1. Mobile Music
Proposing a comprehensive framework to ensure that MM’s IT aligns and extends corporate strategy, creates value and mitigates risks
Trinity, Team 7
April 9th, 2010
Ankita Vij, Himanshu Sharma, Pranali Lad
3. [Figure: IT governance issues at MM]
Ageing infrastructure
Unaligned IT with business
Security issues
Overstressed network
Compliance
Source: Team Analysis
4. [Figure: MM current state, rated 0 to 5 against the industry average]
MM Leadership (BOD + Executive): Vision, Mission, Goals
IT: Plan, Implement
Mismanaged risks and returns: incident-based system analysis, business metrics, prioritization, performance indicators, critical success factors, IT portfolio management
Source: Team analysis
5. [Figure: MM future state, rated 0 to 5 against the current state and the industry average]
BOD + IT Strategy Committee: Vision, Mission, Goals
Executive Management + IT Steering Committee
IT Governance: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME)
Managed risks and returns: metrics, control objectives, service management, performance indicators, RACI matrix, business continuity, balanced scorecard, maturity model, best current practice
Source: Team Analysis
6. [Figure: COBIT framework linking goals, processes, controls and measures]
MM Goals (with information requirements) drive IT Goals, from which IT Processes are derived; IT Processes are performed by Key Activities
Key Activities: Responsibility and Accountability Chart, Performance Indicators, Outcome Measures, Maturity Models
Controls: Control Objectives, Control Outcome Tests, Control Design Test, based on Control Practices
Source: ISACA presentation
7. [Figure: COBIT principle relating business requirements, IT processes and IT resources]
Business Requirements: What do stakeholders expect from IT?
IT Processes: How is IT organized to respond to the requirements?
What resources are made available to and built up by IT?
Source: Adapted from COBIT v4.1
9. [Figure: balanced scorecard with Goals at the centre and four perspectives: Financial, Customer, Internal Business, Learning & Growth; the Financial perspective highlights "Manage IT-Related Risks"]
Source: Adapted from COBIT v4.1
10. [Figure: cascade from business goal to IT goal to process]
Business Goal: Manage IT-related risk
IT Goal: Ensure that critical and confidential information is withheld from those who should not have access to it
Process: Ensure systems security
Source: Team Analysis, Adapted from COBIT v4.1
12. Control Objectives for DS5
DS5.1 Management of IT Security
DS5.2 IT Security Plan
DS5.3 Identity Management
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
DS5.6 Security Incident Definition
DS5.7 Protection of Security Technology
DS5.8 Cryptographic Key Management
DS5.9 Malicious Software Prevention, Detection and Correction
DS5.10 Network Security
DS5.11 Exchange of Sensitive Data
ITIL Mapping: SD 4.6 Information security management; SO 5.13 Information security management and service operation
Source: Team Analysis, Adapted from ‘Aligning COBIT and ITIL’ by IT Governance Institute and Office of Government Commerce
13. RACI chart*
Functions (columns, left to right): CEO, CFO, Business Executive, CIO, Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration, PMO, Compliance/Audit/Risk and Security
Activities:
Define and maintain an IT security plan: I C C A C C C C I I R
Define, establish and operate an identity (account) management process: I A C R R I C
Monitor potential and actual security incidents: A I R C C R
Periodically review and validate user access rights and privileges: I A C R
Establish and maintain procedures for maintaining and safeguarding cryptographic keys: A R C
Implement and maintain technical and procedural controls to protect information flows across networks: A C C R R C
Conduct regular vulnerability assessments: I A I C C C R
(Blank cells did not survive extraction; only the first row maps one-to-one onto the eleven functions.)
*A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed
Source: Adapted from COBIT v4.1
15. [Figure: maturity growth over time]
Maturity levels (vertical axis): Initial/Ad-hoc, Repeatable but Intuitive, Defined Process, Managed and Measurable, Optimized
Timeline (horizontal axis): T1 Starting Point, T2 Current Point, T3 Future Point
Annotations: Benefits, Value, Costs, Audit Driven, Controls
Source: Adapted from Ernst & Young – COBIT presentation
17. COBIT implementation roadmap
Phase 1, Identify Needs: raise awareness and obtain management commitment; define scope; define risks; define resources and deliverables; plan program
Phase 2, Envision Solution: assess actual performance; define target for improvement; analyze gaps and identify improvements
Phase 3, Plan Solution: define projects; develop improvement plan
Phase 4, Implement Solution: implement the improvements; monitor implementation performance; review program effectiveness
Phase 5, Operationalize Solution: build sustainability; identify new governance requirements
Source: Team Analysis, Samsung COBIT Implementation roadmap
18. COBIT v4.1 processes by domain
Plan and Organize
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine technological direction
• PO4 Define IT processes, organization and relationships
• PO5 Manage IT investment
• PO6 Communicate management aims and direction
• PO7 Manage IT human resources
• PO8 Manage quality
• PO9 Assess and manage IT risks
• PO10 Manage projects
Acquire and Implement
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Enable operation and use
• AI5 Procure IT resources
• AI6 Manage changes
• AI7 Install and accredit solutions and changes
Deliver and Support
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Manage service desk and incidents
• DS9 Manage the configuration
• DS10 Manage problems
• DS11 Manage data
• DS12 Manage the physical environment
• DS13 Manage operations
Monitor and Evaluate
• ME1 Monitor and evaluate IT performance
• ME2 Monitor and evaluate internal control
• ME3 Ensure compliance with external requirements
• ME4 Provide IT governance
Source: Team Analysis, Adapted from COBIT v4.1
19. Make leadership understand the role of IT as a crucial ‘Business Driver’
Need to have leadership commitment
Propose the suggested solution/framework in the upcoming meeting
• Assess the current CMM* state of IT
• Make necessary organizational structural changes
• Start with the implementation of the IT governance framework towards the future state
Fix fundamental IT issues before venturing into new businesses
*CMM – Capability Maturity Model
Source: Team Analysis
20. Thank You
Questions?
21. Appendix
Capability Maturity Model
Capability Maturity Attribute Table
Linkages of goals & processes: Business Goals to IT Goals; IT Goals to IT processes
Organization Change: IT strategy and IT Steering Committee
ITIL Functions and Processes
Balanced Scorecard Overview
Balanced Scorecard Template
Accountability Structure: Roles and Responsibilities for Executive Management
Business Continuity Plan
Business Continuity Planning
Questionnaires: Executive Management; Board of Directors
Risks faced
Risk Mapping
22. Capability Maturity Attribute Table
Level 1
Awareness and Communication: Recognition for the need for the process is emerging.
Policies, Plans and Procedures: There are ad hoc approaches to processes and practices.
Tools and Automation: Some tools may exist; usage is based on standard desktop tools.
Skills and Expertise: Skills required for the process are not identified.
Responsibility and Accountability: There is no definition of accountability and responsibility.
Goal Setting and Measurement: Goals are not clear and no measurement takes place.
Level 2
Awareness and Communication: There is awareness of the need to act.
Policies, Plans and Procedures: Similar and common processes emerge, but are largely intuitive because of individual expertise.
Tools and Automation: Common approaches to use of tools exist but are based on solutions developed by key individuals.
Skills and Expertise: Minimum skill requirements are identified for critical areas.
Responsibility and Accountability: An individual assumes his/her responsibility and is usually held accountable, even if this is not formally agreed.
Goal Setting and Measurement: Some goal setting occurs; some financial measures are established but are known only by senior management.
Level 3
Awareness and Communication: There is understanding of the need to act.
Policies, Plans and Procedures: Usage of good practices emerges.
Tools and Automation: A plan has been defined for use and standardization of tools to automate the process.
Skills and Expertise: Skill requirements are defined and documented for all areas.
Responsibility and Accountability: Process responsibility and accountability are defined and process owners have been identified.
Goal Setting and Measurement: Some effectiveness goals and measures are set, but are not communicated, and there is a clear link to business goals.
Level 4
Awareness and Communication: There is understanding of the full requirements.
Policies, Plans and Procedures: The process is sound and complete; internal best practices are applied.
Tools and Automation: Tools are implemented according to a standardized plan, and some have been integrated with other related tools.
Skills and Expertise: Skill requirements are routinely updated for all areas, proficiency is ensured for all critical areas, and certification is encouraged.
Responsibility and Accountability: Process responsibility and accountability are accepted and working in a way that enables a process owner to fully discharge his/her responsibilities.
Goal Setting and Measurement: Efficiency and effectiveness are measured and communicated and linked to business goals and the IT strategic plan.
Level 5
Awareness and Communication: There is advanced, forward-looking understanding of requirements.
Policies, Plans and Procedures: External best practices and standards are applied.
Tools and Automation: Standardized tool sets are used across the enterprise.
Skills and Expertise: The organization formally encourages continuous improvement of skills, based on clearly defined personal and organizational goals.
Responsibility and Accountability: Process owners are empowered to make
Goal Setting and Measurement: There is an integrated performance measurement system linking IT performance to business goals by global application of the IT balanced scorecard.
Source: Adapted from COBIT 4.1
23. IT Strategy Committee and IT Steering Committee
IT Strategy Committee
Level: Board level
Responsibility:
• Provides insight and advice to the board on topics such as:
— The relevance of developments in IT from a business perspective
— The alignment of IT with the business direction
— The achievement of strategic IT objectives
— The availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
— Optimization of IT costs, including the role and value delivery of external IT sourcing
— Risk, return and competitive aspects of IT investments
— Progress on major IT projects
— The contribution of IT to the business (i.e., delivering the promised business value)
— Exposure to IT risks, including compliance risks
— Containment of IT risks
• Provides direction to management relative to IT strategy
• Is driver and catalyst for the board’s IT governance practices
Authority:
• Advises the board and management on IT strategy
• Is delegated by the board to provide input to the strategy and prepare its approval
• Focuses on current and future strategic IT issues
Membership:
• Board members and (specialist) non board members
IT Steering Committee
Level: Executive level
Responsibility:
• Decides the overall level of IT spending and how costs will be allocated
• Aligns and approves the enterprise IT architecture
• Approves project plans and budgets, setting priorities and milestones
• Acquires and assigns appropriate resources
• Ensures projects continuously meet business requirements, including reevaluation of the business case
• Monitors project plans for delivery of expected value and desired outcomes, on time and within budget
• Monitors resource and priority conflict between enterprise divisions and the IT function, and between projects
• Makes recommendations and requests for changes to strategic plans (priorities, funding, technology approaches, resources, etc.)
• Communicates strategic goals to project teams
• Is a major contributor to management’s IT governance responsibilities
Authority:
• Assists the executive in the delivery of the IT strategy
• Oversees day-to-day management of IT service delivery and IT projects
• Focuses on implementation
Membership:
• Sponsoring executive
• Business executive (key users)
• CIO
• Key advisors as required (IT, audit, legal, finance)
Source: Adapted from Board Briefing on IT Governance, 2nd Edition
26. Risk Mapping: themes mapped to risk factors
Governance issues (first five columns): Strategic Alignment, Value Delivery, Resource Management, Risk Management, Performance Measurement
Technology issues for management (remaining nine columns): Enterprise Architecture, Selective Outsourcing, Application Controls, Application Security, System Integration, IT Service Delivery, Cost Optimization, Prioritizing and Planning, Security
(The order of columns within each group is not recoverable from the slide; each row lists its fourteen marks as extracted, X marking a theme that applies.)
Low levels of user satisfaction: - X - - X - - - - - - - - -
Regular audit findings about poor performance: - X - - X X X X X X X X X X
Evaluating IT investments, investment decision making: - X - - - - - - - - - X - -
Improving quality of service: - X - - - - X - - - - - - -
Inadequate IT capability to support IT operations: - - X - - - X - - - - X - -
Inadequate IT capability to support new developments: - - X - - - - - - - X - - -
Inadequate IT capability to take advantage of new technologies: - - X - - - - X - X - - - -
High reliance on IT specialists: X - X - - - - X - X - - - -
Infrequent negotiation of supplier contracts: - X X - - - - X - - - - - -
Vendor support problems: - - X - - - - X - - - - - -
High costs of ownership: - - X - - - X - - - - - - -
High cost of network support and maintenance: - - X - - - X - - - - - - -
High network supply costs: - - X - - - X X - - - - - -
Configuration control problems: - - X - - - - - - - - - - -
Software license and version control: - - X - - - - - - - - - - -
Source: Adapted from ISACA – Samsung’s presentation
29. ITIL v3 Functions and Processes
Service Strategy: Financial Management; Service Portfolio Management; Demand Management
Service Design: Service Catalog Management; Service Level Management; Capacity Management; Availability Management; IT Service Continuity Management; Information Security Management; Supplier Management; Requirements Engineering; Data & Information Management; Application Management
Service Operation: Event Management; Incident Management; Request Fulfillment; Problem Management; Access Management; Operational Activities in other lifecycle phases; Service Desk; Technical Management; IT Operations Management
Service Transition: Transition Planning and Support; Change Management; Service Asset and Configuration Management; Release and Deployment Management; Service Validation and Testing; Evaluation; Knowledge Management
Continual Service Improvement: The 7-step improvement process; Service Reporting; Service Measurement; Return on Investment on CSI; Business Questions for CSI
Source: Adapted from ITIL v3
31. Roles and Responsibilities for Executive Management
CEO
Strategic Alignment:
• Align and integrate IT strategy with business goals
• Align IT operations with business operations
• Cascade strategy and goals down into the organization
• Mediate between imperatives of the business and of the technology
Value Delivery:
• Direct the optimization of IT costs
• Establish co-responsibility between the business and IT for IT investments
• Ensure the IT budget and investment plan is realistic and integrated into the overall financial plan
• Ensure that financial reporting has accurate accounting of IT
IT Resource Management:
• Ensure the organization is in the best position to capitalize on its information and knowledge
• Establish business priorities and allocate resources to enable effective IT performance
• Set up organizational structures and responsibilities that facilitate IT strategy implementation
• Define and support the CIO’s role, ensuring the CIO is a key business player and part of executive decision-making
Risk Management:
• Adopt a risk, control and governance framework
• Embed responsibilities for risk management in the organization
• Monitor IT risk and accept residual IT risks
Performance Management:
• Obtain assurance of the performance, control and risks of IT and independent comfort about major IT decisions
• Work with the CIO on developing an IT balanced scorecard, ensuring it is properly linked to business goals
Business Executive
Strategic Alignment:
• Understand the enterprise’s IT organization, infrastructure and capabilities
• Drive the definition of business requirements and own them
• Act as sponsor for major IT projects
Value Delivery:
• Approve and control service levels
• Act as customer for available IT services
• Identify and acquire new IT services
• Assess and publish operational benefits of owned IT investments
IT Resource Management:
• Allocate business resources required to ensure effective IT governance over projects and operations
Risk Management:
• Provide business impact assessments to the enterprise risk management process
Performance Management:
• Sign off on the IT balanced scorecard
• Monitor service levels
• Provide priorities for addressing IT performance problems and corrective actions
CIO
Strategic Alignment:
• Drive IT strategy development and execute against it, ensuring measurable value is delivered on time and budget, currently and in the future
• Implement IT standards and policies
• Educate executives on dependence on IT, IT-related costs, technology issues and insights, and IT capabilities
Value Delivery:
• Clarify and demonstrate the value of IT
• Proactively seek ways to increase IT value contribution
• Link IT budgets to strategic aims and objectives
• Manage business and executive expectations relative to IT
• Establish strong IT project management disciplines
IT Resource Management:
• Provide IT infrastructures that facilitate creation and sharing of business information at optimal cost
• Ensure the availability of suitable IT resources, skills and infrastructure to meet the strategic objectives
• Ensure that roles critical for driving maximum value from IT are appropriately defined and staffed
• Standardize architectures and technology
Risk Management:
• Assess risks, mitigate efficiently and make risks transparent to the stakeholders
• Implement an IT control framework
• Ensure that roles critical for managing IT risks are appropriately defined and staffed
Performance Management:
• Ensure the day-to-day management and verification of IT processes and controls
• Implement an IT balanced scorecard with few but precise performance measures directly and demonstrably linked to the strategy
Source: Adapted from Board Briefing on IT Governance, 2nd Edition
32. Questionnaire: Executive Management
Each question is marked against the focus areas V, A, M, R and P (the marks did not survive extraction).
• How critical is IT to sustaining the enterprise? How critical is IT to growing the enterprise?
• What strategic initiatives has executive management taken to manage IT’s criticality relative to maintenance and growth of the enterprise, and are they appropriate?
• What is the organization doing about leveraging its knowledge to increase stakeholder value?
• What IT assets are there and how are they managed?
• Are suitable IT resources, infrastructures and skills available to meet the required enterprise strategic objectives?
• Is the enterprise clear on its position relative to technology: pioneer, early adopter, follower or laggard?
• Is IT participating in overall corporate change-setting and strategic direction? Do IT practices and IT culture support and encourage change within the enterprise?
• Does the enterprise research technology, process and business prospects to set direction for future growth?
• Are enterprise and IT objectives linked and synchronized?
• Is the enterprise clear on its position relative to risks: risk-avoiding or risk-taking?
• Is there an up-to-date inventory of risks relevant to the enterprise?
• What has been done to address these risks?
• How far should the enterprise go in risk mitigation and is the cost justified by the benefit?
• What is management doing to address risks?
• Is the board regularly briefed on risks to which the enterprise is exposed?
• Based on these questions, can the enterprise be said to be taking “reasonable” precautions relative to technology risks?
• What are other similar organizations doing, and how is the enterprise placed in relation to them, relative to value, risk and resource management?
• What is industry best practice and how does the enterprise compare, relative to value, risk and resource management?
V = IT Value Delivery; A = IT Strategic Alignment; M = IT Resource Management; R = Risk Management; P = Performance
Source: Adapted from Board Briefing on IT Governance, 2nd Edition
33. Questionnaire: Board of Directors
Each question is marked against the focus areas V, A, M, R and P (the marks did not survive extraction).
• How certain is the board about the answers provided to the questions answered by executive management?
• Is the board aware of the latest developments in IT from a business perspective?
• Is IT a regular item on the agenda of the board and is it addressed in a structured manner?
• Does the board articulate and communicate the business direction to which IT should be aligned?
• Is the board aware of potential conflicts between the enterprise divisions and the IT function?
• Does the board have a view on how and how much the enterprise invests in IT compared to other like organizations?
• Is the reporting level of the most senior IT manager commensurate with the importance of IT?
• Does the board have a clear view on the major IT investments from a risk and return perspective?
• Does the board obtain regular progress reports on major IT projects?
• Does the board obtain IT performance reports illustrating the value of IT from a business driver perspective (customer service, cost, agility, quality, etc.)?
• Is the board regularly briefed on IT risks to which the enterprise is exposed, including compliance risks?
• Is the board assured of the fact that suitable IT resources, infrastructures and skills are available (including external resourcing) to meet the required enterprise strategic objectives?
• Is the board getting independent assurance on the achievement of IT objectives and the containment of IT risks?
V = IT Value Delivery; A = IT Strategic Alignment; M = IT Resource Management; R = Risk Management; P = Performance
Source: Adapted from Board Briefing on IT Governance, 2nd Edition
34. End of our Deck
Thank you