#L09 Without Which None: Key Data Points for IT Governance Metrics
Jennifer Bayuk, CISA, CISM, CGEIT
Independent Information Security Consultant
www.bayuk.com
Session Content
1. How to compartmentalize complex IT infrastructures in order to label them
2. Application component labeling
3. Index-sharing requirements for commonly used metrics
4. Simple and effective ways to efficiently collect data on IT-related initiatives
5. How to align risk assessment activities with accountability for IT project and service delivery
IT Architecture Components
- Application components
- Component to software mapping
- Component to hardware mapping
- Virtual machines
- Data Sources
Application components (layered diagram; labels in the order shown): APPLICATION; Web Services; Authentication; Web2.0; Desktop; CODE BASE; Message Bus; GUI; Data Services; REUSABLE SOFTWARE; Load Balancer; Web Server; Database; CONTAINER COMPONENTS; Operating Sys; Network; Monitoring; INFRASTRUCTURE COMPONENTS
Component to software mapping
- Web Services Custom Source Code
- Authentication Interface
- Database Interface
- Message Bus Interface
- Web Server Config
Component to hardware mapping (diagram): application components distributed across Server 1 through Server 6 behind a Network Monitor and Load Balancer; labels shown include Web Server, Web Service GUI, Auth Services, Auth Interface, Database Interface, Web Services Compute Module, Message Bus, Message Bus Interface, and Database Management System.
Virtual machines (diagram): several guests (Web Services, Web Services, Auth Services), each with its own Operating System and one of Multiple Virtual Network Addresses, running on the Operating System of the Virtual Device with its Virtual OS Config Utilities; points of administration include the Admin Console.
Potential Data Sources
- Enterprise Management System
- Configuration Management Database
- Application Inventory
Potential data source on components architecture: Enterprise Management System
- IP-centric asset inventory
- OS and infrastructure focused
- Requires coordinated data entry or feeds to align with business process
- Typically SNMP; may be client-server-based
Potential data source on components architecture: Configuration Management Database
- Operations focused
- Provides relationships between configuration items
- Requires coordinated data entry or feeds to align with asset inventory and/or business process
- (Diagram: configuration items such as CPU, DISK and PROCESS with identifiers X231, HXL2Z and GZETS, linked to the system requirement statements they satisfy, e.g. monitoring availability of critical system resources, preventing buffer overflow conditions that allow unauthorized access, and recording the user-id, date and time of software and data creation or modification.)
- Typically used to support operations and service desk
Potential data source on components architecture: Application Inventory
- Development focused
- Provides accountability for maintenance of software
- Requires coordinated data entry or feeds to align with asset inventory
- Typically used to justify IT spend to business customers
Data Source Consolidation (diagram)
- Application Inventory supplies APPLICATION and COMPONENT data
- Configuration Management Database supplies COMPONENT and ASSET data
- Enterprise Management System supplies ASSET data
- Together these form the UNIVERSE from which METRICS are drawn
Metrics How-to
- Start with known data on environment
- Quantify or otherwise represent unknowns
- Link control-relevant data to known data
- Anticipate decision requirements
- Design presentations
Known Indexes for consolidation
1. Application Index or Acronym
2. Vendor Software Release Identifier
3. Network IP Address
4. Equipment Serial Number
Identify Gaps
1. Application Index or Acronym, e.g. without associated equipment
2. Vendor Software Release Identifier, e.g. not associated with any application
3. Network IP Address, e.g. with no equipment serial number
4. Equipment Serial Number, e.g. not associated with any vendor
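A worked consolidation of the three data sources on the four known indexes, added here as an example (Python) and not part of the presentation. The inventory records, the application and release names, and the `charged_to` field are constructed assumptions; `consolidate` reports the four gap types from the Identify Gaps list, and `unaligned_by_lob` computes the Strategic Alignment measure (vendor software charged to a LOB but tied to no application) shown in a later example slide.

```python
"""Join app inventory, CMDB and EMS on the common indexes; report the slides' gap types."""

# Constructed sample records carrying only the index fields the slides name.
APP_INVENTORY = [   # application index, line of business, vendor releases used
    {"app": "TRADE",  "lob": "LOB1", "releases": ["Apache 2.2", "Oracle 10g"]},
    {"app": "CRM",    "lob": "LOB2", "releases": ["MS-SQL 2005"]},
    {"app": "LEGACY", "lob": "LOB1", "releases": []},   # nothing mapped to it
]
CMDB = [            # vendor software release -> IP address it runs on, and LOB billed
    {"release": "Apache 2.2",  "ip": "10.0.0.1", "charged_to": "LOB1"},
    {"release": "Oracle 10g",  "ip": "10.0.0.2", "charged_to": "LOB1"},
    {"release": "MS-SQL 2005", "ip": "10.0.0.3", "charged_to": "LOB2"},
    {"release": "Sybase 12",   "ip": "10.0.0.4", "charged_to": "LOB2"},  # unused
]
EMS = [             # IP address -> equipment serial number
    {"ip": "10.0.0.1", "serial": "SN-001"},
    {"ip": "10.0.0.2", "serial": "SN-002"},
    {"ip": "10.0.0.3", "serial": None},      # IP known, serial never recorded
    {"ip": "10.0.0.5", "serial": "SN-005"},  # equipment no CMDB release runs on
]


def consolidate(apps=APP_INVENTORY, cmdb=CMDB, ems=EMS):
    """Return (universe, gaps). universe chains app -> release -> ip -> serial;
    gaps lists the records that fall out of that chain, one list per gap type."""
    release_to_ip = {c["release"]: c["ip"] for c in cmdb}
    ip_to_serial = {e["ip"]: e["serial"] for e in ems}
    releases_in_use = {r for a in apps for r in a["releases"]}
    universe = [(a["app"], r, release_to_ip.get(r), ip_to_serial.get(release_to_ip.get(r)))
                for a in apps for r in a["releases"]]
    gaps = {
        # 1. application index with no equipment reachable through its releases
        "app_without_equipment": sorted(a["app"] for a in apps if not any(
            ip_to_serial.get(release_to_ip.get(r)) for r in a["releases"])),
        # 2. vendor software release that no application claims
        "release_without_application": sorted(
            c["release"] for c in cmdb if c["release"] not in releases_in_use),
        # 3. network address with no equipment serial number behind it
        "ip_without_serial": sorted(e["ip"] for e in ems if not e["serial"]),
        # 4. equipment serial number no vendor release (via the CMDB) maps to
        "serial_without_vendor": sorted(e["serial"] for e in ems
                                        if e["serial"] and e["ip"] not in release_to_ip.values()),
    }
    return universe, gaps


def unaligned_by_lob(apps=APP_INVENTORY, cmdb=CMDB):
    """Strategic-alignment metric: releases charged to a LOB but tied to none of its apps."""
    in_use = {r for a in apps for r in a["releases"]}
    return {lob: sum(1 for c in cmdb if c["charged_to"] == lob and c["release"] not in in_use)
            for lob in sorted({c["charged_to"] for c in cmdb})}
```

Each gap list is a work queue for the data owner named on the accountability slides; the universe rows are the only records on which the later metrics can be computed without unknowns.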
Potential control-related extensions
1. Security Software Configuration
2. Change Authorization Correlation
3. Security Review or Audit Scope
4. Information Classification
5. Outsourcing Arrangements
6. Application Impact
7. Business Recovery Objectives
8. System Development Projects
Potential accountability extensions
1. Line of Business
2. Development Team Acronym
3. IT Manager Realm of Responsibility
4. Support Escalation Chain
5. Identity Management System
Link Indexes for Control and Accountability to Management Strategies
- Risk Assessment Reports
- Role and Responsibility Assignments
- Business Recovery Test Plans
- Outsourcing Statements of Work
- Project At-Risk Reports
Link Indexes (diagram)
- From the Data Consolidation slide: Application Inventory (APPLICATION, COMPONENT data), Configuration Management Database (COMPONENT, ASSET data) and Enterprise Management System (ASSET data) form the UNIVERSE
- Control Attributes: Security Review Database, APPLICATION IMPACT, BCP Data
- Accountability Attributes: COMPONENT, IT Manager, Identity Management Database, Support team
Common indexes cannot be expected to exist in different realms and different management domains. Expectations for linkage must be articulated.
Example: Strategic Alignment (chart, LOB1 vs LOB2)
- Vendor-provided software charged to LOB not associated with any application
- Hardware owned by LOB personnel not associated with any application
Example: Risk Management (chart): Percentage of Applications by Recovery Type for LOB1, LOB2 and LOB3; series shown: Customer Service Only.
Example: Value Delivery (chart): Application Satisfaction Index for LOB1, LOB2 and LOB3 on a 0-100% scale (values shown: 75%, 92%, 25%). Survey analysis creates the index.
Business Leader Survey 2008: "This is the list of applications that IT supports for your business unit. For each application, please rate each statement T or F:
1. The application provides value to my business.
2. The application budget is worth the product delivered.
3. Application functionality meets expectations.
4. Support for the application is adequate for user needs."
Example: Resource Management (chart): Component Reuse, representing the number of applications that require a component of the designated type (0-100% scale). Components shown: Custom API 1, Custom API 2, Custom API 3, Custom API 4, In-House Developed, Apache, Oracle, Sybase, MS-SQL, Progress, Informix, Access, FoxPro. Component Types: Log Utility, Web Server, DBMS.
Example: Performance Measurement (chart; labels not recovered)
* UNK represents down equipment not associated with any application
Summary Manage holistically by incorporating architecture, metrics, and risk into one conceptual framework. Use metrics to visualize it.
For More Information:
Jennifer Bayuk, CISA, CISM, CGEIT
Independent Information Security Consultant
www.bayuk.com
jennifer@bayuk.com
Jennifer L Bayuk LLC
Thank you!