The Manage Layer
To help IT professionals effectively plan and optimize IT strategy, MOF provides service management functions (SMFs) that identify the processes, people, and activities required to align IT services to business requirements. SMFs identify and describe the primary activities that IT professionals perform within the various phases of the IT service lifecycle. Although each SMF can be thought of and used as a stand-alone set of processes, it is when they are combined that they most effectively ensure that service delivery is complete and at the desired quality and risk levels.
Service Management Functions Within the Manage Layer
As a foundation of all the lifecycle phases, the Manage Layer integrates the separate activities of all the SMFs through its own SMFs:
- Governance, Risk, and Compliance Service Management Function (GRC SMF)
- Change and Configuration Service Management Function (CC SMF)
- Team Service Management Function
The following table explains these SMFs in more detail.
Table 1. The Manage Layer SMFs
Governance, Risk, and Compliance
Deliverable: IT objectives achieved, change and risk managed and documented
Purpose: Support, sustain, and grow the organization while managing risks and constraints
Outcome: IT services are seamlessly matched to business strategy and objectives
Change and Configuration
Deliverable: Known configurations and predictable adaptations
Purpose: Ensure that changes are planned, that unplanned changes are minimal, and that IT services are robust
Outcome: IT services are predictable, reliable, and trustworthy
Team
Deliverable: Clear accountabilities, roles, and work assignments
Purpose: Agile, flexible, and scalable teams doing required work
Outcome: IT solutions delivered within specified constraints, with no unplanned service degradation, and with service operation that is trusted by the business
Governance, Risk, Compliance (GRC) and Change and Configuration (CC) activities occur throughout the lifecycle, but the perspective, scope, and focus of these activities vary by phase. For example, change management activities in the Plan Phase will be of a different magnitude and will involve different factors and participants than the change management activities in the Operate Phase. Similarly, the concerns of GRC reflect the primary objectives of a phase; these will change focus in terms of decision making, risk analysis, and the specifics of compliance.
GRC and CC create more unified process flows in all areas of the lifecycle by establishing the means for making decisions, balancing tradeoffs, and grounding strategy by managing risks. As the foundation for the IT service lifecycle, the Manage Layer provides a structured and planned way for IT to contribute to the long-term viability and improvement of the organization.
Role of Manage SMFs in the IT Service Lifecycle Phases
The following table lists specific ways that the Manage Layer SMFs help meet the objectives of the three other IT service lifecycle phases. More detailed explanations of the role and value of the Manage Layer SMFs can be found in each of the SMFs as they are described in their respective phases.
Table 2. Focus of Manage Layer SMFs on IT Service Lifecycle Phases
Plan Phase objective: Ensure that services offered to the business are valuable, predictable, reliable, and cost-effective, and that they respond to ever-changing business needs
Manage Layer SMF focus in this phase:
- Corporate strategy transfer to IT strategy
- Governance structure, decision rights
- High-level risks
- General regulatory environment
- Policy definition
- Investment determination
- Definition of management objectives
- Leadership identified and asked to participate in change evaluation
- Business process change
- Architectural change
- Change evaluated across dimensions (financial, application portfolio, security, and so on)
- Decision makers identified and involved
- Responsibilities for determining risk tolerance assigned
- Financial management expertise
- Legal and compliance representation
Deliver Phase objective: Ensure that those services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for operations
Manage Layer SMF focus in this phase:
- Organizational requirements, both functional and operational, supported by solution architecture
- Project stakeholders, methodology, risks identified
- Value realization process
- Service development lifecycle
- Risk mitigation
- Internal controls defined
- Procedures defined
- Solution scope
- Project management
- Financial impact
- Principles for effectively organizing project teams
- Accountabilities and role types
- Alignment of responsibilities
- Assignment of roles
Operate Phase objective: Ensure that deployed services are operated, maintained, and supported in line with the service level agreement targets agreed to between the business and IT
Manage Layer SMF focus in this phase:
- Procedures and controls
- Recording and documentation
- IT environment and configuration
- Process and procedure
- Standard change
- Principles for organizing operations work
- Principles for organizing monitoring work
- Principles for organizing support work
The concept behind internal controls is relatively simple. Suppose you know how to do a simple task from start to finish. You know it well and can reliably and consistently achieve the end result. Now suppose you need to have several other people perform the same task; the activities, checks, and balances you put in place to make sure those people do the same task and achieve the same goals make up the internal controls for that task.
But those initial controls address only the task itself. When multiple people are involved, complexity increases rapidly. Suppose it becomes more efficient to split the task up and have certain people address certain parts. Now controls are needed to ensure that individual results mesh as intended and that no one person has managed to defraud the process. In areas of finance, the control issues become even more pronounced. A lack of effective control could result in accounting errors, or even fraud or embezzlement. This is when added layers of control related to access, roles, and segregation of duty become part of the picture.
Internal controls are present in all areas within IT’s scope of responsibility. Some controls relate to the physical environment where the data center infrastructure is located. Other controls involve the technology itself, for example, its configuration and who has access to administrative functions. Some controls address data access and the lifecycle of the data across technologies, from encryption to authorization to recoverability and chain of custody.
Many of the business-related internal controls that affect IT professionals are seen in the line-of-business applications that make up financial, manufacturing, customer relationship, and human resource systems. In these areas the controls need to be expressed as business requirements that drive application features. On top of these business process-related controls, IT professionals must address controls that are specific to the operation of systems and technologies that make up the application platform.
Classifying IT controls into general categories helps identify the nature of the controls while establishing the likely approach to monitoring, testing, and assessing the design and operating effectiveness of the controls. The following table elaborates on controls.
Table 3. Types of Controls, Their Content, and Examples
Administrative controls: standards, policies, and procedures, as well as ancillary controls such as communications and awareness training programs. Examples:
- Information classification policy: ensures classification of information and rights of access at each level
- Business continuance policy: ensures that all aspects of the business are considered in the event of a disruption or disaster
- Change management process: ensures that changes to the IT environment are applied in the correct manner
Technical controls: access controls, encryption mechanisms, and other technologies used to protect logical information assets from unauthorized use. Examples:
- Encrypting File System (EFS)
- Access control lists (ACLs)
- Physical access to computers controlled through password-protected screensavers
Physical controls: controls that protect the physical devices on which the information is stored or transmitted. Examples:
- Security cables on computers inhibit unauthorized removal of equipment
- Locks on doors and windows help control physical access to devices
- Uninterruptible power supply (UPS) is available to sustain business activity on computers in case of a power outage
- Data and OS are backed up and recoverable to a remote location for business continuance
Demonstrating that an IT service is, in fact, in control is accomplished throughout the IT service lifecycle by:
- Defining high-level objectives for each lifecycle phase.
- Identifying risks to the achievement of those objectives.
- Identifying risk management approaches in the form of matching internal controls for mitigating risks.
Management Review for the Manage Layer
Management is responsible for establishing goals, evaluating progress, and ensuring results. In part, governance consists of the decision-making processes (controls) that help management fulfill this responsibility. Each phase of the IT service lifecycle has one or more management reviews (MRs) that function as management controls. This means that the right people are brought together, at the right time and with the right information, to make management decisions. Every phase has different management objectives, so each phase has uniquely focused MRs with appropriate stakeholders, required decisions, and the type of data needed to make well-informed and fully weighed decisions. The Manage Layer needs management oversight just as the lifecycle phases do, so there is a management review specifically for the Manage Layer.
Policy and Control Management Review
The Policy and Control Management Review (MR) consists of at least biannual reviews that evaluate the effectiveness of the policies and controls in place across the IT service lifecycle. The performance of IT and its partners, the reliability and trustworthiness of services provided, and the ability of IT to respond to the business are all affected by the policy and control environment. Across all phases and SMFs in the IT service lifecycle, explicit attention is given to identifying management objectives, risks that could adversely impact these objectives, and controls put in place to mitigate these risks. This MR is management’s opportunity to assess policies and controls and their impact across the lifecycle in terms of achieving management objectives. The review yields a view of how well risk is being managed and of the likelihood that management objectives will be achieved, and it exemplifies “governance in action” for the Manage Layer.
Core questions for this review include:
- Are the right policies in place? (Considering management objectives, regulations, standards, and industry practices)
- Are the policies effective? (Compliance reporting, requests for changes to policies, and exceptions granted)
- Are the right controls in place? (Based on risk assessments and mitigations, events and incidents not addressed by controls, and costs and benefits of controls)
- Are controls operating effectively across the lifecycle?
- Focusing on change and configuration: Are the intended results occurring, and have any changes failed or required rework to correct them?
- Focusing on value realization: Assess the fit between the policy and control environment and the value that the business needs to receive from IT. Is this the right level of control given identified risk impacts and expected returns?
While the Policy and Control MR provides a summary view into the policy and control environment, specific processes for managing policies are described in the MOF Policy SMF.
The purpose of the MR is to provide IT management:
- An understanding of how risks to achieving goals are being addressed.
- An assessment of the burden of control so that it can adjust appropriately for desired benefits.
- An evaluation of behavior as an indicator of policy communication and enculturation.
A set of appropriate controls should be in place to ensure the following goals:
- Implement the requirements of organizational policy, including information security policy.
- Manage risks associated with management goals and certain general IT controls, such as appropriate access to services or systems.
- Document controls and evidence of control activities.
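The objective-to-risk-to-control matching described above, and the requirement to document evidence of control activities, can be checked mechanically before a Policy and Control MR. The following is an added illustration, not MOF guidance or Microsoft code; the risks, controls, evidence dates and the 182-day review period (approximating "biannual") are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# All sample risks, controls and evidence dates below are constructed for illustration.
@dataclass
class Risk:
    id: str
    objective: str      # management objective (lifecycle phase) the risk threatens
    description: str

@dataclass
class Control:
    name: str
    kind: str           # "administrative", "technical" or "physical" (see Table 3)
    mitigates: set      # risk ids this control is matched to
    evidence: list = field(default_factory=list)  # dates on which control activity was evidenced

def assess(risks, controls, review_date, review_period=timedelta(days=182)):
    """Coverage check for a Policy and Control MR.

    Returns (unmitigated, stale, orphan):
      unmitigated - risk ids with no matching control
      stale       - controls with no evidence of activity within the review period
      orphan      - controls matched only to risks absent from the register
                    (candidates for the "burden of control" question)
    """
    known = {r.id for r in risks}
    covered = set().union(*(c.mitigates for c in controls))
    unmitigated = sorted(r.id for r in risks if r.id not in covered)
    window_start = review_date - review_period
    stale = sorted(c.name for c in controls
                   if not any(window_start <= d <= review_date for d in c.evidence))
    orphan = sorted(c.name for c in controls if not (c.mitigates & known))
    return unmitigated, stale, orphan

RISKS = [
    Risk("R1", "Operate", "Unauthorized administrative access to production systems"),
    Risk("R2", "Operate", "Data not recoverable after loss of the primary site"),
    Risk("R3", "Deliver", "Architectural change deployed without review"),
]
CONTROLS = [
    Control("Quarterly admin ACL review", "technical", {"R1"},
            [date(2024, 3, 1), date(2024, 9, 2)]),
    Control("Remote backup restore test", "physical", {"R2"}, [date(2023, 11, 15)]),
    Control("Screensaver lock policy", "administrative", {"R9"}, [date(2024, 8, 20)]),
]

def sample_assessment(review_date=date(2024, 10, 1)):
    return assess(RISKS, CONTROLS, review_date)

if __name__ == "__main__":
    unmitigated, stale, orphan = sample_assessment()
    print("Risks without a matching control:", unmitigated)
    print("Controls lacking evidence this period:", stale)
    print("Controls matched to no registered risk:", orphan)
```

With the sample register, R3 surfaces as a risk with no control, the backup restore test as a control with no evidence in the period, and the screensaver policy as a control whose matched risk is not in the register.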
Since controls are central to providing secure and trustworthy services, any changes to controls must be managed. The Policy and Control MR should evaluate the impact of changes to controls made since the previous review. Related effort should be given to reviewing the assessments of potential change impacts made prior to the actual implementation of the changes.
One goal of this MR is to assess the effectiveness of change management of the control environment. This is different from the activities that occur within the MOF Change and Configuration SMF. The focus is on management practices in terms of compliance to policy and control effectiveness.
This MR also evaluates policy and controls that are part of the agreements with external organizations. This includes such things as agreements and contracts related to access to information systems and data as well as security and privacy requirements for the services.
Participants in this MR should be mostly IT senior managers with support provided by Compliance, Policy, and Security team members. Auditors may provide useful insights into the effectiveness and efficiency of controls and considerations for compensating controls. Partners might participate to ensure that policy and control objectives are achievable in their environments. All parties need to understand the risks and mitigations that are being shifted among them and provide assurance that this is being done effectively.
Table 4. Components of the Policy and Control Management Review
Inputs:
- Operational and security policies
- Policy violations, compliance incidents, management action taken since last MR
- Policy change requests
- Results from the “Enforce and Evaluate” process in the Policy SMF
- Changes in regulations, standards, or industry practices
- Audit findings, recommendations, issues
- Unanticipated risks, incidents
- Controls failing or underperforming
- Control self-assessments
- Minutes and actions from last MR meeting
Activities:
- Evaluate incidents and non-compliance, determine root cause
- Review policy enforcement activities
- Review audit findings and recommendations
- In each lifecycle phase, evaluate policy and control impacts to see if they:
  - Plan: promote services that the business sees as valuable, predictable, reliable, and cost-effective
  - Deliver: develop services effectively, deploy successfully, and are ready for operations
  - Operate: services are operated, maintained, and supported in line with the OLA/SLA and are compliant with policy
- Review risk assessments and mitigations for completeness and effectiveness
Outputs:
- Whether policy and control performance meets management expectations
- Agreement as to root cause of non-compliance and any changes to policy management
- Whether control environment is appropriate or if changes are needed
- Documentation of MR with actions and accountabilities
- Requests for changes to specific policies or controls
- Requests for changes to policy management
- Requests for changes to control management
The Policy and Control MR should result in identified requests for changes that will improve the management and enforcement of policies as well as improve the management of risk and the overall control environment. Actions for improvements identified during this MR should be documented and a record retained to demonstrate IT engagement with the key processes related to risk, policy, and control management. This will provide transparency and evidence that executive management and the board of directors can use to assess IT management activities.
This accelerator is part of a larger series of tools and guidance from Solution Accelerators.