PO1.2:

From HORSE - Holistic Operational Readiness Security Evaluation.

PO 1.2 Business-IT Alignment

Control Objective:


Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

Applicability:

Sarbanes-Oxley
HIPAA
GLBA
PCI
FISMA
NIST SP 800-66
DITSCAP
Control Exception
User Defined


Risk Association Control Activities:


Implementation Guide:


Process Narrative

IT departments exist to serve the other business units of the organization, but aligning the goals of the IT organization with those of the other units is often a challenge. The following points describe a few concrete steps that companies can take to better align business and IT.

Implement a Business Services Model (BSM)

IT organizations are driven and evaluated by metrics — percentage of uptime, etc. But business owners — non-IT personnel whose business units rely upon a certain application — often feel that IT is measuring the wrong things, and that the metrics contradict the performance the business actually experiences.

To illustrate this point, let's examine the case of a hypothetical claims processing application. The metrics indicate 99 percent uptime, but business owners are not happy. The cause of their angst is the fact that the application is often down during the early morning and late afternoon hours, the critical times when new claims are submitted and reconciled, respectively. To the business owner, 99 percent uptime is useless if the application is not available when they need it. The problem arises because specific business priorities were never communicated to IT and were instead translated into a vague, aggregate measure.

The solution may be to implement a Business Services Model (BSM). To accomplish this, both business and IT need to come together and negotiate internally to develop metrics that are linked to business priorities. Business must understand IT's capabilities and limitations, while IT must develop an understanding of the business needs.

Another important step is to discourage "cooking" the metrics, or structuring them so that they will appear more positive. One way to achieve this is to link the IT organization's reward and incentive systems to overall business performance, rather than just to IT service levels. While this will be an unpopular move, it is an important cultural change that can accelerate the process.

To ensure that metrics properly measure alignment with business goals and user satisfaction, each metric should:

  • Be objectively measurable. Include a clear statement of the end result expected.
  • Support customer requirements, including compliance issues.
  • Focus on the effectiveness or efficiency of the process being measured.
  • Allow for meaningful trend or statistical analysis.
  • Apply appropriate industry standards or other external standards.
  • Specify assumptions and definitions for satisfactory performance.
  • Involve those responsible for the performance being measured in the development of the metric.
  • Be accepted by the provider and the customer.


Link Strategic IT Planning to Business Goals


Both the annual and long-term IT plans must be linked to corresponding business plans. To ensure that the IT organization is planning investments that will support the overall business goals, each significant IT project and expenditure must be linked to a specific business goal. Furthermore, the business owner for each item should be identified and sign off on the expenditure.

For example, as part of their planning process, the regional IT units of a large US manufacturer submit individual lists of proposed projects and expenditures to the global IT organization. The global IT group collates these lists, identifies business sponsors for each item, and meets with the global business leadership to prioritize the portfolio. Each line item in the master IT project list is evaluated against the overall business goals, and the business leaders ultimately decide which of the projects are executed.

Create a Three-Dimensional Organization Structure


Most IT organizations are vertically aligned, with various levels of staff reporting into a CIO, who is then responsible to the business leadership. However, some functions such as HR and Finance cut across geographies and practices, and the IT resources that support these systems should be horizontally aligned.

At a large U.S.-based consumer products company, for example, each division has a CIO who heads a vertically-oriented IT unit. Each divisional CIO reports to a global CIO. Additionally, there are executives responsible for all applications that support a particular horizontal function, such as Finance or HR. These executives report to both the global CIO and to the global head for that business function.

The additional advantage of this leadership scheme is that it encourages common systems and platforms, which better serves current needs and enables future growth. This can be extremely beneficial in today's rapidly changing business environment, with large mergers and acquisitions becoming more and more common.

Enterprises should gradually move toward virtual work-groups and reporting frameworks based on common systems, technologies, and business goals.

By following the three recommendations here — implementing a Business Services Model (BSM), linking strategic IT planning to business goals, and creating a three-dimensional organization structure — your IT organization can become more aligned with your company's business goals. And the more aligned with business goals, the more valuable the IT organization becomes. You may even find that other units see yours as indispensable to meeting their goals. Instead of working in a vacuum, you've created a team environment that makes the entire organization work like one big machine.

Process Illustration

Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.

File:Someimage.jpg

Control Commentary

Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary

Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.

Evidence Archive Location

Insert Evidence Description Here.

Control Status and Auditors Commentary

Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.

File:Redlock.jpg

Remediation Plan

Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:

ISO 17799 4.1 A management framework should be established to initiate and control the implementation of information security within the organization. A suitable management forum with management leadership should be established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization. If necessary, a source of specialist information security advice should be established and made available within the organization. Contacts with external security specialists should be developed to keep up with industrial trends, monitor standards and security audit assessment methods and provide suitable liaison points when dealing with security incidents. A multi-disciplinary approach to information security should be encouraged, e.g. involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management.

ITIL The Business Perspective.

ITIL Business/IS Alignment.

ITIL 4.3 The management governance framework ICT Infrastructure Management, Annex 2B.

ITIL The Contents of ICT Policies, Strategies, Architectures and Plan.

Implementation guidance

Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user are desirable.