Governing IT with ITIL and COBIT

IIA Chicago Chapter 53rd Annual Seminar April 15, 2013, Donald E. Stephens Convention Center


Governing IT with ITIL and COBIT for Process Excellence
Pam Nigro, CRMA, CISA, CGEIT, CRISC
Manager Operational Assurance, Health Care Service Corporation (a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association)

Agenda
1. IT Governance
2. ITG's Challenges
3. Frameworks
4. HCSC's Journey Begins
5. Measurements and Lessons Learned

© 2013, Health Care Service Corporation, Pam Nigro


IT Governance

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." Warren Buffett, CEO, Berkshire Hathaway


Definition of IT Governance

Choose one…


Simple Version: 3 key pieces to the puzzle
• What: What IT decisions need to be governed?
• Who: Who is assigned accountability?
• How: How are those decisions governed?

IT Governance is simply the management of risk & compliance.


IT Governance


Challenges

"To open a shop is easy, to keep it open is an art." Chinese Proverb


HCSC ITG's Challenges/Drivers: strategic goals to support key business objectives
1. Ensure Availability & Reliability in ITG Services
2. Reinvest in Technology to Support Growth
3. Allow for Ease of Mergers and Acquisitions
4. Simplify and Standardize ITG Processes
5. Commitment to Regulatory Compliance


Frameworks

"Every knowledge worker in modern organization is an 'executive' if, by virtue of his position or knowledge, he is responsible for a contribution that materially affects the capacity of the organization to perform and to obtain results." Peter Drucker in The Effective Executive (1966)


Why Use a Framework? Benefits
• Enable effective governance
• Align with business goals
• Standardize process and approach
• Enable structured audit and/or assessment
• Control cost
• Comply with external requirements


What is the IT Infrastructure Library?

An operational level of service management and the framework.

Perspectives shown on the slide: Financial, Customer, Processes, Learning & Growth.
• What are my IT services?
• How do we monitor and measure our services?
• Are we following best practices for our processes?
• What are best practices for managing my services?


The IT Infrastructure Library (ITIL)

ITIL Processes: Config Mgmt., Service Level Mgmt., Access Mgmt., Problem Mgmt., Incident Mgmt., Change Mgmt., Release Mgmt., Knowledge Mgmt.


Control Objectives for Information and Related Technologies (COBIT)
• Plan & Organize: the strategy and domain of IT planning
• Acquire & Implement: to realize business goals, IT solutions need to be developed or acquired and integrated into the business process
• Delivery & Support: service delivery, management of security and continuity, service support for users, and management of data
• Monitor & Evaluate: regular assessment of IT processes for quality and compliance with control requirements


Key Questions

Plan & Organize
• Are Business and IT strategy aligned?
• Is business achieving optimum use of its IT resources?
• Is the quality of IT systems and services appropriate for business needs?

Acquire & Implement
• Will the new or revised systems work properly when implemented?
• Will changes be made without upsetting current business operations?


Key Questions

Delivery & Support
• Are IT costs optimized?
• Is the work force able to use IT systems productively?
• Are adequate performance requirements such as security, integrity and availability in place?

Monitor & Evaluate
• Can IT performance be measured?
• Can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?


ITIL v3 and COBIT Alignment: over 75% of ITIL v3 processes map to COBIT 4.1

Description             COBIT       ITIL
Service Desk            DS8         SO1, SO6
Incident Management     DS8         SO4
Problem Management      DS10        SO4
Change Management       AI6, AI7    ST4.2, ST5.1
SDLC Process            PO10        ST3, SD3
Physical Security       DS12        ST3
Operations Management   DS13        SO4, SO5
Release Management      AI7         ST4


HCSC's Journey Begins

"There is nothing more difficult to carry out, nor more doubtful of success or dangerous to handle than to initiate a new order of things." Nicolo Machiavelli, The Prince


The Process Excellence Program

Multi-workstream program ensuring:
• Consistent products and services
• Predictable service delivery ("On-Time, On-Budget, and On-Quality")
• Integrated processes across ITG
• Leveraging "best practices" to re-engineer, not "patch" processes
• Customer focused service model
• Organizational and strategic alignment
• Achieve regulatory compliance

Workstreams shown on the slide: Problem, Change, Config, Release, Incident, Operations, SLM, Policy, Risk, Controls.

…A new way for ITG to conduct its business!


Organizational Challenges and Barriers

Figure: barriers plotted by complexity of barrier (High to Low) across three areas, Technology, Process and People. Barriers shown: Fragmented tools, No standards, Custom-made integration, Inappropriate tools, Poor process quality, Non-integrated processes, Inconsistent processes, Poor governance, People refusing to change, Poor leadership, Closed culture, Poor customer perception, Low morale, Unrealistic customer expectations, Lack of skills, Funding.


Communicate

Formal and Informal Communications
• Team Meetings
• Held "Coffee Clutches"
• Developed a slogan "Put PEP in Your Step"

Training
• Instructor Led Classroom
• Webinars


Incentives

IT Process Framework
• Establish an IT Process Framework designed to standardize and increase predictability of select ITG processes utilizing industry best practices

Regulatory Compliance
• Achieve and exceed compliance with mandated security and controls
• Establish COBIT-compliant framework, and assess IT controls


Initial COBIT Maturity Assessment • Intentionally left blank


3 Key Drivers

ITIL Processes: Config Mgmt., Service Level Mgmt., Access Mgmt., Problem Mgmt., Incident Mgmt., Change Mgmt., Release Mgmt., Knowledge Mgmt.


Service Level Management

Clearly document and outline the level of service.
• Negotiating the SLA Contract
• Service Level Agreement (SLA)
• Report to the business and ITG Sr. Management

Results and operational trend reports can be used to prioritize service improvement activities.


Change Management: Governing IT Changes
• Change Advisory Board (CAB)
• Production Operations Group (POG)
• Reliability Committee


Release Management
• 2006, Ad Hoc: Distributed and Mainframe, Multiple Tools; multiple source code libraries; multiple release methodologies
• 2009, CA Endevor: all mainframe source code libraries in Endevor; standard code development lifecycle; standard release methodology
• 2013, Serena Dimensions: distributed source code for financially significant apps; standard code development lifecycle; standard release methodology


Measurements and Lessons Learned

"It is not the strongest among the species that survive nor is it the most intelligent. It is those that are most adaptive to change." Charles Darwin


Increase in Availability • Intentionally left blank


Mean Time to Repair (in hours) • Intentionally left blank


IT General Controls Maturity level • Intentionally left blank


Initial COBIT Maturity Assessment • Intentionally left blank


Current COBIT Maturity Assessment • Intentionally left blank


Lessons Learned: Key Leadership Principles for Creating and Sustaining a Successful IT Governance Culture and Environment (PEP Program, ITIL/COBIT)
• Make Tradeoffs - One size does not fit all. When is enough, enough?
• Proactively Design and Manage - Take smaller steps. Avoid over-engineering.
• Commitment & Provide the Right Incentives - 30% Process; 70% People
• Assign Ownership & Accountability - Get and keep leadership commitment


IT Governance


Thank you for your attention! Any Questions?


Contact Details
Pam Nigro, CRMA, CISA, CGEIT, CRISC
Manager, Internal Controls and IT Risk Management
pam_nigro@bcbsil.com

Health Care Service Corporation (HCSC) is a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association operating Blue Cross and Blue Shield of Illinois, Texas, New Mexico, and Oklahoma.


Appendix


Why Implement ITIL? Circle of Perspectives

1. Financial Perspective
• Operational excellence focus to drive down costs
• Bottom Line: IT can "do more, with less"

2. Customer Perspective
• Enable a single point of accountability
• Align internal metrics to reflect IT user experience

3. Business Perspective
• Manage increasing IT service complexity
• Create a common vocabulary for communication

4. Learning & Growth Perspective
• Break down organizational silos with process focus
• Leverage industry accepted "best practices" and do not re-invent the wheel


Control Maturity

Level 1 - Unreliable
• People: No Responsibility
• Process: No Policy; No Procedures; Missing Control Design
• Maturity Model: Non Existent

Level 2 - Informal
• People: Informal Responsibility; New Personnel; Non-Routine
• Process: Informal/Ineffective Policy; Informal/Ineffective Procedures; Informal/Ineffective Control Design; Informal/Ineffective Control Activity
• Technology: Manual
• Maturity Model: Initial / Ad-Hoc

Level 3 - Standardized
• People: Formal Responsibility; Adequate Personnel; Routine
• Process: Formal/Effective Policy; Formal/Effective Procedures; Formal/Effective Control Design; Formal/Effective Control Activity
• Technology: Manual
• Maturity Model: Repeatable But Intuitive

Level 4 - Monitored
• People: Limited Automation; Periodic Compliance Testing; Periodic Reporting
• Process: Limited Automation; Periodic Compliance Testing; Periodic Reporting; Periodic Update/Change Improvement
• Technology: Automated
• Maturity Model: Defined Processes

Level 5 - Optimized
• People: Automation; Real-Time Monitoring; Daily Reporting
• Process: Automation; Real-Time Monitoring; Daily Reporting; As Required Update/Change Improvement
• Technology: Automated
• Maturity Model: Managed And Measurable
