IT Governance Blog

PO3.4 Technology Standards

2009-04-12T14:26:41Z

CobiT definition:

To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide
technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with
these standards and guidelines. This forum should direct technology standards and practices based on their business relevance, risks
and compliance with external requirements.

Bill says,

This control objective has a number of different but important elements – in fact if I had been drafting this governance framework I may well have separated what I see to be two major points being addressed here.

The guidance is to establish a forum for the purpose of establishing technology guidelines and providing advice, but then it goes on to say that this forum would also measure compliance with the standards and guidelines. I don’t mind this forum providing both advice and measuring compliance, but it just seems like the kind of thing that needs to be separate.

In any case, I’ll address it together. So, what is the number one question about this control objective? It would have to be, “what is a forum?” The next control objective talks about establishing a board, so then is a forum different than a board? One could imagine that a forum is simply an informal discussion group but then that doesn’t align very well with the idea that the forum would also be measuring compliance – at least it doesn’t for me.

The advice clearly states that the forum should direct technology standards but is that different than setting them? If in fact the technology standards forum is different than the architecture board, then it would seem perhaps that this approach is too “big company” for a lot of us. I for one can’t see having different groups advise and set standards let alone measure compliance. We don’t have enough people!

Here is what I think is being said here and the difference between this and the next control objective, which is to form an IT Architecture Board. While the latter is meant to be focused on big picture, general architecture design decisions (should we go to a meshed MPLS network, for example) the former is designed to address all levels of technology, including end user devices. Will we be supporting iPhones? What model laptops are we going with this quarter? And so on. In my case we do all of these discussions at the IT Architecture Board level because I don’t have enough staff to have multiple groups.

Remember, this is one man’s opinion. What’s yours? What do you think a forum is?

The fourth step in Determining the Technological Direction is Technology Standards.

PO3 Determine Technological Direction CobiT definition: Th
PO3.2 Technology Infrastructure Plan CobiT definition: Cr
PO3.1 Technological Direction Planning CobiTdefinition: Ana

PO3.3 Monitor Future Trends and Regulations

2009-02-26T03:33:19Z

CobiT definition:

Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends.
Incorporate the consequences of these trends into the development of the IT technology infrastructure plan.

Bill says,

For me one of the great things about using a governance framework such as CobiT is the attention it forces you to take to the little things that ordinarily would fall to the wayside. This is a great example. How do most companies monitor future trends and regulations? Probably by reading CIO magazine or other industry trade mags. By attending conferences. By networking with peers. By reading the Wall Street Journal.

And those are all perfectly fine ways to go about monitoring future trends and regulations. But like many things in life if there is not a process framework developed forcing you to ensure that you have done the legwork necessary to actually do that, it becomes something that is done haphazardly and sporadically – if at all. Without a conscious directive to be looking for these trends one could go through the motions of the above mentioned research without really focusing on thinking strategically about the long term effects of new legislation, for example.

So what this control objective does is remind us that we need to put a process in place. The process could be as simple as building a monthly reading list with a reminder to look specifically for trends and regulations or it could be a board of individuals tasked with looking for certain things within their niche.

What I prefer to do is to hold each of my managers, and myself, accountable for this topic in a special monthly staff meeting where one of the topics is “What new technologies, trends or regulations could change our business within 3 years?” Sometimes there is nothing to discuss, sometimes there are a lot of different things. It would come as no surprise that over the last couple of years the focus of discussion has been on green computing, cloud computing and the rise of social media such as Facebook and Twitter.

I know this doesn’t sound like rocket science and that you think you just do this as a matter of your job – but make sure you take it a step further and put a process in place around monitoring future trends and regulations.

The third step in Determining the Technological Direction is to Monitor Future Trends and Regulations.

PO3 Determine Technological Direction CobiT definition: Th
PO3.1 Technological Direction Planning CobiTdefinition: Ana
PO3.2 Technology Infrastructure Plan CobiT definition: Cr

How to Pass the ITIL Foundations Certification Exam

2009-04-12T12:32:06Z

I’ll take a break in the action of going through CobiT to tell you that I recently passed the ITIL v3 Foundation for Service Management Certification exam. I had received an offer through HDI for a course and exam package and decided it was time to go for it, both to force me to look deeper into ITIL but to also see how relevant this exam would be for my staff. I ended up passing with a 90% score. Since only 65% is required to pass I guess you could say I passed with flying colors. By the way, what is up with a passing score being 65%? That’s insulting. When I was in school that was at least a D.

If you are interested in taking this certification exam I thought it would be worthwhile to describe the process and tools I used for passing the ITIL Foundations Exam.

First, I purchased the Official Introduction to the ITIL Service Lifecycle. You should get this book even if you are not planning to sit for the exam. It is the defacto introduction to ITIL. My first step in studying for the exam was to read through this book cover to cover, using a highlighter to mark passages that seemed important.

My second step was to go through the course that I purchased through HDI. You may find that something like the ITIL V3 Foundation Complete Certification Kit – Study Guide Book and Online Course works better and cheaper for you, but I was happy with the CBT from HDI. I went through the course once just going through it, no notes, no nothing. Just watching and learning.

The second time I went through the ITIL CBT Training I also opened the ITIL Intro book and read along with it and the course, and I started making flashcards on both the key points as highlighted in the CBT and the key points that I had previously highlighted in the book.

At this point I had a pretty good handle on the concepts. Now came the time to start practicing for taking the exam. For this I found some decent itil mock exams on the internet from CRM Help Desk Software.com.

The process I used for leveraging the mock exams was pretty standard I think. Each mock exam was 40 questions so I printed off a number of scoresheets that I could use. I started by taking mock exam #1 and as I was going through the questions I would mark the ones that I knew I was 100% correct on. After I was done I would grade myself, and then go through each question to see if I understood why the answer is what it is. I did this both for questions I got wrong but also questions I got right. I paid particular attention to those questions that I had marked as 100% sure but in fact I got wrong! I repeated this process for each of the 4 mock exams I had, until I was consistently getting everything correct.

Finally, on the day of the exam I showed up about 30 minutes early and did some cramming using the flashcards I had prepared. Since you can’t bring anything into the testing center I just sat in my car while going through them.

It would be nice to be able to see which 4 questions I missed but other than seeing what category they were in you can’t so I will have to be satisfied that my studying paid off. I’m still waiting for my certificate from HDI but I’m sure that will be coming soon.

I hope this helps you pass the ITIL v3 Foundation for Service Management Certification exam. If you use any of these tips to pass the exam why not come back here and let me know!

IT Governance Certifications I’ve decided

PO3.2 Technology Infrastructure Plan

2009-01-31T09:52:41Z

CobiT definition:

Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.

Bill says,

It is in the Technology Infrastructure Plan where the strategy and the tactical meet. This is where you define things such as the role virtualization will play in addressing your technology strategy, who your primary technology sourcing vendors will be, and how geographical issues will impact your data center and staffing plan.

For example, let’s say that in your Technological Direction Planning you have identified that virtualization provides not only business opportunities for your company but opportunities for server consolidation and improved support within your IT organization. As that as the backdrop for the direction you want to go, it is in the TIP where you will outline how you will accomplish that. It is appropriate that in the TIP you will also outline how such a move will save on staffing expenses should that be an expected outcome.

By now you have seen enough of CobiT to know that much of this really isn’t complicated and it really is kind of obvious. You might be saying, why do I have to be told to create a direction plan and that a plan for how to implement that direction, as that seems so obvious. The problem is as obvious as it may seem it simply doesn’t get done to the degree you would expect. By following a framework like CobiT you can ensure that you are following best practices for running an IT organization. A governance framework is not designed to produce any real “aha” moments – it is simply to ensure that you have control over the basics. It is control of the basics where many companies fall down.

One thing you will note is the CobiT doesn’t give you guidance on much beyond what the basics are. So for example, what is the audience of the Technology Infrastructure Plan? Do you share it with your managers? All IT staff? Everyone in the company? CobiT isn’t going to give you guidance there, that is up to you and your knowledge of the culture of your company.

For me, I actually create two versions of the plan. One for Senior Management and one for general consumption. I believe that it is important to have corporate visibility to these plans.

The second step in Determining the Technological Direction is building the Technology Infrastructure Plan.

PO3.1 Technological Direction Planning CobiTdefinition: Ana
PO3.4 Technology Standards CobiT definition: To
PO3.3 Monitor Future Trends and Regulations CobiT definition: Es

PO3.1 Technological Direction Planning

2008-08-29T11:31:23Z

CobiTdefinition:

Analyse existing and emerging technologies, and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

Bill says,

You have to give your team some context for your technical leadership direction. Are you the kind of leader, and hence your IT organization, who is a risk taker willing to implement the latest and greatest technology? Or are you more pragmatic, waiting for the other guys to take the risks on new technology first?

It is in the Technical Direction Planning CobiT control objective where you define this direction, and hence lay out the future for the direction your team will take from a technical standpoint.

Does Software as a Service make sense for your organization? What about mobile technologies? VOIP? Are there productivity improvements to be made there or are the risks too great? You need to map out these existing and emerging technologies and make clear what you as a leader are willing to accept.

From then on the details can be worked out.

The first step in Determining the Technological Direction is doing the necessary technological direction planning.

PO3 Determine Technological Direction CobiT definition: Th
PO3.2 Technology Infrastructure Plan CobiT definition: Cr
PO3.4 Technology Standards CobiT definition: To

PO3 Determine Technological Direction

2009-04-12T14:27:49Z

CobiT definition:

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.

Control over the IT process of
Determine technological direction

that satisfies the business requirement for IT of
having stable, cost-effective, integrated and standard application systems, resources and capabilities
that meet current and future business requirements

by focusing on
defining and implementing a technology infrastructure plan, architecture and standards that
recognise and leverage technology opportunities

is achieved by
• Establishing a forum to guide architecture and verify compliance
• Establishing the technology infrastructure plan balanced against cost, risk and
requirements
• Defining the technology infrastructure standards based on information
architecture requirements

and is measured by
• Number and type of deviations from the technology
infrastructure plan
• Frequency of the technology infrastructure plan review/update
• Number of technology platforms by function across the enterprise

Control objectives:

PO3 Determine Technological Direction

PO3.1 Technological Direction Planning
PO3.2 Technology Infrastructure Plan
PO3.3 Monitor Future Trends and Regulations
PO3.4 Technology Standards
PO3.5 IT Architecture Board

Check out the links for details on the control objectives.

PO3.1 Technological Direction Planning CobiTdefinition: Ana
PO3.4 Technology Standards CobiT definition: To
PO3.2 Technology Infrastructure Plan CobiT definition: Cr

IT Governance Certifications

2008-10-25T10:00:21Z

I’ve decided it was time that I get a little more serious about my IT Governance education and as such I have decided to pursue a couple of worthwhile certifications – ITIL Foundations (for a start) and CGEIT, which is Isaca’s Certified in the Governance of Enterprise IT certification.

For the Foundations’s certificate studying I purchased Introduction to the ITIL Service Lifecycle (ITIL Version 3) which does a very good job going over the highlight’s of ITIL and is their official introductory guide. I also signed up for some online education through HDI, which is an acreddited training organization, which also included a discunted exam fee. The online course is available for about 12 weeks, so sometime between now and then I’ll register and take the exam, which is multiple choice.

Going through the book and the online course together has been invaluable, I am really understanding the overall service lifecycle very well, and am actually looking forward to starting to purchase the core books and getting more in depth into studying ITIL and IT Governance.

Update – I passed the exam with a 90% score. Read more on how I did it by checking out How to Pass the ITIL Foundations Certification Exam.

This is what Isaca says about the CGEIT:

This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

The exam for this is scheduled on December 12th. Just passing the exam is not enough to earn the certification To earn the CGEIT credential, an individual must:

Pass the CGEIT exam (first exam – December 2008)
Adhere to the ISACA Code of Professional Ethics
Agree to comply with the CGEIT Continuing Education Policy
Provide evidence of appropriate IT governance work experience as defined by the CGEIT Job Practice

Based on my work experience I should have no problem qualifying (as long as I pass the exam!). Reference materials for study are available as free downloads on their website. I did register as an Isaca member to get the discount, so now I am an official Isaca member.

It’s been awhile since I have studied like this but I like it! I look forward to sharing more about my experience in seeking these certifications.

How to Pass the ITIL Foundations Certification Exam I’ll take a br

PO2.4 Integrity Management

2008-08-21T11:40:09Z

CobiT definition:

Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Bill says,

“All data stored in electronic form” is one hell of a big task, but if you are to implement the proper level of controls that is truly what you are on the hook for. Once you have classified your data you will have a list of what is important to your business and what you need to control. Now you have to design and implement the procedures that ensure that data is what you think it is and it has the visibility that you think it should have.

Integrity of the data is fairly simple for static data, you really just need to be able to maintain an archived version that you can compare it to proving it’s integrity, assuming of course that you have the security of that data established properly.

The biggest challenge to integrity management is in your transactional database where your staff, and perhaps even your customers, are responsible for maintain some aspect of that data. This is where you need to automate as much as possible so that you are not relying on human nature, but no matter how much of that you do you will still be on the heck for documenting those processes and controls.

Integrity management is difficult but important. If you have followed the steps within this control objective you should be well on your way to achieving a good level control.

The fourth step in Defining the Information Architecture is integrity management.

PO2.3 Data Classification Scheme CobiT definition: Es
PO3.2 Technology Infrastructure Plan CobiT definition: Cr
PO3.4 Technology Standards CobiT definition: To

PO2.3 Data Classification Scheme

2008-07-19T22:20:18Z

CobiT definition:

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public,
confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate
security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and
sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Bill says,

What I really like about CobiT is it forces you to look at things in a comprehensive way. For data classification you really need to analyze every bit of data you collect, categorize it, and decide who will have access, how you will control it, etc – but those are future controls. For this one it is all about defining the classification of data.

Let’s look at some non-traditional data that really does need to be captured in your classification scheme. For example, you probably use WebEx for data conferencing. And I am sure you realize that there is a lot of data archives pertaining to the meetings held through WebEx – many of which can have very telling titles.

As an aside, if you are using WebEx make sure you do not have your site open to the public – or you have strict rules and controls in place regarding what people can use as the subject line in meetings. Prior to us turning this off I saw some pretty awkward meeting titles that were open for all to see – employees, customers and competitors.

So you probably have never thought about that data but you need to. What parts are important? I know for me we record the monthly usage locally because after three months we lose access to it through WebEx. Who has access to that? How can we be sure we know who is responsible for archiving it? These are all important questions that you need to go through as part of the classification exercise.

Don’t be scared off by how much data you have, this is work that needs to be done!

The third step in Defining the Information Architecture is defining the data classification sceme.

PO2.4 Integrity Management CobiT definition: De
PO2.2 Enterprise Data Dictionary and Data Syntax Rules CobiT definition: Ma
PO3.2 Technology Infrastructure Plan CobiT definition: Cr

PO2.2 Enterprise Data Dictionary and Data Syntax Rules

2008-07-12T14:12:29Z

CobiT definition:

Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the
sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business
users, and prevent incompatible data elements from being created.

Bill says,

Establishing and maintaining a data dictionary for a complex application is difficult but not impossible, particulary if the application and the underlying data structure and processes don’t change much. But when you start defining an overall data dictionary for your enterprise it becomes a much more difficult challenge. When building a data dictionary, however, don’t feel as though it needs to be perfect – better than to have a mess documented than not at all.

In today’s corporate IT applications space integration between applications is critical. The ability to integrate between applications effectively is contingent on a good enterprise data dictionary. If you have not done this then you are not doing the corporate governance that you should be doing.

An important component of this is to understand what the data means and ensuring that both the business and IT are in alignment. For example, we have a phone system that records ACD transaction and one of the pieces of data that comes out of this application is abandoned calls. What does that mean to you? Does it mean something different to sales? In our case IT thought they knew what abandoned calls meant and sales thought it meant something else. When in fact the vendor defined it to mean even something else! SLAs had been established around this key piece of data and nobody in the business truly understand what it actually meant.

The second step in Defining the Information Architecture is establishing an enterprise data dictionary along with corresponding data syntax rules.

PO2.3 Data Classification Scheme CobiT definition: Es
PO2.4 Integrity Management CobiT definition: De