IM540 Midterm

Last updated 3:03 PM on 10/15/23
305 Terms

1. Governance
Processes and structures that inform, direct, manage and monitor an organization's activities to achieve its objectives. Governance needs to ensure effective use of resources and alignment with business objectives.
2. Compliance
Conformance with the laws, regulations and standards that apply to the organization's IT governance.
3. Bring Your Own Device (BYOD)
Use of a personal device for job duties and for accessing the company's software/applications.
4. Legal concerns about BYOD
FLSA compliance (employees completing job tasks outside their shift time), liability for employee actions, data breach notifications, legal discovery, privacy issues.
5. MDM
Mobile Device Management: software and processes for monitoring, managing and securing the mobile devices (smartphones, tablets and laptops) used in an enterprise to access its data.
6. Risk Management
Identifying and assessing risks; it leads to the need for controls and security to reduce those risks.
7. Data breach laws in all US states
Legislation enacted in every US state to protect consumer privacy; it requires private or governmental entities to notify individuals of security breaches involving their personally identifiable information.
8. EU GDPR
General Data Protection Regulation: any organization processing the personal data of EU residents must protect that data.
9. UK Data Protection Act
UK law that complements the EU GDPR.
10. CCPA
California Consumer Privacy Act: mirrors the standards in the GDPR. Personal information of California residents, processed by organizations doing business in California, must be protected.
11. PIPEDA
Personal Information Protection and Electronic Documents Act: Canadian law that mirrors the standards in the GDPR.
12. FERPA
Family Educational Rights and Privacy Act: US federal law that gives parents the right to access their children's educational records, the right to seek to have the records amended, and some control over the disclosure of personally identifiable information from those records.
13. FISMA
Federal Information Security Management Act: requires US federal agencies to protect their information and IT systems.
14. GLBA
Gramm-Leach-Bliley Act: US financial institutions must protect the privacy of customers' personal information and safeguard its security.
15. HIPAA
Health Insurance Portability and Accountability Act: governs healthcare organizations and their partners that create, store or transmit electronic protected health information (ePHI).
16. PCI DSS
Payment Card Industry Data Security Standard: entities that accept payment cards must protect cardholder data. It is an industry standard enforced by contract with the card brands, not a law.
17. SOX
Sarbanes-Oxley Act: US law enacted to protect the public against corporate fraud and misrepresentation in financial reporting.
18. J-SOX
Financial Instruments and Exchange Act: the Japanese set of standards for internal controls (the Japanese counterpart of SOX).
19. FLSA
Fair Labor Standards Act: non-exempt workers must be paid overtime for hours worked beyond 40 per week.
20. Risk
The potential for loss or damage when a threat exploits a vulnerability. A measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.
21. Internal Control
A process designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.
22. Information Security
Protection of information assets from harm.
23. Internal Control Objectives
Effectiveness and efficiency of operations, including operational and financial performance goals, and safeguarding assets against loss.
24. Information Security Objectives
Confidentiality/privacy, integrity, availability, authentication, non-repudiation.
25. COSO
Committee of Sponsoring Organizations of the Treadway Commission: dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.
26. Three categories of COSO objectives
Operations, compliance and reporting.
27. Five components of internal control
Control environment, risk assessment, control activities, information and communication, monitoring activities.
28. Control Environment
The foundation on which an effective system of internal control is built and operated in an organization that strives to 1) achieve its strategic objectives, 2) provide reliable financial reporting to internal and external stakeholders, 3) operate its business efficiently and effectively, 4) comply with all applicable laws and regulations, and 5) safeguard its assets.
29. Risk Assessment
Requires management to consider the impact of possible changes in the internal and external environment and to take action where needed to manage that impact.
30. Control Activities
Actions (generally described in policies, procedures and standards) that help management mitigate risks in order to ensure the achievement of objectives.
31. Information & Communication
Allows senior management to demonstrate to employees that control activities should be taken seriously.
32. Monitoring Activities
Periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, is present and functioning.
33. Enterprise Risk Management
Five components: governance and culture; strategy and objective-setting; performance; review and revision; information, communication and reporting.
34. IT Governance
A subset of overall organizational governance: the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
35. CIO
Chief Information Officer. Leads the development of the organization's IT governance framework; oversees selection of corporate standards, technology architecture, technology evaluation and transfer. Responsible for planning, choosing, buying and installing the company's technologies and information systems.
36. IT Governance Approach
Ideation/design, develop, test, deploy, operate, retire.
37. Standards
Very well defined (one way of doing things); to comply, the organization has to follow a specific method.
38. Frameworks
Define the ways and methods through which an organization can implement, manage and monitor IT governance.
39. ISO
International Organization for Standardization: non-governmental, but with participation from public and private organizations.
40. ISO 27000
The ISMS family of standards; ISO/IEC 27000 itself is the member of the family that provides the overview and vocabulary.
41. ISO 27001
The ISMS requirements standard (the one an organization can be certified against). Helps organizations become risk-aware and proactively identify and address weaknesses; promotes a holistic approach to information security that covers people, policies and technology.
42. ISO 27002
Guideline standard that provides a code of practice for information security controls with detailed guidance: a reference set of generic information security controls including implementation guidance.
43. ISMS
Information security management system: the policies, procedures, guidelines and associated resources and activities, collectively managed by an organization, in pursuit of protecting its information assets.
44. NIST
National Institute of Standards and Technology: non-regulatory government agency, part of the Department of Commerce. Develops technology, metrics, and information security standards and guidelines that help drive innovation and economic competitiveness. Its standards include guidance to assist agencies with FISMA compliance.
45. NIST Special Publications
Publish information security guidelines, recommendations and reference materials.
46. SP 800 series
Computer security: NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials.
47. FIPS
Federal Information Processing Standards: meet federal government requirements for security and interoperability where there are no acceptable industry standards or solutions.
48. FIPS 199
Standards for Security Categorization of Federal Information and Information Systems: the standard that establishes the security category (SC) of both information types and information systems. SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}, where each impact is LOW, MODERATE or HIGH.
49. FIPS 200
Minimum Security Requirements for Federal Information and Information Systems: mandatory federal standard developed by NIST in response to FISMA. Specifies minimum security requirements for federal information and information systems and a risk
50. High water mark concept
Must be used to determine the overall impact level of the information system. Thus, a low
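The FIPS 199 security category and the FIPS 200 high water mark are easy to get wrong by hand once a system carries several information types, so here is the categorization carried through in code. This is an added worked example, not part of the flashcard set or of NIST's own materials; the information types, names and impact values at the bottom are constructed for illustration. It applies two rules from the standards: for each security objective the system takes the highest impact of any information type it handles (NA is allowed only for the confidentiality of an information type, and a system objective is never below LOW), and the system's overall impact level is the highest of its three objectives.

```python
"""FIPS 199 security categorization and the FIPS 200 high water mark.

Added worked example; not from the flashcard set or from NIST. The
information types in EXAMPLE_INFO_TYPES are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# FIPS 199 potential impact values, lowest to highest. "NA" (not applicable)
# may be assigned only to the confidentiality objective of an information
# type (for example, public information) and never to a system.
IMPACT_ORDER = ("NA", "LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(IMPACT_ORDER)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{objective}: unknown impact level {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{objective}: NA is only allowed for confidentiality")

    def as_tuple(self) -> Tuple[str, str, str]:
        return (self.confidentiality, self.integrity, self.availability)


def max_level(a: str, b: str) -> str:
    """Return the higher of two impact levels."""
    return a if RANK[a] >= RANK[b] else b


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 system categorization.

    For each security objective the system's impact is the highest impact of
    any information type it processes, stores or transmits. A system objective
    can never be NA: starting the fold at LOW enforces the FIPS 199 minimum.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    levels = {objective: "LOW" for objective in OBJECTIVES}
    for sc in info_types.values():
        for objective in OBJECTIVES:
            levels[objective] = max_level(levels[objective], getattr(sc, objective))
    return SecurityCategory(**levels)


def high_water_mark(system_sc: SecurityCategory) -> str:
    """FIPS 200 high water mark: the overall impact level of the system is the
    highest impact assigned to any of its three security objectives. This is
    the level that selects the LOW, MODERATE or HIGH SP 800-53 baseline."""
    overall = "LOW"
    for level in system_sc.as_tuple():
        overall = max_level(overall, level)
    return overall


def format_sc(label: str, sc: SecurityCategory) -> str:
    """Render a category in the FIPS 199 notation used on the flashcard."""
    return (f"SC {label} = {{(confidentiality, {sc.confidentiality}), "
            f"(integrity, {sc.integrity}), (availability, {sc.availability})}}")


# Constructed example: information types handled by a public-facing agency
# web application. The names and impact values are illustrative only.
EXAMPLE_INFO_TYPES = {
    "public web content": SecurityCategory("NA", "MODERATE", "LOW"),
    "citizen contact records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "payment batch files": SecurityCategory("MODERATE", "HIGH", "MODERATE"),
}


def example() -> Tuple[SecurityCategory, str]:
    """Categorize the constructed system and return (system SC, overall level)."""
    system_sc = categorize_system(EXAMPLE_INFO_TYPES)
    return system_sc, high_water_mark(system_sc)


if __name__ == "__main__":
    for name, sc in EXAMPLE_INFO_TYPES.items():
        print(format_sc(name, sc))
    system_sc, overall = example()
    print(format_sc("web application", system_sc))
    print("Overall impact level (high water mark):", overall)
```

Note the two different places the word "high water mark" is used: FIPS 199 applies it per objective when rolling information types up to a system, and FIPS 200 applies it across the three objectives to pick one overall level. In the constructed example the NA confidentiality of the public content is overridden by the MODERATE records, a single HIGH integrity rating drags the whole system to HIGH, and that HIGH is what would drive baseline selection even though two of the three objectives are only MODERATE.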
51. FISMA 2002
Federal Information Security Management Act of 2002: assigns responsibilities to NIST to provide standards and guidance that aid agencies in meeting the requirements of the law.
52. SP 800-53
Security and Privacy Controls for Information Systems and Organizations: the control catalog from which an agency selects and applies the appropriately tailored baseline of security controls (low, moderate or high, matching the system's FIPS 199/FIPS 200 impact level).
53. HMG Cyber Essentials
UK government scheme with five control areas: firewalls, secure configuration, user access control, malware protection, security update management.
54. Digital Transformation
Incorporating computer-based technologies into an organization's products, processes and strategies.
55. DevOps
Software development approach involving closer collaboration between IT operations and development teams, balancing speed and quality.
56. Agile Project Management
Based on breaking a project down into smaller "pieces". At intervals throughout the project, teams release these pieces for feedback and testing, so that timely feedback about the product is available before a new phase is started. The idea is to reduce the likelihood of discovering at the end that a project is an overall failure, because there has been continuous feedback and improvement throughout the project lifecycle.
57. Lean IT
A way of thinking and acting, focusing heavily on organizational culture, associated with the development and management of IT products and services. The essence of Lean is to deliver value to the customer and to improve continuously by removing waste and using fewer resources.
58. ITIL
IT Infrastructure Library: operational perspective, with a focus on service management and delivery. Strives to help organizations optimize IT services so that they best support the organization.
59. Value Stream
A series of steps that an organization uses to create and deliver valued IT products and services to a service consumer; a combination of the organization's value chain activities.
60. Co-creation of value
Recognizes that, while some customers might expect providers to "deliver value" independently, value requires open dialogue and active collaboration between providers and consumers (end users). The service provider and consumer have a relationship: a two-way communication process that generates feedback and pre-empts demands proactively rather than reactively. Although value is co-created, its realization is in the eye of the beholder (the consumer).
61. Value
The perceived benefits, usefulness and importance of something; can be seen as a combination of outcomes, cost and risk.
62. Outcome
A result for a stakeholder enabled by one or more outputs.
63. Cost
The amount of money spent on a specific activity or resource.
64. Risk (ITIL definition)
A possible event that could cause harm or loss, or make it more difficult to achieve objectives. Can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive as well as negative outcomes.
65. Output
A tangible or intangible deliverable of an activity.
66. Service
A means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.
67. Service Value System (SVS)
Represents how the various components and activities of the organization work together to facilitate continual value (co-)creation through IT.
68. Parts of the SVS
Guiding principles, governance, service value chain, practices, continual improvement.
69. Guiding Principles
Recommendations that guide an organization and its people on how to work flexibly in all circumstances.
70. Governance (ITIL definition)
The means by which an organization is directed and controlled.
71. The Service Value Chain (SVC)
The "heart" of the SVS: an operating model which outlines the key activities required to respond to demand and facilitate value creation through the creation and management of products and services.
72. Practices
Sets of organizational resources designed for performing work or accomplishing an objective, including processes and capabilities.
73. Continual Improvement
A recurring organizational activity performed at all levels to ensure that the organization's performance continually improves in meeting stakeholders' expectations.
74. Seven guiding principles of the SVS
Focus on value; start where you are (leverage what you can); progress iteratively with feedback; collaborate and promote visibility; think and work holistically; keep it simple and practical; optimize and automate.
75. Service value chain
Describes six key activities needed to realize value, including guidance about how to plan, manage and improve key activities for the creation, delivery and continual improvement of services.
76. Service value chain activities
Plan, improve, engage, design and transition, obtain/build, deliver and support.
77. Plan
Creates plans, portfolios, architectures, policies etc. to ensure a shared understanding of what the organization is trying to achieve and how this will be done.
78. Improve
Creates improvement plans and initiatives to ensure continual improvement of all products, services and practices across all four dimensions of service management.
79. Engage
Encourages good understanding, transparency and engagement with stakeholders, to understand their needs and develop strong relationships.
80. Design and transition
Creates new and changed products and services and ensures that they meet stakeholder expectations for quality, cost and time to market.
81. Obtain/build
Creates service components, ensures they are available when and where they are needed, and that they meet agreed specifications.
82. Deliver and support
Ensures that services are delivered according to specification and supported in a way that meets stakeholder expectations.
83. Four dimensions of service management
Organizations and people; information and technology; partners and suppliers; value streams and processes.
84. Organizations and people
Includes the culture, systems of authority, roles, skills and competencies needed to plan, manage and deliver services.
85. Information and technology
Includes the information and technology needed to deliver services (servers, storage, networks, databases, etc.) as well as the information and technology needed to manage those services (IT service management (ITSM) tools, knowledge bases, configuration information, etc.).
86. Partners and suppliers
Ensures that all the relationships needed to foster effective service delivery are considered, since in the modern business environment no service provider can do everything by itself; every organization works with a wide number of other organizations that contribute in various ways to the services it delivers.
87. Value streams and processes
Considers all the activities, workflows, controls and procedures needed to succeed. They need to work together seamlessly to take incoming demand from customers and users and help to create value.
88. COBIT
Control Objectives for Information and Related Technologies: rooted in audit and controls. Addresses modern technologies, trends and security requirements for organizations. It strives to provide guidance for improving alignment/compliance with global standards, frameworks and best practices such as TOGAF, CMMI and ITIL, providing an open
89. COBIT principles of a governance system
Provide stakeholder value; holistic approach; dynamic governance system; governance distinct from management; tailored to enterprise needs; end-to-end governance system.
90. COBIT principles of a governance framework
Based on a conceptual model; open and flexible; aligned to major standards.
91. Meet stakeholder needs
Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T (information and technology). Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.
92. Holistic approach
A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.
93. Dynamic governance system
Each time one or more of the design factors change (e.g., a change in strategy or technology), the impact of these changes on the EGIT (enterprise governance of I&T) system must be considered. A dynamic view of EGIT will lead toward a viable and future
94. Governance distinct from management
A governance system should clearly distinguish between governance and management activities and structures.
95. Tailored to enterprise needs
A governance system should be tailored to the enterprise's needs, using a set of design factors as parameters to customize and prioritize the governance system components.
96. End-to-end governance system
A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where in the enterprise the processing is located.
97. Components of a governance system
Processes; organizational structures; principles, policies and frameworks; information; culture, ethics and behavior; people, skills and competencies; services, infrastructure and applications.
98. Focus area
Describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
99. Technopedia, CIO, ComputerWorld Knowledge Centers, CNet, ZDNet, Tech on the Web, Wired
Publish reviews, news, articles, blogs, podcasts and videos on technology and consumer electronics globally.
100. Executive Support System (ESS)
Software that allows users to transform enterprise data into quickly accessible, executive-level reports, such as those used by billing, accounting and staffing departments.