
IS 657 Information Systems Governance and Risk Management

Part 0: Intro IT Governance
Yüe “Jeff” Zhang, Acct & IS Dept, CSUN

02/17/2021
1
Outline of Part 0
• Why IT governance - IT Challenges
• Governance Overview
  - Definition
  - Place in corporate governance
  - Perspective
  - Principles
  - Focus areas

Next part: COBIT 5 Overview
• 5 principles
• 7 enablers
• Evolution of COBIT

2
Learning Objectives (LO) of Part 0
• Understand the need for governance of enterprise IT
• Understand what governance of enterprise IT means
  - Define supporting structures, framework, and processes
• Understand the focus areas of IT governance
• Understand the elements and actions required to develop a framework and its implementation
3
Why IT governance - IT Challenges

4
Governance
• Like “government” and “governor”, it is derived from the Latin word “gubernare” – the action of steering a ship
  - Direction
  - Status of the system
• A popular definition reflects these ancient Roman roots by defining governance as “steering, not rowing”.
• Don MacLean: “Herding Schrödinger’s Cats: Some Conceptual Tools for Thinking About Internet Governance”, 2004

Steering: to take the helm
5
Governance Overview
Enterprise Governance

• Enterprise Governance is a set of responsibilities and practices exercised by the board and the executive management:
  1. Strategic direction to the organization
  2. Achieving objectives
  3. Managing risks
  4. Responsible use of resources
  5. Balancing performance and conformance

Conformance: consistency with, adherence to (requirements)
6
IT Governance: why (1)
• The rising interest in IT governance is driven by the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.

• Greater accountability:
  - Budget
  - Time
  - Mission-critical
  - Threats and ethical responsibilities
7
IT Governance: why (2)
• The rising interest in IT governance is driven by the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.

• Around the (new) use of IT
  - IT can be (and should be) used to enable the company to undertake new initiatives (Enabler – a COBIT 5 term)
    → “IT as enabler of business” – “You can do what others can’t with your more effective IT”
  - Can be in the negative direction: AVOID certain IT to avoid certain risks
8
IT Governance: why (3)
• The rising interest in IT governance is driven by the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.

• Stakeholders:
  - Number
  - Types
  - Positions of functioning

9
Why do we need IT governance?
1. Pervasive, mission-critical applications
   - Info is a key asset
2. IT spending
3. IS Failure
4. IS Security
5. Compliance pressure

• Supports:
  - Decision making
  - Operations

• Note to class: slides #11-30 are examples showcasing the above points

Compliance: conformance with government / industry regulations
10
What the IT function does
[figure: numbered diagram of IT function areas, spread over slides 11-13]
11
12
13
Decision Support
[figure: dashboard example]

Dashboard: instrument panel
14
Operations
[figure]

15
Mission-critical: Wells Fargo

16
Mission-Critical: USPS

17
Mission-Critical: California DMV

18
Mission-Critical: California DMV

19
IT spending is skyrocketing
• US banks will spend on tech in 2019 roughly $67 billion (670 tons of $100 bills)
• Banks Spending on Tech in 2016 — Especially Security
• Annual IT Spending by Western European Healthcare Providers to Reach $14.6 Billion by 2018
• Global Airport IT Spending Market CAGR Growth of 4% by 2020
20
IT spending is skyrocketing
• Government IT investments set to rise across Asia-Pacific
• IT Spending of the APeJ Public Sector Reached USD 25.3 Billion in 2017

21
Open Government – Los Angeles

22
Open Government – New York

23
Open Charlotte (N. Carolina)

24
Open Charlotte (N. Carolina)

25
Major IT Failure Cases
• Obamacare Website (2013):
  - Bugs in the website for the Obamacare sign-in caused over $200 million in losses
  - Expenses for reconfirming the insured were $85 million
• Denver International Airport (DIA) baggage processing system (2004):
  - Delayed operation of the new airport by 16 months
  - Expenses of the new airport increased by $560 million
  - It was planned to have bi-directional baggage processing in three terminals; but only out-bound baggage processing, for only one terminal, was working
  - Even that system did not work right, cost over $1 million in monthly maintenance, and had to be stopped after just one year’s operation
26
Some Data about IT Project Failure
• Gartner’s 2002 survey found that 20% of IT spending was eventually wasted – $600 billion worldwide; “waste $100 b on network overspending (2006)”
• IBM surveyed the CIOs of the Fortune 1000; 40% believed that IT investment did not bring the intended return to their organizations
• IT consulting firm The Standish Group found (2006) that only 35% of IT projects succeeded; the other 65% either faced severe challenges or just failed
27
Major IT Security Case - TJX
• “Textbook case”; 2007
• Incident: An international crime ring broke into the store network through the store’s weak Wi-Fi network and obtained admin rights. Hackers stole customer information and card numbers from TJX subsidiaries TJ Maxx, Marshalls, and HomeGoods
• Impact: 90 million credit and debit cards
• Loss: The company estimated $200 million; but privacy and security specialist Ponemon Institute estimated over $2 billion

http://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#ixzz3WoupJft9
28
Major IT Security Case - Target
• 2013
• Data breach happened during Nov 27 - Dec 15; more personal data of customers might have been stolen before that
• 40 million credit and debit cards were affected
• 70 million customers’ information was affected
• Target lost 1.5 billion as a result

http://www.bankrate.com/finance/banking/us-data-breaches-1.aspx#ixzz3WooFuF76
29
Major IT Security Case - Equifax
• 2017
• Identity theft event potentially impacting approximately 145.5 million U.S. consumers
• Information accessed by the hacker (or hackers) in the breach included first and last names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.
• Credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were also accessed
https://en.wikipedia.org/wiki/Equifax#Security_failings

30
Major IT Security Case - Equifax
• In one suit the law firm Geragos & Geragos indicated they would seek up to $70 billion in damages - the largest class-action suit in U.S. history
• Equifax shares dropped 13% in early trading the day after the breach was made public
https://en.wikipedia.org/wiki/Equifax#Security_failings

31
Major IT Security Case - Equifax
• The breach was facilitated using a flaw in Apache Struts
  - A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later.
• The insecure network design, which lacked sufficient segmentation
• Potentially inadequate encryption of personally identifiable information (PII)
• Ineffective breach detection mechanisms.

https://en.wikipedia.org/wiki/Equifax#Security_failings
32
Compliance Requirements…

33
Recap:
Why do we need IT governance?
1. Pervasive, mission-critical applications
   - Info has become a key asset
2. IT spending
3. IS Failure
4. IS Security
5. Compliance pressure

34
IT Challenges: Summary and inference
• Challenges are multi-faceted, multi-functional, critical → beyond IT
  - Company-wide attention needed
  - Company-wide coordination needed
  - Company-wide institutional mechanism needed
  - Board-level awareness, vision, and guidance needed
  - Need to establish accountability
    – importance and expenses → accountable

Institutional: at the level of systems and mechanisms; structural
35
Governance Overview
- Definition
- Focus areas

36
IT Governance: High on Priority
• Pervasive use / high dependence → needs a high degree of attention (Pervasive: widespread, found everywhere)
• Powerful leverage; major impact on businesses, in BOTH directions → value
• IT-related resources have become important organizational assets
• IT-related risks and opportunities are critical to the survival and success of the enterprise
• IT projects’ success or failure has a major impact on the firm’s financial status, market position, and corporate reputation
37
IT Governance Should Be High on Agenda
• Successful companies understand IT-related risks, can recognize and seize the opportunities and benefits brought by IT, and can manage the following well:
  - Align IT strategy with corporate strategy;
  - Ensure the achievement of value for ALL stakeholders
    → Realize benefits, control risks, optimize resources
  - Provide the organizational structure that can promote, in the entire enterprise, the implementation of IT strategy and goals
  - Establish constructive relationships and effective communications among business, IT, and external business partners
  - Be clearly aware of and adopt an IT control framework
  - Measure and assess the performance of IT

Key elements of IT Gov
Align: to make consistent, to line up

38
Preview: The IT Governance Pentagon
• Understand the Pentagon

39
Governance Overview
Why IT Governance - data

• “Effective IT Governance is the single most important predictor of the value an organization generates from IT”
• “Firms with focused strategies and above average IT Governance had more than 20% higher profits than other firms following the same strategies”

Peter Weill and Jeanne W. Ross, IT Governance

40
Governance Overview
Why IT Governance - data

• 85% of organizations demand business cases for change projects
• Only 40% of approved projects have valid (realistic) benefit statements
• Less than 10% of organizations ensure benefits are realized post‐project
• Less than 5% of organizations hold project stakeholders responsible for benefit attainment

41
Governance Overview
IT Governance

• “IT Governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that enterprise IT sustains the organization's strategies and objectives.”
  - Board Briefing on IT Governance, IT Governance Institute, 2/e, 2003; sponsored by AICPA, ICAEW, IFAC, E&Y, Deloitte, KPMG, PWC
• https://www.oecd.org/site/ictworkshops/year/2006/37599342.pdf

42
Governance Overview
IT Governance

• Integrate and institutionalize good practices
• Take full advantage of information
• Satisfy quality, fiduciary and security requirements
• Optimize resources
• Balance risk versus return

Fiduciary: (a responsibility) of trust / arising from a contract
43

IT Governance Definition (1) – MIT CISR
• “A framework for decision rights and accountability to encourage desirable behavior in the use of IT”
• IT Governance Introduction, http://cisr.mit.edu/research/research-overview/classic-topics/it-governance/

• (CISR - Center for Information Systems Research)

• Will study a well-recognized, widely cited article by two MIT professors, Peter Weill and Jeanne W. Ross

Framework
44
IT Governance Definition (2) – CIO.com
• Putting structure around how organizations align IT strategy with business strategy,
• ensuring that companies stay on track to achieve their strategies and goals, and
• implementing good ways to measure IT’s performance.
• It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results
• http://www.cio.com/article/2438931/governance/it-governance-definition-and-solutions.html
  - A very good source for overview; highly recommended; will discuss online

Goal; Performance; Stakeholder
45
IT Governance Definition (3) – Wikipedia

• IT governance is a subset discipline of Corporate Governance focused on IT systems and their performance and risk management.

  - http://en.wikipedia.org/wiki/Corporate_governance_of_information_technology
  - http://en.wikipedia.org/wiki/Corporate_governance

Performance; Risk

46
IT Governance Definition (4) – ISACA
• IT governance is the responsibility of the board of directors and executive management.
• It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that
  → ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.
ITGI: Board Briefing on IT Governance, 2/e

Responsibility; Structure; Objective
47
Essence of IT Governance, “extracted”
• Integral part of enterprise governance
• Duty of the Board and executive management
• makes sure that all stakeholders’ interests are taken into account
• aligns IT strategy with business strategy
• on track to achieve their strategies and goals
• performance and risk management
• implementing good ways to measure IT’s performance
• processes provide measurable results

48
Zhang’s “Distillation” of Governance - 1
• Do the right things (goals cascade)
• in the right ways (process control),
• by the right people (accountability – RACI* chart),
• to achieve stakeholder values (assured values, optimal risks, controlled costs – “BRC”: Benefits, Risks, Costs).

Side notes: Top management must be on board of IT gov; Logic – COBIT 5 component

• *RACI: Responsible, Accountable, Consulted, Informed – four levels of involvement in a process
49
Zhang’s “Distillation” of Governance - 2
[figure: goals cascade – Enterprise Strategic Goals → IT Goals → IT Enabler Goals; each level is monitored and controlled; accountability assigned via a RACI chart (R A C I)]
* Reference: IT Governance Institute, COBIT 5
© Yue Zhang 2015-2019
50
Well-designed, inter-dependent system

51
IT Governance Global Status Report 2011

• In 2011, PricewaterhouseCoopers (PwC) was commissioned by the IT Governance Institute (ITGI) to conduct the third global survey on IT governance. The following pages communicate the key findings.

Global Status Report on GEIT — 2011

52
Governance Overview
Global Status Report on GEIT - 2011

• Value creation of IT investments is one of the most important dimensions of IT’s contribution to the business (mentioned by more than nine out of 10 respondents).
  → Challenges: Increasing IT costs and an insufficient number of IT staff are the most common issues experienced
• IT leading or following: there is a correlation between the position of the head of IT in the enterprise’s hierarchy and the pro-active nature of the IT department.
  → 70 percent of respondents noted that the head of IT is a member of the senior management team, but this figure increases to 80 percent for those enterprises where IT has a proactive role.

53
Governance Overview
Global Status Report on GEIT - 2011

• A focus on governance: Governance of enterprise IT (GEIT) is a priority with most enterprises. 2/3 of respondent enterprises have some GEIT activities in place,
  → the most common being the use of IT policies and standards, followed by
  → employment of defined and managed IT processes.
  → the main driver for activities related to GEIT is ensuring that IT functionality aligns with business needs,
  → the most commonly experienced outcomes are improvements in management of IT-related risk and in communication and relationships between business and IT.

54
Global Status Report on GEIT – 2011
Conclusions and Recommendations
• The right governance enablers can ensure the transparency of IT
supply and demand and facilitate decision making about demand
and its prioritisation in pursuit of value delivery to the enterprise
• GEIT initiatives must take a balanced and holistic view of the five
GEIT focus areas
• Governing enterprise IT effectively can help increase project
success rates
• GEIT can help enable the adoption of emerging technologies
such as cloud computing
• Successfully implementing GEIT depends on several factors:
change management, communication, proper scoping and
identification of achievable objectives

55
Governance Overview
IT management vs governance

IT Governance                           IT Management
Doing the right IT                      Doing IT right
Needs CIO and executive sponsorship     Sponsored by IT
Direction                               Way
Top                                     Managerial / Operational

56
The IT Governance Focus Areas - Pentagon

• Understand the Pentagon
• Familiar with the Pentagon

57
The COBIT Framework
The Need for a Control Framework

“A control framework for IT Governance defines the reasons IT Governance is needed, the stakeholders and what it needs to accomplish.”

• Now to the higher level of “enterprise governance of IT” (GEIT) – emphasizing
  - Stakeholder needs – “High on top”
  - Executive involvement – “Tone at the top”
  - End-to-end coverage – “Whole enterprise”
58
The COBIT Framework
Definition and Mission - Definition

• COBIT stands for “Control Objectives for Information and Related Technology.”
  - Now just COBIT
• Developed by the IT Governance Institute (ITGI)
• Promoted/advocated by ISACA
  - a standard-setting body in the areas of information governance, control, and security for professionals.

59