Achieving IT Governance and compliance using Kovair Global Lifecycle
By Bob Aiello, Editor in Chief, CM Crossroads Journal [email protected]
Kovair Software, Inc. 1533 California Circle, Suite # 210 Milpitas, CA 95035 408-262-3871 x 2008
www.kovair.com
IT Governance and compliance are increasingly important to senior management, who have the
responsibility for the overall control and health of a large corporation. In fact, IT Governance and
compliance are mandated competencies for any organization that wants to stay in business in today’s global, technology-centric environment. Public companies are required by Federal law,
including section 404 of the Sarbanes-Oxley Act of 2002, to establish effective reporting practices and
operational controls such as Change Management. Managers who need to implement
these procedures have a number of standards and frameworks to help them, including IEEE 12207
lifecycle processes, ISACA Cobit 4.1, SEI CMMI and the itSMF ITIL v3.
The Sarbanes-Oxley law has provided the stimulus for many corporations to take a hard look at their
reporting and operational controls, but unfortunately, many firms miss the opportunity to achieve
improved productivity through the effective implementation of these controls. Instead, a failed audit
may have them scrambling to quickly meet the letter of the law in order to stay within bounds on
compliance. At best, this is a missed opportunity. For some companies, this expediency may
ultimately result in lost competitive advantage. Implementing improved controls and processes has the
potential to provide the organization with significantly improved productivity and value, and that is
exactly what this white paper is all about.
Many practitioners and line managers complain that some of the industry frameworks explain “what”
needs to be done without giving enough information on “how” to implement these procedures. In this
paper, we will examine exactly how to implement a few of the Cobit controls using the Kovair Global
Lifecycle. The complete Cobit 4.1 framework is available from the ISACA website ( www.isaca.org).
Kovair resources and their affiliates will be glad to discuss exactly how any of the controls in industry
frameworks may be operationalized and achieved through better tools and process.
In this white paper, we will discuss implementing controls to manage changes, IT processes
and (briefly) manage configurations.
The Cobit 4.1 framework has an IT Process called AI6 – Manage Changes which states that all changes,
including emergency maintenance and patches, relating to infrastructure and applications within the
production environment are formally managed in a controlled manner. Changes (including those to
procedures, processes, system and service parameters) are logged, assessed and authorized prior to
implementation and reviewed against planned outcomes following implementation. This assures
mitigation of risks of negatively impacting the stability or integrity of the production environment (Cobit
4.1, AI6).
© Kovair Software, Inc. 2000 – 2008
For many organizations, implementing this control objective may prove to be a difficult task. The
Kovair Global Lifecycle provides the tools and process necessary to remove the ambiguity and realize
improved productivity through the proper implementation of the Cobit 4.1 framework and, of course,
achieve the objectives of IT Governance and compliance. What follows is one brief example of how this
control may be analyzed, interpreted and implemented. Your organization may need to interpret or tailor
this control objective differently but the implementation effort would be the same.
The Cobit AI6 – Manage Changes IT Process states that control over the IT process of
Managing Changes is achieved by:
Defining and communicating change procedures, including emergency changes
Assessing, prioritizing and authorizing changes
Tracking status and reporting on changes
The Kovair Global Lifecycle allows you to define the exact tasks necessary to implement each of the
control practices required to meet the control objective of “setting up formal change management
procedures to handle in a standardized manner all requests (including maintenance and patches) for
changes to applications, procedures, processes, system and service parameters, and the underlying
platforms”. Some of the control practices that AI6 indicates (the full list is available from ISACA) are:
1) Develop, document, and promulgate a change management framework that specifies the policies
and processes including:
Roles and responsibilities
Classification and prioritization of all changes based on business risk
Authorization and approval of all changes by the business process owners and IT
Tracking and status of changes
2) Establish and maintain version control over all changes
3) Implement roles and responsibilities that involve business process owners and appropriate technical
IT functions. Ensure appropriate segregation of duties.
4) Establish appropriate record management practices and audit trails to record key steps in the
change management process. Ensure timely closure of changes. Elevate and report to management
changes that are not closed in a timely fashion.
Implementing this example would be straightforward in Kovair and all of the required processes can
be specified exactly as required by the Cobit 4.1 framework. For example, Kovair screens would be developed to allow authorized personnel to enter specific requested changes,
organized by predefined categories. All of the information would be entered via the Kovair-built
screens along with predefined values (defaults). Linked fields can be set to change dynamically based
upon pre-selected values. In Kovair, anything can be configured so that your process works exactly the
way that you need it to.
Potential causes of Risk can be categorized and selected to be assigned to a Change Request. The Risk
list can be organized by Change Request type and updated dynamically to reflect the organization’s
own risk management processes.
Authorization and approvals of all changes can be organized by individuals, groups or even predefined
shared approval boards that can be configured exactly as required by the business needs. In fact,
implementing PO4 – Define the IT Processes, Organization and Relationships - requires that the
processes establish and implement IT roles and responsibilities, including supervision and segregation
of duties. Kovair has a robust structure in place to define all of these relationships explicitly as needed.
There is also the facility to override controls, in emergency situations, with required approvals and
automatic notification of specified audit resources (e.g. head of security, CTO etc.). This provides the
ability to enforce processes and yet also has the flexibility to allow for exceptions by implementing a
specific auditable exception process.
The Kovair Omnibus Integration Bus can be used to integrate with leading testing tools, source code
management repositories and even in-house custom systems. Kovair can be configured to be your central
repository for all information related to a particular change including configuration management.
That means that companies using the ITIL v3 framework can use Kovair as the central repository for
the Configuration Management Database (CMDB).
Kovair makes tracking the status of changes very straightforward as all of the required steps and their
individual completion are shown via status reports, history logs and even visual diagrams. Compliance is
much easier when there are sufficient reports to show exactly which steps were completed, and by
whom, as well as all of the related approvals (and rejections). Information can also be summarized and
reported to senior management to provide visibility into all of the required IT controls.
The Cobit framework indicates that AI6 can be measured by:
Number of disruptions or data errors caused by inaccurate specifications or incomplete
impact assessment
Amount of application or infrastructure rework caused by inadequate change specifications
Percent of changes that follow formal change control processes
These are valid metrics that can be communicated to senior management to provide visibility into
the organization’s Change Management process.
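To make the AI6 practices discussed above concrete, the following is an added example (not Kovair code, and not part of the original white paper) that models a change request as a small state machine: every step is written to an audit trail with actor and timestamp, approvals are restricted to the roles defined for the change's risk class, the requester can never approve their own change (segregation of duties), an emergency override is possible only through an independent approver and automatically notifies the audit contacts, stale changes are flagged for escalation, and the "percent of changes that follow formal change control" and rework metrics are computed from the record. The role names, the seven-day closure SLA, the audit contacts and the sample change requests in demo() are all assumptions constructed for the illustration.

```python
"""Toy AI6-style change-control workflow. Constructed example; roles, SLA,
audit contacts and sample changes are assumptions, not Kovair's model."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Set, Tuple


class State(Enum):
    LOGGED = "logged"
    AUTHORIZED = "authorized"
    IMPLEMENTED = "implemented"
    CLOSED = "closed"


# Assumed organisation: roles that must approve a change of a given risk class.
APPROVERS_BY_RISK = {"low": {"it_lead"}, "high": {"it_lead", "business_owner"}}
EMERGENCY_ROLE = "cab_chair"                  # only this role may grant an override
AUDIT_CONTACTS = ["head_of_security", "cto"]  # notified on every emergency override
CLOSURE_SLA = timedelta(days=7)               # assumed "timely closure" threshold


class ControlViolation(Exception):
    """Raised when an action would breach a defined control practice."""


@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    risk: str
    planned_outcome: str
    opened: datetime
    state: State = State.LOGGED
    emergency: bool = False
    outcome_met: Optional[bool] = None
    approvals: Set[str] = field(default_factory=set)
    audit_trail: List[Tuple[str, str, str]] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._log(self.requester, "logged change request", self.opened)

    def _log(self, actor: str, action: str, when: datetime) -> None:
        # Audit trail: who did what, and when (AI6 practice 4).
        self.audit_trail.append((when.isoformat(), actor, action))

    def authorize(self, actor: str, role: str, when: datetime) -> None:
        # Segregation of duties and role-based approval (AI6 practices 1 and 3).
        if actor == self.requester:
            raise ControlViolation("requester may not approve their own change")
        if role not in APPROVERS_BY_RISK[self.risk]:
            raise ControlViolation(f"role {role} cannot approve {self.risk}-risk changes")
        self.approvals.add(role)
        self._log(actor, f"approved as {role}", when)
        if self.approvals >= APPROVERS_BY_RISK[self.risk]:
            self.state = State.AUTHORIZED
            self._log("system", "all required approvals present", when)

    def implement(self, actor: str, when: datetime,
                  emergency_by: Optional[Tuple[str, str]] = None) -> None:
        # Authorization must precede implementation unless an auditable
        # emergency exception is granted by an independent CAB chair.
        if self.state != State.AUTHORIZED:
            if emergency_by is None:
                raise ControlViolation("change must be authorized before implementation")
            approver, role = emergency_by
            if role != EMERGENCY_ROLE or approver == self.requester:
                raise ControlViolation("emergency override needs an independent CAB chair")
            self.emergency = True
            self._log(approver, "emergency override granted", when)
            self.notifications.extend(
                f"notify {c}: emergency change {self.cr_id}" for c in AUDIT_CONTACTS)
        self.state = State.IMPLEMENTED
        self._log(actor, "implemented", when)

    def review(self, actor: str, outcome_met: bool, when: datetime) -> None:
        # Post-implementation review against the planned outcome closes the change.
        if self.state != State.IMPLEMENTED:
            raise ControlViolation("review requires an implemented change")
        self.outcome_met = outcome_met
        self._log(actor, "reviewed: outcome " + ("met" if outcome_met else "NOT met"), when)
        self.state = State.CLOSED


def overdue(changes: List[ChangeRequest], now: datetime) -> List[str]:
    """Changes not closed within the SLA, to be elevated to management."""
    return [c.cr_id for c in changes if c.state != State.CLOSED and now - c.opened > CLOSURE_SLA]


def ai6_metrics(changes: List[ChangeRequest]) -> dict:
    """Percent of changes that followed formal control, and rework count."""
    total = len(changes)
    formal = sum(1 for c in changes if not c.emergency)
    rework = sum(1 for c in changes if c.outcome_met is False)
    return {"percent_formal": 100.0 * formal / total if total else 0.0, "rework": rework}


def demo() -> dict:
    """Constructed sample: one formal change, one emergency fix, one stale request."""
    t0 = datetime(2008, 6, 2, 9, 0)
    normal = ChangeRequest("CR-1", "alice", "high", "patch web tier", t0)
    normal.authorize("bob", "it_lead", t0 + timedelta(hours=1))
    normal.authorize("carol", "business_owner", t0 + timedelta(hours=2))
    normal.implement("dave", t0 + timedelta(days=1))
    normal.review("erin", True, t0 + timedelta(days=2))
    hotfix = ChangeRequest("CR-2", "alice", "low", "restart failing job", t0 + timedelta(days=3))
    hotfix.implement("dave", hotfix.opened + timedelta(minutes=30), emergency_by=("frank", "cab_chair"))
    hotfix.review("bob", False, hotfix.opened + timedelta(hours=4))
    stale = ChangeRequest("CR-3", "greg", "low", "rotate log config", t0)
    try:  # segregation of duties: the requester approving their own change is refused
        stale.authorize("greg", "it_lead", t0)
        sod_blocked = False
    except ControlViolation:
        sod_blocked = True
    changes = [normal, hotfix, stale]
    return {"changes": changes, "sod_blocked": sod_blocked,
            "overdue": overdue(changes, datetime(2008, 6, 15, 9, 0)),
            "metrics": ai6_metrics(changes)}
```

Running demo() shows CR-1 closed with a full approval chain in its audit trail, CR-2 implemented under an emergency override that produced two audit notifications and a failed post-implementation review (counted as rework), CR-3 flagged as overdue, and a formal-control rate of two changes in three. Mapping each control practice to an explicit check in code, as here, is what makes a later audit a matter of reading the trail rather than reconstructing it.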
Implementing IT Governance and compliance is all about confirming that the right things are done, at
the right time and in the right way. It’s also about traceability and providing visibility to all of the
stakeholders involved. Kovair is the robust automated process workflow solution that can help your
organization successfully implement IT Governance and compliance best practices. Are you ready to
use compliance to enhance your organization’s productivity?