. A typical approach for this is to adopt the Software Engineering Institute's Capability Maturity Model (CMM) [6].

The CoBIT framework also defines the focus areas in which to apply this toolkit, as illustrated in figure 2 below.

Figure 2: CoBIT's IT Governance Focus Areas [5]

The aim of this framework is to ensure:

- IT is aligned with the business
- IT enables business execution and maximises benefits
- IT resources are used responsibly
- IT risks are managed appropriately

This is a good representation of the aims of most governance initiatives, and by examining each factor in turn, the following table summarises how core APM capabilities map directly to the key elements of this framework and, by implication, the other standards mentioned above.

CoBIT Focus Area: Strategic Alignment and Value Delivery
APM Technology Capabilities:
- Automate the compilation of business-value questionnaires to speed up and simplify the analysis process, making large-scale application reviews feasible.
- Provide a central storage repository for both the questionnaire review data and details of all application attributes across the portfolio, to enable the reporting of business value metrics against governance measures such as software or service quality.

CoBIT Focus Area: Risk Management
APM Technology Capabilities:
Enterprise View parses the application portfolio down to code level to provide a detailed understanding of the impact of any planned changes, and is equipped with a range of features that help reduce this type of risk. These features include:
- Technical inventory and software quality analysis that gauges the size and complexity of code to be altered, enabling the most appropriate change management procedures to be employed.
- Automated impact analysis to enable IT to review the attributes of all applications impacted by a proposed change and to generate a detailed impact assessment to improve risk mitigation planning, as well as ensuring completeness of execution and a reduction in the risk of abends.
- Additional features such as graphical representations of attribute relationships and automated production of technical documentation, to impart a broad understanding of the application environment and to ensure any changes are proposed with a greater appreciation of context and impact, reducing in turn the likelihood of defects and outages.

CoBIT Focus Area: Resource Management (applications, information assets, technical infrastructure and people)
APM Technology Capabilities:
- Automatic calculation of software quality metrics, to provide indicators of how application code is currently being maintained and to help avoid any unnecessary complexity being added through poor programming standards, which will only increase support costs over time.
- Top-down business value and technology assessment support, combined with software quality analyses, provides a systematic and consistent method for determining candidate applications for migration to lower-cost platforms.
- Graphical representations of attribute relationships, impact analyses and the automatic production of technical documentation significantly reduce the ramp-up time for teams looking to work on new applications. This in turn can deliver a step change in resource flexibility and productivity.

CoBIT Focus Area: Performance Management
APM Technology Capabilities:
Defect history from help desk ticketing systems, change history from source code management systems, and the business value and software quality data are combined to create powerful role-based dashboards and management reports that span service, quality and productivity performance. These can be in multiple views, spanning different departments, service areas and service providers, both internal and external to the business. This benchmarking of relative performance, which takes into account code complexity, allows comparisons to be made that can ultimately help maintain and improve performance levels and shift resources to those areas delivering the greatest return or in need of the greatest support.

Many of the aspects mentioned in the table above are still applicable when the application portfolio has been outsourced. In this situation, it is vital to ensure good governance processes are being consistently applied to prevent erosion of asset values through poor quality development and unnecessary complexity. As the client, tracking SLA performance and benchmarking the performance of individual providers is a fundamental requirement for ensuring value maximisation, as well as certifying that the provider is executing an effective governance model around code and service quality and protecting application asset value.

Compliance

Given the complex, multi-national, multi-regulatory environment that corporations operate in today, delivering statutory compliance is an intense and unforgiving challenge for many senior IT managers.
The regulatory mandates facing the enterprise will differ by sector, but the overall framework can be broadly broken down into three primary areas:

- Corporate governance, where acts such as the Sarbanes-Oxley (SOX) Act of 2002 and the Combined Code on Corporate Governance in the UK require companies listed with the USA Securities and Exchange Commission and on the London Stock Exchange to have in place internal control frameworks that enable the company's board to manage operational and financial risk effectively.
- Personal data and identity protection laws, which require appropriate technical measures to be taken to prevent unauthorised or unlawful processing of personal data, accidental loss, destruction or damage. In the UK, the Data Protection Act of 1998 also stipulates that personal data should not be transferred to countries that cannot provide adequate protection. In addition, certain state laws in the USA, such as California's Security Breach Notification law SB-1386 [7], require immediate disclosure to customers if a breach of personal data has occurred.
- Industry-specific legislation, particularly relevant to companies operating in the financial services industry, where regulations such as Basel II and Solvency 2, in the banking and UK insurance sectors respectively, require accurate reporting on all risks relating to capital exposure. Other examples include the USA's HIPAA (Health Insurance Portability and Accountability Act of 1996) [7], which designates the parameters of access controls that need to be in place to protect against inappropriate access to sensitive data.

These are only a few examples of the myriad compliance-related directives currently in existence, and the total number will surely expand in line with future political demands. The response to date of many IT organisations has largely been around ensuring appropriate access controls to systems and applications are in place and fault tolerant. However, the growing complexities of certain regulatory demands have implications at the application code level that require enhanced capabilities in compliance analysis. For example, access security standards have a direct impact on field/record and file structures, which in turn should be consistent throughout the multitude of interconnecting programmes and applications that form an organisation's business and customer services processes. Ensuring compliance here will place a sustained burden on resource capacities.

APM technologies directly address these issues through a code-level analysis capability that is ideal for assessing granular-level compliance. In pursuit of total compliance coverage across the enterprise architecture, users can select individual applications and use the intelligent code search functions to rapidly bring up the relevant fields across all interconnected programmes and applications. In the case that changes are required, for example a field length expansion, APM supports such alterations by assessing the impact across all related applications to gauge the effort involved and the project risks.
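The field-level impact analysis described above (find every program that references a field, then everything that depends on those programs through the call graph, and single out the ones that handle sensitive data so access-control checks are scheduled with the change) can be shown with a small script. This is an added example and is not Enterprise View's own code or data: the inventory, the program and field names, the call relationships and the "sensitive" tag are all constructed for illustration.

```python
"""Code-level impact analysis over a constructed application inventory.

A change to a data field (for example a length expansion) impacts every
program that references the field directly, plus every program that
calls an impacted program (transitively), because interfaces and record
layouts flow up the call chain. Programs tagged as handling sensitive
data are reported separately so that access-permission reviews are
planned alongside the change rather than discovered afterwards.
"""
from collections import deque

# Constructed inventory (assumption: not real Enterprise View output).
# Each program lists the fields it references and the programs it calls.
INVENTORY = {
    "CUSTMNT": {"fields": {"CUST-ID", "CUST-NAME", "CUST-SSN"},
                "calls": {"ADDRVAL"}, "sensitive": True},
    "ADDRVAL": {"fields": {"CUST-ID", "ADDR-LINE"},
                "calls": set(), "sensitive": False},
    "BILLING": {"fields": {"CUST-ID", "INVOICE-AMT"},
                "calls": {"CUSTMNT", "FXRATE"}, "sensitive": False},
    "REPORTS": {"fields": {"INVOICE-AMT"},
                "calls": {"BILLING"}, "sensitive": False},
    "PAYROLL": {"fields": {"EMP-ID", "EMP-SSN"},
                "calls": set(), "sensitive": True},
}


def direct_references(inventory, field):
    """Programs whose data definitions or logic reference the field."""
    return {name for name, attrs in inventory.items() if field in attrs["fields"]}


def reverse_call_graph(inventory):
    """Map each program to the set of programs that call it."""
    callers = {name: set() for name in inventory}
    for name, attrs in inventory.items():
        for callee in attrs["calls"]:
            callers.setdefault(callee, set()).add(name)
    return callers


def impact_of_field_change(inventory, field):
    """Direct, transitive and sensitive-data impact of changing one field."""
    direct = direct_references(inventory, field)
    callers = reverse_call_graph(inventory)
    impacted = set(direct)
    queue = deque(direct)
    while queue:                      # breadth-first walk up the call chain
        prog = queue.popleft()
        for caller in callers.get(prog, ()):
            if caller not in impacted:
                impacted.add(caller)
                queue.append(caller)
    sensitive = {p for p in impacted if inventory[p]["sensitive"]}
    return {"direct": direct, "transitive": impacted - direct, "sensitive": sensitive}


def unresolved_calls(inventory):
    """Calls to programs missing from the inventory: blind spots in the map."""
    return {(name, callee)
            for name, attrs in inventory.items()
            for callee in attrs["calls"]
            if callee not in inventory}


def relationship_map(inventory):
    """Flat 'CALLER -> CALLEE' edge list, the textual form of a relationship map."""
    return sorted(f"{name} -> {callee}"
                  for name, attrs in inventory.items()
                  for callee in attrs["calls"])


if __name__ == "__main__":
    report = impact_of_field_change(INVENTORY, "CUST-SSN")
    print("direct:", sorted(report["direct"]))
    print("transitive:", sorted(report["transitive"]))
    print("sensitive-data programs in scope:", sorted(report["sensitive"]))
    print("unresolved calls:", sorted(unresolved_calls(INVENTORY)))
    print("\n".join(relationship_map(INVENTORY)))
```

The walk deliberately follows the call graph in reverse (callee to caller): a caller inherits the changed record layout or interface of the program it calls, while callees are untouched by the change. The unresolved-calls check matters for the same reason the paper gives for complete portfolio visibility: a callee that is not in the inventory is a relationship the impact assessment cannot see, so it should be treated as a gap to close before the change is approved.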
In this way APM technology can provide a very rapid, low-risk approach to ensuring application compliance down to code level. Indeed, the demand for this capability is only likely to grow, with an increasing number of governance standards already stipulating that effective controls must be in place to assess and document program code changes. An example of this is the COSO framework, which requires general controls to be deployed in accordance with the USA's Auditing Standard No. 2 of the PCAOB (Public Company Accounting Oversight Board), paragraph 50, which states: "information technology general controls over program development, program changes, computer operations...help ensure that specific controls over the processing of transactions are operating effectively" [7].

Complete portfolio visibility is also critical for ensuring data access controls are effective across all applications to remove the threat of unauthorised entry. For some organisations this should prove straightforward enough, but in larger and more mature operations, the IT landscape has inevitably incorporated some ad hoc responses to tactical and strategic imperatives. The result is an elaborate and complex network permeating the entire organisation, and one that makes keeping track of the technologies and inter-relationships, at all levels of an application, extremely difficult. In this instance, IT controls are difficult to validate, and managers cannot guarantee 360-degree security for sensitive data. The graphical relationship maps that can be produced from a code-level analysis within APM provide details of how each application links with other applications to avoid these problems.

In terms of the compliance requirements relating specifically to financial institutions, such as Basel II and Solvency 2, the challenge on the IT function is to ensure risk management reporting can be reconciled accurately down to a transactional level. Increasingly, this is prompting the need to analyse a system's transaction handling components at a code level. Again, the ability of APM technology to greatly enhance application and code-level understanding makes such initiatives far more feasible.

As well as these specific business issues, there are also more generic trends and developments that pose potential compliance risks. This is particularly reflected in the continual evolution of technology towards new, low-cost operating environments. The challenge here is to ensure compliance with the latest technical standards, which will in turn reflect the corporation's view of which developments can be considered acceptable. This can prove difficult in organisations with large, geographically dispersed operations, but is critical to the overall compliance agenda. To speed the process, self-certification can prove extremely useful. The automated questionnaire capabilities within APM solutions can offer an effective approach to undertaking such an evaluation, with results stored in the APM repository for review or as a future audit trail.

Risk Management

Any change to mission-critical applications, ranging from small maintenance updates to large-scale migrations, involves an inherent risk to the business due to the complexity and inter-dependency of today's architectural landscape. All too often, a change in one application will mysteriously cause another to stop, and it can be weeks before the root cause is finally isolated.
APM, through the data held on business value, service and software quality, as well as the technical inventory, provides a diversity of different views into existing applications to help mitigate such operational risks. It also helps manage strategic risk by providing an accurate decision-making framework for guiding application strategy in terms of retirements, investments, and modernisation or migration initiatives. Once candidates for a particular action have been identified, the extensive level of technical documentation available helps to determine the level of risk associated with any proposed activity. This in turn informs the benefit/risk trade-off analysis. The resulting combination of broad cross-portfolio clarification, together with a code-level focus at an individual application level, provides an effective mechanism for balancing strategic risk.

In terms of operational risk, once a course of action has been determined, the full range of knowledge available to IT personnel, in conjunction with the automated production of technical documentation, helps to clarify the best course of action and reduce overall exposure. For example, when modernising an application, it is only with the insight provided by the graphical analysis of APM that project teams can ensure the changes are executed in a manner that continues to support the inter-relationships of all programmes, objects and applications effectively. To avoid compromising compliance integrity, it is crucial that no adverse behaviour occurs due to oversights on application inter-relationships and access permissions, particularly when handling sensitive data. Along with the ability to calculate precisely the impact of any changes, APM also helps detail the resources required for any potential application change project. This helps management to adequately plan, scope and resource individual projects, understand with confidence all the risks involved, and improve the chances of the project being completed on time and within budget.

Case Study

To illustrate the benefits of APM technology in supporting governance, let us take a quick look at a real-life example of a customer that has taken such an approach. In this case, a global bank was determined to improve its IT governance, driven by the specific goals of:

1. optimising IT resources following a series of mergers, and
2. gaining a better understanding of its complex internal processes.

More specifically, the bank wanted to address the maintainability and quality of its application code and evaluate whether its systems integrators were delivering the anticipated value in line with their support and maintenance agreements. The customer deployed the Micro Focus Enterprise View APM solution to consolidate multiple data strands into an accurate and comprehensive understanding of its application portfolio. An executive dashboard was then created to convey this new application insight, which was used in the management of a number of IT processes including resource budgeting and financing, capacity management, SLA management, and customer demand and satisfaction management. The use of Enterprise View has provided the bank with a continuous representation of a rapidly evolving and dynamic system.

The information base now available has equipped the bank with an ability to produce targeted reporting on demand, at different levels of aggregation, for different end-user classes. Data can now be split out by line of business, role, application area, language or any other useful criteria; ongoing activities never enter uncontrolled cycles, they are always well reported, well controlled, and as a consequence, well governed. Through the new higher vision of the IT operation gained from the available analysis and insight, the bank has been able to improve the service level performance of its outsourcers and obtain contract renewals with clear performance measures and significant cost reductions. The bank has estimated that these reductions represent a 20% saving on its previous contract costs.

Conclusion

Looking to the future, it is likely that IT governance obligations will only increase in size and scale. Therefore, a tool that can provide a precise analysis of an application down to code level, including inter-dependencies and relationship views, should certainly be considered a key component in the IT organisation's governance armoury. Even if large sections of the technical environment have been outsourced, this only heightens the need to ensure compliance integrity and control standards are robust and fully functional. Visibility into the performance of outsource providers will help ensure quality and programming standards are being adhered to, ensuring the continued development of overall asset value.

This also encourages a more strategic view of IT assets. A previous lack of in-depth, portfolio-level application insight has run the risk of value optimisation based on short-term technology opportunism, versus the systematic and holistic GRC-based view that can be achieved using APM technology. In summary, the benefits to IT governance initiatives that APM can deliver are extensive, providing in-depth application understanding that helps identify areas of non-compliance and opportunities for maximising the value of a portfolio of critical IT assets. In particular, it can help reduce the strategic risk connected to a failure to plan application strategy in a portfolio context. Such a failure can often precipitate a crisis management approach to the technological demands of the business, resulting in the adoption of short-term measures that don't necessarily correspond with the intended governance framework or maximise asset value over the long term. But by using APM to assess business value and technology-related risk, management has multi-dimensional visibility into potential hot spots and the ability to dive into the underlying problems for further investigation. This insight encourages a more proactive approach to GRC and the capacity to manage and target resources in a more effective way and at the point of need.

Next Steps

Micro Focus Enterprise View is a comprehensive APM solution offering the capabilities discussed in this paper. It is already deployed and delivering improved governance to a range of enterprise customers. Please visit www.microfocus.com/solutions/apm/ for further information on how APM could deliver benefits for your business.

References

[1] Calder, Alan, IT Governance: A Pocket Guide, IT Governance Publishing, 2007
[2] Murphy, Phil, Building the Business Case for APM, Forrester Best Practices, 2005
[3] Duggan, Jim, APM Improves Business Margins Through Cost and Risk Reduction, Gartner Research, 2007
[4] Hotle, Matthew, The Seven Deadly Sins of Application Governance, Gartner Research, 2008
[5] CoBIT 4.1, IT Governance Institute, 2007
[6] www.sei.cmu.edu/cmmi/
[7] Calder, Alan, IT Regulatory Compliance in North America, IT Governance Publishing, 2007

www.microfocus.com

Micro Focus Worldwide
Australia: 1800 632 626
Belgium: 0800 11 282
Canada: 877-772-4450 x1123
France: 0800 835 135
Germany: 0800 182 5443
Ireland: +353 182 120 49
Italy: +39 02 694 34 01
Japan: +81 3 5793 8550
Luxembourg: 800 23743
Netherlands: +31 23 5689 138
Norway: +47 22 91 07 20
Spain: +34 91 57 26 649
Sweden: +46 850 901 258
Switzerland: 0800 564 247
United Kingdom: 0800 328 4967
United States: +1 877 772 4450
Other Countries: +44 1635 32646
For contacts worldwide: www.microfocus.com/contact

2008 Micro Focus. All Rights Reserved. Micro Focus is a registered trademark. Other trademarks are the property of their respective owners. WPAPMG1108-US