Executives Guide to IT Governance

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in
the United States. With offices in North America, Europe, Asia, and Australia, Wiley
is globally committed to developing and marketing print and electronic products and
services for our customers professional and personal knowledge and understanding.
The Wiley Corporate F&A series provides information, tools, and insights to corpo-
rate professionals responsible for issues affecting the profitability of their company, from
accounting and finance to internal controls and performance management.
 Executives Guide to
IT Governance
Improving Systems Processes with
Service Management, COBIT, and ITIL

ROBERT R. MOELLER

John Wiley & Sons, Inc.

Cover image: Max Delson Martins Santos/iStockphoto
Cover design: John Wiley & Sons, Inc.

Copyright 2013 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted
under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis-
sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600,
or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the
Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011,
fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in pre-
paring this book, they make no representations or warranties with respect to the accuracy or completeness
of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness
for a particular purpose. No warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for your situation. You should
consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss
of profit or any other commercial damages, including but not limited to special, incidental, consequential,
or other damages.

For general information on our other products and services or for technical support, please contact our
Customer Care Department within the United States at (800) 762-2974, outside the United States at (317)
572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included
with standard print versions of this book may not be included in e-books or in print-on-demand. If this book
refers to media such as a CD or DVD that is not included in the version you purchased, you may download this
material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Moeller, Robert R.
Executives guide to IT governance : improving systems processes with service management, COBIT, and
ITIL / Robert R. Moeller.
1 online resource. (Wiley corporate F&A series)
Includes bibliographical references and index.
Description based on print version record and CIP data provided by publisher; resource not viewed.
ISBN 978-1-118-22495-3 (pdf) ISBN 978-1-118-23893-6 (epub) ISBN 978-1-118-26354-9
(mobipocket) ISBN 978-1-118-13861-8 (o-book) ISBN 978-1-118-54017-6 (cloth)
1. Information technologyManagement. 2. Information technologyAuditing.
3. Electronic data processing departmentsAuditing. I. Title.
HD30.2
004.0684dc23
2012050404

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1
 Dedicated to my best friend and wife, Lois Moeller.
Lois has been my companion and partner for over 40 years,
whether we are on our Lake Michigan sailboat,
skiing in Utah or elsewhere,
visiting museums and traveling to interesting places in the world,
vegetable gardening in the backyard,
or jointly cooking its produce.
 Contents

Preface xiii

PART I: IT GOVERNANCE CONCEPTS

Chapter 1: Importance of IT Governance

for All Enterprises 3

Chapter 2: Fundamental Governance Concepts

and Sarbanes-Oxley Rules 9
Sarbanes-Oxley Act 10
Other SOx RulesTitle II: Auditor Independence 18
SOx Title III: Corporate Responsibility 22
Title IV: Enhanced Financial Disclosures 24
What Is IT Governance? 28
Notes 35

Chapter 3: Enterprise Governance and GRC Tools 37

The Road to Effective GRC Principles 38

Importance of GRC Governance 39
Risk Management Component of GRC 40
GRC and Enterprise Compliance 42
Importance of Effective GRC Practices and Principles 45

PART II: FRAMEWORKS TO SUPPORT EFFECTIVE IT GOVERNANCE

Chapter 4: IT Governance and COSO Internal Controls 49

Importance of Effective Internal Controls and COSO 50

COSO Internal Control Systems Monitoring Guidance 65

vii
viii Contents

Wrapping It Up: Importance of COSO Internal Controls 66

Notes 66

Chapter 5: COBIT and the IT Governance Institute 67

An Executives Introduction to COBIT 68

The COBIT Framework and Its Drivers 70
COBIT Principle 1: Establish an Integrated IT Architecture Framework 72
COBIT Principle 2: Stakeholder Value Drivers 74
COBIT Principle 3: Focus on Business Context 75
COBIT Principle 4: Governance and Risk Management Enablers 78
COBIT Principle 5: Governance and Management Performance
Measurement Structures 80
Putting It Together: Matching COBIT Processes and IT Goals 81
Using COBIT in a SOx Environment 84
COBIT in Perspective 85
Notes 86

Chapter 6: ITIL and IT Service Management Guidance 87

ITIL Fundamentals 88
ITIL Service Strategy Components 91
ITIL Service Design 94
ITIL Service Transition Management Processes 99
ITIL Service Operation Processes 102
IT Governance and ITIL Service Delivery Best Practices 106
Note 107

Chapter 7: IT Governance Standards: ISO 9001, 27002, and 38500 109

ISO Standards Background 110

ISO 9000 Quality Management Standards 112
ISO IT Security Standards: ISO 27002 and 27001 115
ISO 38500 IT Governance Standard 118
Notes 123

Chapter 8: IT Governance Issues: Risk Management, COSO ERM,

and OCEG Guidance 125

Risk Management Fundamentals 126

COSO ERM Definitions and Objectives: A Portfolio View of Risk 134
COSO ERM Framework 136
Other Dimensions of the COSO ERM Framework 152
The OCEG GRC Red Book, Risk Management, and IT Governance 153
Notes 157
 Contents ix

PART III: TOOLS AND TECHNOLOGIES TO MANAGE THE

IT GOVERNANCE INFRASTRUCTURE

Chapter 9: Cloud Computing, Virtualization, and Portable,

Mobility Computing 161

Understanding Cloud Computing 162

IT Systems and Storage Management Virtualization 168
Smartphone and Handheld IT Device Governance Issues 175
Note 176

Chapter 10: Governance, IT Security, and Continuity Management 177

Importance of an Effective IT Security Environment 177

Enterprise IT Security Principles: Generally Accepted Security Standards 178
Importance of an Effective, Enterprise-Wide Security Strategy 185
IT Continuity Planning 186
The Business Continuity Plan and IT Governance 188
Notes 193

Chapter 11: PCI DSS Standards and Other IT Governance Rules 195

PCI DSS Background and Standards 196

Gramm-Leach-Bliley Act IT Governance Rules 203
HIPAA: Health Care and Much More 208
Notes 216

Chapter 12: IT Service Catalogs: Realizing Greater Value from

IT Operations 217

Importance of IT Service Catalogs 219

Role of a Service Catalog in the IT Service Provider Organization 221
An IT Service Catalogs Content and Features 223
IT Service Catalog Management 224

PART IV: BUILDING AND MONITORING EFFECTIVE

IT GOVERNANCE SYSTEMS

Chapter 13: Importance of IT Service-Oriented Architecture for

IT Governance Systems 231
SOA Applications and Service-Driven IT Applications 232
SOA Governance, Internal Control Issues, and Risks 235
Planning and Building an SOA Implementation Blueprint 236
SOA and IT Governance 242
Notes 245
x Contents

Chapter 14: IT Configuration and IT Portfolio Management 247

IT Configuration Management Concepts 248

ITIL Best Practices for IT Configuration Management 250
The Configuration Management Database: An Often
Difficult Concept 254
Establishing an Enterprise CMDB 255
IT Portfolio Management 259

Chapter 15: Application Systems Implementations and

IT Governance 263

The Systems Development Life Cycle: A Basic Application

Development Technique 264
IT Rapid Development Processes: Prototyping 266
Enterprise Resource Planning and IT Governance Processes 268

Chapter 16: IT Governance Issues: Project and

Program Management 275

The Project Management Process 275

PMBOK Standards 277
Another Project Management Standard: PRINCE2 280
IT Systems Portfolio and Program Management 280
The Program Management Office (PMO), a Strong Governance
Resource 284
Project Management, the PMO, and IT Governance 286
Note 286

Chapter 17: Service Level Agreements, itSMF, Val IT,

and Maximizing IT Investments 287

ITIL Service Management Best Practices and the itSMF 288

Open Compliance and Ethics Group (OCEG) Standards 292
Val IT: Enhancing the Value of IT Investments 298
Notes 305

PART V: MONITORING AND MEASURING ENTERPRISE

MANAGEMENT AND BOARD GOVERNANCE

Chapter 18: Enterprise Content Management 309

ECM Characteristics and Key Components in the Enterprise Today 310
ECM Processes and IT Governance 310
Creating an Effective ECM Environment in the Enterprise 314
 Contents xi

Chapter 19: Internal Audits Governance Role 319

Internal Auditing History and Background 320

Internal Auditing and the IT Auditor 323
Internal Audits IT Governance Activities and Responsibilities 323
Internal Audit IT Governance Standards 329
Internal Audit IT Governance Procedures 329
Note 334

PART VI: IT GOVERNANCE AND ENTERPRISE OBJECTIVES

Chapter 20: Creating and Sustaining an Ethical

Workplace Culture 337

Importance of Mission Statements 337

Enterprise Codes of Conduct 340
Whistleblower and Hotline Functions 347
Launching an Ethics Program and Improving
Enterprise Governance Practices 352
Note 353

Chapter 21: Impact of Social Media Computing 355

What Is Social Media Computing? 356

Social Media Examples 358
Enterprise Social Media Computing Risks and Vulnerabilities 365
Social Media Policies 367
Notes 370

Chapter 22: IT Governance and the Audit Committees IT Role 371

The Enterprise Audit Committee and IT Governance 371

Audit Committee IT Governance Responsibilities 374
Audit Committee Briefings and IT Governance Issues 375

About the Author 377

Index 379
 Preface

I
N TO DAY S W O R L D O F E V ER- C H A N GI N G ECO N O M I C CO N D I T I O NS and
increased regulatory activities, governance is becoming an increasingly important
issue for all sizes of enterprises, whether public corporations, not-for-profits, or private
businesses. Enterprise governance concepts consist of a series of broad areas of enter-
prise activity, starting first with managements accountability and fiduciary responsi-
bilities to its customers, employees, regulators, and all other stakeholders. This requires
the implementation of guidelines and programs to ensure that management acts in good
faith and that the overall enterprise is protected from wrongdoing or fraud. In addition,
enterprise governance includes management processes and policies to promote strate-
gic and economic efficiency. The management of economic efficiency involves how the
corporate governance system intends to optimize results and meet its objectives. This
promotion of strategic efficiency also calls for an enterprise to promote and establish
public policy objectives that are not always directly measurable in economic terms but
include such things as a strong ethics program, the promotion of quality, and employee
welfare.
Effective enterprise governance, of course, requires strong management skills to
make important decisions and provide leadership. There is also a very strong require-
ment for information technology (IT) systems and processes in particular. This impor-
tant area, IT governance, is the overall topic of this executive guide.
In the earlier days of IT systems and processes, senior operations management often
delegated many aspects of IT operations to specialists responsible for building, operat-
ing, and maintaining an enterprises IT resources. While there was frequent talk about
engaging the management and users of IT systems with the specialists and developers of
their IT resources, operations management often experienced disappointments. New IT
initiatives often did not meet their planned objectives, were delivered late, had security
and internal control vulnerabilities, or too soon became obsolete due to poor planning
or assessments of management needs. To improve matters today, there is a need for bet-
ter processes to manage and coordinate all aspects of an enterprises IT resourcesthe
need for IT governance.
This book is an executives guide to this important concept of IT governance. Our
focus is not on the IT specialist installing IT hardware, software, and network con-
nections, nor on such important resources as internal auditors who test and review IT
processes. Rather, this guide is directed to the enterprise executive who has some under-
standing of IT processes but is interested in learning more about the issues and processes

xiii