 The ITGS Governance Review Process

The ITGS Governance Review consists of identifying a business’ unique requirements and comparing its current policies, procedures and processes against standards for compliance. The selection of standards is based upon the company’s industry and external requirements. The comparison results in recommendations to more closely align IT processes with the controls employed by leading, well-governed businesses of similar size, stage of development and industry.

The engagement begins with a review of the regulatory mandates for the specific company and industry. We review the myriad regulations and build a compliance grid for the consultation, noting where conflicts exist. Once the applicable regulations are identified, we review the business’ existing IT policy and operations manuals. ITGS becomes familiar with the management style, corporate culture and appetite for risk, as well as the tone from the top as expressed in written policies and directives. After reviewing written materials, ITGS interviews key personnel to fill in the gaps in written documents with informal practices.

Next, ITGS maps the processes and controls to the standards and performs a gap analysis of existing policies compared to the requirements that apply specifically to the company. The mapping provides guidance on processes for which the company may be missing formal documentation. At this point, ITGS generates a list of provisions that will need to be documented.

 

The next phase is to identify the missing policies along with the standards required to adopt them. It encompasses the policies and procedures that surround technology to assure adherence to business processes going forward. This produces a list of equipment and software that may be needed to execute the standards.

Finally, a roadmap is developed for the company to become compliant. Time frames are outlined and take into account the company’s IT environment and technical readiness.

 

At the conclusion of the consultation, the roadmap serves as a tangible guide to bringing the company’s environment and processes into alignment with external requirements.

 

Businesses of all sizes, industries and stages of organizational development find standards essential to sustainable compliance and continuous improvement. In recent years businesses have found best practices instrumental to achieve efficiencies, operational savings and revenue generation.

 


The consultation runs 10 days over a period of several weeks. An on-site visit is made to corporate headquarters to review documents and interview key personnel. The purpose of the on-site visit is to discover and clarify information pertinent to the consultation and to observe informal practices. Then, ITGS maps the existing policies to the mandates and standards specific to the company and industry. ITGS has identified over 120 separate, identifiable policies covering a variety of laws, statutes, rules, regulations and standards. The mapping provides a comprehensive view of the landscape within which the IT environment operates.

  • Identify IT Governance standards and regulations specific to the business and industry.

  • Review existing policies and procedures.

  • Interview key managers about informal practices.

  • Map business processes to standards and requirements.

  • Generate a gap analysis of processes and controls.

  • Recommend remedies and continuous improvements.

  • Prioritize accomplishment of IT Governance objectives.

  • Produce a roadmap to compliance.

 Planning and Constructing a Compliance Roadmap

 

Managing the volume and complexity of mandates.
A compliance roadmap benefits the acquisition and implementation of hardware and software assets. It is a tool for managing the sheer volume, complexity and diversity of regulations and mandates. Where solutions abound that focus on siloed, one-time projects, a compliance roadmap enables the consolidation of disparate systems and the stitching together of one-off programs. The result is a centralized, consistent, measurable and auditable compliance function.

Protecting the investment in IT infrastructure.
With the rising cost of complying, a compliance roadmap protects the business’ substantial investment in IT. According to AMR Research, the cost of compliance rose to $29.9 billion in 2007, up from $15.5 billion in 2005, and AMR predicts that expenses will continue to rise. Sarbanes-Oxley compliance costs have not tapered off as expected; instead, AMR survey respondents anticipate more expenses in 2008.

Streamlining business practices.
The bright spot is that 42% of the AMR respondents also realize benefits from streamlined business practices.

Mitigating risk.
Increasing security threats – both internal and external – make a vulnerable business environment exceedingly expensive. In 2007, the average cost of a data breach rose to $6.3 million according to the IT Compliance Institute. The costs include actual loss, notification, remediation, legal and settlement fees. Additionally, corresponding increases in general business insurance premiums, audit fees, reputation loss and the subsequent loss of customers have elevated compliance to capital proportions.

Third-party contractors, outsourcers, business partners, supply chain and business network members have privileged access to sensitive customer and business data. Third-party security needs to be contractually enforced – a change that will likely drive compliance initiatives in the near term.

 


Thirty-four states now have privacy laws; the remaining will likely adopt privacy protection legislation in the coming year. With elevated awareness of privacy and data leakage, greater activism in privacy and protection of information will likely occur. CFO.com predicts increasing class actions focused on security, privacy breaches and data leakage.

 

Until now, the security of mobile solutions has been an afterthought. Mobile solutions for a mobile workforce need greater security. More and more organizations are locking down mobile devices and adopting controls over them.

Integrating compliance into corporate business goals and objectives.
A compliance roadmap enables businesses to move from a reactive state, responding to auditors, incidents or regulatory mandates, to a continuous-improvement state. It accelerates compliance adoption because it makes initiatives visible. The roadmap enables the organization to leverage best practices from peers across the enterprise and to improve operational performance.

As a graphic representation of the path to compliance, the roadmap can be used as a tool to mark progress and as a scorecard performance indicator. A compliance roadmap benefits a business with better alignment between business and IT strategy; more informed, practical decisions about technology investments; greater flexibility in meeting shifting demands and a stronger foundation for innovation; and better measurement and control of the costs related to protecting IT assets.


  Governance & IT Asset Management


 

Today, leading businesses are adopting rigorous IT Governance initiatives in order to sustain and integrate corporate governance for continuous improvement.  IT hardware and software asset management is often the first step in that direction.  

IT Asset Management and Software Asset Management are the structure and processes for the effective management, control and protection of software assets throughout their entire lifecycles.  According to Gartner, IT/SAM is 80% people and process and 20% technology.

 

IT/SAM enables understanding of:

  • What hardware, peripherals and devices are owned

  • What software is installed and the entitlements

  • Where it is located

  • How it is used

  • How software is licensed

  • When it needs to be updated or changed

  • Patching

 

Understanding what assets belong to the company, where they are and how they are used enables tangible business benefits such as lower costs, greater security, decreased risk and improved corporate governance.  By knowing its assets, a business can accurately budget and plan software purchases.

Understanding how software is licensed takes into account:  is it appropriately licensed, are there unused installations, are there duplicate installations, is installed software used regularly, are there license shortfalls and does every employee have the software they need?

 

Patching includes:  is the software up-to-date, is the software secure, which versions need patching, which versions need retiring?

 

There are three parts to IT/SAM:

  • Policies and procedures to assure continuous operations and continuous improvement

  • Inventory of hardware, network, devices and software

  • License reconciliation to understand the assets and their configuration

 

IT/SAM addresses the underlying policies, procedures, processes, controls and technology that create the environment in which corporate performance occurs.

 

Reconciling licenses involves comparing:

  • License entitlements to what the business thinks it has

  • What the business has to what the software vendor thinks it has

  • Entitlements to actual proofs of purchase

  • Installed software to entitlements
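The licensing questions asked earlier (is it appropriately licensed, are there unused or duplicate installations, are there license shortfalls) and the installed-versus-entitlements comparison in this list are the same data check. The following Python script is an added example, not ITGS tooling or any vendor's product; the hosts, titles, seat counts and last-used dates are constructed sample data, and the 90-day idle threshold is an assumption.

```python
"""License reconciliation: installed software measured against entitlements.

Constructed sample data; hosts, titles, seat counts and dates are assumptions
made for this example, not records from a real inventory.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Install:
    host: str
    title: str
    version: str
    last_used: Optional[date]  # None: never launched since inventory began


# Proofs of purchase (constructed): title -> seats the business is entitled to.
ENTITLEMENTS = {"OfficeSuite": 3, "CADTool": 1, "DBClient": 2}

# Discovery agent output (constructed): one row per installed copy per host.
INSTALLS = [
    Install("ws-01", "OfficeSuite", "12.0", date(2010, 3, 1)),
    Install("ws-02", "OfficeSuite", "12.0", date(2010, 3, 4)),
    Install("ws-03", "OfficeSuite", "11.5", None),
    Install("ws-04", "OfficeSuite", "12.0", date(2010, 2, 20)),
    Install("ws-01", "CADTool", "4.1", date(2010, 3, 2)),
    Install("ws-01", "CADTool", "4.0", date(2009, 8, 2)),   # second copy on the same host
    Install("ws-02", "DBClient", "8.2", date(2010, 1, 10)),
    Install("ws-05", "P2PShare", "1.0", date(2010, 3, 5)),  # no entitlement on file
]

AS_OF = date(2010, 3, 10)   # date of the reconciliation run (constructed)
IDLE_DAYS = 90              # assumed threshold for "not used regularly"


def reconcile(entitlements, installs, today, idle_days=IDLE_DAYS):
    """Compare installed software with entitlements and answer the licensing
    questions: shortfalls, surplus seats, unlicensed titles, duplicates, unused."""
    # Group copies by (host, title): a second copy on one host is a duplicate,
    # not a second seat consumed.
    copies = defaultdict(list)
    for inst in installs:
        copies[(inst.host, inst.title)].append(inst)
    seats_used = Counter(title for (_, title) in copies)

    shortfalls = {t: seats_used[t] - n for t, n in entitlements.items() if seats_used[t] > n}
    surplus = {t: n - seats_used[t] for t, n in entitlements.items() if seats_used[t] < n}
    unlicensed = sorted(t for t in seats_used if t not in entitlements)
    duplicates = sorted(key for key, group in copies.items() if len(group) > 1)
    unused = sorted(
        {(i.host, i.title) for i in installs
         if i.last_used is None or (today - i.last_used).days > idle_days}
    )
    return {
        "shortfalls": shortfalls,   # more installs than seats: buy seats or remove copies
        "surplus": surplus,         # seats paid for but not deployed: reallocate
        "unlicensed": unlicensed,   # installed with no proof of purchase at all
        "duplicates": duplicates,   # same title installed twice on one host
        "unused": unused,           # idle installs whose seats could be harvested
    }


def report():
    """Run the reconciliation over the constructed data."""
    return reconcile(ENTITLEMENTS, INSTALLS, AS_OF)


if __name__ == "__main__":
    for category, items in report().items():
        print(f"{category:11s} {items}")
```

Seats are counted per (host, title) rather than per copy, so a second copy on one machine shows up as a duplicate to clean up instead of inflating the shortfall; the unlicensed list is the one to act on first, since those titles have no proof of purchase at all.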

 

Understanding hardware and software assets enables IT Governance.

 

An IT/SAM implementation organizes licenses and proofs of purchase and summarizes them in one place.  The business knows at a glance where software resides and how each title can be used, for greater control over its software assets.  This helps the company maintain and disclose accurate information about the business’ assets.

 

Software is a significant portion of the control environment.  IT controls represent 21% of all controls – twice the number of the next two control categories combined.  Software represents 25% of COBIT Control Objectives.  Software controls how and what goes on financial reports.  Software needs to be secure to prevent network intrusions and breaches of privacy or confidentiality, and to safeguard database integrity.

 

The main IT/SAM controls to mitigate risk exposure are:

  • Monitor, plan and budget IT infrastructure purchases

  • Change control

  • Inventory reconciliation

  • Security

  • Release deployment and management

  • Disaster Recovery & Resiliency and Business Continuity Planning

  • Disciplinary action applied to violators

IT/SAM adds value to your business.

 

IT and Software Asset Management enables the achievement of business goals by providing the technology that delivers productivity, efficiency and organizational effectiveness.  IT/SAM contributes to market value and competitiveness by enhancing the organization’s ability to exploit its information assets.  It contributes to growth by increasing productivity and margins enabling organic growth. 

 

IT/SAM provides an opportunity to achieve competitive advantage.  Round-the-clock business system and network availability is essential for global business.  A comprehensive asset management program helps reduce the introduction of worms, viruses and malicious code, keeping networks up and running.  IT/SAM best practices, for example, control or limit downloads to pre-approved titles offered by reputable sites, giving IT the control to manage system resources and keep networks up and running.

 

 

IT/SAM enables effective IT Governance.

As a first step in achieving effective IT Governance, IT and software asset management facilitates the accomplishment of the IT Governance tenets listed above.  It enables management to understand its assets and to gain control over licensing.  IT/SAM helps prevent an inadvertent breach of privacy by securing database integrity and enhancing network security.  IT/SAM helps regulate application change management and plan inventory purchases – which saves money.

 

Change Control and Configuration Management.

 

Knowing the server farm or how many computers the business has is a step in configuration management.  Knowing what’s on those computers is the next step.  If a company does not know what is on them, how does it know when security has been breached?  Or that they are compliant?  A business can’t figure out what it needs if it doesn’t know what it has.

 

Knowing the configuration speeds time to incident resolution and enhances release management.  It enables easier and faster server consolidation for infrastructure optimization, business combination and business expansion.  It enables IT to focus on future IT initiatives, migrations, new hardware and software purchases and deployment.  It facilitates the elimination of unplanned work.

 

Change and configuration management best practice is the creation and maintenance of computer profiles (the software installed on each computer) and user profiles (the software titles each user is permitted to access).  Consequently, managers can monitor and track software changes as they occur.  The company now has a way to regulate what goes on its computers.  It can also remove suspect programs and potentially insidious code that can threaten network security.
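As an added example of the computer-profile and user-profile practice described above (not ITGS code; the hosts, profiles, machine assignments and scan results are constructed for illustration), the following Python check compares a discovery scan against the approved profiles and reports each deviation as a finding a manager could act on: a title that appeared without approval, a required title that disappeared, a title the assigned user is not permitted, or a machine with no profile at all.

```python
"""Change-control check: each computer's current software inventory compared
against its approved computer profile and its assigned user's user profile.

Profiles, hosts, users and scan results are constructed for this example;
they are not from a real environment.
"""
from typing import Dict, List, Set

# Computer profiles (baseline): titles approved for each machine.
COMPUTER_PROFILES: Dict[str, Set[str]] = {
    "ws-01": {"OfficeSuite", "CADTool", "AVAgent"},
    "ws-02": {"OfficeSuite", "DBClient", "AVAgent"},
}

# User profiles: titles each user is permitted to access.
USER_PROFILES: Dict[str, Set[str]] = {
    "alice": {"OfficeSuite", "CADTool"},
    "bob": {"DBClient"},          # bob is not permitted OfficeSuite
}

# Machine-to-user assignments (ws-02 was recently reassigned to bob).
ASSIGNMENTS: Dict[str, str] = {"ws-01": "alice", "ws-02": "bob"}

# Latest discovery scan (constructed): what is actually installed now.
CURRENT_SCAN: Dict[str, Set[str]] = {
    "ws-01": {"OfficeSuite", "CADTool", "AVAgent"},
    "ws-02": {"OfficeSuite", "DBClient", "P2PShare"},   # AVAgent removed, P2PShare appeared
    "ws-09": {"OfficeSuite"},                           # machine with no profile at all
}


def detect_changes(profiles, user_profiles, assignments, scan) -> List[dict]:
    """Return one finding per deviation from the profiles, ordered by host.

    Finding kinds:
      unknown-host          machine in the scan has no computer profile
      unapproved-install    title present that the computer profile does not list
      missing-from-profile  title the profile requires is no longer installed
      user-not-permitted    title the assigned user's profile does not allow
    """
    # Only titles governed by some user profile are subject to the user check;
    # machine tooling such as AVAgent is approved per computer, not per user.
    user_governed = set().union(*user_profiles.values())
    findings = []
    for host, installed in sorted(scan.items()):
        if host not in profiles:
            findings.append({"host": host, "kind": "unknown-host", "title": None})
            continue
        approved = profiles[host]
        for title in sorted(installed - approved):
            findings.append({"host": host, "kind": "unapproved-install", "title": title})
        for title in sorted(approved - installed):
            findings.append({"host": host, "kind": "missing-from-profile", "title": title})
        user = assignments.get(host)
        permitted = user_profiles.get(user, set())
        for title in sorted((installed & user_governed) - permitted):
            findings.append({"host": host, "kind": "user-not-permitted",
                             "title": title, "user": user})
    return findings


def run_check() -> List[dict]:
    """Run the check over the constructed profiles and scan."""
    return detect_changes(COMPUTER_PROFILES, USER_PROFILES, ASSIGNMENTS, CURRENT_SCAN)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Running the check against each new scan, and keeping the findings, gives the change history the text describes: a missing-from-profile finding for an agent such as AVAgent is as much a security signal as an unapproved install, and an unknown-host finding means the inventory itself is incomplete.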

 

A side benefit to understanding the hardware and software assets is that employees are better informed about their obligations and responsibilities.  Putting IT/SAM in the employee handbook lets employees know what is expected of them.  And they can help keep networks free of unlicensed or unauthorized software.

 

Plan and Budget.  One of the intended outcomes of IT Governance is to produce better run companies and a major principle of well-run businesses is planning.  A well-executed IT/SAM implementation enables the company to plan for purchases.  By consolidating purchasing, planning budgets in advance and anticipating upgrades or agreement expirations, businesses right-size their investment in software, ultimately saving money.

 

By knowing what the company has and what employees are using or not using, it can accurately budget and plan software purchases, eliminate waste and redundancy, reallocate unused licenses and avoid unnecessary upgrades.

 

Financial Reporting.  When networks and computers are free and clear of unauthorized, unwanted software, the risk of intrusion into protected information can be minimized, thereby preserving and protecting the accuracy of financial data and reporting.

 

Policies and Procedures.  Formal policies and procedures are the hallmark of well-run organizations that are also well-governed.  Good governance practices lead to greater profitability and higher valuations.  IT and software assets require specific policies and procedures to guide employee conduct in the acquisition and use of software.

 

By concentrating on IT and software asset management, a business will dramatically improve insight into its IT infrastructure and drive productivity enhancements.  More important, the business can enjoy immediate cost savings from improved software allocation, volume license discounts, better price points and accurate asset depreciation.

 

Further, these initial steps in IT/SAM put the business in a strong position to implement IT Governance best practices.


ITGS is a trademark of IT Governance Services; all other trademarks are property of their respective trademark holders.

All material ©2010 IT Governance Services, a SMS, Inc. company | Redmond, WA