ITSM Governance
Housekeeping
•
Welcome to the Webinar
–
Use the control panel to ask
questions
–
Can you see & hear us?
•
enter your name & city to confirm
About your Sponsors
We are a non-profit organization dedicated to
promoting IT industry best practices and IT Service
Management for the IT Service Management
community across the Greater Toronto Region (GTR).
Since 1999 Navvia has been helping organizations of
all sizes implement robust ITSM process and tools
through:
•
ITSM Consulting
•
ITSM Education
What is governance?
Governance is the application of consistent
management, cohesive policies, guidance, processes
and decision-rights for a given area of responsibility.
So Why ITSM Governance?
Outsourcing
Security
Regulatory
Issues
Cloud
Computing
Mobility
(BYOD)
Governance frameworks
•
ITIL
–
Provides guidance on the
processes
•
COBIT
–
Widely accepted by the IT
audit community
–
Defines controls, processes
and audit tests (evidence)
•
ISO20000
–
Defines a standard for a
Service Management System
Our experience shows that the
best approach is to use a
combination of frameworks for
ITSM governance roles
•
Prescriptive
role assigns
authority and accountability
•
Audit
role reports on
compliance to process
owners, executives and
directors
•
Coordination
role assigns and
coordinates the governance
tasks
•
Monitor
role tracks
governance reporting for the
audit role
•
User/Provider
roles execute
the governance tasks
An ITSM “Program Office” or “Governance
Board” is the ideal place to center your
An ITSM governance approach
EVIDENCE
TASKS
CONTROLS
PROCESS
CHANGE MANAGEMENT AI6.1 STANDARDS & PROCEDURES AI6.2 ASSESSMENT & AUTHORIZATION AI6.3 EMERGENCY CHANGES Task 1Provide Evidence of Change Mgmt. System
Emergency Change Categories
Emergency Change Reports
Task 2
Provide Evidence of Emergency Change Handling Documented Emergency Procedures Review of Emergency Changes AI6.4 TRACKING AND REPORTING AI6.5 CHANGE CLOSURE & DOC
ITSM governance & service delivery
Actual Service Levels
Desired Service Levels
Ungoverned processes “wear down” over time
The result is service variability versus consistency
Achieving ITSM governance
•
Define your processes
•
Identify the Control Objectives
•
Assign Accountability for Control
Objectives
•
Require evidence of compliance
•
Measure and report on process
compliance
•
Understand roles and responsibilities as
The Service Management Office
Service Management Office
SME
Communications
Metrics
Design
CSI / SIP
Are governance
requirements different for
Cloud Computing?
Governing a cloud application
Requirement Comment
Data Classification Is the Data being stored public, internal, confidential, restricted or highly restricted? Physical Security Does the vendor meet all security standards for datacenter access?
Authentication What are the policies and technology are in place to limit access to data to right people? Authorization Who at the vendor site is authorized to access the data, what controls are in place? Audit Logging What security logs are maintained by the vendor / what is logged by the system?
Confidentiality What policies / technology exist to ensure company data is kept confidential – is Payment Card (PCI) or Personally Identifiable Information (PII) stored in the cloud application?
Virus Protection What policies and technologies are in place to ensure the data remains virus free?
Security Config Has the vendors infrastructure been configured to ensure against vulnerabilities – is it audited? Patch Mgmt. What policies / technology is in place to ensure critical updates are applied in a timely manner? Physical Config. How is our data segregated from the vendors other clients?
Governing a cloud application
Requirement Comment
Disaster Recovery What policies and technology are in place to address a disaster and support resumption of service (failover, backups, offsite storage, backup facilities…)
Human Resource Security
What policies and practices are in place to ensure the vendors personnel are a)trained in security practices and b) have been adequately screened (background checks)
Compliance What audit protocols / practices does the vendor have in place to ensure compliance to their internal policies and processes Software Config
Mgmt.
What policies, practices and technologies exist to ensure the vendor has adequate control over their source code libraries and that there is a separation of duties between development and production
Insurance / Risk What levels of coverage does the vendor have to protect from Identity Theft, Cyber-‐Extortion, Cyber-‐Terrorism, Information Asset Network Security, Web Content, Errors and Omissions, Network Business Interruption
Financial Risk Is the cloud vendor viable? What protections exist if they were to become in solvent? Communications What policies and practices are in place by the vendor to communicate security incidents?
Data Retention How long does the vendor retain the data, how is it protected, how can the data be extracted from the cloud application if the contract is terminated