Disclaimer
ISACA has designed and created the KS Solutions Caselet : Using COBIT® 5 (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org
© 2014 ISACA. All rights reserved.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/basic-concepts-caselets
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgements
Author
Krishna Seeburn, Ph.D., CFE, CIA, CISSP, FBCS, LLM, PMP, Riesling Consulting Group, Mauritius
Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director
Credentialing and Career Management Board
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Chairman
Bernard Battistin, CISA, CMA, Office of the Auditor General of Canada, Canada
Richard Brisebois, CISA, CGA, Canada
Terry Chrisman, CGEIT, CRISC, GE Money, USA
Erik Friebolin, CISA, CISM, CRISC, CISSP, PCI-QSA, ITIL, USA
Frank Nielsen, CISA, CGEIT, CCSA, CIA, Nordea, Denmark
Hitoshi Ota, CISA, CISM, CGEIT, CRISC, CIA, Mizuho Corporate Bank, Japan
Carmen Ozores Fernandes, CISA, CRISC, Brazil
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA
Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA, Chairman
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LLC, USA
Alisdair McKenzie, CISA, CISSP, ITCP, I S Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium
Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA
Todd Weinman, CPS, The Weinman Group, USA
Academic Program Subcommittee
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan
Student Book
This caselet was developed to support the Basic Foundational Concepts Student Book: Using COBIT® 5, www.isaca.org/basic-concepts-student-book
What are frameworks and policies?
A framework defines the way you can create and use something. It can consist of industry standard policies, guidelines, good practices, procedures and processes. Frameworks and policies are important because they provide enterprises with a definition of how they need to conduct business and how to run the enterprise in a more functional way. Frameworks and policies provide industry standard good practices and a blueprint of ways to work.
How do they benefit an enterprise?
Enterprises become more functional, effective and profitable through the use of frameworks and policies because these provide effective ways to control expenses, streamline repeat processes, implement enterprise infrastructure, develop software, manage assets, etc.
How do they benefit employees?
As an employee, frameworks and policies provide you with a baseline to do your job; they help you to formalise a structure within an enterprise and help you work in a more focused and organised way. They are less prone to uncertainty, ensure a better working environment, and help both you and the enterprise succeed.
Agenda
• KS Solutions – Profile
• Background Information
• The Problems
• Your Role
• Your Tasks
• Discussion Questions
KS Solutions – Profile
Founded in 2000, the mission of KS Solutions is to provide robust, elegant and cost-effective software systems.
Worldwide, more than 1,000 higher education institutions in 60 countries run on its administrative systems.
Hundreds of other non-profits, community service and health care organisations, and other businesses rely on Campus Management to manage their most mission-critical transactions; dynamic relationships; and the complexities of learning, finance, research and regulation.
Background – What We Do
(Background sections: What We Do, Org. Structure, Marketing, Industry, Financials, Vision/Values, Investments)
• We are primarily a software development company with focus on higher education administrative systems, non-profit, community service and health care organisations.
• We provide key administrative software solutions and services with a focus on management of mission-critical transactions; dynamic relationships; and the complexities of learning, finance, research and regulation.
• Our operational offices are located in the UK, USA, India and Brazil.
Background – Vision/Values
Vision on Education
• We foresaw the converging needs of institutions serving traditional and non-traditional students in a global and increasingly Internet-driven society.
• Our vision is to ensure that clients achieve rapid delivery of highly integrated administrative and academic systems that are easier to maintain over the long term.
• We serve organisations across the higher education landscape—ranging from career colleges to public and private institutions, offering non-credit programmes; professional degrees and certifications; and traditional 2-year, 4-year, graduate and post-doctoral programmes.
Background – Vision/Values
Values
• Customer Focus. Innovation. Performance. Integrity. Teamwork. These qualities embody our high standards, culture of innovation, strength in diversity and ongoing commitment to clients.
• Each quarter, employees recommend and nominate colleagues who best represent these values through the KS STARS Awards Programme, which rewards the winners with substantial cash prizes, inscribed plaques and companywide recognition.
• We are quite successful externally, but internally we are very dysfunctional.
Background – Vision/Values
• Customer focus—Customers, both external and internal, are at the center of our activities and drive all that we do.
• Innovation—We constantly challenge conventional wisdom to bring about changes that create a new dimension of performance.
• Performance—We strive for excellence in everything we undertake.
• Integrity—We act with a profound sense of integrity and fairness.
• Teamwork—We create a feeling of oneness and team spirit within a work group.
Background – Investments
Investing in research and development (R&D) and strategic relationships:
• We are well known for our significant, continuous investment in research and development.
• To advance our products and introduce new solutions, we maintain a focus on the gathering of market requirements and working with clients, advisory boards and industry thought leaders, to determine our product road map and anticipate the complexities and challenges facing the industries we serve.
• We also pursue acquisitions and key partnerships that can provide clients with distinctive operational and technological advantages. Most recently, this has included the acquisition and integration of two top-rated, best-in-class solutions: KS Constituent Relationship Management (CRM) suite and KS Fundraising software.
Background – Financials
• Company Type: Private
• Revenue: US $26 Million
• Total Assets: US $62 million
• Employees: 1200 Permanent
• Number of IT personnel: 500-800
• Founded in 2000
Background – Org. Structure
The board:
• Gregorio Zantaz, Chairman and Chief Executive Officer (CEO)
• Robert Lazaro, Board Member and Chair of Audit Committee
• John Bernstein, Board Member and Chair of Finance Committee
• Vivian Carlile, Member
• John Mcdermot, Member
• Plus eight other board members who also act as the non-executive members of the board
Background – Org. Structure
The executive management team:
• Gregorio Zantaz, Chairman and CEO
• Nigel Limpkin, Senior Vice President (VP) and Chief Information Officer (CIO)
• Vicky Lane, Senior VP and Chief Financial Officer (CFO)
• Andrew Right, Senior VP
• Leonard Nimoi, Senior VP and General Field Operations
• Raj Aryan, Senior VP and Managing Director, RA Corporation Pvt. Ltd.
Background – Org. Structure
Organisation chart (reporting lines, top down):
• Chairman and CEO + Board
  • Senior Vice President and Chief Information Officer
    • VP Development
    • VP Infrastructure / IT Director
    • VP Quality Assurance
  • Senior Vice President and Chief Financial Officer
  • Senior Vice President
  • Senior Vice President and General Field Operations
    • VP Consulting and Business Development Services
    • VP Implementation and Support Services
  • Senior VP and Managing Director, RA Corporation Pvt. Ltd.
Background – Org. Structure
The board of directors:
• Consists of people with multiple expertise
• Run by the chairman, who is also the CEO
• Nevertheless, the board has an oversight committee, the audit committee, which oversees all operational and control aspects.
Management:
• Consists of two levels: a more strategic level made up of the top senior vice presidents and the C-level suite, and a more operational level made up of the vice presidents and all other operational staff under their lead.
Background – Org. Structure
Senior vice president and chief information officer:
• Overall responsibility for the development and design of software solutions; also looks after in-house quality assurance and the Software as a Service (SaaS) solution for hosted services for clients
Senior vice president and general field operations:
• Overall responsibility for business development, client support and consulting services (looks after implementation, training, etc.)
Background – Marketing
• We spend quite a varied but large proportion of our budget on marketing and business development activities.
• Our work on the corporate social responsibility front places us on the forefront of our non-profit clients or potential clients.
• Much of our other marketing comes from our work achieved with universities and case studies on the Internet to show what we can do and deliver.
• Free demos are given without much problem, because most solutions have been ported to the cloud/hosting services of KS Solutions itself.
• A diversified approach to the apps we develop and to our delivery methods gives enterprises a high level of added value.
Background – Industry
• Software and services delivery company
• The ability to innovate viable products and related services
• Obtaining competitors’ product and service ideas and proposals is a huge advantage.
• Being first to provide interesting solutions driven by client needs in all aspects of the industry gives a competitor the upper edge.
• A volatile market, because many companies compete in it, including larger ones such as SAP and Oracle.
• The solutions need to meet the required standards and ensure that high-level administrative procedures and processes are present.
• It is a challenging market to integrate into, because most universities and non-profits have different operational aspects.
The Problems
• Major compliance issues with former executive management team (replaced by new executive management team focused on transformation and re-invigorating growth)
• Lack of formalised IT policies, practices and disciplines
• Poor IT governance, reporting and inadequate business intelligence – requires a cultural change
• Poor IT customer satisfaction and unmet business needs caused business units to ramp up their own systems development functions.
• Inadequate and inappropriate IT skills, competencies and leadership
• Challenge—Drive business process to transform the business for growth and greater profitability using IT
• Self-fund (through cost-reduction programmes) IT budget growth for new initiatives and keeping the lights on
• Lack of business intelligence (multiple sources of inaccurate business information)
Your Role
Position: SVP and CIO
Tenure: You have been on this job for only six months and are still trying to accommodate yourself in the environment.
Your Manager: CEO
Your team: You have three VPs who report to you.
Experience:
• 10 years of experience as an IT director (four as a CIO)
• Four years of experience in the software development industry
Education:
• Undergraduate degree in computer science
• Several professional courses in a variety of IT, management and business-related areas
Other:
• Good understanding of governance of enterprise IT and some experience in risk
• Good overview of the Capability Maturity Model Integration (CMMI) model from the Software Engineering Institute (SEI) and a recent introduction to COBIT 5
• Passed CISA exam recently
The Approach
• New executive management team hired a new CIO who brought in a new senior leadership team in IT.
• New CIO reports to CEO and is part of the senior executive management team.
• Business processes are fragmented.
• The new CIO and reconstituted business/IT executive steering group are to develop a strategy and priorities focused on business growth, creating a performance-based culture that rewards achievement of goals, accountability and innovation, and building strong customer partnerships.
• Further, he worked on developing a transformation plan, which should be approved by the executive management team.
• IT is to be reorganised with some of the following functions: IT strategy and governance (includes PMO, PR/marketing and personnel development), application development, IT operations and infrastructure and enterprise architecture.
The New Leadership Tasks
• Work towards the development of a blueprint for an IT governance framework and process. This should help the company move towards a two-year realistic strategic plan (from a three-year plan) linked to an annual operating plan.
• With the new IT management team in place for only six months, many initiatives are in process and key results will not be clearly visible or measurable. (They are definitely going in the right direction, but the jury is still out.)
Your Tasks
1. Identify the key problems and processes that need to be reviewed.
2. Identify the application level risk areas.
3. Identify a management-oriented framework for continuous and proactive control self-assessment.
4. Identify the key metrics for enabling assessments of IT performance in business terms.
5. Identify the need for guidelines and map the system development life cycle (SDLC) for the problem identified.
6. Define factors influencing an SDLC risk.
7. Define the potential results for alignment, IT service management and delivery, programme and project management, and performance management.
8. Identify potential critical success factors.
9. Identify potential lessons learned.
Discussions
1. From the problems identified, what do you find as key issues in this enterprise and why?
   • Hint: The problems cannot be easily resolved without key analysis and willingness for change. Many problems are related to process, guidelines or even not following key standards.
2. Software development is never an easy game these days, but some major companies have been able to counter those problems. They have been able to find solutions to the problems and make software development a real, profitable business on its own. Your challenge is to propose a working strategy that would eventually bring value to your role and grow profitability.
   • Hint: Identify the key areas and processes that you think would be a fit for the problems identified.
3. Develop an approach based on frameworks and guidelines that can help put the company back on track. (You are not limited by what can be done, but you need to bear in mind that businesses do not usually have unlimited budgets.)
   • Hint: Look at COBIT 5 to proceed. (There is no right or wrong approach; everything that is carried out within an enterprise is dependent on time and urgency and, of course, budget.)
Exhibit 1 – Current Systems Development Life Cycle (SDLC) at KS Solutions
Phases and their deliverables:
• Preliminary Feasibility – Feasibility Study
• Systems Analysis – Systems Analysis Report and Project Proposal
• Systems Selection and Design – Systems Selection Report
• Systems Implementation (Responsibility of VP Implementation and Support Services) – Implementation Review; Acceptance