Overheard in the tech blogosphere » IT Governance

Overheard – ISO 38500

Margaret Rouse — Thu, 14 Jan 2010 17:58:21 +0000

The ISO 38500 standard seeks to establish that IT is the entire executive management team’s responsibility and not just the responsibility of the CIO.

Yuga Chaudhari, ISO 38500: A new corporate governance standard for IT

Today’s WhatIs.com Word of the Day is ISO 38500.

Release management – the IT equivalent of herding cats

Margaret Rouse — Fri, 12 Jun 2009 16:28:27 +0000

Studies have shown us that a large majority of IT projects fail either in part or outright for non-technical reasons that could have been prevented with proper planning.

George Spafford, Release policies set standards for rollouts

Today’s WhatIs.com Word of the Day is release management.

As part of a webcast on Understanding the ITIL Trinity of Configuration Change and Release Management, George says that:

29% of projects deliver on-time with expected features
53% are challenged (are delivered on-time without expected features)
18% outright fail outright

It’s not surprising that George attributes these dismal numbers to non-technical factors, including lack of project planning, poor requirements definition, not getting the right stakeholders involved, poor communication and insufficient management oversight.

I’m frankly surprised that the number of projects that deliver on-time with expected features is so high. I would have guessed…3%.

Overheard – Avoiding common audit pitfalls

Margaret Rouse — Fri, 06 Feb 2009 12:55:04 +0000

“Make no mistake — auditors will find fault with your systems, your processes, and the people who operate them. They’re auditors. It’s their job.”

Kelly Jackson Higgins, Experts share tips on how to avoid the most common pitfalls in an audit

If you missed Kelly’s article when it first came out, take moment and read through it. I bet you’ll learn something.

Key points I want to remember:

Two of their most common reasons for failing an audit are poor documentation and poor training programs.
It’s all about proving that data isn’t tampered with — from inside or out.

- Manage change in a consistent manner.
- Clearly define roles and permissions.
- Know who (and where) users are, what role they play and what permissions they have.
- Align physical security with IT security.
- Be ready to demonstrate how you monitor security.
- Be ready to demonstrate how you are able to detect and act on anomalies.
- Map security processes to business processes. A checklist isn’t enough.

Overheard: Governance, risk and compliance in a single $400,000 package

Margaret Rouse — Mon, 28 Jan 2008 13:43:21 +0000

That integration wasn’t quite there when we first implemented the software. We were going on faith regarding the vendor’s promises.

John Wheeler, SunTrust Banks Inc.

This quote came from an article in CFO magazine by John Goff called The Emergence of Convergence. It’s a very well-written analysis of an emerging software genre called GRC (governance, risk and compliance managed with one application.) I really recommend you make time to read it.

My other favorite quote from this article: “Application vendors, who cling to marketing hooks the way cats cling to curtains, have been only too happy to cater to this desire [to converge software].

When I first read the quote from John Wheeler about “going on faith regarding the vendor’s promises,” I thought “uh oh.” But the vendor, OpenPages, came through. That’s reason enough to read the article.