JOURNALONLINE
objectives, controls and processes. The atlas represents a holistic understanding of the system and the numerous interrelationships and interdependencies of governance activities. The figure is not a graphic but a dynamically generated visualization rendered from a governance schema (database) where dozens of governance, management and workflow processes are structured. The perspective offers some deterministic insights to forces of influence, dualities, synergies, and macro- and micro-level planning structures.

COBIT Constellations
Within the universe model, several subject-specific constellations were defined to represent lines of activity and process models. Based on a use-case approach, all actors and perspectives (auditor, senior management, process owner, project manager) are represented. A process model for each high-level control objective is established and integrated with its companion “practitioner” workflow.
Take, for example, DS5 Ensure system security and the correlating processes that would be employed by referencing ISO 27000 and the establishment of a well-functioning information security management system (ISMS). By creating a vortex between the COBIT framework and the ISMS process model, a constellation is formed based on the intended results. Figure 3 illustrates the concept. Based on the principle of duality, the approaches are integrated and a synergy is formed.
As figure 4 demonstrates, each activity and “do” task is fully represented in the system and coupled to assignment of ownership. The figure is indicative of the tight binding of perspectives reflecting the points of view between audit and auditee, senior management and project managers, and business units and service providers. The approach has created a more harmonious relationship among organizationally separated peer groups and enabled a more collaborative forum.

Hubble Views: Checking and Reporting
As processes become increasingly integrated, the value of this approach becomes apparent in the facility by which one can analyze and report, particularly in the way of Capability Maturity Model (CMM)-oriented dashboarding, assessment of risk or budgetary reporting. As figure 5 illustrates, telescopic views enable dynamic monitoring of the governance system and its interconnected subsystems.
In the case of the UN, where results-based budgeting serves as the basis for justifying funding, linking projects to CMM performance objectives is vital. Return on investment is tightly coupled to performance objectives (and gaps) related to a maturity indicator for each line of activity. Most important, the supporting data are dynamic and updated through the natural course of the PDCA life cycle. The question “Where are we today?” is not answered tomorrow.

The same approach was taken for service management (ITIL), quality assurance (ISO 9000) and numerous others. The constellation represents a structured workflow representing two different orientations—in this case, the management and audit of an activity. The duality presents a number of opportunities for coordination and position for continuous audit. The chief information security officer (CISO) oversees the process, and the audit function is enabled by real-time access to the status of the implementation—where the gaps are, what the risks are, which controls are applied and, most important, how the process is managed. This facility has fostered a stronger harmonization between the activities of managing and monitoring a program.

MyStar: Encouraging Ownership and Accountability
The concept of constellations and modeling of processes is necessary to establish workflows and, most important, to encourage ownership and accountability for implementation of controls. A critical success factor to the project was to ensure that all actors could interact, participate and contribute to the exploration of the universe and drill down to a constellation (activity) of interest. In the case of managing an ISMS, the standard calls for a plan-do-check-act (PDCA) life cycle. This point of view is fully represented with the full range of activities of the life cycle.

6 Degrees: An IT Governance and Management Tool Kit
A tool is not the end to the means, but is vital; therefore, a tool was needed to examine governance. This article’s illustrations represent a tool kit developed and named after the concept known as the six-link rule: 6 Degrees. True to its name, 6 Degrees has paid dividends in ensuring the necessary linkages and harmonization of governance initiatives.
Borrowing from the visualization technologies of the scientific and informatics industries, the 6 Degrees system was developed based on five conceptual layers:
1. A logical model (database) integrating all high-level structures and processes of the governance system
2. A workflow-based input/output interface to ensure process and data-driven currency and accuracy
3. A quantitative analysis engine using OLAP methods
4. A visualization gateway to the model adopted from the fields of social network analysis and complex systems theory
5. A real-time reporting and dashboarding facility
The 6 Degrees system was established on the proverbial shoestring budget using open source resources, but the returns have proved invaluable. The portal provides a single source window and analytical tool kit for extending the organization’s ability toward more complex analysis and quantitative measurement—what ifs, simulation, cost-benefit analysis, budget formulation, resource allocation and business intelligence.
Figures 2 through 5 are generated on demand from workflow-related inputs. 6 Degrees is providing a powerful means of making invisible patterns of workflow and collaboration in strategically important groups visible. The benefits to audit and continuous improvement have shown tremendous promise. Gap analysis, diagnostic reviews, risk assessments and compliance reports are generated on demand and reflect the multidimensional alignment with resources and processes.

Lessons Learned
The system was designed to address two main needs:
1. To govern projects, activities and processes using strategically constructed integrations among workflows
2. To present strategy and report on its implementation to the senior management and oversight bodies
Since the initiation of this project, several noteworthy benefits have been realized. In particular, the organization was able to achieve a clearer and controllable reporting system about the performance of the IT function. Predefined metrics have allowed the organization to identify baselines for comparative analysis and consistently monitor the performance of the IT function over time. Because of the previously mentioned mapping among organizational units, projects, activities and processes, and organizational goals, the system allows for a better representation of how resources (financial and human) are allocated and used to achieve the goals.
The achievements can be best expressed by the greatest benefit of an understanding of the sum of the parts and the strategy of the whole. Actors have an increased appreciation for their role and contribution to the governance system. Thanks to the construction of the universe, the system is no longer abstract; it is planned and organized. The system has received positive feedback and acknowledgment from all these entities. The governance framework is gaining increasing acceptance as it is woven into the culture of the organization. The approach is increasingly institutionalized and rooted, and it is equally embraced by the practitioner, as it is an audit guideline. The approach, complemented with the tool kit, has provided new capability to the organization toward continuous improvement practices, compliance with industry standards and decision-making support.
The tangibility of the benefits is growing and has become increasingly evident. Recently, the UN received ISO 27000 certification. During the certification audit, the organization was asked to show auditors its ISMS. The staff members clicked a button and said “Here.” There were no additional questions, tedious explanations or confusion.
While many steps lie ahead for this path of ICT governance, a map is drawn and the universe is charted. If Carl Sagan was right, the apple pie should be forthcoming.

Author’s Note:
Readers are invited to contact the authors for further details. The web-based tool 6 Degrees described in this paper will be made freely available to interested parties upon request.
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.