Achieving IT Governance and compliance using Kovair Global Lifecycle

By Bob Aiello, Editor in Chief, CM Crossroads Journal

raiello@acm.org

Kovair Software, Inc. 1533 California Circle, Suite # 210 Milpitas, CA 95035
408-262-3871 x 2008 sales@kovair.com www.kovair.com

IT Governance and compliance are increasingly important to senior management, who have the responsibility for the overall control and health of a large corporation. In fact, IT Governance and compliance are mandated competencies of any organization that wants to stay in business in today's global, technology-centric environment. Public companies are mandated by Federal laws, including section 404 of the Sarbanes-Oxley Act of 2002, to establish effective practices such as reporting and operational controls such as Change Management. Managers who need to implement these procedures have a number of standards and frameworks to help them, including IEEE 12207 lifecycle processes, ISACA Cobit 4.1, SEI CMMI and the itSMF ITIL v3. The Sarbanes-Oxley law has provided the stimulus for many corporations to take a hard look at their reporting and operational controls, but unfortunately many firms miss the opportunity to achieve improved productivity through the effective implementation of these controls. Instead, a failed audit may have them scrambling to meet the letter of the law quickly in order to stay within the bounds of compliance. At best, this is a missed opportunity; for some companies, this expediency may ultimately result in lost competitive advantage. Implementing improved controls and processes has the potential to provide the organization with significantly improved productivity and value, and that is exactly what this white paper is about.
Many practitioners and line managers complain that some of the industry frameworks explain what needs to be done without giving enough information on how to implement these procedures. In this paper, we will examine exactly how to implement a few of the Cobit controls using the Kovair Global Lifecycle. The complete Cobit 4.1 framework is available from the ISACA website (www.isaca.org). Kovair resources and their affiliates will be glad to discuss exactly how any of the controls in industry frameworks may be operationalized and achieved through better tools and process.

In this white paper, we will discuss implementing controls to manage changes, IT processes and (briefly) manage configurations.
The Cobit 4.1 framework has an IT Process called AI6 Manage Changes, which states that all changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of risks of negatively impacting the stability or integrity of the production environment (Cobit 4.1, AI6). For many organizations, implementing this control objective may prove to be a difficult task. The Kovair Global Lifecycle provides the tools and process necessary to remove the ambiguity and realize improved productivity through the proper implementation of the Cobit 4.1 framework and, of course, achieve the objectives of IT Governance and compliance. What follows is one brief example of how this control may be analyzed, interpreted and implemented. Your organization may need to interpret or tailor this control objective differently, but the implementation effort would be the same.

The Cobit AI6 Manage Changes IT Process states that control over the IT process of Managing Changes is achieved by:

- Defining and communicating change procedures, including emergency changes
- Assessing, prioritizing and authorizing changes
- Tracking status and reporting on changes

The Kovair Global Lifecycle allows you to define the exact tasks necessary to implement each of the control practices required to meet the control objective of setting up formal change management procedures to handle, in a standardized manner, all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. Some of the control practices indicated by the AI6 control (the full list is available from ISACA) are:

1) Develop, document, and promulgate a change management framework that specifies the policies and processes, including:
   - Tracking and status of changes
   - Roles and responsibilities
   - Classification and prioritization of all changes based on business risk
   - Authorization and approval of all changes by the business process owners and IT
2) Establish and maintain version control over all changes.
3) Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.
4) Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.

Implementing this example would be straightforward in Kovair, and all of the required processes can be specified exactly as required by the Cobit 4.1 framework. For example, Kovair screens would be developed to allow authorized personnel to enter specific requested changes, organized by predefined categories. All of the information would be entered via the Kovair-built screens along with predefined values (defaults). Linked fields can be set to change dynamically based upon pre-selected values. In Kovair, anything can be configured so that your process works exactly the way that you need it to. Potential causes of risk can be categorized and selected to be assigned to a Change Request. The risk list can be organized by Change Request type and updated dynamically to reflect the organization's own risk management processes. Authorization and approvals of all changes can be organized by individuals, groups or even predefined shared approval boards that can be configured exactly as required by the business needs. In fact, implementing PO4 Define the IT Processes, Organization and Relationships requires that the processes establish and implement IT roles and responsibilities, including supervision and segregation of duties. Kovair has a robust structure in place to define all of these relationships explicitly as needed. There is also the facility to override controls in emergency situations, with required approvals and automatic notification of specified audit resources (e.g. head of security, CTO, etc.). This provides the ability to enforce processes and yet also has the flexibility to allow for exceptions by implementing a specific auditable exception process.

The Kovair Omnibus Integration Bus can be used to integrate with leading testing tools, source code management repositories and even in-house custom systems. Kovair can be configured to be your central repository for all information related to a particular change, including configuration management.
That means that companies using the ITIL v3 framework can use Kovair as the central repository for the Configuration Management Database (CMDB). Kovair makes tracking the status of changes very straightforward, as all of the required steps and their individual completion are shown via status reports, history logs and even visual diagrams. Compliance is much easier when there are sufficient reports to show exactly which steps were completed, and by whom, as well as all of the related approvals (and rejections). Information can also be summarized and reported to senior management to provide visibility into all of the required IT controls.

The Cobit framework indicates that AI6 can be measured by:

- Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
- Amount of application or infrastructure rework caused by inadequate change specifications
- Percent of changes that follow formal change control processes

These are valid metrics that can be communicated to senior management to provide visibility into the organization's Change Management process. Implementing IT Governance and compliance is all about confirming that the right things are done, at the right time and in the right way. It's also about traceability and providing visibility to all of the stakeholders involved. Kovair is the robust automated process workflow solution that can help your organization successfully implement IT Governance and compliance best practices. Are you ready to use compliance to enhance your organization's productivity?

Kovair Software, Inc. 2000-2008