
PO3 Determine Technological Direction

CobiT definition:

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.

Control over the IT process of
Determine technological direction

that satisfies the business requirement for IT of
having stable, cost-effective, integrated and standard application systems, resources and capabilities that meet current and future business requirements

by focusing on
defining and implementing a technology infrastructure plan, architecture and standards that recognise and leverage technology opportunities

is achieved by
• Establishing a forum to guide architecture and verify compliance
• Establishing the technology infrastructure plan balanced against cost, risk and requirements
• Defining the technology infrastructure standards based on information architecture requirements

and is measured by
• Number and type of deviations from the technology infrastructure plan
• Frequency of the technology infrastructure plan review/update
• Number of technology platforms by function across the enterprise

Control objectives:

PO3 Determine Technological Direction

PO3.1 Technological Direction Planning
PO3.2 Technology Infrastructure Plan
PO3.3 Monitor Future Trends and Regulations
PO3.4 Technology Standards
PO3.5 IT Architecture Board

Check out the links for details on the control objectives.

IT Governance Certifications

I’ve decided it was time that I get a little more serious about my IT Governance education and as such I have decided to pursue a couple of worthwhile certifications - ITIL Foundations (for a start) and CGEIT, which is Isaca’s Certified in the Governance of Enterprise IT certification.

For the Foundations certificate studying I purchased Introduction to the ITIL Service Lifecycle (ITIL Version 3), which does a very good job going over the highlights of ITIL and is their official introductory guide. I also signed up for some online education through HDI, which is an accredited training organization, and which also included a discounted exam fee. The online course is available for about 12 weeks, so sometime between now and then I’ll register and take the exam, which is multiple choice.

Going through the book and the online course together has been invaluable. I am really understanding the overall service lifecycle very well, and am actually looking forward to starting to purchase the core books and getting more in depth into studying ITIL and IT Governance.

This is what Isaca says about the CGEIT:

This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

The exam for this is scheduled on December 12th. Just passing the exam is not enough to earn the certification. To earn the CGEIT credential, an individual must:

  1. Pass the CGEIT exam (first exam - December 2008)
  2. Adhere to the ISACA Code of Professional Ethics
  3. Agree to comply with the CGEIT Continuing Education Policy
  4. Provide evidence of appropriate IT governance work experience as defined by the CGEIT Job Practice

Based on my work experience I should have no problem qualifying (as long as I pass the exam!). Reference materials for study are available as free downloads on their website. I did register as an Isaca member to get the discount, so now I am an official Isaca member.

It’s been a while since I have studied like this, but I like it! I look forward to sharing more about my experience in seeking these certifications.

PO2.4 Integrity Management

CobiT definition:

Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Bill says,

“All data stored in electronic form” is one hell of a big task, but if you are to implement the proper level of controls that is truly what you are on the hook for. Once you have classified your data you will have a list of what is important to your business and what you need to control. Now you have to design and implement the procedures that ensure that data is what you think it is and it has the visibility that you think it should have.

Integrity of the data is fairly simple for static data: you really just need to be able to maintain an archived version that you can compare it to, proving its integrity, assuming of course that you have the security of that archived data established properly.

The biggest challenge to integrity management is in your transactional database, where your staff, and perhaps even your customers, are responsible for maintaining some aspect of that data. This is where you need to automate as much as possible so that you are not relying on human nature, but no matter how much of that you do you will still be on the hook for documenting those processes and controls.

Integrity management is difficult but important. If you have followed the steps within this control objective you should be well on your way to achieving a good level of control.

The fourth step in Defining the Information Architecture is integrity management.
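One way to put the "archived version you can compare against" idea for static data into practice, added here as an example and not part of the CobiT text or this post: record a SHA-256 manifest of the archive while it is known good, store that manifest somewhere the archive's own writers cannot reach, and re-check the live copy against it on a schedule. The function names (build_manifest, verify_against_manifest), the manifest layout and the sample files (q1_report.csv and friends) are all assumptions constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the baseline as JSON; keep dest outside the tree it describes."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> dict:
    """Compare the live copy under root with the baseline and report every deviation."""
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def demo() -> dict:
    """Build a baseline over a constructed archive, then detect three kinds of drift."""
    with tempfile.TemporaryDirectory() as data_dir, tempfile.TemporaryDirectory() as store_dir:
        root = Path(data_dir)
        (root / "archive").mkdir()
        # Constructed sample data standing in for an archived export.
        (root / "archive" / "q1_report.csv").write_text("id,amount\n1,100\n")
        (root / "archive" / "q2_report.csv").write_text("id,amount\n2,250\n")
        (root / "archive" / "readme.txt").write_text("quarterly exports\n")

        # Baseline is written to a separate location, not inside the archive.
        manifest_path = Path(store_dir) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)
        baseline = load_manifest(manifest_path)
        clean = verify_against_manifest(root, baseline)

        # Simulated drift: an edited file, a deleted file and an unexpected new file.
        with (root / "archive" / "q1_report.csv").open("a") as fh:
            fh.write("3,999\n")
        (root / "archive" / "readme.txt").unlink()
        (root / "archive" / "late_addition.csv").write_text("id,amount\n4,5\n")
        tampered = verify_against_manifest(root, baseline)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest: if whoever can write to the archive can also rewrite manifest.json, a modified file and a matching modified baseline look clean. Keep the manifest under separate write control (or sign it) and treat any "modified", "missing" or "added" entry as an event to investigate, not just a number to report.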

PO2.3 Data Classification Scheme

CobiT definition:

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Bill says,

What I really like about CobiT is it forces you to look at things in a comprehensive way. For data classification you really need to analyze every bit of data you collect, categorize it, and decide who will have access, how you will control it, etc - but those are future controls. For this one it is all about defining the classification of data.

Let’s look at some non-traditional data that really does need to be captured in your classification scheme. For example, you probably use WebEx for data conferencing. And I am sure you realize that there are a lot of data archives pertaining to the meetings held through WebEx - many of which can have very telling titles.

As an aside, if you are using WebEx make sure you do not have your site open to the public - or you have strict rules and controls in place regarding what people can use as the subject line in meetings. Prior to us turning this off I saw some pretty awkward meeting titles that were open for all to see - employees, customers and competitors.

So you probably have never thought about that data but you need to. What parts are important? I know for me we record the monthly usage locally because after three months we lose access to it through WebEx. Who has access to that? How can we be sure we know who is responsible for archiving it? These are all important questions that you need to go through as part of the classification exercise.

Don’t be scared off by how much data you have; this is work that needs to be done!

The third step in Defining the Information Architecture is defining the data classification scheme.

PO2.2 Enterprise Data Dictionary and Data Syntax Rules

CobiT definition:

Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements from being created.

Bill says,

Establishing and maintaining a data dictionary for a complex application is difficult but not impossible, particularly if the application and the underlying data structure and processes don’t change much. But when you start defining an overall data dictionary for your enterprise it becomes a much more difficult challenge. When building a data dictionary, however, don’t feel as though it needs to be perfect - it is better to have a mess documented than nothing at all.

In today’s corporate IT applications space integration between applications is critical. The ability to integrate between applications effectively is contingent on a good enterprise data dictionary. If you have not done this then you are not doing the corporate governance that you should be doing.

An important component of this is understanding what the data means and ensuring that both the business and IT are in alignment. For example, we have a phone system that records ACD transactions, and one of the pieces of data that comes out of this application is abandoned calls. What does that mean to you? Does it mean something different to sales? In our case IT thought they knew what abandoned calls meant and sales thought it meant something else, when in fact the vendor defined it to mean something else again! SLAs had been established around this key piece of data and nobody in the business truly understood what it actually meant.

The second step in Defining the Information Architecture is establishing an enterprise data dictionary along with corresponding data syntax rules.

PO2.1 Enterprise Information Architecture Model

CobiT definition:

Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1. The model should facilitate the optimal creation, use and sharing of information by the business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.

Bill says,

I haven’t seen a company yet that has done this one even close to complete. What it’s talking about is defining data models for customers, vendors, employees, etc. - across all applications, define a consistent data model as an aid to integration and reporting. With a new company starting up I think this is something that could be done, but most of us have legacy data and applications that make a consistent data model very difficult.

Still, it is worth the effort to get it done. With a consistent and holistic enterprise information architecture model the quality of your analytics, the simplicity of your integrations and the power of your business are all magnified.

Take something as simple as the employee data model. Should be a no-brainer right? Well, it isn’t. Your HR program came stock with certain fields, your CRM with others and you probably have built a myriad of other functional applications leveraging employee data. Taking the time to make the data models consistent across all employee applications is a hard project to fund. More likely you will define your employee data model at the data warehouse level, and map your integrations with each application such that it feeds the necessary data. Once you have a data model defined in the warehouse you are about as close to having a solid data model as you could expect.

Still, even though it is hard it needs to be done the best you can.

The first step in Defining the Information Architecture is defining the enterprise information architecture model.
