Tuesday, January 23, 2007

10. Reflection

This is what we have learnt:

COBIT is the newest evolution of Control Objectives for Information and related Technology; its benefits include clear ownership and responsibilities.

ISACA is a world-wide professional organisation for individuals involved in the profession of information systems audit and control. Being a member of ISACA can provide networking opportunities through chapter meetings and technical sessions.

IT governance activities are to understand the issues and the strategic importance of ITLG.

Doing ITLG is fun and interesting, as we did something different from others and also experienced a project that is different from what we had done before. In this project, I learnt how IT played an important part in helping companies to improve their business processes. IT can help to salvage a company.
- Jason

Monday, January 22, 2007

9. Appendix

COBIT

http://www.isaca.org/Template.cfmSection=COBIT6&CONTENTID=22129&TEMPLATE=/ContentManagement/ContentDisplay.cfm

http://www.itgi.org/Template_ITGI.cfmSection=Case_Studies1&CONTENTID=27626&TEMPLATE=/ContentManagement/ContentDisplay.cfm

http://www.isaca.org/Template.cfmSection=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981


ISACA

http://www.isaca.org.sg/

IT Governance

http://www.dsta.gov.sg/Home/DisplayPage/ContentPage10.asp?id=2598

http://www.itgi.org/AMTemplate.cfm?Section=ITGI_Research_Publications&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24224

http://www.itgi.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=24261

http://www.itgi.org/


Other

www.yahoo.com

http://www.deloitte.com/dtt/cda/doc/content/UK_ERS_ITGovernanceSurvey_2005.pdf

Sunday, January 21, 2007

8. Case Study 4: IT Governance in UK

[Chart: employees from different companies with different salaries]
  • With this in mind, Deloitte recently surveyed over 50 UK CIOs, from organisations with turnover in excess of $1 billion, about how they implemented IT Governance processes and the benefits they typically obtained.
  • The survey included both public and private sector organisations, and included IT departments that varied in both size and maturity.

Within this survey, a number of key findings have emerged:

  • 77% of CIOs in the companies surveyed believed that only half of their employees can explain IT Governance.
  • 70% of respondents indicated that their organisation failed to deliver at least one in four of their projects on time and to budget.
  • 70% of the organisations believed that their processes to identify IT risk were routine and well embedded.
  • 60% of organisations stated that their approach to embedding and monitoring IT Governance was "good", but only 15% made use of Service Level Agreements (SLAs).

7. Case Study 3: DSTA

According to Singapore’s Defence Science & Technology Agency’s (DSTA) Leow Aik Siang, project manager in the CIO Office, the DSTA has several reasons to adopt enterprise architecture. It would focus on the enterprise as a whole, rather than on individual systems or silos, achieve better business-IT alignment; reduce re-inventing the wheel; address interoperability issues at the business, information and technology levels; provide a consistent framework for project and investment decision processes as well as improve visibility and control for business and IT.

Leow said that IT governance, the third cycle within DSTA’s enterprise architecture framework that comes after evolution and transformation of business and evolution of technical infrastructure have been completed, is one of the core components of enterprise architecture.

The DSTA also has a complementary governance structure and processes meant to drive accountability and maximise portfolio value. Projects would be scrutinized as they enter the portfolio management governance process of budgeting, approval and agreement, execution as well as benefits realisation and validation. The DSTA has five governance structures: the eDSTA steering committee and Architecture Review Board, which are higher-level structures supported by portfolio managers and segment managers, the Programme management office and the IT configuration control committee.

The third and fourth reviews, design review and deployment control, arise during project execution.

Enterprise architecture has definitely given the DSTA tangible benefits, said Leow. It was instrumental in improving clarity on alignment of projects to the IT strategy, transparency on the investment portfolio, consistency in investment decisions, budgeting discipline as well as visibility for better decision-making. Measuring alignment is a key aspect of portfolio management.

In some organisations, battle lines are drawn in the sand between IT and business. The question then shifts to how to sell the concept of IT governance.

It is important to communicate the importance of running IT as a business. It is strategic and mission critical, and it is not a cost centre anymore.

While most were concerned about staff needing to learn new systems, which is necessary, it is more important to consider the need to change mindsets. Resistance is to be expected as people are shaken out of their comfort zones.

6. How IT Governance can help companies


Illuminating the black box

A good way to start would be to use IT governance in day-to-day operations rather than relegating it to the back burner as a theoretical concept. IT today is a business, and you have to manage it like a business.

Effective IT governance relies on control, compliance and alignment. Control gives real-time visibility into IT transactions and projects, consistent and repeatable processes, and reliable metrics, while compliance provides comprehensive data capture, an automatic audit trail and transparent IT operations.

Alignment is the most critical of the three, as it prioritises projects to reflect business needs and objectives. It is really about making sure that IT and the business are working hand in hand, and that you are working on the right priorities and projects to drive up true value.


The nuts and bolts

The IT governance process begins with demand management that fulfils two distinctive needs: day-to-day and strategic. “Good IT governance means having processes and efficiencies in each of these areas, but as importantly, making sure that each area collaborates and understands the upstream and downstream.”

The four starting points of the journey to good IT governance are portfolio management, project visibility and control, IT service automation and application change management.

Poor portfolio management is a liability, as the lack of a clear and consolidated view is a catalyst for the squeaky wheel syndrome, where executives who shout the loudest bulldoze their way through. Such unmethodical processes are never in the organisation's best interest.

IT governance eliminates the emotional factor and returns objectivity to the decision-making process.

Implementing IT governance through a front-door approach would consolidate all incoming demand in an automated management application, letting light into the black box of IT. 30 to 40 percent of all communication between end-users and IT is just status updates.

Equally as undisciplined is the disjointed process of managing change to enterprise applications. When such processes are poorly documented, there is no effective way to ensure compliance, potentially resulting in error-riddled deployments that require extensive and disruptive reworking. The situation can escalate when problems crop up in systems with direct access to production environments, risking breakdowns to vital systems.

5. Case study 2: Harley-Davidson


BACKGROUND

Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. In 2003, Harley-Davidson had limited IT controls in place and staff had limited control knowledge. There was no standardized user access process, no defined and documented change management process, no rigor in backup and recovery processes, and only minimal organizational standards.

Although complying with Sarbanes-Oxley was going to be a challenge, the company took strong action, utilized COBIT and passed Sarbanes-Oxley year one compliance.
In addition, it had been difficult finding other manufacturers for benchmarking, and COBIT helped show Harley-Davidson management where the company was positioned regarding controls and what should be done to improve.

PROCESS

To jumpstart IT governance and Sarbanes-Oxley activities, Harley-Davidson created an IS compliance department and began implementing a vendor’s general computer controls model. After attending a COBIT User Convention, a Harley-Davidson risk specialist recommended COBIT to management and then converted the control framework to COBIT, published by the IT Governance Institute. Concurrently, the internal audit department was driving IT to move beyond pure compliance. The company realized it needed a broad control framework, which helped eliminate the constantly changing “bar” used as a benchmark.


Reasons behind Harley-Davidson’s selection of COBIT include:

  • It is an internationally accepted standard for IT governance and control practices.
  • It can be used by management, end users, and IT audit and security professionals, and it provides a common language.
  • It provides a means for benchmarking controls compliance.
  • Use of the COBIT framework, including tools and templates, is available essentially free as a download from www.itgi.org.
  • Other leading standards, including ISO 17799, ITIL and NIST, harmonize and map to COBIT.

The company was able to gain agreement with the external auditor on the same framework and control objectives.
Key to introducing COBIT was ensuring that all of IT and management understood why they needed to care about effective, value-focused controls. Getting them to realize that there are many important business reasons for this was the first key hurdle to be successfully addressed. COBIT’s business-focused language allowed management, IT and internal audit to ensure they were on the same road.


One of the major benefits of using COBIT as its overall internal control and compliance model was getting everyone—especially nontechnical motorcycle experts—revved up about control activities and why controls are important. Harley-Davidson is subject to many regulations, including HIPAA and Gramm-Leach-Bliley, and COBIT serves as an umbrella framework that helps the company zero in on appropriate control and compliance activities.

Tracking and reporting are important components of ongoing IT governance activities. Team members must be able to learn about carry-over and repeat findings, and follow up with management action plan owners to ensure forward momentum continues to address the issues. Harley-Davidson developed an MS Access issues-tracking database to give IT and internal audit joint visibility of known control weaknesses.


Driving internal change was also a key goal of this highly competitive company, and COBIT benchmarking was an invaluable tool for independent comparison. It put the information in the right perspective for management and helped obtain overall buy-in. The framework shows peer comparison in an unbiased format and is used as part of every IT audit. Best of all, it invites discussion about where the company would like to be.


CONCLUSION


Prior to implementing the COBIT framework, areas the external auditor audited were chosen randomly or on loose justifications. Now the areas selected for auditing are firmly based on business value and control needs.
The breadth and depth of COBIT have naturally allowed it to be used successfully as a central control model. In addition, benefits Harley-Davidson has found by using COBIT as a control model include:

  • IT governance personnel can map frameworks “behind the scenes.”
  • End users need to be aware of only one standard.
  • IT can easily show compliance with multiple frameworks.
  • It helps establish a consistent focus.
  • It gains external audit agreement on the company’s control position.
  • It establishes the ability to use control objectives to help identify root causes.
  • There is a comprehensive view of the risk and control environment.
  • It provides a foundation for all future internal and Sarbanes-Oxley-related audits.

4. Case study 1: Prudential


COBIT 4.0, An Essential Tool to Consolidate Prudential's Leadership in Asia

Background

Prudential, a leading financial services provider worldwide, recognizes the need to adopt an IT governance framework to provide its operations in Asia with a uniform platform to sustain growth and eliminate risks. As a result, the corporation chose Control Objectives for Information and related Technology (COBIT) for its user-friendliness, flexibility and simple structure. Although Prudential's implementation of COBIT is still in progress, the corporation's regional IT team has already seen results in enhanced communication between IT and business operations, better responsiveness in project management, and an improved environment for risk assessment in each of the corporation's 12 market countries in Asia.

Some improvements Prudential made through having COBIT:

  • COBIT Provides an Essential Foundation for Management Support

IT governance can appear to be a boring subject to Prudential colleagues in business operations, and without any background in IT many of them may never understand it. The last thing Prudential wants is to give business and project managers the impression that IT governance is all about what they cannot do rather than what they can do. For this reason, Prudential adopted COBIT as its framework because its language is so easy for non-specialists to understand, and it enables business colleagues to develop an interest in understanding what doors IT governance can open for them.

  • COBIT Helps Protect Corporate Integrity and Reputation

With so much data about Prudential's clients across Asia, the possibility of any of this data leaking into unwanted hands is something that Prudential has always kept in mind. Without a proper code of conduct in the IT system, however, there is a risk of someone gaining undesirable access to that data. In another scenario, if Prudential were to outsource its IT operations to the wrong partner without proper guidelines in place, the corporation would expose its businesses to further risks across the region. Therefore, to Prudential, COBIT is a very important guiding light that identifies where the risks are, what their overall impact is, and what the team can do to deal with them.


  • A Cost-effective Value Creator with Long-Lasting Results for Corporations

COBIT's well-structured, easy-to-use components allow Prudential to get as technical and specific on any element or topic as it sees fit. At the same time, they also provide plenty of capacity to take into consideration the needs of Prudential's various markets in Asia.



Conclusion


Although Prudential's implementation of COBIT is still in progress, it is clear that the framework will continue to provide value to the corporation in terms of:

  • IT governance: Pan-regional strategy formation, uniformity
  • Cost-cutting: Trims repetition
  • Security: Managing regional customer data
  • Outsourcing: Provides proper liabilities for outsourcing partners
  • Easy to understand terminology for wide range of corporation audiences
  • Business Growth: Provides a safer, more coherent overall IT environment for leaders to focus
  • Risk assessment: Sets boundaries for decision-makers to understand what they can do

Saturday, January 20, 2007

3. Information on IT Governance



Objectives of IT Governance

The overall objectives of IT governance activities are to understand the issues and the strategic importance of IT, to ensure that the enterprise can keep up with its operations and to establish that it can implement the strategies required to extend its activities into the future. IT governance practices aim at ensuring that expectations for IT are met, IT's performance is measured, its resources are managed and its risks are mitigated.

The Purpose of IT governance

Basically, there are four reasons for having IT governance. The purpose of IT governance is to direct IT endeavors, to ensure that IT's performance meets the following objectives:

  • For IT to be aligned with the enterprise and realize the promised benefits
  • For IT to enable the enterprise by exploiting opportunities and maximizing benefits
  • For IT resources to be used correctly
  • For IT-related risks to be managed appropriately


Who Is Involved in IT Governance?

  • Team leaders report to and receive direction from their managers;
  • Managers report up to the executive;
  • The executive reports to the board of directors.

This reporting process includes descriptions of any activities that show signs of deviating from targeted objectives. Each layer, when reporting these deviations, should include recommendations for action that must be authorized by the governing level above. Clearly, the effectiveness of this layered approach depends on successfully cascading strategy and goals down into the organization.

Stakeholders also play a part in IT governance. At the heart of the governance responsibilities of setting strategy, managing risks, allocating resources, delivering value and measuring performance are the stakeholder values, which drive the enterprise and IT strategy.
Sustaining the current business and growing into new business models are certainly stakeholder expectations, and can be achieved only with adequate governance of the enterprise's IT infrastructure.



Process of IT Governance




  1. The IT governance process begins with setting objectives for the enterprise's IT, providing the initial direction.

  2. After that, a continuous loop is established: performance is measured and compared to objectives, creating a redirection of activities where necessary and change of objectives where appropriate.

  3. While objectives are primarily the responsibility of the board and performance measures that of management, they should be developed in concert, so that the objectives are measurable and the measures represent the objectives correctly.


2. What is ISACA?

What is ISACA Singapore?

  • ISACA SG was established in 1983
  • Membership base of over 940
  • A world-wide professional organisation for individuals involved in the profession of information systems audit and control
  • A variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor
  • Work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing

Benefits that you would enjoy as an ISACA Singapore Chapter member include:

  1. Networking opportunities through chapter meetings and technical sessions;
  2. Discounts on conferences, seminars and talks organized by ISACA Singapore Chapter and ISACA International;
  3. Free subscription to the IS Audit & Control Journal and Global Communique newsletter;
  4. Significant discounts on the CISA Examination Registration fee and materials;
  5. Discounts on ISACA Bookstore products;
  6. Priority access to the latest IT research, e.g. COBIT and Local Chapter's Library; and
  7. Free exclusive subscription to the Award Winning Newsletter RealTime published by Singapore Chapter.

1. What is COBIT all about?

What is COBIT all about?

The first edition of COBIT was published in 1996 and the framework has been updated several times since. It is now used by governments and large corporations in many parts of the world, ranging from Thailand's Securities and Exchange Commission to the Dubai Municipality to the European Union.

The most recent incarnation, COBIT 4.0, was released in December last year and incorporates enhancements to guide companies in the area of regulatory compliance.

COBIT 4.0 is the newest evolution of Control Objectives for Information and related Technology, the world's leading IT control and governance framework.

It is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

It also emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Some of the benefits of implementing COBIT are:

  • Better alignment upon business focus
  • Understandable view of IT for management
  • Clear ownership and responsibilities
  • General acceptance with 3rd parties and regulators
  • Shared understanding among all stakeholders based on a common language
  • Fulfilment of COSO requirements for the IT control environment

Processes


The core content of COBIT is divided into 34 IT processes. Each process is divided into four sections:

  1. The high-level control objective of the process
  2. The detailed-level control objectives of the process
  3. Management guidelines: inputs and outputs, RACI (responsible, accountable, consulted and/or informed) charts, goals and metrics
  4. Maturity model of the process

Sunday, November 05, 2006

zeSt project group

zeSt !!!!
This is our Information Technology Law and Governance Blog

Hi, we are zeSt !! We are a fun and hardworking bunch of students. We (zeSt) are proud of our class T04.

The team consists of:
Jason Yong Chee Keng (Leader); row 2, left
Ester Niak Chin Yee (Recorder); row 2, right
Rio Susanto (IT Manager); row 1
Lim Ying Hui (Researcher); row 2, centre

We are year 3 BIT students, currently in our last semester. Thank you for viewing our ITLG blog. Feel free to give us your feedback.
Contact us at ckyongjason@gmail.com
Take care, dude.