• No results found

ITSM Governance In the world of cloud computing

N/A
N/A
Protected

Academic year: 2021

Share "ITSM Governance In the world of cloud computing"

Copied!
29
0
0

Loading.... (view fulltext now)

Full text

(1)

ITSM Governance

(2)

Housekeeping

Welcome to the Webinar

Use the control panel to ask

questions

Can you see & hear us?

enter your name & city to confirm

(3)

About your Sponsors

We are a non-profit organization dedicated to

promoting IT industry best practices and IT Service

Management for the IT Service Management

community across the Greater Toronto Region (GTR).

Since 1999 Navvia has been helping organizations of

all sizes implement robust ITSM process and tools

through:

ITSM Consulting

ITSM Education

(4)

Welcome to the Presentation!

David Mainville

CEO / Co-founder

[email protected]

(5)
(6)
(7)
(8)
(9)

What is governance?

Governance is the application of consistent

management, cohesive policies, guidance, processes

and decision-rights for a given area of responsibility.

(10)
(11)

So Why ITSM Governance?

Outsourcing

Security

Regulatory

Issues

Cloud

Computing

Mobility

(BYOD)

(12)

Governance frameworks

ITIL

Provides guidance on the

processes

COBIT

Widely accepted by the IT

audit community

Defines controls, processes

and audit tests (evidence)

ISO20000

Defines a standard for a

Service Management System

Our experience shows that the

best approach is to use a

combination of frameworks for

(13)

ITSM governance roles

Prescriptive

role assigns

authority and accountability

Audit

role reports on

compliance to process

owners, executives and

directors

Coordination

role assigns and

coordinates the governance

tasks

Monitor

role tracks

governance reporting for the

audit role

User/Provider

roles execute

the governance tasks

An ITSM “Program Office” or “Governance

Board” is the ideal place to center your

(14)

An ITSM governance approach

EVIDENCE

TASKS

CONTROLS

PROCESS

CHANGE   MANAGEMENT AI6.1   STANDARDS  &   PROCEDURES   AI6.2 ASSESSMENT  &   AUTHORIZATION AI6.3   EMERGENCY   CHANGES Task  1

Provide  Evidence  of  Change  Mgmt.  System

Emergency   Change  Categories

Emergency   Change  Reports

Task  2

Provide  Evidence  of  Emergency  Change   Handling Documented   Emergency   Procedures Review  of   Emergency   Changes AI6.4   TRACKING  AND   REPORTING AI6.5   CHANGE  CLOSURE   &  DOC

(15)

ITSM governance & service delivery

Actual Service Levels

Desired Service Levels

—

Ungoverned processes “wear down” over time

—

The result is service variability versus consistency

(16)

Achieving ITSM governance

Define your processes

Identify the Control Objectives

Assign Accountability for Control

Objectives

Require evidence of compliance

Measure and report on process

compliance

Understand roles and responsibilities as

(17)

The Service Management Office

Service Management Office

SME

Communications

Metrics

Design

CSI / SIP

(18)

Are governance

requirements different for

Cloud Computing?

(19)
(20)
(21)
(22)

Governing a cloud application

Requirement Comment

Data  Classification Is  the  Data  being  stored  public,  internal,  confidential,  restricted  or  highly  restricted? Physical  Security Does  the  vendor  meet  all  security  standards  for  datacenter  access?

Authentication What  are  the  policies  and  technology  are  in  place  to  limit  access  to  data  to  right  people? Authorization Who  at  the  vendor  site  is  authorized  to  access  the  data,  what  controls  are  in  place? Audit  Logging What  security  logs  are  maintained  by  the  vendor  /  what  is  logged  by  the  system?

Confidentiality What  policies  /  technology  exist  to  ensure  company  data  is  kept  confidential  – is  Payment  Card  (PCI)  or  Personally   Identifiable  Information  (PII)  stored  in  the  cloud  application?

Virus  Protection What  policies  and  technologies  are  in  place  to  ensure  the  data  remains  virus  free?

Security  Config Has  the  vendors  infrastructure  been  configured  to  ensure  against  vulnerabilities  – is  it  audited? Patch  Mgmt. What  policies  /  technology  is  in  place  to  ensure  critical  updates  are  applied  in  a  timely  manner? Physical  Config. How  is  our  data  segregated   from  the  vendors  other  clients?

(23)

Governing a cloud application

Requirement Comment

Disaster  Recovery What  policies  and  technology  are  in  place  to  address  a  disaster  and  support  resumption  of  service  (failover,   backups,  offsite  storage,  backup  facilities…)

Human  Resource   Security

What  policies  and  practices  are  in  place  to  ensure  the  vendors  personnel  are   a)trained  in  security  practices  and  b)   have  been  adequately  screened   (background  checks)

Compliance What  audit  protocols  /  practices  does  the  vendor  have  in  place  to  ensure  compliance  to  their  internal  policies  and  processes Software  Config

Mgmt.

What  policies,  practices  and  technologies  exist  to  ensure  the  vendor  has  adequate  control  over  their  source  code   libraries  and  that  there  is  a  separation  of  duties  between  development  and  production

Insurance  /  Risk What  levels  of  coverage  does  the  vendor  have  to  protect  from  Identity  Theft,  Cyber-­‐Extortion,  Cyber-­‐Terrorism,   Information  Asset  Network  Security,  Web  Content,  Errors  and  Omissions,  Network  Business  Interruption

Financial  Risk Is  the  cloud  vendor  viable?    What  protections  exist  if  they  were  to  become  in  solvent? Communications What  policies  and  practices  are  in  place  by  the  vendor  to  communicate  security  incidents?

Data  Retention How  long  does  the  vendor  retain  the  data,  how  is  it  protected,  how  can  the  data  be  extracted  from  the  cloud  application  if  the  contract  is  terminated

(24)

Related reading

Defines the standard for a

Service Management

System (part 1&2)

Guidance for Service

Managers on the Use of

COBIT to support ITIL &

ISO/IEC 20000

How to use COBIT

Controls to support

ISO/IEC 20000

How to use COBIT

Controls to support ITIL

V3

http://www.itgovernance.co.uk/

http://www.isaca.org/

http://www.isaca.org/

http://www.isaca.org/

ISO/IEC 20000

COBIT to ISO/IEC 20000

COBIT User Guide

COBIT to ITIL V3

(25)

Cloud Security Alliance

SM

https://cloudsecurityalliance.org/

Security Guidance for Critical

Areas of Focus in Cloud

Computing

Cloud Controls Matrix v3.01 - Fundamental

security principles to guide cloud vendors and to

assist prospective cloud customers in assessing

the overall security risk of a cloud provider.

(26)
(27)

Cloud Computing/ SAAS will

continue to grow

IT must remains accountable for

governing cloud apps

Understanding the role IT has in

managing cloud apps is crucial to

your career

(28)
(29)

Thank You!

We  appreciate  your  feedback  and  will  be  sending  a  brief  survey  as  

well  as  a  link  to  the  slides  on  the  ITSMF  website.  

References

Related documents

Similarly, the odds of indicating a higher level of achievement increase by 1.12 (a 12% raise) for each year increase in the duration of the relationship. Another variable with

Fosilna goriva danas i dalje ĉine veliku većinu pogona cestovnih motornih vozila u svijetu, ali zbog podloţnosti oscilacijama u cijeni i sve većem zagaĊenju okoliša primjenjuju se

The current study has demonstrated that combined functional and anatomic assessment of coro- nary artery stenosis is possible in a simple imaging procedure and has

On-line authenticating the Subject at Assurance Level 1 or higher level using an external Identity Provider;3. In-person visit at a service desk, or

The Cheltenham: Diaspora project is part of a wider programme of local historical research activities, led by the history team at the University of Gloucestershire.. Previously,

In contrast, when information rents are small (e.g., because costs are relatively homogeneous or there are many potential contractors), or when the value of innovation is high

Market surveillance is carried out according to the “Regulation on Procedures and Principles of Market Surveillance of the Products to be performed by the MIT”, which was published in