#L09 – Without Which None: Key Data Points for IT Governance Metrics
Jennifer Bayuk, CISA, CISM, CGEIT
Independent Information Security Consultant www.bayuk.com
Session Content
1. How to compartmentalize complex IT infrastructures in order to label them
2. Application component labeling
3. Index-sharing requirements for commonly used metrics
4. Simple and effective ways to efficiently collect data on IT-related initiatives
5. How to align risk assessment activities with accountability for IT project and service
IT Architecture Components
• Application components
• Component to software mapping
• Component to hardware mapping
• Virtual machines
Application components
[Diagram: application components arranged in layers]
• APPLICATION: Web Services, Web 2.0 / Desktop GUI, Authentication, Message Bus
• CODE BASE / REUSABLE SOFTWARE: Data Services, Database
• CONTAINER COMPONENTS: Web Server, Load Balancer, Monitoring
• INFRASTRUCTURE COMPONENTS: Network, Operating System
Component to software mapping
[Diagram: the Web Services component mapped to the software that implements it]
• Authentication Interface
• Message Bus Interface
• Database Interface
• Web Server Config
Component to hardware mapping
[Diagram: six servers (Server 1 to Server 6) hosting the components Auth Services, Message Bus, Database Management System, Web Server, Web Service GUI, Compute Module, Load Balancer, Monitor and Network, with the Auth Interface, Message Bus Interface and Database Interface components placed on the servers that call those services]
Virtual machines
[Diagram: Web Services and Auth Services each running on their own operating system inside a virtual device, which in turn runs on the operating system of the virtual device; an Admin Console and the Virtual OS Config Utilities are marked as points of administration]
Potential Data Sources
• Enterprise Management System
• Configuration Management Database
Potential data source on components architecture
• Enterprise Management System
  – OS and infrastructure focused
  – IP centric asset inventory
  – Requires coordinated data entry or feeds to align with business process
  – Typically SNMP based; may be client-server based
Potential data source on components architecture
• Configuration Management Database
  – Operations focused
  – Provides relationships between configuration items
  – Requires coordinated data entry or feeds to align with asset inventory and/or business process
  – Typically used to support operations and service desk
[Figure: sample configuration items (CPU, DISK, PROCESS, identified as X231, HXL2Z, GZETS) alongside sample requirements from an application's specification:]
1. The system shall provide an administrator with the capability to monitor the state of availability of critical system resources (e.g., overflow indication, lost messages, and buffer queues).
2. The system shall prevent buffer overflow conditions that allow for unauthorized access.
3. For software and data created or modified in the system, the system shall provide an administrator with the capability to retrieve the user-ID along with the date and time associated with that creation or modification.
Potential data source on components architecture
• Application Inventory
  – Development focused
  – Provides accountability for maintenance of software
  – Requires coordinated data entry or feeds to align with asset inventory
Data Source Consolidation
[Diagram: the Enterprise Management System (ASSET data), the Configuration Management Database (COMPONENT data) and the Application Inventory (APPLICATION data) feed a consolidated COMPONENT UNIVERSE, from which METRICS are derived]
Metrics How-to:
• Start with known data on environment
• Quantify or otherwise represent unknowns
• Link control-relevant data to known data
• Anticipate decision requirements
Known Indexes for consolidation
1. Application Index or Acronym
2. Vendor Software Release Identifier
3. Network IP Address
Identify Gaps
1. Application Index or Acronyms
• e.g.: without associated equipment
2. Vendor Software Release Identifier
• e.g.: not associated with any application
3. Network IP Address
• e.g.: with no equipment serial numbers
4. Equipment Serial Number
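The gap checks above are outer joins across the three sources on the shared indexes (application acronym, vendor software release identifier, network IP address, equipment serial number). The script below is an added illustration, not code from the presentation: it consolidates constructed sample records from an application inventory, a CMDB and an enterprise management system, reports each of the four gaps, and produces the per-LOB count of hardware that cannot be tied to any application (the Strategic Alignment view). The record layouts, field names, sample identifiers and the rule that an asset with no serial number counts as unassociated are all assumptions made for the example.

```python
"""Consolidate three IT data sources on shared indexes and report gaps.
Added illustration for the slides; record layouts and values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class App:            # Application Inventory row (development focused)
    acronym: str
    lob: str
    release_ids: frozenset = frozenset()   # vendor releases the app depends on


@dataclass(frozen=True)
class ConfigItem:     # CMDB row (operations focused)
    release_id: str   # vendor software release identifier
    serial: str       # equipment serial number the software runs on
    app: Optional[str] = None   # application acronym, None when not recorded


@dataclass(frozen=True)
class Asset:          # Enterprise Management System row (IP centric)
    ip: str
    serial: Optional[str]
    owner_lob: str


# Constructed sample data (assumptions, not real inventory).
APPS = [
    App("TRD", "LOB1", frozenset({"ORA-11g"})),
    App("CRM", "LOB2", frozenset({"MSSQL-2005", "APACHE-2.2"})),
    App("HRX", "LOB1"),                       # no software or hardware recorded
]
CMDB = [
    ConfigItem("ORA-11g", "SN-001", "TRD"),
    ConfigItem("MSSQL-2005", "SN-002", "CRM"),
    ConfigItem("APACHE-2.2", "SN-003"),       # app link only via App.release_ids
    ConfigItem("FOXPRO-2.6", "SN-004"),       # nobody claims this release
    ConfigItem("SYB-12", "SN-005", "TRD"),    # serial unknown to the EMS
]
EMS = [
    Asset("10.0.0.1", "SN-001", "LOB1"),
    Asset("10.0.0.2", "SN-002", "LOB2"),
    Asset("10.0.0.3", "SN-003", "LOB2"),
    Asset("10.0.0.4", "SN-004", "LOB1"),
    Asset("10.0.0.9", None, "LOB1"),          # IP with no serial number
]


def release_to_apps(apps, cmdb):
    """Vendor release id -> applications it is associated with, using either
    the application inventory's dependency list or the CMDB's app field."""
    known = {a.acronym for a in apps}
    mapping = {}
    for a in apps:
        for rel in a.release_ids:
            mapping.setdefault(rel, set()).add(a.acronym)
    for ci in cmdb:
        mapping.setdefault(ci.release_id, set())
        if ci.app in known:               # ignore acronyms the inventory lacks
            mapping[ci.release_id].add(ci.app)
    return mapping


def serial_to_apps(apps, cmdb):
    """Equipment serial -> applications served by the software on it."""
    r2a = release_to_apps(apps, cmdb)
    mapping = {}
    for ci in cmdb:
        mapping.setdefault(ci.serial, set()).update(r2a[ci.release_id])
    return mapping


def find_gaps(apps, cmdb, ems):
    """The four gap categories from the 'Identify Gaps' slide."""
    r2a = release_to_apps(apps, cmdb)
    s2a = serial_to_apps(apps, cmdb)
    apps_with_equipment = set().union(*s2a.values())
    cmdb_serials = {ci.serial for ci in cmdb}
    ems_serials = {x.serial for x in ems if x.serial}
    return {
        "apps_without_equipment": {a.acronym for a in apps} - apps_with_equipment,
        "releases_without_app": {rel for rel, owners in r2a.items() if not owners},
        "ips_without_serial": {x.ip for x in ems if not x.serial},
        "serials_in_one_source_only": cmdb_serials ^ ems_serials,
    }


def unassociated_assets_by_lob(apps, cmdb, ems):
    """Strategic Alignment view: per owning LOB, EMS assets that cannot be
    tied to any application (no serial, or software that serves no app)."""
    s2a = serial_to_apps(apps, cmdb)
    counts = {x.owner_lob: 0 for x in ems}
    for x in ems:
        if not s2a.get(x.serial):
            counts[x.owner_lob] += 1
    return counts


if __name__ == "__main__":
    for name, members in find_gaps(APPS, CMDB, EMS).items():
        print(f"{name}: {sorted(members)}")
    print("unassociated hardware by LOB:", unassociated_assets_by_lob(APPS, CMDB, EMS))
```

The symmetric difference on serial numbers is the check the slide leaves without an example; it flags equipment that only one of the two operational sources knows about, which is where a manually maintained CMDB and an SNMP-discovered asset list usually disagree.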
Potential control-related extensions
1. Security Software Configuration
2. Change Authorization Correlation
3. Security Review or Audit Scope
4. Information Classification
5. Outsourcing Arrangements
6. Application Impact
7. Business Recovery Objectives
8. System Development Projects
Potential accountability extensions
1. Line of Business
2. Development Team Acronym
3. IT Manager Realm of Responsibility
4. Support Escalation Chain
Link Indexes for Control and Accountability to Management Strategies
– Risk Assessment Reports
– Role and Responsibility Assignments
– Business Recovery Test Plans
– Outsourcing Statements of Work
Link Indexes
[Diagram, from the Data Source Consolidation slide: the Enterprise Management System (ASSET data), the Configuration Management Database (COMPONENT data) and the Application Inventory (APPLICATION data) feeding the COMPONENT UNIVERSE]
Common indexes cannot be expected to exist across different realms and different management domains.
Expectations for linkage must be articulated.
[Diagram: each APPLICATION and COMPONENT record linked to control attributes (BCP data, impact, Security Review Database) and accountability attributes (IT manager, support team, Identity Management Database)]
Example: Strategic Alignment
[Chart, by line of business (LOB1, LOB2): hardware owned by LOB personnel not associated with any application, and vendor-provided software charged to the LOB not associated with any application]
Example: Risk Management
[Chart: percentage of applications by recovery type for LOB1, LOB2 and LOB3; "Customer Service Only" is one of the recovery types shown]
Example: Value Delivery
[Chart: Application Satisfaction Index by line of business (LOB1, LOB2, LOB3), plotted on a 0 to 100% scale; bar labels shown: 100%, 25%, 75%, 92%]
Business Leader Survey 2008
This is the list of applications that IT supports for your business unit. For each application, please rate each statement T or F:
1. The application provides value to my business.
2. The application budget is worth the product delivered.
3. Application functionality meets expectations.
4. Support for the application is adequate for user needs.
Survey Analysis Creates Index
Example: Resource Management
[Chart: Component Reuse. Each bar represents the number of applications that require a component of the designated type, on a 0 to 100% scale. Component types shown: Web Server (Apache, In-House Developed), DBMS (Oracle, Sybase, MS-SQL, FoxPro, Progress, Access, Informix), Custom API 1 to Custom API 4, Log Utility]
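The reuse chart is a count, per component type, of the applications that depend on at least one component of that type. The script below is an added illustration, not code from the presentation: from a constructed application-to-component inventory it computes that count, the same figure as a share of all inventoried applications (the chart's percentage axis), and the breakdown by product within one type, which is what tells you how many applications a single patch or outage of that product would touch. The application names and component assignments are assumptions made for the example.

```python
"""Component reuse metrics from an application inventory.
Added illustration for the slides; the inventory below is constructed."""
from collections import defaultdict

# Constructed inventory: application -> set of (component type, product).
APP_COMPONENTS = {
    "TRD": {("DBMS", "Oracle"), ("Web Server", "Apache"),
            ("Custom API", "Custom API 1"), ("Log Utility", "Log Utility")},
    "CRM": {("DBMS", "MS-SQL"), ("Web Server", "Apache"),
            ("Custom API", "Custom API 1"), ("Log Utility", "Log Utility")},
    "HRX": {("DBMS", "FoxPro"), ("Web Server", "In-House Developed"),
            ("Log Utility", "Log Utility")},
    "PAY": {("DBMS", "Oracle"), ("DBMS", "Sybase"),
            ("Custom API", "Custom API 2"), ("Log Utility", "Log Utility")},
}


def reuse_by_type(app_components):
    """Component type -> number of applications requiring that type.
    An application is counted once per type however many products it uses."""
    apps_per_type = defaultdict(set)
    for app, comps in app_components.items():
        for ctype, _product in comps:
            apps_per_type[ctype].add(app)
    return {ctype: len(apps) for ctype, apps in apps_per_type.items()}


def reuse_share(app_components):
    """The same metric as a whole-number percentage of all applications."""
    total = len(app_components)
    return {ctype: round(100 * n / total)
            for ctype, n in reuse_by_type(app_components).items()}


def reuse_by_product(app_components, ctype):
    """Within one component type, applications served by each product,
    largest first: the top entry is the highest-impact single dependency."""
    apps_per_product = defaultdict(set)
    for app, comps in app_components.items():
        for t, product in comps:
            if t == ctype:
                apps_per_product[product].add(app)
    ranked = sorted(((p, len(a)) for p, a in apps_per_product.items()),
                    key=lambda kv: -kv[1])
    return dict(ranked)


if __name__ == "__main__":
    print("applications per component type:", reuse_by_type(APP_COMPONENTS))
    print("share of applications:", reuse_share(APP_COMPONENTS))
    print("DBMS products ranked by reuse:", reuse_by_product(APP_COMPONENTS, "DBMS"))
```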
Example: Performance Measurement
Summary
Manage holistically by incorporating architecture, metrics, and risk into one conceptual framework.
For More Information:
Jennifer Bayuk, CISA, CISM, CGEIT
Independent Information Security Consultant www.bayuk.com