Readings
- In your own words, how would you define a control environment?
- Define the three kinds of common controls and give two examples of each from your everyday life.
- What is the role of the board of directors in IT governance?
- Which of the EDM processes do you think is most important and why?
- If you’re working, have you seen examples of active IT governance in your organization?
The DentDel Case
Think about the following questions before class next week.
- What processes were ineffective and allowed this situation to occur?
- Where could stronger IT governance have helped DentDel avoid this situation?
Nathan A. Van Cleave says
1. In your own words, how would you define a control environment?
The control environment in an organization consists of all the policies, standards, processes, and values or culture that help ensure the organization’s goals and objectives are attained while preventing or limiting risks that may negatively affect the organization.
It is important to emphasize that if an organization’s board/executive levels have robust controls in place that align with its core values, it will often trickle down to the operational levels, further protect the organization from risks and vulnerabilities, and offer a stronger probability that it will be successful in reaching its organizational objectives.
Jason Wulf says
1. In your own words, how would you define a control environment?
A control environment sets expectations of behavior by introducing parameters and consequences for those that fall outside of expected norms in an actively monitored environment.
For example, when someone goes to prison, their behavior in that environment is regulated and monitored. Monitoring occurs with cameras, guards, and check-ins. Consequences such as extended time in prison, lack of privileges, or other disciplinary action occur when a person does not follow the controls.
Nathan A. Van Cleave says
5. If you’re working, have you seen examples of active IT governance in your organization?
My current company is a great example of an organization with an expansive and comprehensive control environment.
It begins at the top with the Board of Directors and Corporate Executive Team (CET). Here the core company values of “Respect, Integrity, Transparency, and Patient Focus” helped shape the strategic priorities of:
- Grow a diversified, global strategy
- Deliver more products of value
- Simplify the operating model
- Create a culture of individual empowerment
- Build Trust
These strategic priorities in turn allow the organization to build thorough business, risk, financial and IT strategies. Since this company operates in a heavily regulated industry, it’s critical to have clear, concise, overarching values and strategy that other areas, like IT, can more efficiently align their strategies and priorities around.
As robust as this control environment is, it is not without opportunities for improvement. The CISO reports into the CIO, but neither sits directly on the CET or Board. Instead, the CIO rolls up to the Chief Financial Officer, as IT is one of a number of global support functions.
There is a definitive reason for this CIO-to-CFO reporting structure, as IT costs are inherently intertwined with an organization’s financials. The CIO does have an IT strategy that is clearly defined around a simplification model, which points back to a strategic priority and is heavily invested in the core values of the company. Moreover, the simplification strategy has allowed the organization to see the 30,000-foot view of the IT landscape (infrastructure, network, projects, future roadmap, costs).
Richard Flanagan says
Nathan,
Do you think IT is viewed as a strategic enabler by your CET, or is it seen more as a costly accounting tool that needs to be controlled? If the former, who speaks for what IT might bring to the table at the CET? If not, how does the CIO get close to the key business leaders?
Nathan A. Van Cleave says
Richard,
Thanks for inquiring. In my relatively short time (3 years) of being a part of the IT “rank and file” I have gotten the sense that IT is viewed as a strategic enabler. I’ve met Sir Andrew Witty (CEO) in person and he has engaged the US portion of IT each time he has visited from the UK. He has a strong reputation of engaging people at multiple levels of the organization. He also signed off on adding Values Assurance as a product to our Audit and Assurance organization’s remit.
There is regular IT advocacy at the CET. As I mentioned, all IT functions and our CIO report into the CFO. He sits on the CET, and as I understand it, there is IT visibility through his ownership of Global Support Functions (IT, HR, etc.). To what extent, I am left to guess.
Additionally, I understand that, at least on a semi-yearly basis, the CIO and/or CISO make presentations at the CET about key Information Protection & Privacy and overall IT strategic priorities (i.e. how we are trending towards our Key Performance Indicators for our Simplification strategy, updates on how the recent US Pharma reorganization affected the IT support and delivery organizations, etc.).
Conversely, I do see my company succumbing to fiscal pressures to reduce IT resources; correlating to a wider industry trend. Doing more with less seems to be a common IT Strategy. We have gone through a reorganization over the past couple years where we did not retain a wealth of knowledge, experience, wisdom and talent. From that perspective, it gives a strong signal that IT is seen as a bloated, expendable resource rather than a strategic enabler.
There were, however, reductions across the organization, not just IT, so I cannot fairly say that IT is viewed as simply dollars to be trimmed. Overall, though I enjoy working there, I do believe that the values, in general, are held in high esteem by everyone and reflect the overall governance strategy.
Richard Flanagan says
This all sounds good, but you can see how hard it is to really know if the organization is seeing IT as having a valuable mission or not. High-level execs are smart; they know what they should say, even if it’s not what they believe. That’s why this is so hard to audit. In my experience, having IT reporting to the CFO is a bad thing for IT, but not always. On the flip side, having regular IT-related discussions with the executive committee is a good thing, unless IT is viewed as a disaster that needs fixing. So where does that leave us here? No answer without a lot more digging.
Candace T Nelson says
Hi Nathan, Richard –
When my former boss and I facilitated the implementation of COSO 2013 (global retailer), we identified a gap in that there was no direct communication between the CIO and the Board of Directors related to routine compliance initiatives (e.g. PCI, PII). To address this gap, we (Internal Audit) recommended that the CIO present annually at a minimum – and more often if deemed necessary – the results of PCI compliance reviews, penetration testing, etc. directly to the Board and the change was implemented. I am curious as to who keeps your Board of Directors apprised of technology compliance (HCP, HIPAA and Aggregate Spend) compliance since I used to work for a global pharmaceutical company as well. Presumably it is your Company’s CFO.
Joseph Henofer says
Nathan,
It looks like your company has a solid foundation of IT governance. In your post, you stated that “As robust as this control environment is, it is not without opportunities for improvement.” What would be some of the improvements you would suggest? Do you think the company can benefit from having the CIO on the Corporate Executive Committee along with the CFO instead of the current alignment? I agree with you that having the CIO report to the CFO helps monitor and control spending for the company, which helps keep the financial alignment on a consistent track. By having the CIO report directly to the CEO, you may have the tendency for your costs to get out of control because of the investment in new technologies and risky projects with high returns. In my opinion, it all depends on what type of business you’re in, which will dictate the hierarchy of your senior management. If you’re a company that is focused on new, innovative products and has the opportunity to take the fiscal risk, then the CIO-to-CEO path may be your choice, but if you are financially conservative, then the CIO-to-CFO path may be your best choice.
Richard Flanagan says
Don’t fall into the trap of thinking that having shared services report to the CFO is the only way to control cost. Lines of business have costs too, but you don’t see them under the CFO. The reason I said earlier that having the CIO report to the CFO is usually bad for IT is that it implies that IT is seen as a cost center to control rather than a valuable tool to be exploited. Think of research and development in a product company. It’s a hugely expensive cost center that produces no income, yet companies invest a lot of money into it because they know that the future products it produces will be important to their future revenues. It’s an investment and hence not a cost center. This is how most CIOs would like to be viewed.
Nathan A. Van Cleave says
My company is a global pharma organization with three primary sources of revenue: consumer healthcare products, vaccines, and pharmaceuticals. Aside from those, we have a few joint ventures and extensive R&D and manufacturing divisions. I think we touched on it a bit in the Stars case, where the question was whether having a centralized IT function was better than not.
In the case of my company, there are so many different needs that R&D would have vs. Pharma vs. Consumer vs. Manufacturing. We have specific areas of IT that serve and support the different departments. For instance, I am in US Pharma IT, which is a sub-group of Global Pharma IT. As a whole, Global Pharma IT supports all pharma business units worldwide.
I’m getting off track a bit. But to Richard’s original point, I do think that having a CIO at the executive team level would be beneficial, but somewhat secondary considering this example. We may spend $4M on a new global CRM system, and that is a huge cost for any organization. However, and this is my naivete coming through, that $4M pales in comparison to the millions of dollars spent on what it takes to bring a viable pharma/vaccine product to market. So the long-winded response would be that my company views IT as a critical function and enabler for organizational success.
Jason Wulf says
Hi Rich,
I’m curious what your thoughts are on having a CISO and a CRO (Chief Risk Officer) report to a CFO or be independent. I personally don’t believe these positions should be under the CIO, as organizational bias and groupthink could occur.
Richard Flanagan says
I think it really depends on the organization, how big it is, and what types of risk it’s most worried about. I know Jan handled risk at 3M, and at R&H it was in the Insurance group under the Chief Counsel. I think it’s a mistake to get hung up on titles. I do think the CISO should report to Risk, not the CIO.
Andres Galarza says
Joseph,
What I actually reacted to in Nathan’s quote was that the CISO reports to the CIO. Per the “IBIT Report: Implementing Board Oversight of Cybersecurity” we had for this week’s reading, this organizational structure presents a, “clear segregation of duties conflict of interest” and I agree completely.
The CISO needs to fulfill his or her responsibility to point out problems that are overseen by the CIO. This could be made very difficult by a CIO that sees the CISO as a subordinate. I took this lesson from the readings to mean that the CISO should have an equal place on a committee as some of the other committee chiefs, such as the CRO and CFO.
Joseph Henofer says
Andres,
I also agree that the CISO should have an equal place on the committee as the other committee chiefs do, but it may be a difficult transition for some organizations. Information security hasn’t been a top focus for most companies until recently. I would think that adding the CISO to the committee would not be a difficult task, but in my work experience, I have seen the C-suite structure set up more like Nathan’s company versus what many books and articles have stated. As information security becomes more of a priority for companies, I believe that they will adapt to a more efficient C-suite structure like the one that is stated in the articles and readings.
Deepali Kochhar says
Q 1. In your own words, how would you define a control environment?
The control environment provides discipline and structure for the achievement of the primary objectives of the system.
• Creates reliability in processes and operations
• Helps in assigning authority and responsibility
• Helps in creating a preventive environment against any kind of fraud, such as data breach, security, financial, etc.
• Safeguards infrastructure
• Ensures data integrity
Richard Flanagan says
Love your first comment on reliability. We will talk about how this is related to quality later on, but establishing an environment that always produces the right results is much cheaper, in the long run, than fixing the problems that come up if you don’t. A good control environment is intended to make sure that the company gets the behaviors it desires from the members of the organization.
Sean Patrick Walsh says
I can’t remember if I read it in one of the many readings I’ve completed in the last week, or if it was in one of the videos, but I remember something along the lines of “ask anybody in the manufacturing industry and they’ll tell you it’s easier to build quality into a product/process initially than it is to add it in later.” Is that along the lines of what you’re saying about long-term costs, or does it go into something deeper?
Deepali Kochhar says
Sean,
To explain this in very simple language, the cost of doing it right the first time is much less than the time, cost and resources involved in the rework if executed in an unplanned manner.
Sachin Shah says
Great comment. It’s very important in IT or manufacturing to do things right the first time. That takes planning, testing, development, approval and implementation. Each is part of control; otherwise a company or department is just layering a bunch of stop-gap fixes instead of building it correctly the first time around.
Deepali Kochhar says
Q 5. If you’re working, have you seen examples of active IT governance in your organization?
I have worked on one of the IT governance projects when I was working with KPMG. The project was to align IT systems to the business strategies for one of the leading quick service restaurant chains.
The business objective of the chain was to increase their overall operational efficiency and meet customer satisfaction.
For this, I was involved in designing an IT strategy to implement industry-leading products across multiple service lines.
First of all, we designed and conducted market research on current technology offerings by various vendors for the QSR industry. We analyzed the research results to conduct vendor and product assessment, followed by recommendation and implementation of the IT systems, which provided an increase in revenue by 7% annually, hence meeting the business objectives and ensuring the effectiveness of IT governance.
Richard Flanagan says
How did you link the IT project to the results? Did the client go back and satisfy itself that the results were really caused by the systems and not a better economy that let people eat out more?
Deepali Kochhar says
The company did a revenue analysis based on the technological segments which were implemented as a part of the IT systems and found that the revenue cumulatively increased by 7 percent when considering all the technological implementations.
The analysis included process time statistics, which calculated the time saved in completing a process due to faster and better IT systems.
Customer-facing technology was also one of the parameters on which they analysed the results, and they found that it is helping control cost and maximize profits.
Richard Flanagan says
But how did faster time savings turn into growth? I’m nitpicking because I think many IT projects are tied to general financial goals but not a business strategy. Higher revenue is an outcome; what was the business thinking about how these new systems would change processes, which in turn would improve results? I’ve found such strategic thinking rare.
Deepali Kochhar says
Q 3. What is the role of the board of directors in IT governance?
The board of directors has primary responsibility for achieving effective IT governance. They are responsible for:
• Approving policies, ensuring appropriate monitoring, and reviewing metrics, reports and trend analysis.
• Members of the board need to be aware of the organization’s information assets and their criticality to ongoing business operations. They need to monitor the Business Impact Analysis (BIA) and risk assessment results.
• They should define and communicate the penalties for non-compliance.
• They are responsible for the approval of the assessments of key assets to be protected, which helps in ensuring that protection levels and priorities are appropriate to a standard and answerable to questions like:
  o Is IT going in the right direction?
  o Are we getting enough value from IT?
  o Is our IT cost too high?
  o Are the projects meeting the timelines?
Janet Yeomans says
Deepali,
It’s important to understand that the board’s role with respect to IT governance is primarily oversight. While it’s true that the board needs to understand and approve the IT governance structure, once the structure is in place the board monitors to be sure it is being adhered to and that the results are as expected.
The board also approves the operating plan for the company each year along with supporting financial projections. In this context, the board implicitly approves the total amount budgeted for IT each year.
To summarize, the board will not typically be involved in details of IT strategy and implementation which are the responsibility of the IT organization. This includes details of expenditures undertaken by IT that are in the scope of the approved high level corporate operating plan.
Sean Patrick Walsh says
Is it common for boards of corporations to create sub-committees to oversee IT as a whole, or for specific segments of IT-related business aspects?
Richard Flanagan says
I was surprised to hear Rob mention this as I have not heard of any before. It’s a good idea though.
Jason Wulf says
3. What is the role of the board of directors in IT governance?
In evaluating the question, I looked at each portion of the question.
Role is defined by the Merriam-Webster dictionary as “a function or part performed especially in a particular operation or process”
Board of Directors is defined by the Merriam-Webster dictionary as “A group of people who manage or direct a company or organization”.
Governance is defined by the Merriam-Webster dictionary as “The way that a city, company, etc., is controlled by the people who run it”.
According to ISACA, “IT Governance is part of a wider Corporate Governance activity but with its own specific focus”
See https://www.isaca.org/Certification/CGEIT-Certified-in-the-Governance-of-Enterprise-IT/Prepare-for-the-Exam/Study-Materials/Documents/Developing-a-Successful-Governance-Strategy.pdf
Looking at academic papers I found “IT governance is the responsibility of the Board of Directors and executive management.”
See Defining IT Governance, A Consolidation of Literature
http://www.ics.kth.se/Publikationer/Working%20Papers/EARP-WP-2005-MS-04.pdf
Not satisfied with those definitions, I decided to research their role in a RACI model format.
I came across an ISACA COBIT-related article that gave me a new perspective of the board of directors’ role.
“The board shall be responsible for IT governance and put it on its agenda; IT management is responsible for the implementation of IT governance framework structures, mechanisms and processes; an IT committee should be implemented to advise the board; and a chief information officer (CIO) should be appointed to lead IT management in the implementation of the IT governance framework.”
“IT should be aligned with the performance and sustainability objectives of the organization.
The aim of the practices of this principle is to ensure that the IT strategy is aligned with the business strategy of the organization and its processes.
In relation to this principle, the board is accountable for establishing processes to identify and exploit opportunities to optimize performance and sustainability of the organization through the use of IT. ”
“IT should form an integral part of the company’s risk management.” “A risk committee and audit committee should assist the board in carrying out its IT responsibilities.”
“The goal of the practices of this principle is the joint engagement of IT and other areas on corporate risk management. The board, on this principle, demands that all legal compliance is integrated with risk management. ”
“The board should ensure that information assets are managed effectively.”
“the board must adopt/develop communication guidelines that support a communication program that meets the expectations of stakeholders.”
See http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-Focus-4-Steps-to-Integrate-IT-and-Corporate-Governance_nlt_Eng_1214.pdf
Based on my research, the board of directors is responsible for delegating management responsibility for IT governance, ensuring that IT assets are properly managed, verifying that a risk committee is keeping them apprised of the risk, and being accountable for IT governance and the associated policies.
Joseph Henofer says
Jason,
I like the way you broke down the question and defined each aspect to get a better understanding of what the question was asking. Would you agree that the vision and leadership of the board of directors will dictate how and where a company may go in the future? If yes, what are your thoughts on having strong senior management but a weak Board of Directors? Can a company still be effective? After reading through the PDFs, I now have a better understanding of what the job role is for the Board of Directors in relation to IT governance and how their actions for the company can impact its growth or decline going forward.
Jason Wulf says
Of course. The vision and leadership of the board drives the company into the future.
A company is only as strong as its weakest link. A good board of directors will figure out and correct the issues, such as weak IT leadership. In regards to weak leadership at the core of the company, the board of directors, I would recommend finding another company to work for. A bad board of directors is a difficult fix for even the best senior management.
Kevin Blankenship says
I would echo this. Strong senior management can only accomplish so much without backing from the Board of Directors. If there is not a strong vision or direction put forward, management will be left treading water, which is a dangerous place to be in a competitive industry.
Joseph Henofer says
1. In your own words, how would you define a controlled environment?
A controlled environment establishes a particular direction for the overall culture of an organization. By establishing this direction for the organization, this gives them visibility into the actions, policies, and values that both the board members and senior management have set forth for the organization’s day-to-day activities.
When you establish a strong control environment with a top-down approach, this puts your company in a position to grow and become more consistent with both business and IT strategies.
Richard Flanagan says
Joseph,
Think also about risk. The control environment helps the company to operate in the right way, thereby avoiding some of the risks that could endanger it. A poor control environment can allow behaviors that can threaten jobs (see the reference on this week’s schedule) or the company (think Enron).
Joseph Henofer says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive control – Preventive controls are controls that are used to proactively reduce the impact of a risk. The two examples of preventive controls I use in my everyday life are my sunglasses and seatbelt. Last year I had Lasik eye surgery, and I found that the bright light from the sun gave me really bad headaches, so by wearing sunglasses, it prevents headaches from occurring, especially on bright days. My seatbelt in my car prevents me from further injuring myself or eliminates an injury altogether if I get into an accident.
Detective control – Detective controls are controls that identify that an event has taken place. The two examples of detective controls in my everyday life are the text alert from my bank in regards to my checking account and my car alarm. My bank sends me a text if more than a certain amount of money is deducted from my account. If the bank sends me this alert, this informs me to investigate the transaction to my account. The other example is my car alarm. The alarm will notify me that some kind of event is happening with a loud noise. This will prompt me to investigate and take action.
Corrective control – Corrective controls are controls that fix errors or bring a system back to a non-compromised state. The two examples of corrective controls in my everyday life are Microsoft Word (auto correct) and my anti-virus application for my laptop. When I compose a document in MS Word and a word is spelled wrong, the application is set to correct the spelling of the word. The anti-virus application also fixes errors. For instance, last week I received a message stating that spyware was located on my system; the antivirus was able to clean the file and return my system to a safe state.
Richard Flanagan says
Good examples, but I would quibble about the antivirus. I think it is actually a combination of all three. It prevents viruses from being put on your system (preventative), it tries to find any that are already there (detective), and as you say it eliminates any it finds (corrective). Such a combination is common and is usually referred to as “layered controls.”
Jason Wulf says
In the taxonomy of controls, wouldn’t antivirus be considered a technical or logical control?
Xiaodi Ji says
Joseph,
I am confused about the example of the sunglasses. I think it may belong to the detective controls.
In my opinion, you wore the sunglasses after you realized that “the bright light from the sun gave me really bad headaches”. It means you found the problem after the error or risk happened, so I think this example is more like a detective control.
Joseph Henofer says
Xiaodi,
I believe the reason why I wore the sunglasses would be considered a detective control. After looking back at what I wrote, I should have used the example that sunglasses should be worn on bright days to prevent your eyes from harm.
Joseph Henofer says
3. If you’re working, have you seen examples of active IT governance in your organization?
The IT governance committee in my organization is actively looking to leverage a Cloud Access Security Broker (CASB) so the company has better visibility and controls set up into where and what the internal employees are uploading to cloud storage providers. In the last few years, cloud storage infrastructure has been on the rise, with companies like Dropbox, Box, Microsoft OneDrive and Carbonite making it convenient and easy to store data in the cloud. My company is investigating the business needs for the CASB and how it will align with our IT strategy so internal users and potential clients can use the cloud storage infrastructure in a secure way.
Another example of active IT governance in my organization is the creation of their new Client Notification Policy, specifically addressing an information security breach. Recently, companies such as Target and Home Depot have been hit with information security breaches, lowering the trust and reputation of those companies. Due to these incidents, my organization has decided to create a policy that will complement but not supersede its obligations set forth by state law.
Andres Galarza says
Joseph,
Your two points left me with the following questions.
Are CASBs vendor-neutral? If they aren’t, I wonder if your company has other, complementary, controls in place. For example, is there a company policy that excludes all cloud-based storage other than, say, Dropbox, from being used by employees? In addition to the above policy, are there technical controls (limited admin account access) that prevent someone with malicious intent from simply installing a different cloud-storage application?
Joseph Henofer says
Hello Andres,
CASBs are vendor neutral. We have policies and controls in place for data, which identify how data should be handled, standards for the use of this data, and the specific security controls. At this time we do not exclude any cloud-based storage providers. By investigating CASBs we can get a better idea of what cloud storage providers are being used by employees and develop a policy and procedures.
Xiaodi Ji says
Joseph,
I think that the cloud really helps us a lot in working and studying, which makes everything easy for sharing and working together. However, sometimes I worry about its security. How does your company solve this problem?
On the other hand, I am wondering what kind of security policy your company sets to ensure the enterprise’s information security.
Joseph Henofer says
Xiaodi,
We do have policies and controls in place that address how this data should be handled, but we do have a few employees that want to circumvent both policies and controls. I don’t know if you can ever completely solve the problem, but mitigating the risk to an acceptable level as per our general counsel is more of our focus. Our Confidential data policy identifies how confidential data should be handled, standards for the use of this data, and it outlines specific security controls to protect data.
Xiaodi Ji says
Joseph,
Thank you for your reply.
I do not have effective ways to solve this problem. I just know that today, information security is quite a serious problem. Every company takes care about it and spends a huge amount of money to build an internal security system, but we can always see some terrible news on the Internet. So this is the reason why I want to know how your company ensures information security and mitigates the risk.
Richard Flanagan says
We will talk more about this later in the course. It’s a question of categorizing your data and then giving people access to only what they need. Depending on the organization, this can be very general or very specific.
Yulun Song says
1. In your own words, how would you define a control environment?
The control environment is the upper management’s attitudes and also refers to some other factors, including internal controls, integrity, the organization’s structure, etc. The upper management’s attitudes will influence the internal controls of an organization, and it is important for upper management to understand and manage internal controls well within an organization.
For example, within an organization, upper management will care about the attitudes and behaviors of all different employees, day-to-day responsibilities, and short-term and long-term goals of the organization.
Upper management also needs to know the importance of potential risks in building a secure organization. For example, the loss of a key person’s flash drive and password is a crucial concern. If management and employees within the organization do not care about the internal risks, the costs of the risks would be really high.
Xiaodi Ji says
Yulun,
I agree with you that the control environment relies on upper management’s attitudes. However, I think the control environment is not the attitudes of upper management. Although the upper management’s attitudes can change or improve an enterprise’s control environment, the important word is environment, which is one kind of atmosphere. For example, at a party, the host’s attitudes can influence the people who attend the party. However, his/her attitudes are not the environment of the party.
Sean Patrick Walsh says
I agree with your assessment regarding upper management attitudes. I have personally witnessed what can and will happen when superiors highly regard policy, and when they disregard policy. The management’s attitudes toward policy and its importance are very influential in overall internal culture shaping and many times paramount to the success or failure of policy.
Richard Flanagan says
Yulun,
I think you have the idea but remember, it’s about knowing what behaviors you want the organization to have and then setting the expectation that only those behaviors will be accepted. This is the tone. If thoroughly incorporated into the organization, everyone understands and acts accordingly or identifies problems and they get corrected. If not, you can have all the policies you want but people will know that you won’t enforce them.
Ernest H Chan says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventative controls are proactive measures to mitigate the exposure and impact of risks.
Example 1: The Launch of a web-based Change Control Software
CA Service Desk Manager (CASDM) is used in a multi-state health insurance firm I worked for. CASDM manages IT changes through Change Orders (CO) and their subsequent Work Flow Tasks (WFT).
The Change Initiator of a project is required to enter the following information on the Change Order before the Manager’s approval and Change Management’s review:
– Change Description
– Change Type (i.e. Scheduled versus Emergency)
– Implementation Start Date and Time
– Implementation End Date and Time
– Infrastructure (i.e. Servers, Firewalls, etc.) Impacted in the Configuration Item fields
– Implementation & Backout Plans
– Proofs of testing artifacts
– User Acceptance Test sign-offs
– Work Flow Tasks for Systems Admin/Network Admin/Database Admin
Once a CO is approved, the CO will go into “Ready for Review” status for the Change Management (CM) weekly meetings. CM personnel can raise issues and possibly reject if 1) multiple COs are requesting to change the same infrastructure within 72 hours; 2) implementation duration of a change exceeds the corporate guidelines; 3) information on a CO appears to be inadequate.
Example 2: The Implementation of Virtual Desktop Interface (VDI)
A banking corporation where I worked as a consultant a year ago implements only virtual desktops in their office. The company does not set up any desktop computers or laptops for use. The VDI terminal, resembling a cable TV box, does not have a local hard drive or USB ports, only an earphone jack, a power supply port and an ethernet port. When it is powered on, it brings up a login page to a virtual desktop designated to authorized personnel of the company. The implementation of VDI reduces the risks of data exposure and safeguards their intellectual property.
Detective controls are reactive measures to capture and monitor reported events before they turn into incidents.
Example 1: The Provisioning Server monitoring tool on Linux
Systems Admins at the same multi-state health insurance firm installed nmon analyzer as part of the servers provisioning standards. Nmon analyzer, in capture mode on Linux, collects data on file system usage, disk I/O, CPU, memory, paging, top processes and so on by running low-impact OS commands and reading system logs. In that organization, nmon is used to analyze and pinpoint processes that spike CPU/memory usage, I/O activities and file system thresholds. Once a sample dataset is collected, the dataset can be parsed into its graphical analysis tool or other log reading software like Splunk.
Technical personnel use the data to locate root causes.
Example 2: The deployment of Performance Diagnostic Software
New Relic is deployed as performance diagnostic software at an internet startup I worked for. The software can aid analysis of performance degradation due to internal IT application changes. It cannot detect system changes from external users. When external users reported slow response times using their web browsers, the company turned to New Relic in real time to perform triage. New Relic can break down the real-time system overview into different layers and record the outcomes of process threads:
– Application layer (i.e. currently running threads),
– Database layer (i.e. currently executing SQLs and Stored Procedures),
– Network layer
– Operating system layer
The software itself comes with a mobile app, and monitoring personnel can configure alerts to go to their smartphones.
Corrective controls are remedial measures to restore services and systems availability.
Example 1: Database Crash
Database users often initiated long-running reports or poorly written queries from their terminals in Pre-Production on a Friday afternoon and hoped that the queries would be finished on their return the following Monday. They failed to realize that other “scheduled” activities such as high-volume load tests on a Saturday afternoon and backup systems maintenance tasks at midnight on Sunday were running. The collision of activities had caused the database or server to shut down due to running out of virtual memory or paging space. As a Database Administrator, I had to restart the database server and/or database instance before web applications could re-establish connectivity and access.
Example 2: I can’t think of an example different from Example 1 under corrective controls.
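The three reviewer reasons in Ernest’s CASDM example (conflicting Change Orders on the same infrastructure within 72 hours, an implementation window over the corporate limit, and inadequate information) can be expressed as a pre-review check. The block below is an added example written for this page, not code from the post or from CA Service Desk Manager; the 8-hour duration limit, the reading of "within 72 hours" as "start times 72 hours or less apart", and the sample Change Orders are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed corporate guideline for the longest implementation window of one
# Change Order. The post only says "corporate guidelines"; 8 hours is a
# placeholder chosen for this example.
MAX_IMPLEMENTATION_DURATION = timedelta(hours=8)
# Window named in the post: two COs touching the same infrastructure within 72 hours.
CONFLICT_WINDOW = timedelta(hours=72)
VALID_CHANGE_TYPES = ("Scheduled", "Emergency")


@dataclass(frozen=True)
class ChangeOrder:
    """The fields the post lists as required before manager approval."""
    co_id: str
    description: str
    change_type: str
    start: datetime
    end: datetime
    config_items: frozenset          # servers, firewalls, ... impacted
    implementation_plan: str
    backout_plan: str
    test_artifacts: tuple            # proofs of testing
    uat_signoffs: tuple              # user acceptance test sign-offs
    workflow_tasks: tuple            # WFTs for sysadmin / network admin / DBA


def missing_information(co):
    """Reviewer reason 3: names of required fields that are empty or invalid."""
    problems = []
    if not co.description.strip():
        problems.append("Change Description")
    if co.change_type not in VALID_CHANGE_TYPES:
        problems.append("Change Type")
    if co.end <= co.start:
        problems.append("Implementation End Date and Time")
    if not co.config_items:
        problems.append("Configuration Items")
    if not co.implementation_plan.strip():
        problems.append("Implementation Plan")
    if not co.backout_plan.strip():
        problems.append("Backout Plan")
    if not co.test_artifacts:
        problems.append("Testing artifacts")
    if not co.uat_signoffs:
        problems.append("UAT sign-offs")
    if not co.workflow_tasks:
        problems.append("Work Flow Tasks")
    return problems


def exceeds_duration(co, limit=MAX_IMPLEMENTATION_DURATION):
    """Reviewer reason 2: implementation window longer than the guideline."""
    return (co.end - co.start) > limit


def conflicting_orders(co, queue, window=CONFLICT_WINDOW):
    """Reviewer reason 1: other COs in the review queue that share a
    configuration item with this CO and start within the 72-hour window
    of its start (assumed interpretation of the rule)."""
    hits = []
    for other in queue:
        if other.co_id == co.co_id:
            continue
        shared = co.config_items & other.config_items
        if shared and abs(other.start - co.start) <= window:
            hits.append((other.co_id, sorted(shared)))
    return hits


def review(co, queue):
    """Apply the three checks; an empty list means no objection is raised
    while the CO sits in 'Ready for Review'."""
    issues = [f"inadequate information: {f}" for f in missing_information(co)]
    if exceeds_duration(co):
        issues.append(f"implementation window {co.end - co.start} "
                      f"exceeds {MAX_IMPLEMENTATION_DURATION}")
    for other_id, shared in conflicting_orders(co, queue):
        issues.append(f"conflicts with {other_id} on {', '.join(shared)}")
    return issues


# Constructed sample data (not from the post): three COs in one weekly review.
def _co(co_id, start, hours, cis, **overrides):
    fields = dict(
        co_id=co_id, description="Patch firmware", change_type="Scheduled",
        start=start, end=start + timedelta(hours=hours),
        config_items=frozenset(cis),
        implementation_plan="apply vendor bundle",
        backout_plan="reflash previous image",
        test_artifacts=("lab-run.log",), uat_signoffs=("app owner",),
        workflow_tasks=("Network Admin",))
    fields.update(overrides)
    return ChangeOrder(**fields)


SAMPLE_QUEUE = [
    _co("CO-1001", datetime(2024, 3, 9, 22, 0), 4, {"fw-edge-01"}),
    _co("CO-1002", datetime(2024, 3, 11, 1, 0), 2, {"fw-edge-01", "db-prod-02"}),
    _co("CO-1003", datetime(2024, 3, 16, 9, 0), 12, {"srv-app-07"}, backout_plan=""),
]

if __name__ == "__main__":
    for co in SAMPLE_QUEUE:
        print(co.co_id, review(co, SAMPLE_QUEUE) or "no objections")
```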
Jason Wulf says
Corrective controls fix problems found by detective controls.
Would this example work for you?
You’ve got an AC unit in the server room. The temperature gets unseasonably hot, up to 127 degrees Fahrenheit (in Arizona). The server room thermostat detects (a detective control) that things are getting a little too hot. The backup AC unit (a corrective control) automatically comes on to fix the issue.
Wenlin Zhou says
In your own words, how would you define a control environment?
The control environment is the internal control of the environment. It stands for the upper manager’s attitude and awareness in the organization in order to reduce the risk of the entity. This environment includes many aspects such as business structure, corporate culture, values, operating style, human resource policies and procedures.
The upper manager should take a positive attitude toward the control environment. I think that business governance has to be transparent and clear to follow for its lower levels. The employees should get more training in order to know the company’s policy and mission. The control environment is how a company is operated by its management, reflecting such matters as their philosophy and operating style.
Sheena Thomas says
I agree with your statement.
Attitude reflects leadership! If upper management is concerned with reducing the risk of the entity then this will filter down to the different departments.
Training is so important within an organization. If the employees are aware of the policies and the reason why the policies are in place, I think they would be more keen on following them.
Richard Flanagan says
Sheena,
Training is important but you need to ask yourself if it’s really being done to meet compliance regulations or if the organization is serious about its employees learning and following the policies. I would look for consequences of violating the policies. Do you see examples in performance reviews, have people been fired? If so, then you have a company that is serious about their “tone.”
Yang Li Kang says
In your own words, how would you define a control environment?
A control environment can be defined as the rules, policies, standards or culture created by upper management to oversee business processes and functions within the company. It is put in place in order to add value to the company by reducing and mitigating potential risks internally.
Brou Marie Joelle Alexandra Adje says
In your own words, how would you define a control environment?
Control environment refers to an organizational culture in which there is an emphasis on internal control and compliance with rules and regulations. That is, an organization in which management and employees have a preventive attitude toward risk, such as elaborated policies and/or risk management measures. In other words, the control environment is the basis of an effective system.
Janet Yeomans says
You are exactly right about the importance of an organization’s culture as a critical determinant of its control environment. It is also important to recognize that the culture results from underlying factors such as policies, management styles and actions. Perhaps most important is the tone set at the top of the organization by its senior leaders: no cutting corners, unerringly do the right things and do them right, the rules apply to everyone. This tone must resonate throughout the organization and be “part of its DNA”.
Neil Y. Rushi says
I agree with Brou, if the management and employees are on the same page, they can work together to help mitigate risk in the workplace. Also Jan has a great point, if the leaders at the top do their jobs in the right way and straightforwardly, employees will follow suit. Employees will break rules if management does also, which may result in high security risks. So in this case, it starts at the top and trickles down to the employees.
Anthony Clayton Fecondo says
I think the idea of having employees with a preventative mindset really speaks to the importance of a good control environment and emphasizes that control environments are cultural and affect the employees of the company. If a given company’s control environment can cause its people to be thinking ‘wow, this is a risk, what controls can we implement to minimize this risk?’, then that shows how control environments can snowball. The stronger the controls you start with, the more control-focused your employees are, the more controls they identify and implement in the future, and so on. Similarly, the opposite probably holds true. If your company does not implement sufficient controls, the employees will likely see controls as unimportant, and (much like the article Rich had us read) neglect implementing them as the company grows, which ends poorly.
Essentially, what I’m getting at is that a healthy control environment is important for compliance, but it’s bigger than that because it establishes a cultural viewpoint and way of doing things within the company.
Binu Anna Eapen says
3. What is the role of the board of directors in IT governance?
IT Governance is primarily the responsibility of the board of directors and senior management: ensuring the proper functioning of IT in alignment with the business objectives, managing the resources available, and making policies and decisions in a cost-effective and efficient way.
Following are the roles of the board of directors in IT Governance:
1. Approve policy
2. Ensure appropriate monitoring and reviewing metrics are in place
3. Reports and trend analysis and take necessary actions
4. Should identify the key assets and their value and approve and validate the processes in place.
5. Should abide by the compliance rules and also define and communicate penalties for non-compliance.
As per ISACA, Information Security Governance: Guidance for Information security managers, 2008 (Pg 92 CISA Review manual) to achieve the below outcomes, the responsibility of the board of directors is mentioned below:
1. Strategic alignment: Require demonstrable alignment
2. Risk Management:
Establish risk tolerance.
Oversee a policy of risk management
Ensure regulatory Compliance
3. Value Delivery: Require reporting of security activity costs
4. Performance Measurement: Require reporting of security effectiveness.
5. Resource management: Oversee a policy of knowledge management and resource utilization
6. Process Assurance: Oversee policy of assurance process integration.
Janet Yeomans says
Binu,
With respect to your points 3-5 above, I want to be sure we’re clear about the role of the board in relation to the role of management. The board should hold management accountable for taking necessary actions to correct something that board monitoring shows to be off track, but the board will not itself take actions. The board monitors outcomes and oversees adherence to approved strategy.
Key assets are generally identified by management and a list is likely to be presented to the board as part of IT strategy. So the board is not directly involved in the analysis that leads to identification of key assets.
Regarding compliance, the board must absolutely approve and respect compliance policies. Each compliance rule generally specifies the consequence(s) for failure to comply. Enforcement is the responsibility of management and management must assure the board that this is done consistently. Updates (new rules or revisions to existing rules) to the organization’s compliance manual are generally presented by management and approved by the board each quarter. Please note that IT compliance is just one area of the organization’s operations covered by compliance.
Binu Anna Eapen says
Got it
Sean Patrick Walsh says
1. In your own words, how would you define a control environment?
A control environment is a business environment with proactive steps built into its processes to control and ensure the business is meeting its objectives. The environment is further created with strict policy adherence, training, and building an entire culture around the controls and their purposes. A control environment builds confidence in stakeholders that the business is carrying out its strategy and mitigating risks when doing so.
Sean Patrick Walsh says
3. What is the role of the board of directors in IT governance?
The role of the board is to ensure the business properly leverages and aligns its IT with its core objectives and strategy. The board should ensure that there is ownership in place, both at the board level and management level, and may create a committee of some type to oversee the business’s IT facets. Depending on the industry, the board may also appoint specific personnel to ensure regulatory and industry compliance within its IT framework (i.e. HIPAA, PCI, SOX).
Richard Flanagan says
Sean,
See Jan’s comments about the role of boards. Oversight and active management is not the same thing. The board oversees what senior management is doing and the outcomes they are producing but they are not taking the actions themselves.
Ryan P Boyce says
1. In your own words, how would you define a control environment?
A control environment is, essentially, the result of what control measures are put in place in an organization. The control environment is not solely responsible for the culture of the organization but it plays a large part, as the controls of an organization will drive how people are managed and perform their day-to-day duties. A company with fewer controls will naturally experience a control environment that is relaxed. Conversely, a company that puts in place many controls varying in degree of scope and duration will experience a more rigid culture because of a strict control environment. An example of this would be a banking firm that is required to keep data extremely secure. Procuring or producing any IT-related products (applications, hardware, personnel) would be subject to a great deal of controls, thus making the control environment far more robust than, say, a small non-profit company.
3. What is the role of the Board of Directors in IT Governance?
Very simply, the role of the board or any governing body of an organization in terms of IT Governance is to remain open and understanding of the needs of IT Governance and the IT organization as a whole. It is not the board’s job to determine “how” to implement governance strategies, rather, it is their job to determine “why”. It is the board’s job to make the ethical decision to approve IT Governance proposals set forth by the CIO and upper management. It is also the board’s job to decide whether or not the changes proposed align with the overall strategy of the organization and its beliefs and values. Lower level decision making such as, ‘are Cisco switches more secure than Checkpoint switches’, should be left to individual IT units. Beyond determining “why” it behooves the organization to develop and implement IT Governance strategies, it is also the board’s job to determine how to finance these activities. A board, for example, might determine that, in an effort to remain in good standing with the public after a data breach, the company will hire a third party consulting company to conduct a forensic analysis and determine the extent of the breach. It would have been the board’s decision to put some governance in place in the best interest of its customers and to appropriate the funds necessary to allow this to happen.
5. If you’re working, have you seen examples of active IT governance in your organization?
My current employer is putting in expansive disaster recovery plans. We envision a scenario where our main data centers are lost completely for a multitude of reasons. From this scenario we have to be prepared to experience minimal downtime and be able to restore necessary systems in minimal amounts of time. As part of this process, we are building out an environment offsite that will be able to handle such a scenario. This project needs to be highly visible to executives as it encompasses a large part of my employer’s continuity plans. I have personally seen executive’s names on emails that correspond to this disaster recovery project. I believe putting disaster recovery measures in place is a form of IT governance. While this may seem like a necessary initiative and, by all measures it most likely is, the board of the organization has an obligation to make sure certain systems are functional even after a disaster occurs. Business continuity and disaster recovery projects are forms of IT governance best practices.
Richard Flanagan says
Ryan,
Regarding #1, remember it is a matter of tone. You can have all the controls but are you using them?
On #5, we will be spending the next several weeks talking about how companies decide where to invest their IT dollars. Any single project can be a good decision or a bad one. This sounds like a good one, but keep this example in mind as we talk about enterprise architecture, IT strategy and portfolio management.
Andrew P. Sardaro says
1. In your own words, how would you define a control environment?
A control environment is management’s expected behavior and desired results through the use of policy, procedures and practices. A successful control environment has an established culture to add value and avoid risk.
At Temple our Performance Development System holds all administrative employees to exemplary service so that our students, parents, colleagues, patients and community members have a positive experience when working with Temple University. Staff not adhering to the Temple University Exemplary Services Guidelines will be rated accordingly.
Andrew P. Sardaro says
Define the three kinds of common controls and give two examples of each from your everyday life.
• Preventive controls: These are controls that are in place to avoid a problem from ever happening. Examples from my everyday life are as follows. I am an avid biker for sport and commuting purposes. Flat tires are a normal occurrence for bikers, but I reduce this risk by checking my tires’ psi level and checking the outer tire for defects prior to riding. Another example is at work we use a ticket tracking system for incident management. If we have a time-sensitive ticket, we set a target date on the call so that we do not exceed the due date for the request.
• Detective Controls: Detective Controls are in place to notify or alert you that a problem or breach exists. Examples from my everyday life are as follows. I use Wells Fargo banking, and I set up notifications on my debit card for all purchases that exceed a certain amount of money. This has helped me on two different occasions with unauthorized charges against my card. Another example is I am enrolled in Temple’s TU Alert system. I receive text and email notifications of dangerous incidents on Temple’s campus and the surrounding neighborhood so I can avoid the location.
• Corrective Controls: Corrective Controls are in place when something goes wrong and allow you to quickly recover and minimize downtime. Examples from my everyday life are as follows. In cases where I get a flat tire when biking, I always carry a spare tube, patch kit and CO2 to quickly return to my ride. Another example is when a user at Temple accidentally deletes or saves over a required document version. We use Windows Volume Shadow Copy and Veeam backup/restore utilities to recover the file for the user.
Magaly Perez says
Jan Yeomans section:
1. In your own words, how would you define a control environment?
A control environment is an established setting in which regulations and procedures are used and enforced by governing bodies of an organization; their main purpose is to influence the control consciousness of their establishment such as providing discipline and structure.
Overall, internal control can aid an organization’s success, by ensuring its attainment of basic business goals. However, internal control cannot change characteristically poor management. Also, shifts in policy and procedures, competitors’ engagements or economic conditions can undermine a control environment.
It affects IT in the following ways:
• Creates reliability in IT processes and operations
• Helps in assigning authority and responsibility
• Helps in creating a preventive environment against any kind of fraud, such as data breaches and security and financial fraud, etc.
• Safeguards IT Infrastructure
• Ensures data integrity
Janet Yeomans says
Magaly,
You connect all of the pieces well and your point about poor management undermining the benefits of a control environment that look good on paper is excellent. Tone is set at the top. Do the right things and do them right. No short cuts, no rule bending.
Ahmed A. Alkaysi says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
The three common controls are:
Preventive – which are used to “mitigate the occurrence of risk.”
Detective – which are used to analyze or research whether a “predefined event occurred.”
Corrective – these are used to remedy and restore “the current state to an approved state.”
An example of Preventive: I need a password to login to my computer. This is to mitigate the risk of someone who is unauthorized to access my computer.
An example of Corrective: A file uploaded to a document management application has been overwritten by an older version. I revert the changes so that the latest file is now on the application.
Ahmed A. Alkaysi says
5. If you’re working, have you seen examples of active IT governance in your organization?
Yes I have. Working in the financial industry, we take controls seriously. An example would be, before any production release we walk through the changes that are going to be implemented, who is responsible for the changes, and what the resiliency plan is in case the change doesn’t go as expected.
There is also a change management system. For any document or code changes, we are required to describe when, what, and why we made the change and review it with team members, team leads, and managers.
One other example I have noticed: there are teams in our organization dedicated to making sure our applications are compliant and able to pass an audit. In the case that the application is unable to meet compliance, a “break” is opened and the issue needs to be resolved in a specified number of days.
Andres Galarza says
Ahmed,
I was curious as to who exactly is held responsible if a change leads to a break that needs to be fixed. Is there a development team leader or someone else that approves these changes? Is the resiliency plan (in the event of a break) facilitated by some sort of version control?
Ahmed A. Alkaysi says
3. What is the role of the board of directors in IT governance?
The role of the board is to provide oversight and make sure there are processes and procedures in place for controls. The board sets the vision for the company and promotes values around controls throughout the company. They develop the strategies for business and evaluate metrics to make sure IT is meeting the business’ objectives. They also need to make sure to delegate the roles and responsibilities of the different aspects of IT governance to the correct individuals or teams. In case the worst occurs (cyber breaches and the like), the board must make the decisions needed during the remediation process.
Loi Van Tran says
Ahmed,
This is a very good summary of the role of the Board of Directors in IT governance. I’d like to highlight the board’s meaningful oversight of the company’s proactive actions to mitigate cyber risks. Board Members may not have the technical expertise to monitor the organization’s cyber risk, so it is important that when the board selects a person or entity who “owns” the process, that they are able to frame cyber risks in business risk terms.
Anthony Clayton Fecondo says
I especially like that you said the board’s role is oversight. The board won’t actually take any direct action involving IT governance. The IT department will formulate, implement, and monitor IT governance. I see the board as knowing the direction that the company as a whole should be headed, but on a grand scale. They have the macro viewpoint of the company because there are too many facets of a business for them to be deeply involved in. So rather than dictate exactly what the IT department does with governance, the board just confirms that it aligns with the corporate mission, vision, and values statements. On top of that, the board might appoint the CIO to feel more assured that the person in charge of the department understands the goals of the organization at large.
Overall, I think you pretty much nailed the role of the directors, I just wanted to emphasize a few specifics and see what you thought about them!
Ahmed A. Alkaysi says
1. In your own words, how would you define a control environment?
There are many different factors that can be included in the control environment. One way I will define it is: it is a set of values, policies, practices, and processes that allow objectives to be met in a risk-optimizing way. In a strong control environment, the business is able to meet its objectives by mitigating the risks involved in achieving them. The control environment should also have clear roles and responsibilities for all teams and individuals involved. This way, people aren’t doing redundant work and the chances of straying off the path of compliance are further mitigated.
Joseph Henofer says
The DentDel Case Q&A
1. What processes were ineffective and allowed this situation to occur?
The first process that was neglected in the DentDel Inc. case was that both the executive committee and general counsel were not consulted on the project. By not bringing the project up for discussion with the governance committee, the project was a bust and now the company will have to pay for their financial mistake. Most successful enterprises exist to create value for their stakeholders, which to many stakeholders may be interpreted as different or conflicting things. By not consulting with the governance committee the CFO, CIO and VP of Sales did not create any value for the company. They actually cost the company a financial loss. I understand what the CFO, CIO, and VP of Sales were trying to do by updating their infrastructure on ordering equipment for customers, but at the same time, a project of this magnitude needed to have the approval of both the executive committee and general counsel.
The other process that was ineffective was the lack of communication between the CFO and executive committee. This is made clear when the CFO realizes that the project is over budget and the write-off would have to be disclosed to the SEC. By not communicating the project and project issues to the CEO and COO so they could present and get approval for the project, this put the CEO in a difficult situation. I would have thought that a CFO who is part of the executive committee should have taken a more proactive approach to communicating the entire project to the executive committee before allocating such a large amount of money.
The last process that I felt was ineffective was the overall direction of the executive committee and general counsel. In this case, it seemed that the company didn’t have a direction it wanted to pursue once the industry changed. I actually applaud the CIO for taking the initiative to come up with a cost-effective solution to help make the company adapt to the changing industry. I get the impression that the CFO was more worried about the financial savings the company would receive from the project, instead of the overall position and value of the company. This was clear when only limited discussions took place within the group after the CIO presented the savings and operational benefits.
Deepali Kochhar says
Q 2. Define the three kinds of common controls and give two examples of each from your everyday life?
Three types of common controls are:
Preventive:
• Detect problems before they arise and make adjustments
• Monitor both operations and inputs
• Prevent an error, omission or malicious act from occurring
• Segregate duties
• Control access to physical facilities
• Use well designed documents to prevent errors
• EXAMPLE: Employ only qualified persons, use access control software to allow only authorized users, use encryption software to prevent unauthorized disclosure of data
Detective:
• Controls that detect and report the occurrence of an error, omission or malicious act
• EXAMPLE: Duplicate checking of calculations, review of activity log to detect unauthorized access
Corrective
• Minimize the impact of a threat
• Identify the cause of the problem
• Modify the system to minimize the future occurrence of the problem
• EXAMPLE: Disaster recovery planning, Backup procedures
Joseph Henofer says
The DentDel Case Q&A
2. Where could stronger IT governance have helped DentDel avoid this situation?
I believe that the IT governance could have been stronger in the DentDel company by providing direction and communication with its corporate executive committee. The DentDel company showed a lack of direction because the CFO took it upon himself to lead the project to a point that cost the company a great financial loss as well as a potential reputation loss. For example, the CFO was able to approve a budget for a project that would restructure their whole ordering process for sales in a ten-minute discussion, without any approval from the corporate executive committee or general counsel. This makes me question if their IT strategic plans were aligned with their financial plans in a consistent and efficient way. An example of this was stated when the CFO would sit in on meetings affecting financial issues and there was not a chairperson elected to oversee the other parts of the project.
The other instance where stronger IT governance could have helped the company was in their communication structure about the project. The group’s desire to implement the project quickly and lack of communication to the proper groups ultimately put them in a position to fail. This was very clear when the budget and plan for the project were approved without executive committee and general counsel input. I would believe that if they had involved the general counsel and the rest of the executive committee they may have avoided some or all of the issues that were raised in the last meeting. The other instance where the communication was lacking is after the last status meeting where the CFO was informed about how far the project was over budget and what the financial consequences would be if they didn’t stop the hemorrhaging of money. This poses the question: did the CFO sit in any of the meetings that affected financial issues? The case study states that one of the roles of the CFO was to sit in on meetings affecting financial issues, so I would think that at some point before the last meeting the ad hoc project committee would discuss in some capacity whether they were under, on target or over for the project. This lack of communication, whether it be on the ad hoc committee or the CFO side, positioned this company into financial disaster. If DentDel had stronger IT governance that provided direction and better communication then the project would have had the opportunity for success.
Fred Zajac says
Define the three kinds of common controls and give two examples of each from your everyday life.
1. Preventative
a. Checking the lights on the dashboard of my car will tell me if:
i. I’m going to run out of gas
ii. Engine is going to need service
iii. Oil is low
b. Checking to see if the security system is set at night will tell me if:
i. There is a fire
ii. An intruder
iii. Unexpected guest
2. Detective
a. Looking at my 13 year old son’s weekly school report will alert me if:
i. He was unprepared
ii. Late to Class
iii. Disruptive
b. Checking my Ameritrade account regularly will alert me if:
i. Missed trade opportunities
ii. Generated a diminishing return
iii. Any news on holdings
3. Corrective
a. Organizing my tasks will fix:
i. My forgetfulness
ii. Arguments
iii. Late / Missed Appointments
b. Putting my 2-4-year-old sons in time-out or bribing them will fix
i. Fighting with each other
ii. Not doing what I ask
iii. My wishful thinking…
Joseph Henofer says
Fred,
Would you consider that checking the lights on the dashboard of your car is more of a detective control than a preventative control? For instance, when the check oil light comes on it’s detecting that there is an issue with the oil. Now if you get your oil changed every 3,000 miles or every three months regardless of the light indicating you need to check the oil, that would be preventative.
Folake Stella Alabede says
1. In your own words, how would you define a control environment?
A control environment can be seen as the foundation on which an effective internal control structure for an organization’s daily activity is built.
The effectiveness of the control environment depends largely on the tone set by the organization. The board of directors/management/executives should set a tone that influences control consciousness and stresses the importance of adherence to the controls put in place to help the organization achieve its objectives; this could be expressed in many different forms such as policies, procedures, guidelines, cultural values, etc.
Yulun Song says
3. What is the role of the board of directors in IT governance?
Nowadays, businesses and organizations target Information Technology more than before. So IT governance is created to govern those policies and practices to ensure IT runs smoothly.
So the board of directors in IT governance should focus on the organization’s IT resources, risks and information, and on how related technology supports business objectives. The board of directors should evaluate and approve strategic plans, set priorities, and review major initiatives and operational performance.
Board members should consider getting involved in IT oversight: balancing the strategic project and technology for competitive advantages; balancing the major technology implementation with complicated installation period and related costs; being aware of information security and privacy.
http://www.litcom.ca/understanding-boards-role-governance/
Priya Prasad Pataskar says
Q] In your own words, how would you define a control environment?
– The control environment defines the organizational attitude and is implemented by the top management. It establishes a common platform of structure and discipline for all employees.
– A control environment makes it easy to understand how efficiently objectives are achieved. It gives an understanding of areas of improvement for the organization.
– Boards of directors formulate policies and procedures, basically standard best practices for all to follow, and ensure by delegation of authority that the policies are followed. It ensures the business environment is always under governance.
Ex. The organization is at risk from external hackers. After realizing the risk, the BOD along with the Security team decides that an application scan must be done twice a month. A report must be generated and risks must be mitigated. The BOD may sign off on the policy, and the Security team to whom the task is delegated must perform the scan. If the scan is not done in time, a valid exception must be raised. The BOD should request a report containing scan results, frequency of scans, exceptions raised and status of mitigation actions. A controlled environment will be in a position to lower the risk from external factors and efficiently concentrate on business processes.
Xiaodi Ji says
1.In your own words, how would you define a control environment?
Control environment: It is an atmosphere in daily work. Everybody does what they should do and remains self-motivated.
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive controls: Making plans, policies or forecasts to reduce risks or avoid errors.
Doing laundry. Our parents and some websites tell us which kinds of clothes can be washed together (policies). Then we decide how to separate the clothes into two or three stacks (plan).
Traveling. Before we visit some place with a tour group, they will give us a schedule telling us when we should take the plane and when we are free to go shopping. Meanwhile, they also give us some papers telling us what we should do if we cannot find the group or are robbed.
Detective controls: Finding out whether errors happened after the activities.
Doing laundry. Double checking each stack we separated (activities) to make sure that we did not mix any trouble into it. For example, we do not put red socks into the white stack.
Programming. After we finish writing code (activities), we double check our code to find out whether it follows the design and whether it is correct in logic and syntax.
Corrective controls: Starting a forecast to correct errors.
Doing laundry. We find that we put a dark blue T-shirt in with the white clothes in the washing machine when it is full of water (error happens). We press the stop button and find that T-shirt (error). We take it out of the washing machine (fixing error).
Cooking. We find that we put too much salt (error) in the dish while cooking Chinese food. We will try to add some sugar or water to dilute it (fixing error).
3. What is the role of the board of directors in IT governance?
Making sure that the IT department does well. It is a decision-making level.
a. Voting for a CIO to manage the IT department.
b. Checking IT audit reports to control the budget.
c. Making key decisions to ensure the IT area works well.
d. Examining IT activities to estimate efficiency.
4. Which of the EDM processes do you think is most important and why?
I think that EDM04 Ensure Resource Optimization is the most important process. First of all, resource optimization can make things more efficient. Take Microsoft as an example. When they started creating Windows 7, a lot of technicians and equipment were transferred from other operating systems to this one. They even announced that they would stop updates for Windows 98 and Windows Me. It helped Microsoft create this system very quickly and achieve great success.
Then it can save a lot of money. For example, for the finance department, the stability and the speed of calculation are the most significant. Thus, their computers only need a basic display card, or can just use an onboard video card rather than a high-powered one, which will save a lot.
Finally, material resources can be turned to best account, such as reusing monitors, keyboards, mice, and hard disks, fixing or combining hardware to get a more powerful and useful computer, and using old computers for simple jobs. Therefore, I think resource optimization is not only a good way for an enterprise to save cost and increase efficiency, but it also sets a good control environment.
5. If you’re working, have you seen examples of active IT governance in your organization?
No, I am not working.
Alexander B Olubajo says
Xiaodi,
In its own different way or form of capacity each of these EDM processes is definitely important, but wouldn’t you agree that EDM01: Ensure governance framework setting and maintenance might just be more important than the others because it ensures that there is a framework / solid foundation in place for IT to build upon? My thinking is that without this core foundation laid down there would be no structure/order for the other processes to follow.
What do you think?
Xiaodi Ji says
Alexander
At first, I thought EDM01 was not the most important one because a framework often does not do what it should do, just like a plan. Sometimes when we make a plan and want to follow it, we find that it only works for some period. Then, even if we rewrite the plan and want to use it to remind us, we do not follow the plan. The same thing happens in the company. Companies create some effective ways to manage employees, but some employees break them and get extra gain, which can be copied by other employees. On the other hand, if we always follow the framework, it may limit employees’ creativity. This is the reason why I did not choose this.
I will reconsider, however, my answer for this question based on your idea and some other people’s ideas. I think that making this core foundation is very important. I also think that changing it based on the development of the enterprise may also be the key for EDM01.
Thank you for your reply. It really helped me reevaluate my point.
Priya Prasad Pataskar says
Q2] Define the three kinds of common controls and give two examples of each from your everyday life.
An organization has to safeguard itself against the various risks and build a security framework to ensure a controlled environment. The various types of controls to ensure efficiency in the governance of an organization are:
Directive Controls: Controls that formulate a policy or procedure for the organization to follow.
ex. in everyday life: Preparing a monthly budget
Deterrent Controls: Controls which are restricted with a warning or caution
ex. in everyday life: Warning on the electric board displaying a danger sign
Preventive Controls: Controls that are established in order to avoid risks
ex. in everyday life: Having an insurance plan
Setting up passwords to secure authentication to online bank accounts
Detective Controls: Conducting reviews and validating if controls are in order
ex. in everyday life: Reviewing the budget plan in case of sudden expenditure
Corrective Controls: These controls establish a corrective action in case of failure of a control, to keep the risk at a minimum
ex. in everyday life: Maintenance of the car or changing spare parts must be done in case of failure
Source [http://www.theiia.org/chapters/pubdocs/242/Internal_Controls_Basics_IIA_040709.pdf]
Silas Adams says
I responded to the same question, albeit incorrectly, and I had to subsequently leave a comment to that effect. I enjoyed reading yours because it gives really tangible ‘everyday’ examples. I just wanted to add an example of a compensating control. A compensating control is a control wherein the original control (detective, preventive, directive etc…) leaves an (x) amount of residual risk from the original risk it attempted to mitigate. For example, without the control you have 100% risk; when the control is placed in operation you have 30% residual risk (meaning you mitigated 70% of it), but management says their risk tolerance is 5% risk – in order to accomplish this you need to place a compensating control in operation to meet that risk tolerance level. During my day to day I witness this type of control in place fairly often.
Again I liked your comment and the perspective you took on it. Be well!
Silas Adams says
I should clarify after re-reading my comment. There is a point of diminishing return when it comes to implementing controls. Hence the need for compensating controls. If the business deems that investing an additional dollar in layered controls to cover one control gap or mitigating a risk is not worthwhile, they will implement less costly compensating controls that would prove to be incrementally more financially viable.
This would cause them to implement a compensating control to mitigate residual risk as opposed to implementing another preventative, detective or corrective control.
Richard Flanagan says
Good discussion of compensating and layered controls. The important issue for now is that there is always risk and no one can eliminate it entirely. Therefore there is a natural tension between setting up controls to minimize risk and the cost of doing so. Whenever we look at a set of controls remember to take things in this order:
1. Are the controls sufficient? Meaning, if they are working well, will they minimize the risk?
2. Are they effective? Meaning, are they producing the expected results?
3. Are they efficient? Meaning, are they the least expensive way of doing it?
Abhay V Kshirsagar says
Priya,
One example of a Deterrent Control that I see every day is the email Temple sends us with all sorts of warnings. For example, we usually get emails saying that no Temple employee will ever ask us for our TU Access net password, and that we should never share it with anyone.
Vaibhav Shukla says
The board of directors can play a very important role in IT Governance.
It is most important to keep IT goals aligned with the business goals rather than viewing them as separate entities, as the increased role of the board of directors will increase business value from IT and improve the monitoring of IT-related risks.
The ideas chalked out during the board meetings are of strategic importance for the organization, so it is highly important to keep an IT agenda during the board meetings for bringing business value to the IT governance.
Furthermore, it has been seen in the past that when policies are governed from the top it sets a different tone among the lower levels in terms of implementing policies effectively. With the growing importance of cybersecurity, and as the issues involving cybersecurity are constantly changing, it has been seen that there cannot be constant policies and implementation rules for a longer duration within an organization, so the board has to be proactively involved with IT governance and should have regular meetings with the IT steering committee to remain informed about IT risks and policy. In the organizations where the board is updated with IT policies, it is easy for the IT steering committee to pool resources and money in a faster manner to implement their goals.
The board of directors is also the final escalation point for IT issues and their resolution.
Andres Galarza says
Vaibhav,
Your point of setting a tone resonates with me. I liked the snippet from our readings that argued that something like information security training, needs to be led by the highest levels in the organization. Nothing is more deflating than leadership who mandates “Cyber Awareness Training” for an organization of hundreds of people, but claims to be “too busy” to finish the training himself or herself.
Janet Yeomans says
Vaibhav,
Your point about IT, and certainly cyber security, being dynamic vs. static is an important one. Board members must be looking ahead and prepared to ask the right questions of management. Management must be held accountable for having a thoughtful, researched response. A fruitful discussion can then ensue.
Mansi Paun says
Vaibhav, Great point about the funding being relatively easier for projects that the Board is well-informed about.
I’ve often heard acquaintances complaining about projects getting scrapped due to funding issues despite the project being of great value, whereas seemingly unimportant projects were underway with budget left to spare. Of course there could be other reasons for the Board’s decisions, but it certainly helps if the Board is kept looped in, as they have the final say and can approve exceptions.
Richard Flanagan says
Vaibhavi,
Take a look at Jan’s comments. I read your note as the board taking an active role in management. Remember, it really oversees what management is doing and is not actively managing the organization itself. It’s important to keep the roles straight.
Silas says
Q1: In your own words, how would you define a control environment?
I would define it as the intangible pervasive IT culture. It is the atmosphere under which a control conscious organization can be created and maintained. It is fragile in the sense that it can be changed by organizational leadership with relative ease. As with anything involving management with intangible organizational characteristics, it must be periodically revisited such that the organization doesn’t begin to lose its IT control environment. The environment must be aligned with business objectives, able to ensure that information presented to stakeholders is complete and accurate and also promotes operational efficiency and effectiveness. Once the control environment is established, the tone is there and the organization is control conscious, the internal controls can begin to take shape.
Richard Flanagan says
Silas,
Why did you limit your definition to “IT culture”?
Silas Adams says
Q1: In your own words, how would you define a control environment?
I would describe it as the intangible pervasive IT control consciousness. Meaning that the IT control environment is the atmosphere under which an IT control conscious organization can be created and maintained. Much like any intangible organizational characteristic (such as culture), the IT control environment must be revisited periodically to ensure that it hasn’t waned and the environment is still intact and sending a consistent tone. It can be easily changed, as leadership can change the IT control environment with relative ease. It can’t be segregated from business objectives or by business segments, it must be a system in which all pieces of the organization must partake. The control environment must be created in such a way that organizational strategic objectives are considered, additionally the control environment must be designed such that any information disseminated out to stakeholders must be complete and accurate, lastly, the control environment must have a collective consideration around promoting operational efficiency and effectiveness. To me an IT Control Environment is an organizational collective tone and is the foundation upon which internal controls can begin to take shape to manage risk and aid the business in meeting its strategic objectives.
Silas Adams says
Q2: Define the three kinds of common control and give two examples of each from your everyday life.
While I was confused by the language in this question, I think (please correct me if I’m wrong) Dr. Flanagan was referring to common types of IT controls in place within organizations. I’ll answer the question from that perspective.
1. Information Systems Development
2. Computer Operations
3. Logical Access
1a. An example of controls from my work is ensuring that system software changes or application changes do not get migrated into production without first being tested in a testing environment and authorized and approved prior to migration. Inherently the control would dictate that there be segregation of duties throughout the process.
1b. Another example would be that all vendors that have hosted applications in place at the client provide a SOC1 report evidencing that the vendor has similar controls in place with regards to system software changes and application changes.
2a. Batch processing errors must be researched and resolved. For example if an investment firm automatically receives pricing updates from the DTCC/NSCC and the batch job runs overnight and automatically updates the prices, if that batch job were to fail it must be researched and resolved in a timely manner. There are many controls over such instances of batch failures, the resulting losses could be fairly large.
2b. Any disaster recovery controls; for instance, if backups need to be rotated offsite, or if they’re using a hot-site to replicate data in real time since their RTO is really low, there are controls around DRP testing, operation and even recovery tests.
3a. Logical access is a pervasive issue that can have extensive ramifications throughout a business. For example, if a person who can request access also has the ability to approve access, then what is stopping them from having access to Vendor Management applications and the General Ledger for the business? Nothing; if they meet all sides of the fraud triangle there is nothing preventing them from performing fraudulent acts.
3b. Access revoked in a timely manner: it is important for organizations to revoke access of terminated employees (and I’m sure we all know why). A common issue is that the user’s access is revoked at the Active Directory level but not at the application level. If the application authenticates through AD and it’s single sign-on, the business usually just removes the AD access. This is a common IT control failure. The user’s access must be removed at both levels for the control to be considered suitably designed and operating effectively.
If I totally botched this question (Q2) my apologies, I hope someone learned something.
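A reconciliation check for the failure mode in 3b above (access disabled in AD but still active at the application level), added here as an example and not code from the course or any product. The CSV exports, user names, dates and the two-day revocation SLA are constructed sample data.

```python
"""Reconcile an Active Directory user export against an application's own
user table to find terminated users whose access was revoked in AD but
never removed at the application level, plus local accounts that bypass
AD entirely.  Constructed example: every name, date and the SLA are made up.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed AD export (what an auditor might pull with Get-ADUser).
AD_EXPORT_CSV = """sAMAccountName,enabled,disabledOn
jsmith,true,
akhan,false,2017-03-01
mlopez,false,2017-03-10
tnguyen,false,2017-03-10
bwong,false,
rpatel,true,
"""

# Constructed application user table exported from the app's admin console.
APP_USERS_CSV = """username,status,auth
jsmith,active,sso
akhan,active,sso
mlopez,disabled,sso
tnguyen,active,sso
bwong,active,sso
rpatel,active,sso
vendor1,active,local
"""

# Assumed policy: application access may lag an AD disable by at most 2 days.
REVOCATION_SLA = timedelta(days=2)


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str    # stale_access | pending_revocation | orphan_account
    detail: str


def parse_ad_export(text):
    """Map lower-cased sAMAccountName -> (enabled, disabled_on or None)."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        enabled = row["enabled"].strip().lower() == "true"
        raw = row["disabledOn"].strip()
        disabled_on = date.fromisoformat(raw) if raw else None
        users[row["sAMAccountName"].strip().lower()] = (enabled, disabled_on)
    return users


def parse_app_users(text):
    """List of (username, status, auth) tuples, normalised to lower case."""
    return [(r["username"].strip().lower(), r["status"].strip().lower(),
             r["auth"].strip().lower())
            for r in csv.DictReader(io.StringIO(text))]


def reconcile(ad_users, app_users, as_of, sla=REVOCATION_SLA):
    """Return findings for every application account still active although
    its AD account is disabled, or that has no AD account at all."""
    findings = []
    for username, status, auth in app_users:
        if status != "active":
            continue                      # already revoked in the app
        if username not in ad_users:
            findings.append(Finding(username, "orphan_account",
                                    f"active {auth} account with no AD user"))
            continue
        enabled, disabled_on = ad_users[username]
        if enabled:
            continue                      # legitimate, still employed
        if disabled_on is None:
            # Disable date missing from the export: cannot prove it is within
            # the SLA, so treat it as overdue rather than silently skipping it.
            findings.append(Finding(username, "stale_access",
                                    "AD disabled (date unknown), app still active"))
            continue
        lag = as_of - disabled_on
        issue = "stale_access" if lag > sla else "pending_revocation"
        findings.append(Finding(username, issue,
                                f"AD disabled {disabled_on.isoformat()}, app "
                                f"still active after {lag.days} day(s)"))
    return findings


def run_sample(as_of_iso="2017-03-11"):
    """Run the check over the constructed data; returns {username: issue}."""
    findings = reconcile(parse_ad_export(AD_EXPORT_CSV),
                         parse_app_users(APP_USERS_CSV),
                         date.fromisoformat(as_of_iso))
    return {f.username: f.issue for f in findings}


if __name__ == "__main__":
    for f in reconcile(parse_ad_export(AD_EXPORT_CSV),
                       parse_app_users(APP_USERS_CSV), date(2017, 3, 11)):
        print(f"{f.issue:<19} {f.username:<10} {f.detail}")
```

Only "stale_access" and "orphan_account" findings represent a control failure; "pending_revocation" is within the assumed SLA and just needs follow-up.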
Silas Adams says
Seems like I messed this up, with regard to preventive, detective and directive controls. But I’ve given examples of two of the three up above! Also Dr. Flanagan, why isn’t a ‘Compensating Control’ not considered?
Silas Adams says
Q5: If you’re working, have you seen examples of active IT governance in your organization?
Since I work with a lot of different clients (11) – I’ve seen examples of both active IT governance and not so active IT governance and I enjoy seeing the ramifications of each example as we perform testing around IT General Controls and Business Process Controls.
Personally, the most rewarding thing I see with organizations with active IT governance is that during testing the clients know exactly who is responsible for certain controls and they can provide evidence extremely quickly without a lot of changing of hands. Organizational roles and responsibilities are clearly defined and they can execute on providing evidence, and flow and process narratives, in simple and easy-to-understand ways. This definitely isn’t the case when there is not-so-active IT governance. It becomes arduous and we end up having to manage the client from beginning to end to bring testing to fruition, and there often tend to be issues within these organizations. I would assume it is due to the fact that since it isn’t clear who is responsible for what, the control will simply not operate for an extended period of time. This leads to dramatic financial and business impact.
Andres Galarza says
“Define the three kinds of common controls and give two examples of each from your everyday life.”
Like others have stated already, I took the three “kinds” of controls to be preventative, detective and corrective.
I really enjoyed reading through the “SANS Top 20 Critical Security Controls” list in the IBIT report. As I read through them, I wondered how they might be applied to my own home office/network. I’m still a networking/IT novice, so the execution of some of the controls left me scratching my head. For example:
– “Limitations and Control of Network Ports, Protocols and Services”
I’d classify this as a preventative control. Through readings for this class and others, I know a step I could take to mitigate my risk would be to close my Telnet port (Port 23), if it’s open. However, I’d be lying if I said that I’d ever done this before and I assume it’s turned on by default.
– “Inventory of Authorized and Unauthorized Devices”
I’d classify this as a detective control. This seems like an incredibly straightforward task on paper. However, I then started to wonder how I would confirm what devices are connected to my network. How about my wireless network? Another control in this family applies to software, and that may also prove challenging. I know enough to open up Task Manager and see what processes are running, but I’m not entirely confident I’d be able to pick out something wrong unless it was painfully obvious.
Even if I’m not sure how to resolve the above two controls at this point, I feel like through this program, I’m moving in the right direction.
Richard Flanagan says
I encourage everyone to take a close look at the SANS Top 20. They are the basis for a company’s good security housekeeping.
Silas Adams says
The DentDel Case:
I’d like to frame the issue a little differently.
– What the company does: Wholesale distributor, purchases and resells dental equipment in BULK
– Industry shift from direct sales approach to consumer-driven order processing through internet
Issues:
– OLD WAY = Taking orders in paper and having a physical transfer of orders nightly for processing.
– NEW WAY = Orders come in via the internet
Risks:
– OLD WAY = Risk of human error is extremely high; this is a revenue impacting event and as such is considered (on all accounts) a high risk area and would be subject to rigorous testing. This is a mid-size company as an $8 million write-off would be considered material.
Action:
– They are undertaking a substantial change with how they record sales and process them to ultimately book their revenue.
So what processes were ineffective and allowed this situation to occur. (COBIT 5)
PROJECT BUDGET OVERAGE
1. Stakeholders’ needs were not addressed (no Goals Cascade type assessment was used). The Enterprise’s Goals were not addressed and as such did not align with or guide the IT-Related Goals. There was no Board of Director buy-in and not all C-suite executives were involved (some were not even on the ‘ad hoc committee’). The goals cascade defines tangible objectives and responsibilities, which maximizes the benefits realized, optimizes resource utilization and is important to optimizing the risk associated with project implementation. As a result the project was tracking a 56% budget overage only 1/4 of the way through the project. The project would definitely have to be shut down so that the firm’s viability isn’t compromised.
INTERNAL DIFFICULTIES
2. Covering the enterprise end-to-end. There were no clearly defined roles, activities and relationships during the project’s implementation. They created an ‘ad-hoc’ committee. Some issues with that is, who does that committee report to? What were the roles in the committee? If Rafael only sat in meetings affecting financial issues, who dictated what in the project’s implementation process required Rafael’s buy-in?
In my opinion the project should have a flow similar to this:
1. Risk assessment
2. Business case
3. Present to C-Suite and Board
4. Upon approval create an oversight committee
5. Establish project timeline and critical path
6. Establish progress checkpoints using the critical path
7. Identify acceptable levels of scope creep
8. Begin project
9. Oversight committee meets regularly for monitoring
Ahmed A. Alkaysi says
1. What processes were ineffective and allowed this situation to occur.
The biggest reason this situation occurred was mismanagement by Cedric. Instead of evaluating possible solutions to the problem that DentDel was facing, Cedric chose to create this brand new IT system around the P-Phone just because he owned one. This proved to be costly, as the phones had terrible signals and in the end.
Cedric also refused to listen to the advice of Sarah, the VP of sales. She mentioned to Cedric that the dentists had no time to visit with the sales team, and would prefer if they could order online. Instead of utilizing this free advice, Cedric became angry and refused to listen.
2. Where could stronger IT governance have helped DentDel avoid this situation?
One thing that could have helped avoid this situation was having a clear managerial structure around the project itself. Instead of having an ad hoc committee running this project, there should have been a chairperson established and a project manager involved. A member of the audit team should also have been involved from the beginning, making sure that the project deadlines were met and they were on track financially.
This project should also have been presented to the executive leader, to make sure this project received full backing and support, as it is made evident by the IT staff that business was not providing enough resources and attention.
Richard Flanagan says
Ahmed,
Dentdel certainly does have the problems you highlight. I would say, however, that the major problem is that there is no effective control environment. No one is being held accountable for doing things in the right way. No steering committee, no enterprise architecture, no project management process, no effective project review, etc. Dentdel’s approach seems to be that management can do whatever they think will generate results without regard to how it’s getting done. That generates a very risky environment and, in this case, the risk was realized.
Ahmed A. Alkaysi says
4. Which of the EDM processes do you think is most important and why?
I think EDM01 Ensure Governance Setting and Maintenance. Successful IT projects begin from the top. The most important aspect for any project is a stable structure or framework which establishes the principles, processes, and practices. IT strategies that do not align with business strategies will ultimately cause any IT project to fail. This EDM, if followed, ensures that these projects will meet the business’ goals and objectives.
Fangzhou Hou says
In your own words, how would you define a control environment?
The control environment includes the factors that have an important influence in establishing a policy or project to minimize the risks. It also stands for the understanding, attitude, and action of upper management about internal control. The control environment ensures the efficiency of implementation of the internal control.
The upper management should take the responsibility to prevent potential risks from damaging the benefit of the organization. For example, if the upper management of a company underestimates the significance of internal control, the organization may not have any implementation of data backup and disaster recovery, which is a huge risk for the company’s information assets. If the servers are damaged by a natural disaster or hacking, the company may lose all information on contracts, orders, and projects.
Loi Van Tran says
Fangzhou, thanks for the post.
We are starting to read and hear how important tone at the top is to an organization’s security program. Management, up to and including board members, has to provide oversight, guidance, and strict enforcement of policies and procedures to ensure that its security program is successful. They also have to make sure that IT strategy aligns with the business strategy.
Alexander B Olubajo says
1. In your own words, how would you define a control environment?
I would define a control environment as a group or set of effective policies and/or procedures, defined by the executive officers, with consequent actions that employees must adhere to and/or follow, which in turn develops and sets the standard of the organization’s daily operation in regards to achieving the company’s business goals and objectives.
Alexander B Olubajo says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
[A]. Preventive Controls: are measures put in place and/or taken to either avoid the occurrence of a problem or reduce its impact after it has occurred.
Ex: i). Reading up on documentation, guides, release notes, bug fixes etc. prior to performing a major significant upgrade to company-wide application software.
ii). Simulating the upgrade (procedures & implementation) in a staged environment in order to fully test the upgrade before proceeding to carry it out in the Production environment.
Both examples/scenarios allow me to know the possible risks involved and to avoid them during the course of the upgrade.
[B]. Detective Controls: are control measures that look to identify and detect problems that may have been foreseen.
Ex.: i). When an application goes down or becomes unresponsive as a result of a configuration change, I look at the log files to know the time and cause of the error, and the access logs to determine who made the configuration change.
ii). I set up and use monitoring systems (e.g. SolarWinds, Zabbix) to monitor the state and health of the systems that host some of the application lifecycle tools/software I administer. This allows me to detect, for example, when a machine is running out of allocated memory or storage.
p.s.: This example of using monitoring systems can also be implemented as a preventive control measure.
[C]. Corrective Controls: are control measures that are executed to take immediate action against problems that have already occurred, with the aim of reducing their impact.
Ex.: i). I back up an application’s data prior to every upgrade or change in configuration so that I can restore its data if it gets corrupted during the course of the upgrade. Also, if after the upgrade the application behaves abnormally, I can restore it to its previous working state as a fallback plan.
ii). When an application’s web server goes down for unexpected reasons, I immediately set up a redirect straight to the application server, which allows users/customers to bypass the proxy server and have access to the application.
Alexander B Olubajo says
3. What is the role of the board of directors in IT governance?
In a much broader scope, the role of the board of directors in IT governance is to ensure that the processes, controls, structures etc. put in place and adopted by the IT organization/department within the company very much aligns and is in accordance with achieving their business goals/objectives.
In short, from the instructor’s best form of defining IT governance, simply put, the role of the board of directors in IT governance is ensuring the right things (i.e. processes, policies, company values, etc.) are done right (i.e. controls).
The board of directors are to ensure IT is aligned to the company’s business strategy. They are to ensure IT is doing things that will produce the most value for the company. To aid in gauging some of these things, their role is to ensure IT is operating under a defined process with controls.
Some questions that will aid the board of directors to effectively execute their office and carry out their roles are:
Whether or not IT projects are run well to meet/satisfy their goals.
Whether or not IT services meet their customers/end-users needs.
Whether or not IT protects the information that is vital to both the organization and customers.
Said Ouedraogo says
In your own words, how would you define a control environment?
A control environment is the set of values, policies, and procedures defined by the management of a company in order to operate in an optimal way and make the company secure.
It includes management’s operating style and philosophy. That being said, a good/positive control environment depends on the quality and performance of the management.
Andrew P. Sardaro says
5. If you’re working, have you seen examples of active IT governance in your organization?
I work at a university which has numerous controls in place. One example is our data classification policy designed by our Information Security Department. This policy clearly assigns a level of sensitivity to data and outlines the handling of that data. The data is broken down as confidential, sensitive and unrestricted. Most crucial is understanding the importance of securing/handling confidential data, the restriction/approval process for the data, and the annual auditing of where that data resides and who has access.
I also participate in weekly IT change management meetings where our CM board oversees planned changes throughout the business calendar. Some examples of the types of changes: systems and network maintenance, software distribution or removal, Active Directory cleanup, database upgrades. Careful attention is paid to minimizing the impact/downtime so that the above-mentioned systems remain available and reliable.
Loi Van Tran says
I also work with a company that has a very good Change Management policy. Every change to the production system is carefully submitted, reviewed, and approved before any modification takes place. Some of the processes include initiating a request, review/approval by the Internal Review Board, and review/approval by the Corporate Review Board. Once the request is approved through the appropriate channels, the request is run through the development environment, two types of testing environments (development/security and user testing), and finally into production. Top management ensures that strict adherence to policy is enforced so that nothing goes into production that may have adverse effects on CIA. This type of IT governance creates a culture where the employees know that they must do the right things and do them right the first time.
Xiaodi Ji says
Andrew,
Everybody knows that information classification and security are quite important. However, if the enterprise does this, it will increase the cost and make simple things become complex. Meanwhile, some employees cannot understand these policies because they spend much time doing nonsense steps. How does your company balance this?
Andrew P. Sardaro says
Xiaodi,
Great question. I agree that substantial time and effort goes into the classification of data, securing of the data (network, local storage) and the auditing processes. I also agree that some users do not fully understand the different data sensitivities. Finding that balance between costs and results is tough.
Our Information Security department does a great job of educating departments as to identifying and handling this data. They promote data security awareness through education. They provide a classification grid to reference, meet with departments to evaluate what data is being used within the business processes and act as liaisons for when a vendor solution may be used.
I would say you find that balance through the education and prevention methods established versus the cost incurred if you have to recover from a breach.
Xiaodi Ji says
Andrew
Thank you for your reply.
How many times does your Information Department give this education? Once a week? Once a month? Or just teach new employees when they enter the enterprise?
Andrew P. Sardaro says
Xiaodi,
Our Information Security dept educates users on data security issues at HR orientations, technical steering committees and on a one-on-one dept/user basis as needed. It is a combination of existing meetings where they are complementary with their info, and meetings where the efforts need to be more detailed (vendor evaluations).
Andrew
Said Ouedraogo says
What is the role of the board of directors in IT governance?
The Board’s general responsibilities are:
Ensure that some board members possess IT skills
Establish IT controls
Review and approve IT audit reports
Set IT budget
Approve critical decisions such as major IT acquisitions, IT capital investments, IT systems.
Determine whether IT is functioning effectively
Source: http://www.books24x7.com/assetviewer.aspx?bookid=37797&chunkid=838328294&rowid=8&noteMenuToggle=0&leftMenuState=1
Alexander B Olubajo says
4. Which of the EDM processes do you think is most important and why?
I think EDM01: Ensure Governance Framework Setting and Maintenance is the most important EDM process, or at least is slightly more important than the others. Taking a step back to review the description of the EDM01 process, we learn that it “analyses and articulates the requirement for the governance of enterprise IT, putting in place and maintaining effective enabling structures, principles, structures, processes, and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals, and objectives.”
Now, from this, we can somewhat conclude that this process paves the way for the other four processes to flourish or be effective. The reason I say so is because the EDM01 process ensures that there is a framework, a solid foundation in place for IT to build upon. My thinking is that without this core foundation laid down there would be no structure/order for the other processes to follow. Therefore, it’s deemed the most important.
Looking at EDM05: Ensure stakeholder transparency, I also believe that as long as EDM01 process has been properly implemented and put in place, there should be no need to take extra measures to ensure stakeholder transparency. Simply put, if there exists a well-defined and functioning process, it should be visible across the company.
Yu Ming Keung says
In your own words, how would you define a control environment?
A control environment is a set of standards, processes, and structures set by upper management to provide the basis for carrying out internal control and to trickle down throughout the organization. A well-functioning internal control can define culture and behavior within an organization.
Conversely, if upper management fails to demonstrate and communicate throughout the organization, it will lead to a weak control environment within the organization, which means internal controls, risk management and business governance will not be valued throughout the organization. It will lead to inconsistency, such as differences in values, business ethics and behavior between the lower level and the upper level.
For example:
Enforcement of integrity and ethical values by upper management
management’s philosophy and operating style
Yu Ming Keung says
Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive – controls that prevent the loss or harm and reduce the risk from happening in the first place. Examples of preventive controls:
Segregation of responsibilities in our organizations
Firewalls on our PCs
Insurance
Detective – controls that monitor activity to record issues after they have happened.
Investigation of debit card fraud, which happened to me recently. Citibank called me recently about three fraudulent transactions that happened in Binghamton, NY. They are going to make a further investigation to trace the false transactions.
Corrective – controls that restore the system or process back to the state prior to a harmful event.
1. Restore all the data in our phones
2. Void a check after discovering an error
Andrew P. Sardaro says
3.What is the role of the board of directors in IT governance?
The primary responsibility for the Board of Directors is to establish effective IT Governance within an organization. The board provides a vision and sets the tone for the organization top down. The role of the board of directors is to make sure the right things are done right.
Board responsibilities:
• Establish IT and business alignment. Determine how an organization’s goals and objectives are addressed within IT.
• Establish IT ownership at the strategic level.
• Ensure that IT controls are established within the organization to increase the percentage of success with the organization’s goals and objectives.
• Oversight of business/cybersecurity risks. Approve critical IT assets and confidential business and customer data to be secured.
• Determine the IT value delivered within the organization through monitoring and determine effective and ineffective areas.
• Approve critical decisions such as IT acquisitions
• Monitor IT resources as to how they are managed and planned.
Abhay V Kshirsagar says
Prof. Jan Yeomans’s section
Role of Board of Directors in IT Governance:
Information technology plays a critical role in an organization’s strategic transformation and its performance. Today, IT is a crucial part of an organization’s overall enterprise strategy. The role of IT as an “engine room” has changed to IT as an enabler.
This is where IT governance comes into the picture: decisions are to be made about IT investments. Thus, organizations continue to increase their IT expenditure, and it also becomes important to check the returns on those investments.
IT governance is a part of enterprise governance, and board members have to make sure that business goals and IT are aligned. Meaning, the objectives defined in the business strategy are addressed within the IT strategy. Board members should set a tone at the top to raise awareness among employees. It is important for the employees to understand data classification and be aware of their responsibilities in the context of protection of that data. Throughout different ITACS courses, we have learned that even the best security systems are ineffective if employees fail to follow the security policies.
Board members should be aware as to how IT creates value; how IT can be utilized to gain a competitive advantage. The board members should further assess risk related to the IT security: assets, customer data and critical infrastructure.
Source: http://www.litcom.ca/understanding-boards-role-governance/
Joshua Tarlow says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventative: Preventative controls are designed to mitigate the probability or stop the risk before it occurs. This control does not address the risk/incident after it occurs.
One example can be locking my front door. A locked door helps to prevent a person without a key from entering my house. While it is still possible to pick the lock, it does lower the probability that the incident will occur.
Another example is a passcode for my iPhone. Without a passcode anyone can pick up my phone and use it. If a six-digit code is used instead of four, it becomes exponentially harder to guess/break. Most iPhones allow for ten attempts, and there is a very low probability that it will be guessed for either a four- or six-digit code.
An example of a preventative control can be restricting access to sensitive data to specific employees. Restricted access will decrease the probability of a risk because sensitive data will be harder to access, and fewer access points are less opportunities for unauthorized access.
Detective: Detective controls are designed to investigate if a security incident occurred. These controls do not prevent the risk, but help understand the incident by collecting information to determine how the problem occurred, and also how to mitigate future risks.
An example can be the alarm for my house. While the alarm does serve as a preventative control, it also has detective controls. For example, if my wife and I scheduled a dog walk, we are able to check our account to see every time the front door is opened and closed. This data allows us to verify if our dog was in fact walked, and how long the walk was. My wife and I are able to know if our dog was walked, and for how long. If there is an incident with our dog, we are able to verify specific information from our alarm account.
Another example is if my credit card account preferences are set to text me every time the card is used in an online transaction. If the credit card number is stolen, it will not prevent its unauthorized use, but I will know very quickly that the card is compromised and will quickly cancel it. This minimizes the damage done to my account and credit score.
Corrective: This type of control attempts to repair the damage from a security incident. Corrective controls are used after the incident occurs, and are separate from the investigation. While information from the investigation can be helpful in repairing the damage, their main goal is not to collect information itself.
One example would be if my computer were attacked with ransomware and my hard drive was encrypted. I can avoid paying the ransom and still recover my data if I regularly back up my hard drive and/or important data. With a proper back up I will be able to wipe the hard drive and restore my system from a back up without losing any data.
A carpet cleaner can be another corrective control. If I spill coffee on my carpet I can use a carpet cleaner to remove the coffee from the fabric. The cleaner does not prevent the incident, nor does it gather information. It simply restores the carpet to its condition prior to the spill.
Janet Yeomans says
Joshua,
Good points, and while you’re correct that detective controls won’t eliminate risk, it’s important to recognize that they can limit risk of further harm. The sooner you know there’s been a breach and the faster you respond to it, the lower the risk of repeats. In your credit card example, once you realize that your credit card number has been stolen, you can immediately alert the issuing bank and they will block additional charges. At least the thief won’t go on a global shopping spree on your card.
Jianhui Chen says
1. In your own words, how would you define a control environment?
Control environment sets the culture and rules, which influence the consciousness of its employees: the integrity, ethical values and competence of employees.
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive control: organizations launch specific policies and rules to prevent the problem from occurring. For example, stop signs are set up at an intersection by the DMV to prevent many car traffic accidents. And if I want to change my work computer, I need to get my manager’s approval.
Detective control: A type of internal control mechanism intended to find problems within a company’s processes. For example, the supermarket will use security cameras to limit the opportunity for employees or customers to misuse or steal the store’s assets. And traffic cameras detect traffic regulation violations such as speeding to prevent some car accidents.
Corrective control: It mitigates the damage when the problem has occurred. For example, I back up my computer data to protect myself from computer data loss. And I pay for car insurance to mitigate the loss when car accidents take place.
http://www.investopedia.com/terms/q/quality-control.asp
Paul Linkchorst says
Professor Yeoman’s Section
Q1: In your own words, how would you define a control environment?
Based on my internship experiences as both an Internal and IT Auditor, I would define a control environment as the attitude of those throughout an organization towards how its members “control” or gain confidence that business processes are working properly and reliably. Since controls are just policies and procedures that aim to increase the effectiveness, efficiency, and reliability of certain processes, it is up to those in management positions to develop these procedures and policies as well as enforce them.
In a positive control environment, those managers and executives set a “tone” which identifies that controls have a positive effect on processes and are beneficial in meeting that organization’s objectives. Due to this positive attitude toward internal controls, that tone is carried throughout an organization, which can result in a well-designed internal control system that is properly followed throughout the organization.
In contrast, in an organization that has a negative control environment, there is no tone at the top of the organization supporting a good control environment. An organization can have on paper a very robust and well-designed control environment but ultimately have a tone where the controls are not followed and become ineffective. Likewise, a company with a negative attitude might not even have internal controls designed into their business processes. Ultimately, a control environment is the attitudes that an organization’s members have toward an internal control system.
Andrew P. Sardaro says
4. Which of the EDM processes do you think is most important and why?
EDM01: Ensure Governance Framework Setting and Maintenance
I feel that EDM01 is the most crucial process as it sets the IT groundwork for an organization, provides an IT enterprise’s vision, and enables the other four EDM processes to succeed. The other four EDM processes will not be successful unless the groundwork EDM01 process is established successfully.
EDM process description from the COBIT 5 Reference Guide:
• Analyse and articulate the requirement for the governance of enterprise IT, establish and maintain effective enabling structures, principles, processes, and practices (controls), with clarity of responsibilities (roles) and authority to achieve the enterprise’s mission, goals, and objectives.
The EDM01 process supports the achievement of a set of primary IT-related goals:
• 01 Alignment of IT and business strategy
• 03 Commitment of executive management for making IT-related decisions
• 07 Delivery of IT services in line with business requirements
ISACA COBIT 5 Enabling Processes EDM01-EDM04, page 30.
Ahmed A. Alkaysi says
Andrew,
I agree with you on EDM01 being the most crucial. It all starts at the top. Without clear business objectives, mission, and goal, the right IT strategy will not be implemented. Establishing a governance framework will integrate business and IT strategies. It will also help make sure compliance is being met.
Sheena Thomas says
I totally agree with you and your reason why you feel EDM01 is the most crucial process. I have a totally different answer, but your argument is valid. Before you can move on to the other EDM processes, a company has to establish a vision and IT groundwork within the organization for the other processes to succeed.
Ivy M. McCottry says
I’m in agreement with this reply chain. EDM01 definitely sets the tone for and direction of other EDM areas. EDM01 also establishes how to think about and approach the other EDM areas because of the expectations that EDM01 sets. For instance, if EDM01 establishes that governance is light because the firm deals with a lot of public information that does not require change or restriction, that light-handed approach would flow to EDM03.
Wen Ting Lu says
Q: Define the three kinds of common controls and give two examples of each from your everyday life.
A:
Preventive Control – These are controls that prevent the loss or harm from occurring.
Ex:
– Set up passwords to secure authentication to our private information such as cellphone, computer and online banking accounts.
– Always wear a seat belt when inside a vehicle; it saves lives and prevents injuries in the event of an incident.
Detective Control – These controls monitor activity to identify instances where practices or procedures were not followed.
Ex:
– Reconcile bank statements to make sure each transaction is correctly stated, and also check to see whether each transaction matches the receipts I have kept.
– Temple has security cameras everywhere; if anything unexpected happens we are able to look back at the recorded video to detect the potential threat.
Corrective Control – These controls restore the system or process back to the state prior to a harmful event.
Ex:
– Restore data from backup. I always make a duplicate copy of files in case I lose the USB that I use for storing homework, photos, etc.
– Creating contingency plans. If my car breaks down on the day I have to be somewhere on time, I need to figure out the alternatives to get to the destination, either by public transportation or by having someone drive me there.
Wen Ting Lu says
Q:In your own words, how would you define a control environment?
A: A control environment is the cornerstone of the internal control system; it supports and decides the other elements. In an organization, the control environment represents upper management’s attitudes, awareness and actions towards controls and the focus they have on IT controls. The “Top-Down” approach to control is most often used in organizational environments; it means that management sets the tone for the focus of and adherence to controls.
A good control environment will include communicating ethics, employing good staff who have positive influence, participation and professionalism. Also, management’s philosophy and operating style is very important in a good control environment.
Mansi Paun says
Q-5 If you’re working, have you seen examples of active IT governance in your organization?
A-5
I’ve been fortunate to have worked in various capacities, for a long-standing IT Hardware, Software & Services solutions company. While I was there, I witnessed efficient IT governance practices being followed. Some that are noteworthy and I would like to share are listed below:
• Control Environment: The CEO and Country leadership encouraged values of Integrity, Innovation, Trust & Personal responsibility in all relationships and Dedication to every client’s success throughout the year. Strong emphasis was laid on doing things right.
• Workplace security controls were in place – Printer controls, Physical access control, Laptops and Desktops were to be physically secured using Kensington locks. Each computer on the network had whole-disk encryption software, antivirus and firewall installed besides other checks like P2P or disk-sharing. Password-sharing was considered as a serious violation. For any non-compliance on the system, notification was sent to the Asset owner and followed up with reminders and then escalation to management if the non-compliance was not fixed.
• Timely and Accurate billing to client was ensured.
• Employees were encouraged to claim accurate expenses.
• Employees were motivated to undergo trainings and upskill themselves.
• Daily status calls with the Account Managers were held to discuss if there were any critical issues in the previous 24 hours and best practices were shared in cases where the Project teams were unsure of the course of action.
• Client infrastructure related Compliance activities like Server patching, Issues, Risks and APAR tracking were given importance.
• Audits and Project Management Reviews were viewed in a serious light.
• Documentation of SOWs, Roles and Responsibilities, Policies and Procedures was thorough and management helped inculcate this practice.
• Employees were encouraged to report any violations, threats or harassment without fearing retaliation. Strict confidentiality, where required, was assured.
Noah J Berson says
5. If you’re working, have you seen examples of active IT governance in your organization?
I was recently working for a company that was in the process of increasing their IT governance. Their issue stemmed from not having a firm head of IT position, like the one Khan was appointed to. From there, a lot of bad habits were formed from before I joined the organization. There were a few IT governance issues I tried to tackle personally as someone working with the company’s de facto head of IT.
The greatest failure I noticed was a lack of knowledge documents. There was little written down of how each system or database the company used could be accessed. Most knowledge required talking to a specific employee who had been working with the database for so long. This made it hard to catch up new employees meaning a lot of wasted company time. I took it as a personal project to document my position and to recommend to the head of IT and the boss that employees spend a bit of time creating knowledge documents.
Another governance issue that was an exact replica of an issue Khan from STARS faced was the abuse of critical projects. Whenever an issue arose from a client, it was always marked critical. Whenever a task was marked at a medium level, it never floated above the pile of critical projects. IT began a conversation with developers and brainstormed adding a suggested timeline feature to projects. The boss was extremely happy with this as it meant the clients’ requests were being taken care of in a more rational fashion.
Daniel Warner says
Noah, I worked for a company that had similar IT Governance issues. The lack of knowledge documents was shocking. The ERP system that was used lacked any documentation and/or training which led to serious issues when new users were being introduced to the program. Like you mention above, whenever someone had a question about a particular aspect of the company, whether it be a pricing or inventory issue, there were a select few that had the knowledge and then the remainder fielded questions to those individuals throughout the day. This led to slow down, and some serious issues with our customers, in which several stopped working with our company due to issues that could have been avoided with documentation.
Ming Hu says
Q: Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive controls – these controls proactively mitigate risks by preventing their occurrence, such as password protection – using a username and password to access your Gmail account; identity authentication – swiping your ID card to enter the tech center.
Detective controls – these controls are designed to find errors within the organization, including anti-virus software, which could detect malware.
Corrective controls – these controls help mitigate damage once a risk has materialized, such as recovery systems.
Candace T Nelson says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
a. Preventive controls are designed to provide reasonable assurance that errors or irregularities will not occur.
i. I lock my doors to prevent unauthorized access to my home and personal belongings.
ii. My personal laptop is password protected to prevent unauthorized access to proprietary, classified or personally identifiable information contained within.
b. Detective controls are designed to provide reasonable assurance that errors or irregularities that have occurred will be identified / detected.
i. I compare the cash balance per my checkbook against my monthly bank statement to determine whether any unauthorized transactions have occurred.
ii. I compare my mortgage balance per the bank against the amortization table contained in the original loan agreement to ensure electronic payments have been applied correctly and that the loan principal is being properly amortized.
c. Corrective controls are designed to restore systems or processes to their normal state after a harmful event /disruption occurs.
i. My home is equipped with a back-up generator that provides for electricity in the event of a power failure.
ii. I have an external hard drive that I utilize to back up my personal computer in the event of a crash.
Candace T Nelson says
1. In your own words, how would you define a control environment?
A control environment is the product of the collective attitudes and actions of senior management within an enterprise with regard to internal controls; it sets the tone of the organizational culture respecting control compliance thereon, e.g. do as I say vs. do as I do.
Loi Van Tran says
Q2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventive Controls are used to proactively mitigate the occurrence and/or impacts of risks.
1. A preventative control used by my current employer is its policies and procedures for remote access, hard drive encryption, SSO, and two-factor authentication. My employer uses a series of authentication methods to allow its employees to obtain access to its network and applications. It first encrypts the hard drives on computer assets, where the user must enter a username and password to decrypt the hard drive to get access to the OS. Once you get past the hard-drive encryption you need a smart badge to log into your account. Additionally, the smart card would also be needed to connect to the company’s network. Some applications can only be accessed through a phone token, where a one-time key is texted to a registered phone and is then input into the application before the user can access the information.
2. Another preventive control used is its System Access Requests, where it uses workflow tools to approve system access to privileged information systems.
Both of these controls limit access to sensitive information and mitigate the occurrence of unauthorized access to its assets and data.
Detective Controls are controls used after the fact to identify if a predefined event occurred.
1. An example of a detective control that I use is keeping logs of the devices that connect to my WiFi networks and the type of information and/or websites that they’re accessing. This is useful to help identify unauthorized devices that are connected to my WiFi.
2. I use system and program logs to see why a program or operating system crashed.
Corrective Controls are used to restore the current system back to its approved state.
1. I use system backups to restore my computer and mobile devices when my computer is exposed to a virus or won’t work properly.
2. The later versions of Microsoft software like Word, Excel, and PowerPoint come with a Recovery option, which I use on a regular basis. Sometimes I forget to save or close out of a document without saving, and thankfully Microsoft lets you recover the unsaved documents.
Candace T Nelson says
3. What is the role of the Board of Directors in IT governance?
• Elect the Chief Information Officer (CIO) based on recommendations made by the Chief Executive Officer.
• Ensure a Board member(s) possess sufficient IT technical, governance, risk and controls knowledge /skills to enable provision of guidance and direction.
• Ensure IT technology and resource strategy / structure is aligned with and adequately supports the organizational / business strategy and objectives.
• Monitor IT capital budgets and related spend.
• Maintain awareness of emerging technology risks affecting the general market and specific business sector.
• Create an Audit Committee of financial and IT subject matter experts responsible for overseeing management’s conduct respecting financial reporting and routine assessment of internal control fitness.
Sheena Thomas says
I agree with your post, your points are all valid, but would you have C-level execs report on the emerging technology risk? Would you have the Audit Committee report to the Board or the C-level execs?
Folake Stella Alabede says
• Ensure a Board member(s) possess sufficient IT technical, governance, risk and controls knowledge /skills to enable provision of guidance and direction.
Hi, I just have a little addition to this second bullet point,
it’s sometimes possible that some board members of a company have “limited” knowledge about technical IT, so “governance also helps to provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies”.
Because you really can’t give proper guidance/direction on something you don’t fully understand, right?
I’ve read about cases where attempts are made to increase the understanding of how IT operates among members of the Board, and more importantly, how IT can be used to leverage the business and provide a competitive advantage for the firm.
Kevin Blankenship says
Define the three kinds of common controls and give two examples of each from your everyday life.
1 -Preventative controls are put in place to minimize or remove the effects or occurrences of a risk.
An example of preventative controls is access badges to a building or restricted area. Using badges with RFID allows security to restrict access to particular areas, or know who has access to a room or building.
Another example is the backup of my phone. I store both a local and cloud copy of my phone data, in case anything happens to my phone that prevents me from accessing the data there. This is in case my phone becomes broken or missing.
2- Detective controls are put in place to tell if an event or risk that had been previously defined has taken place.
My phone has an app that takes a picture using the front camera if my passcode is entered wrong too many times. This picture would then be emailed to me, so I can tell when my phone is being used and who is using it without my permission.
Simpler controls are fire alarms. They are a very straightforward way to warn me of smoke or fire, and allow me to respond accordingly to the situation.
3 -Corrective controls are used to restore functionality or integrity back to a system that allows that system to re-operate at a defined level following a risk event.
Following my preventative control example of my phone’s backup; if I lose my phone or break it, I can easily purchase a new phone and restore my backups, either from my computer or over the air from the cloud. Restoring my data puts my phone back at its previous operating level and ensures the integrity of my data.
Anti-virus software can also be used as a corrective measure. An infected file can be quarantined and isolated from the system, allowing the functionality to return as normal without risk of infection again.
Loi Van Tran says
Good post Kevin,
I’m not sure I agree with the second example in your preventive controls. Backing up your phone seems more like a corrective control. I think a more suitable preventive control for your phone may be password protection or fingerprint scanner.
Folake Stella Alabede says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
The three types of common controls are preventive controls, detective controls and corrective controls.
-Preventive controls are processes and activities that prevent the possibility of a risk occurring.
-Detective controls in risk management are controls that promptly detect the occurrence of an incident.
-Corrective controls are controls that are put in place to resolve an incident. Corrective controls may also require putting controls in place to prevent future occurrence of a detected incident.
Two examples of each from everyday life.
Preventive controls:
1. I lock the door to my house behind me every morning when I leave for work. This is to safeguard the assets in my house and prevent unwanted open physical access/entry into my house. I also lock my computer with passwords and file locks to prevent unwanted electronic access.
2. At my job, some internet websites are blocked: there is no access to Yahoo mail, Gmail, etc., and sometimes I cannot even open some of the class articles posted for this course, and I have to either read the articles on my phone or wait to get home to read the articles. This is my organization’s firewall configuration to prevent virus infiltration, I guess?
Detective Controls
1. I have an electronic /computerized device that came with my car and displayed on the dashboard over the week-end a picture of my car with the 4 tires and air gauge of 36, 35, 36, 18, so of course I knew I had a flat tire.
2. At work, we have controls in place that notify us if there is a duplicate entry, posting or purchase.
Corrective Controls
I recently had an accident with a kitchen knife. I know to always put the knife with the blade facing down in the dryer hanger, but I recently had a visitor who did the opposite and put the knife upright with the sharp edge up. So I went to pick up a spoon and got slashed by the knife.
So what did I do to correct this? I moved all the knives in the kitchen to a hidden place (extreme, right? some organizations also operate like that), so going forward, any visitor that needs a knife for anything will have to ask me where the knife is, and then I can tell them to place the knife facing down in the dryer basket after washing and use.
Sheena Thomas says
1.In your own words, how would you define a control environment?
In my opinion a controlled environment consists of many levels:
A controlled environment starts with the Board understanding that the Business Strategy, IT, and Security should be aligned with each other. They should leverage the CIO & CISO to better understand the risk(s) to make an informed decision as to whether a company will accept, mitigate or transfer the risk a company may face.
Mandatory awareness training is required for all personnel. This training will educate end users on the risk(s) the organization faces and the controls that are put in place to mitigate the risk.
Ongoing communication should exist between business and IT departments. Every department should understand its role in aligning with the business strategy of the organization. For example, think of an ecommerce company: the business department would understand inventory, pricing, etc., the IT department would know the technology in place to get the product to the customer, and the Security department would make sure the technology used and online transactions are completed in a secure manner.
All policies, procedures, configuration baselines, guidelines and standards are enforced within an organization through internal audits, change management, job rotation, etc. There should be action taken against anyone who knowingly or unknowingly violates a policy.
Mengxue Ni says
A control environment is an effective and efficient internal control system that operates in an organization in order to:
• prevent external and internal frauds
• follow regulations and laws
• safeguard its assets
• achieve its strategy objectives
• help to provide reliable financial reports to stakeholders
Sheena Thomas says
Your reply is interesting; I never thought about preventing external and internal fraud as it relates to IT governance. But now that I am thinking about it, some companies, especially financial institutions, have controls such as job rotation, least privilege, and role-based access to prevent employees from committing fraud.
Daniel Warner says
To piggyback off of your comment, Sheena: I remember reading an article about a French financial institution (I can’t recall the name) that had that exact issue. They had no job rotation, and access was granted to some employees that didn’t need access in certain areas, but due to the lack of oversight everyone went about their day. I recall that one employee had managed to steal millions due to the lack of oversight; the areas that this employee monitored were not monitored by any other employee, and management just listened to whatever this employee had said about his accounts and didn’t put any other checks in place.
Sheena Thomas says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
Preventative Controls are to stop something malicious from reaching its intended target. A firewall or Intrusion Prevention System are good examples of preventative controls. A firewall will drop traffic based on rules and the IPS will prevent traffic based on allow and/or deny policies set by the administrator.
Detective Controls are defined as making someone or something aware of an event that has occurred. An IDS is a good example of a detective control. The IDS can detect malicious activity and trigger alerts/alarms based on a policy or threshold put in place.
Corrective Controls are defined as remediating a physical, administrative, and/or technical issue that occurred. Re-imaging a machine, installing CCTV cameras and/or creating a policy can all be classified as a corrective control.
I am a Security Analyst for a university; within this role, I am responsible for the system monitoring tool. This tool can detect, alert, alarm, correlate, and prevent malicious activity on a host and/or the network. This tool gives us centralized visibility into the university’s environment. I am also a part of the vulnerability management process, which covers both the preventative and corrective controls. During this process we determine the security posture of a server and/or application. If any vulnerabilities are identified during this process, the system owners must take corrective action to remediate all vulnerabilities discovered.
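An added illustration (not part of Sheena’s post or any product she mentions) of the distinction her three definitions draw, in Python over a constructed connection log: a first-match rule set stands in for the firewall (preventive, decides at the time of the event), a threshold alert over denied attempts stands in for the IDS (detective, reviews after the fact), and an explicit block added in response stands in for the corrective step. All addresses, ports, rules and log lines below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    dst_port: int


# Constructed sample log: timestamp, source address, destination port.
# 203.0.113.9 (a documentation range, not a real host) probes several
# closed ports before reaching the one public service.
SAMPLE_LOG = """\
2024-01-15T09:00:01 10.0.0.5 443
2024-01-15T09:00:02 10.0.0.5 80
2024-01-15T09:00:03 203.0.113.9 22
2024-01-15T09:00:04 203.0.113.9 3389
2024-01-15T09:00:05 203.0.113.9 445
2024-01-15T09:00:06 203.0.113.9 23
2024-01-15T09:00:07 10.0.0.7 443
2024-01-15T09:05:00 203.0.113.9 443
"""

# Preventive control: ordered rules, first match wins, default deny.
# Each rule is (action, source, port): source is "*", an exact address,
# or a prefix ending in "."; port None matches any port. (Constructed.)
RULES = [
    ("allow", "10.0.0.", 443),
    ("allow", "10.0.0.", 80),
    ("allow", "*", 443),  # public web server reachable from anywhere
]


def parse_log(text):
    """Turn the whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, int(port)))
    return events


def _source_matches(rule_src, src):
    if rule_src == "*":
        return True
    if rule_src.endswith("."):
        return src.startswith(rule_src)
    return src == rule_src


def decide(event, rules=RULES):
    """Firewall decision for one event: 'allow' or 'deny' (default deny)."""
    for action, rule_src, port in rules:
        if not _source_matches(rule_src, event.src):
            continue
        if port is not None and event.dst_port != port:
            continue
        return action
    return "deny"


def enforce(events, rules=RULES):
    """Apply the preventive control to every event as it happens."""
    return [(event, decide(event, rules)) for event in events]


def detect(decisions, threshold=3, window=timedelta(minutes=1)):
    """Detective control: review the decisions after the fact and alert when a
    source accumulates `threshold` denied attempts inside `window`.
    One alert per burst: it fires when the count first reaches the threshold."""
    alerts = []
    denied_times = defaultdict(list)
    for event, decision in decisions:
        if decision != "deny":
            continue
        times = denied_times[event.src]
        times.append(event.ts)
        while times and event.ts - times[0] > window:  # age out old denials
            times.pop(0)
        if len(times) == threshold:
            alerts.append((event.src, event.ts))
    return alerts


def corrective_block(rules, alerts):
    """Corrective control: put an explicit deny for each alerted source ahead of
    the existing rules, so it can no longer reach even the public service."""
    blocked = sorted({src for src, _ in alerts})
    return [("deny", src, None) for src in blocked] + list(rules)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    decisions = enforce(events)
    alerts = detect(decisions)
    hardened = corrective_block(RULES, alerts)
    for event, decision in decisions:
        print(f"{event.ts.isoformat()} {event.src:>12} -> {event.dst_port:<5} {decision}")
    print("alerts:", [(src, ts.isoformat()) for src, ts in alerts])
    print("last event after corrective block:", decide(events[-1], hardened))
```

Note that the final event (the probing source reaching port 443) is allowed by the original rules; only after the detective alert and the corrective block does the same event get denied, which is the timing difference between the three control types.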
Andrew P. Sardaro says
The DentDel Case:
1. What processes were ineffective and allowed this situation to occur?
You have a case where the wholesale distributor business is going through a significant change from a direct sales approach to a faster, more efficient, consumer driven internet order process.
The original marketing plan for DentDel was to employ a sales force to expedite the ordering of supplies. The wholesale business is extremely competitive, and DentDel separated themselves from their competitors by expediting the ordering and delivery of dental products.
While I understand trying to keep their competitive sales edge by updating their process with technology, they did so without consulting the executive committee or steering committee, and proceeded with a project that was not managed or budgeted correctly. The CIO, CFO and VP of sales avoided all governance measures in place and cost the company financially and perhaps damaged their reputation. This project was created without consulting stakeholders and placing their needs first.
I also question the established control environment throughout DentDel, as the CIO, CFO and Sales VP proceeded as if there were no consequences or risk of failure with this project.
2. Where could stronger IT governance have helped DentDel avoid this situation?
The wholesale distributor business model is changing for dental suppliers. A change of this magnitude needs to be discussed with the entire executive committee and general counsel prior to a project being drawn up. Better direction and guidance were needed to approve this project. I also think that once the project started, there was no clear manager or lead for the project. We see where the CFO is taking ownership and interest in matters of finance, there is an ad hoc committee overseeing the project, and Cedric is allowed to spend money on inferior phones.
Sheena Thomas says
1. What is the role of the board of directors in IT governance?
- They should understand the business needs of an organization, and have a basic understanding of what and why a particular technology is implemented.
- Hold C-level execs responsible for explaining the risk that confronts the company from a business and IT perspective. Once the risk is understood by the board, they need to ensure that the risk(s) are being properly mitigated. This could happen through internal audits, projects, controls, frameworks, etc.
- They should be aware of any federally regulated standards the company must adhere to.
- They should understand the data that is being stored or sent over the network and what controls are in place to protect the data, and how client and employee data is being protected.
- They should make sure proper funding is being allocated throughout the departments to ensure the business needs are handled in a secure manner.
Jaspreet K. Badesha says
I agree, a part of their job is to ensure that business strategy / goals and IT strategy / goals are aligned. They are also ensuring that the right people are being held accountable for their actions and decisions.
I also believe that the board is one to set the tone at the top and the emphasis on following policies throughout the organization.
Daniel Warner says
1. In your own words, how would you define a control environment?
A control environment can be viewed as the attitudes, beliefs and actions of management in regards to internal control. The senior management’s views permeate into the tone of the entity, which then drives whether or not employees accept and adhere to the internal control policies and procedures.
Sachin Shah says
I agree that senior management or leadership in the end dictate whether the employees or staff buy into the idea. Leadership cannot walk in a gray area and needs to let the staff know the importance and negative consequences if it is not followed.
Daniel Warner says
5. If you’re working, have you seen examples of active IT governance in your organization?
Yes, I fortunately work for a great company where the tone at the top flows down into how the employees respect the company’s information and data. We have no internal IT department, but we have strict adherence to protect client data. For example, our policy is that client data is only stored on our hosted server which has adequate security. Sometimes when working on an assignment it may be easier to store client data on our local servers, but due to the respect given to management and also how management actively follows the same policy drives the user (me) to adhere and not try to circumvent for the sake of ease.
Ivy M. McCottry says
5. If you’re working, have you seen examples of active IT governance in your organization?
I’ve seen IT governance in both the public and private sector. During my federal career, we followed procedures associated with the Freedom of Information Act (FOIA) for disclosing or not disclosing information about federal lease contracts such as locations.
In the private sector with a tech company, I see IT governance in action on a daily basis. We have a Compliance Officer that encourages all employees to “do the right thing” and a Chief Security Office with a Chief Security Officer that sets many policies, among them are parameters and guidelines on access and markings for information based on sensitivity and intended audience. We have internal training that addresses privacy laws and social engineering. We also have gate-keeping processes for global trade for technological goods. For instance, physical and digital assets such as devices and the firmware for those devices are exchangeable. Therefore, when the U.S. recently sanctioned trade activities with China’s ZTE because of ZTE’s involvement with Iran, U.S. companies followed suit. I received both verbal and written directives for stopping work until U.S. trade policies regarding ZTE changed.
Folake Stella Alabede says
3. What is the role of the board of directors in IT governance?
The importance of Board Oversight
IT governance is typically the primary responsibility of the board of directors and executive management (including the Chief Information Officer). It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends its strategies and objectives.
When it comes to IT governance, board members should oversee 4 areas:
• Business-IT strategic alignment – The level to which the goals and objectives outlined in the business strategy are addressed within IT strategy;
• IT value delivery – The measure of business value being delivered by the IT organization;
• IT resource management – The method by which IT resources are being planned and managed;
• IT risk management – The security of IT assets and privacy of critical business and customer data;
A lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would.
The question is no longer whether the board should be involved in IT decisions; the question is, how? Having observed the ever-changing IT strategies of hundreds of firms for over 40 years, we’ve found that there is no one-size-fits-all model for board supervision of a company’s IT operations. The correct IT approach depends on a host of factors, including a company’s history, industry, competitive situation, financial position, and quality of IT management. A strategy that works well for a clothing retailer is not appropriate for a large airline; the strategy that works for eBay can’t work for a cement company. Creating a board-level committee is not, however, a best practice all companies should adopt. For many firms—consulting firms, small retailers, and book publishers, for instance—it would be a waste of time.
Roles and Responsibilities of the Board of Directors
Board members should aspire to evaluate and in certain instances, approve strategic plans, major programs/projects and establish priorities among competing requests for resources to ensure that everyone is aligned on those initiatives. They should also conduct formal periodic reviews of major initiatives, and operational service performance.
Finally, Board members normally act as a final escalation point for major IT/business issues and their resolutions.
There are certain situations where the board specifically needs to consider getting involved in IT oversight, such as:
• A strategic project that will leverage an emerging technology for competitive advantage
• A major technology implementation project with a long installation period and substantial costs
• Any initiatives related to information security and privacy
In such situations, senior level management should spend time discussing the organization’s technology initiatives. It is also critical for board members to discuss with management about the associated technology risks and how the organization protects sensitive information.
IT governance exists so that enterprise leaders can ensure that IT is successfully supporting the organization’s goals and mission. IT governance helps upper management to raise awareness and understanding among employees. Such governance also helps to provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds expectations of the organization.
http://www.litcom.ca/understanding-boards-role-governance/
https://hbr.org/2005/10/information-technology-and-the-board-of-directors
Ivy M. McCottry says
2. Define the three kinds of common controls and give two examples of each from your everyday life.
I recognize that there are a number of responses about this and will therefore be brief.
Preventive controls: establish parameters and expectations for how a process should work (who, what, where, when, why, how) in effort to mitigate risk
Detective controls: flag when someone or something deviates from the parameters and expectations of a desired state
Corrective controls: push someone or something to a state or condition that aligns with risk mitigation
Example of a preventive control: At work, we have a business code of conduct that establishes permissible activities in the work environment and with stakeholders (customers, partners, etc.). There are incentives to follow the code such as continued employment and avoidance of legal action.
Example of a detective control: My employer doesn’t like for people to use the Google browser. However, there are no controls in place that prevent you from installing the browser. A detective control is used to thwart Google browser utilization. Specifically, a proxy server flashes a warning on your screen about your use of a non-compliant browser. The proxy warning makes using the non-compliant browser inconvenient because it slows down your workflow/Internet browsing by taking over the workstation screen.
Ivy M. McCottry says
3. What is the role of the board of directors in IT governance?
Based on the readings and a recent review of a committee charter for Wells Fargo, my interpretation of the role of the board of directors in IT governance is ensuring accountability from IT leadership, risk management leadership and general corporate leadership for the appropriate controls (preventive, detective, and corrective as well as administrative, technical, and physical) for fostering sound IT that is aligned with strategic goals and that supports strategic goals (ex. anti-breach, anti-leak, anti-theft etc.). This looks like the board of directors lending credible expertise from years of corporate leadership experience to IT leadership as well as risk management leadership for how to navigate an evolving environment that changes because of technology that creates new risk and new risk that affects technology needs. Given that, the role of the board of directors is advisory in nature and reported to for accountability reasons.
Ivy M. McCottry says
I’ll add that the board does contribute to vision and direction. However, execution is not at the board level which is why I emphasized the advisory nature.
Jaspreet K. Badesha says
Very thorough and good description. The board definitely helps shape and set policies for the organization but you’re right they do not execute the policy. Their role is as you mentioned, more so in the advisory arena.
Folake Stella Alabede says
5. If you’re working, have you seen examples of active IT governance in your organization?
I’m currently working as one of the Internal Auditors for a multi-national organization, so we definitely have active IT governance in place in my organization.
My company is largely a business oriented process, we have in place lots of Business Risk Assessment for the many different businesses we have, but not one IT related Risk Assessment, and this is not due to lack of trying. So the Internal Audit team is trying to see if we can present this again this new fiscal year, and probably get it approved, because we the audit team believe that there should be some IT Risk Assessment in place.
Anthony Clayton Fecondo says
What is the role of the board of directors in IT governance?
In terms of IT governance, the board of directors is responsible for appointing a CIO, reviewing IT audit reports, evaluating the mission, vision, and values statements to make sure they align with the corporation’s culture, signing off on major investments, and evaluating the overall effectiveness of the IT department.
Essentially, the board of directors focuses on the macro environment of IT governance. While the board doesn’t make specific IT governance rules, it monitors the IT department’s actions in order to evaluate its effectiveness and to make sure that it’s helping the corporation as a whole to achieve its goals.
As far as my two cents goes, I believe that the board of directors needs to have an understanding of IT governance and, more importantly, understand the importance IT governance has both within the IT department and throughout the corporation. If the board appreciates the role that IT governance plays in their company, it will be easier to get support and funding for critical systems and software.
Anthony Clayton Fecondo says
In your own words, how would you define a control environment?
A control environment is an aspect of company culture which embodies the general consensus regarding the seriousness and organizational impact that the implementation and maintenance of controls plays within the company.
One part of my definition that I think merits extra attention is the fact that the control environment becomes part of a company’s culture. The reason this is important is that if a firm sets a strong stance on thorough controls from the get-go, then that attitude will be ingrained in the company and will essentially take care of itself going forward. Conversely, if a company has a lax approach to controls, that problem will have deep roots and rectifying the problem will be troublesome.
Sachin Shah says
2. There are 3 types of controls – define and give 2 examples in your everyday life:
A. Preventive Control: In my experience a preventive control is when an organization or department takes a proactive approach. This control is to assist in avoiding a problem from happening. This is to avoid the risk of bad decisions, when leadership knows there is a possibility of a bad outcome and it is better to plan beforehand.
Examples:
At our server farm/center we have a UPS for power. We use this in case our generator fails and we lose power. At this point, instead of all the systems, computers, and power in the hospital going down if there is an issue with the power lines or PECO, the power reverts to the UPS for a short period while the staff and PECO work on rectifying the power issue.
The second example is the HIPAA policies that are in place at work. These are policies that are explained to us prior to starting employment in a hospital. The policies are extensive, yet the bottom line is that we are not allowed to search patient information and share it with outside people. If we look at patient information outside the scope of work issues, we face the risk of being terminated and fined. These are both proactive measures of control.
B. Detective Control: I consider this to be the process or discovery phase of when leadership knows when a problem exists or is occurring.
Examples:
The first example of a detective control in my everyday life would be a variety of alarms: fire alarms, house alarms, or car alarms. In these cases the issue is being detected when occurring or immediately after. If there is extensive smoke the fire alarm goes off, which alerts individuals to leave the premises and proceed to a safe location. The same thing with a car or house security alarm: it is not going to prevent a robbery from starting, yet when it does an alert goes off to scare the robber or contact the police, etc.
The second example I can think of is in my commute, where I get traffic alerts on my phone. This helps me know if I need to take an alternate route to my destination. Once upon a time, I used the radio in the mornings to tell me if school was cancelled or roads were shut down, etc. Obviously times have changed and information is more current. At work we also have email alerts set up if any of our FTP jobs or stored procedures have failed or are currently in a down state.
C. Corrective Control: This is a reactive control of addressing an issue. This control is what leads to future Preventive or Detective controls being put in place. This is the post mortem and how the stakeholders react when something unexpectedly goes wrong.
Example:
At all jobs you see a first aid kit on site. In my job, if you go into ICU rooms, you need to put on gloves and a protective gown. There may be hazardous bacteria or conditions and one may get cut, etc.; hence after going into rooms, you must put on hand sanitizer, or if one is in a job and gets cut, they may need a band-aid, alcohol adhesive, or medicine.
I have an iPhone and a corrective measure is to back it up. I do this so if I lose my phone, which I have, I can re-import the data.
Sachin Shah says
2. There are 3 types of controls – define and give 2 examples in your everyday life:
A. Preventive Control: In my experience a preventive control is when an organization or department takes a proactive approach. This control is to assist in avoiding a problem from happening. This is no avoid the risk of bad decisions and when leadership knows there is a possibility of a bad outcome and it is better to plan beforehand.
Examples:
At our server farm\center we have a UPS for power. We use this in case our generator fails and we lose power. At this point instead of all the systems, computers, and power in the hospital going down if there is an issue with the power lines or PECO. Instead the power reverts to the UPS for a short period while the staff and PECO works on rectifying the power issue.
The second example is of HIPPA policies that are placed at work. These are policies that are explained to us prior to starting employment in a hospital. The policies are extensive, yet the bottom line is that we are not allowed to search patient information and share with outside people. If we look at patient information outside the scale of work issues, we face the risk of being terminated and fined. These are both proactive measures of control.
B. Detective Control: I consider this to be the process or discovery phase of when leadership knows when a problem exists or is occurring.
Examples:
The first example of Detective control in my everyday life would be a variety of alarms: fire alarms, house alarms, or car alarm. In these cases the issue is being detective when occurring or immediately after. If there is extensive smoke the fire alarm goes off that alerts individuals to leave the premises and proceed to a safe location. The safe thing with a car or house security alarm, it is not going to prevent a robbery from starting, yet when it does and alert goes off to scare the robber or contact the police, etc.
The second example I can think of are in my commute where I get traffic alerts on my phone. This helps me know if I need to take an alternate route to destination. Once upon a time, I used the radio in the mornings to tell me if school was cancelled or roads were shut down etc. Obviously times have changed and information is more current. At work we also have email alerts setup if many of our FTP jobs or stored procedures have failed or are currently in a down state.
C. Corrective Control: This is a reactive control of addressing an issue. This control is what leads to future Preventive or Detective controls being put in place. This is post mortem and how the stake holder react to when something unexpectedly goes wrong.
Example:
At all jobs you see a first aid kit on site. In my job, if you go into ICU rooms, you need to put on gloves and a protective gown. There may be hazardous bacteria or conditions and one may get cut, etc.; hence after going into rooms you must put on hand sanitizer, or if one is on a job and gets cut, they may need a band-aid, alcohol adhesive, or medicine.
I have an iPhone, and a corrective measure is to back it up. I do this so if I lose my phone, which I have, I can re-import the data.
Richard Flanagan says
I think your corrective control examples are more preventative. The ICU gown prevents you from getting infected. The backup prevents you from losing data. I think corrective controls in these cases would be the cleaning an ICU room gets after the patient has left and the restore process you use, after you have lost data (using the backup you created). Remember preventative can reduce the extent of the damage as well as the likelihood of the risk.
Jaspreet K. Badesha says
1. A control environment is the set of rules and guidelines that influence the corporation. This sets a level of expectation of the company and the consequences that the company will suffer if they are non-compliant. The tone for this environment is generally set from the top and passed down (which policies and guidelines to have and what the consequences should be).
Jaspreet K. Badesha says
3. The role of the board of directors in IT governance is one of leadership and influence. The main thing the board does is set a tone for the organization and how it will enforce policies, procedures, consequences, their mission for the business and IT department, etc. They will ensure that their IT needs are aligned with their business strategy. They will lead the change in their environment and enforcement of IT auditing. The board will hold the different departments underneath them accountable (such as the IT department). The board oversees the high level and what needs to be done; lower level management implements the ‘how’.
“According to the standard view, the board is a governing body that does not execute policy, but rather shapes and sets policy, supervises the actions of the CEO and corporate executives and decides on CEO succession.”
http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1925&context=amcis2006
Sachin Shah says
3. What is the role of the board of directors in IT governance?
The role of the board of directors in IT governance is to be the final say in which IT changes get passed or not. At work every week we have a Change Control meeting where the board decides what changes go into production and which get rejected. The decision is based on what is presented:
– Why is this change being done?
– What is the business impact?
– Who requested this?
– How much system down time? Which systems?
– Was this fully tested?
– Are end users aware?
– Does this change fit into other long term department initiatives?
The committee is the final say. It saves time on multiple meetings and hundreds of emails. If something is rejected there is an internal meeting with only stakeholders and the governance committee. This leads to fewer people being involved, yet the important decision makers understand that something is being missed and that needs to be addressed prior to approval.
Richard Flanagan says
Sachin,
What do you mean by IT changes? The board would not be involved in any but the very biggest IT decisions. In my company an example was the choice to spend $260 MM on SAP but otherwise they were almost never directly involved.
Jaspreet K. Badesha says
Three types of controls are Administrative, Technical and Physical controls. Administrative controls basically govern the overall controls for information security through policy, regulations and guidelines. Administrative controls set the tone and the regulations, guidelines and policies on using the other 2 types of controls. Without having administrative controls in place there would not be formal implementation of the others. Logical controls are both application and technical controls such as firewalls and antivirus protection. Physical controls are locks on doors, gates and security systems to prevent intruders from accessing secure areas. The most common ones we see every day are the technical and physical controls.
Sachin Shah says
5. If you’re working, have you seen examples of active IT governance in your organization?
Yes, we have a Change Control meeting once a week and no changes can be implemented prior to that meeting. The meeting is every Wednesday at 9 am. All the implementers are responsible for explaining their changes. The request must be requested by 1 pm on Tuesday with testing results, stakeholder’s request, backup plan, and any contingency/downtime plan. All of this is to be methodical, as it does not matter if it’s a big company or “small shop”; ALL changes need to be accounted for and approved.
Richard Flanagan says
Sachin,
Change management is one of the five most important controls in IT (my opinion) but it is still on the “Done Right” side of IT governance. For the next several weeks we are focused on the “Right Things” side of IT governance. Look for examples of this. They will be at the higher levels of the organization, perhaps only the CIO would be involved from IT. Think who approves the budget and selects the projects?
Sachin Shah says
1. In your own words, how would you define a control environment?
I think a control environment encompasses two key things: accountability and enforcement. In any IT company there are ad hoc requests, and then there are some requests that have department- or business-wide impact. These large changes need to be accounted for and must follow a set of processes from initial request to implementation. The enforcement is that if these processes are not followed there will be consequences and employee punishment. That fear is the basis of control and making it mandatory to follow these processes. Without executive or leadership backing, things such as standard requests or projects would be just “winged”. There needs to be an intake process, explanation, management notification, testing, and approval. All of these things are parts of a true “control” environment.
Ivy M. McCottry says
The DentDel Case
1. What processes were ineffective and allowed this situation to occur?
EDM01: IT efforts and business strategy were not aligned. Project stakeholders excluded executive management from the decision making. IT service delivery was not in line with business requirements. Project stakeholders pursued IT service delivery after a business case review at one level though the project value and impact to service delivery overall warranted the involvement of executive management.
EDM02: The project didn’t align with business strategy. It seemed to be the result of people thinking something would be nice or convenient and running after it (ex. using the Pear P-Phone because Cedric currently used the device). The intent for improving workflow for the salesforce was good. However, the methodology of giving salesforce workflow improvement was costly. Project costs were not transparent at the highest levels and the appropriate subject matter expertise wasn’t fully available or engaged in the project. In my opinion, a cost exceeding $20,000 should require more than one level of review if $20,000 is an unusual number for a business unit cost. Additionally, the relevance of the desired new platform was too great for the company as a whole for executive management to not be involved. It was critical to the direction of the company’s business model. It was going to totally change product channels, key activities, key resources, and finance (revenue and costs).
EDM03: Consideration of how the project write-off would affect shareholders materialized only after damage was done. Shareholder interests would have been in the conversation earlier with the involvement of executive management because of necessary transparency about project costs.
EDM04: As previously noted, project stakeholders did not have appropriate resources in terms of subject matter expertise fully engaged in the project.
EDM05: No one really set expectations for the project because high level decision makers weren’t involved and accountability wasn’t inherent.
2. Where could stronger IT governance have helped DentDel avoid this situation?
EDM01: DentDel needs stronger governance policies for stewarding IT projects. This looks like briefings to executive management about IT projects and involvement of executive management in IT projects for projects that have a certain level of impact to the business model and service delivery and/or projects that reach a certain dollar value.
EDM02: DentDel went from portable fax machines to a complete platform development project to help salesforce activities. Where’s the cost benefit analysis for different technology options? I don’t know if we can assume it was in the business case, but we know that it’s needed. We also know that the company needs visibility into IT project costs and overall strategy. It’s one thing to have a technology refresh; it’s another to implement a complete overhaul, and that is where alignment with business strategy is essential.
EDM04: The resource issue here was money. $20MM is not a drop in the bucket. IT agility is a goal for EDM04. I wonder if off-the-shelf software or SaaS could have been used with customization to lower costs and provide agility. I would ask, “What drives the need to build the platform and what degree of customization is needed”?
EDM05: IT needs some level of reporting to stakeholders beyond project-level stakeholders. Whether a large project is underway or not, there is still value in knowing that IT activities are doing what’s needed and appropriate for supporting business as usual and anything outside of that.
Folake Stella Alabede says
Wow Ivy, thanks so much for that breakdown.
I’ve been trying to really read up and understand the EDM process since I saw the no. 4 question for this week, and your breakdown of the DentDel case using the EDM has given me a perfect understanding.
Thanks for the detailed explanation
Folake Stella Alabede says
Hmnnn, ok, so I’m reading this over and I just wanted to ask Ivy, is this like a standard EDM process? Thanks
Ivy M. McCottry says
Stella- thank you for the feedback. To my knowledge, this is not a standard process. Since COBIT is new to me, I used the EDM information to assess what went well and what did not go well in the DentDel situation.
Folake Stella Alabede says
The DentDel Case
1. What processes were ineffective and allowed this situation to occur.
The following are the processes that led to the ineffectiveness and allowed the situation to occur:
a) A lack of board oversight for IT activities
(or to better phrase it, since the case says “it was decided that Sarah, Cedric and Chuck would oversee the project as an ad hoc committee”, a lack of policies and procedures for employees to follow; how can these 3 people just set up an ad hoc committee and make decisions involving millions of dollars???)
b) The decision to use a Pear P-Phone as the platform for the application was based on the personal preference of Cedric James, as no analysis was carried out.
c) There was no project management plan constituted.
The case stated that “Because of the desire to implement the project development quickly, the project was not presented to the executive committee”
d) The Sales team was not carried along in the project (they were the ones doing the sales; I feel they would have been able to meaningfully contribute to the project)
e) The company lacked a proper IT governance structure, thus there was no defined process/policy on how an IT project should be handled.
f) The company board was not carried along for a project that might have a regulatory implication and also affect the shareholders.
g) The Audit/Compliance units were not carried along.
h) No risk or market analysis was carried out.
2. Where could stronger IT governance have helped DentDel avoid this situation?
IT governance would have helped DentDel avoid this situation at the conception stage as IT governance would have considered the IT strategy as well as the Business strategy.
When it comes to IT governance, one of the areas board members should oversee is:
• Business-IT strategic alignment – The level to which the goals and objectives outlined in the business strategy are addressed within IT strategy;
A lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would.
IT governance exists so that enterprise leaders can ensure that IT is successfully supporting the organization’s goals and mission. Such governance also helps to provide guidance and tools to boards of directors, executive managers, and CIOs to ensure that IT is appropriately aligned with corporate goals and policies and that IT meets and exceeds the expectations of the organization.
Alexander B Olubajo says
The DentDel Case
1. What processes were ineffective and allowed this situation to occur.
I don’t even think they had processes to begin with, and if they did they weren’t well defined. The first thing I was able to identify that allowed this situation to occur was that Cedric solely decided on the platform that the company would use to build their new order entry system. There was no evident process put in place to determine why switching to the Pear P-Phone is the best option for the sales team.
A process that was ineffective was how the so-called committee was put together and how they communicated. There was no clear structure that determined the qualifications required in order to be part of the project team. It seemed like Cedric just gathered players he felt/knew would be needed to see the project approved. They barely met collectively as a group to discuss the project. There was no one to oversee the general progress of the project, and some of them just did what they felt was right for the project without consulting other members. To sum this all up, there was very poor project management.
The fact that the project wasn’t presented to the executive committee, which comprises the CEO, COO, CFO, and general counsel, is another reason this situation was allowed to occur. It clearly shows that there isn’t any form of governance in place within the company and no control processes. With this type of culture within the company, individual departments will feel they can do whatever they want since there is no form of accountability in DentDel.