IT Manager's Handbook: Getting Your New Job Done (58 page)

Maintaining evidence might be considered a polite euphemism for the popular CYA acronym. However, in truth, the evidence proves to anyone who might ask (regulators, Legal, auditors, etc.) that you're actually operating by the established policies. Maintaining evidence is essentially good record keeping and is a good habit for all to have, especially in the business world. Also, record keeping just might get people in the habit of doing more careful documentation.

8.9 Methodologies and Frameworks

In light of all the activity surrounding compliance, you should be aware of a number of methodologies, frameworks, and processes developed by third parties. Although these weren't designed specifically for compliance activities, many organizations have adopted them to help provide increased structure to monitor and maintain their compliance activities. Oftentimes, these methodologies, processes, and frameworks are adopted and incorporated into all projects and activities by your organization's Project Management Office.

IT Governance

IT governance is a framework to help ensure that IT's strategies are aligned with those of the business, that they are delivering value and addressing stakeholder's needs, etc. A proper framework for IT governance can identify how IT is functioning overall and how well IT is returning on the business's investment in IT. As IT spending and the department itself continue to grow, many organizations have implemented a governance framework as an effective way ensuring that IT hasn't become (or doesn't become) a large sinkhole for resources. This is done at the behest of upper management, who often feel that they don't have sufficient knowledge or insight into IT to judge its overall effectiveness, value, efficiency, and so on.

Senior IT management may also use a governance framework to help decide which projects should move forward, receive investment and resources, and which projects or functions should be cut back or canceled.

The IT Governance Institute (
www.itgi.org
) defines five IT governance domains:

•
Strategic alignment.
To ensure that an organization's IT investments are aligned with the organization's strategic goals and will deliver business value.

•
Value delivery.
For optimizing expenses to ensure delivery on time and on budget and of appropriate quality.

•
Risk management.
To ensure the safeguard of IT assets: security, controls, disaster recovery, confidentiality, privacy, vulnerabilities, etc.

•
Resource management.
Ensuring the optimal investment, use, and allocation of IT resources (people, applications, technology, facilities, data).

•
Performance measurement.
Tracking project progress and delivery and monitoring IT services.

Because it covers so many perspectives, different organizations may emphasize different aspects. For example, in some organizations, the governance oversight may be involved primarily with project management. In others, it may primarily be about compliance activities.

Committee of Sponsoring Organizations (COSO)

From its own website,
COSO
“is dedicated to guiding executive management and governance entities toward the establishment of more effective, efficient, and ethical business operations …”

COSO has developed a framework to help organizations evaluate and improve their risk management. The COSO framework for internal controls has several components:

•
Internal environment

•
Objective setting

•
Event identification

•
Risk assessment

•
Risk response

•
Control activities

•
Information and communication

•
Monitoring

The COSO framework has been adopted by thousands of organizations to help address their compliance activities.

Control Objectives for Information and Related Technology (
COBIT
)

COBIT was developed by the Information Systems Audit and Control Association and the IT Governance Institute and is essentially a set of documents that provide guidance for computer security. Much of COBIT is available at no cost.

COBIT breaks down the control structure into four major areas:

•
Planning and organization

•
Acquisition and implementation

•
Delivery and support

•
Monitoring

These are then broken down even further into 34 subcategories.

IT Infrastructure Library (ITIL)

ITIL
is published by the Office of Government Commerce in Great Britain. It focuses on IT services and is often used to complement the COBIT framework. In 2008, DimensionData reported the results of a survey showing that 60 percent of U.S. CIOs and 66 percent of organizations outside the United States are working with ITIL.

ITIL consists of six sets:

1.
Service support

2.
Service delivery

3.
Planning to implement service management

4.
ICT (Information and Communication Technology) infrastructure management

5.
Applications management

6.
The business perspective

Within these, a number of very specific disciplines are described.

Although ITIL was originally created by a UK government agency, it's now being adopted and used around the world for best practices in the provision of IT service. The main focus of ITIL is IT service management. While not designed specifically for compliance, the ITIL is often mentioned in the same sentences as COBIT and COSO.

Capability Maturity Model Integration (CMMI)

CMMI is a framework for process improvement, developed at Carnegie Mellon University's Software Engineering Institute. CMMI is designed to achieve process improvement across a project, a department, or a whole organization. CMMI can help bring together functions that are often done separately, set goals and priorities, and be a mechanism for appraising current processes.

The CMMI is probably best known for its five maturity levels:

1.
Initial

2.
Managed

3.
Defined

4.
Quantitatively managed

5.
Optimizing

Each level represents the next step toward full process maturity and is characterized by several of the 25 defined “process areas.” Organizations can have their maturity level determined by using a
Standard CMMI Appraisal Method for Process Improvement
(
SCAMPI
) appraiser. CMMI appraisal results at the higher levels are coveted by many organizations and are a point of pride. Many organizations will do press releases after getting a particularly good appraisal result.

International Organization for Standards (ISO 9000)

The International Organization for Standards (known globally as “ISO”) is the world's largest developer of standards. ISO standards address everything from standardization of paper sizes, credit card sizes, public information signs, performance and safety, technology connections and interfaces, etc. ISO isn't a government organization; it's essentially a network of standards organizations from over 100 countries. ISO standards are voluntary; however, they often become requirements dictated by the marketplace.

The ISO 9000 standard, originally developed in 1987 and revised every few years since, provides a framework for quality management throughout the processes of producing and delivering products and services. ISO 9000 really consists of the following three components:

•
ISO 9000 Quality management systems.
Fundamentals and vocabulary.

•
ISO 9001 Quality management systems.
Requirements.

•
ISO 9004 Quality management systems.
Guidelines for performance improvements.

ISO 9000 has five main sections:

1.
Quality management system.
Covers ensuring that an organization has established what its processes are, how they interact with each other, what resources are required, and how processes are measured and improved.

2.
Management responsibility.
It is management's responsibility to set policies, objectives, and review the systems, as well as communication to the organization about processes.

3.
Resource management.
Covers a wide range of specific resources, including human resources (such as numbers of competent workers, training, etc.), infrastructure, suppliers and partners, financial resources, and the work environment.

4.
Product realization.
Covers the processes that are needed to provide the product/service.

5.
Measurement analysis and improvement.
Collecting metrics about the products, customer satisfaction, and the management systems and ensuring continual improvement.

The continuous improvement cycle of ISO 9000 can be summed up with the popular acronym of PDCA—Plan, Do, Check, Act.
PDCA
was originally developed by Walter Shewhart in the 1930s and is sometimes called the “Shewhart Cycle.” It was popularized by W. Edwards Deming, and some have come to refer to it as the “Deming Wheel.”

Six Sigma

Six Sigma was originally developed as a process for measuring defects in manufacturing and as a way to work toward the elimination of those defects. Since its original incarnation for manufacturing, it has been adopted by many organizations across a wide range of industries.

At the core of Six Sigma are two methodologies:

1.
The
DMAIC
methodology has five phases and is for the refinement of existing processes:

•
Define
the project goals and customer (internal and external) deliverables.

•
Measure
the process to determine current performance.

•
Analyze
and determine the root cause(s) of the defects.

•
Improve
the process by eliminating defects.

•
Control
future process performance.

2.
The
DMADV
methodology also has five phases and is for the creation of new processes:

•
Define
the project goals and customer (internal and external) deliverables.

•
Measure
and determine customer needs and specifications.

•
Analyze
the process options to meet customer needs.

•
Design
(detailed) the process to meet customer needs.

•
Verify
the design performance and ability to meet customer needs.

The Six Sigma methodology also has roles and certifications that go by names such as Green Belt, Black Belt, Master Black Belt, and Champion.

8.10 It's Not Just Regulatory Compliance

While this chapter provides a taste of the world of IT compliance, as required by various pieces of legislation, there are other compliance activities outside of enacted statutes.

Electronic Discovery

Frequently, IT departments are involved in many of the lawsuits that are brought against an organization. It's becoming more and more common for lawsuits to require a search for e-mail, documents, and system logs.

•
Class action lawsuits against a company (perhaps by investors or customers)

•
Disgruntled employees (often claiming wrongful termination) may bring action against an organization

•
Allegations by current employees of discrimination or harassment

•
Invasion of privacy concerns (e.g., one employee claiming that another has had unauthorized access to the first employee's documents and e-mails)

•
Lawsuits brought by partners, suppliers, customers, vendors, etc.

IT has found itself working with increasing frequency with the company's Legal department to provide information about IT operations (e.g., e-mail archiving policy, availability of backup tapes, responses to subpoenas). As such, it's becoming increasingly common for IT to review policies and procedures with in-house lawyers before considering them approved.

Information and Records Retention

Usually, the Legal department defines how long different type of business records must be retained. It is important to remember that is up to the user and business owners of those files and records to hold on to them, and then delete them when appropriate. While IT is essentially the custodian of those files and can assist with implementing procedures to comply with retention requirements, it is not up to IT to determine when files can be deleted. However, IT (with input from legal and the business departments) can set policies on the retention of backup tapes, which should not be used as an archival mechanism. Remember, backups are just copies of the files.

Working with Auditors

It's usually not sufficient for IT to simply establish their own procedures to meet regulatory compliance. Very often, they need to prove their compliance to external auditors as well as internal auditors. The discussion earlier in the chapter about maintaining evidence (section
“Hidden Benefits of Maintaining Evidence”
on
page 238
) goes a long way to help you prove that you're doing what you're claiming.