The Manage Layer

Article
04/25/2008

To help IT professionals effectively plan and optimize IT strategy, MOF provides service management functions (SMFs) that identify the processes, people, and activities required to align IT services to business requirements. SMFs identify and describe the primary activities that IT professionals perform within the various phases of the IT service lifecycle. Although each SMF can be thought of and used as a stand-alone set of processes, it is when they are combined that they most effectively ensure that service delivery is complete and at the desired quality and risk levels.

Service Management Functions Within the Manage Layer

As a foundation of all the lifecycle phases, the Manage Layer integrates the separate activities of all the SMFs through its own SMFs:

Governance, Risk, and Compliance Service Management Function (GRC SMF)
Change and Configuration Service Management Function (CC SMF)
Team Service Management Function

The following table explains these SMFs in more detail.

Table 1. The Manage Layer SMFs

SMF

Deliverable/Purpose

Outcomes

Governance, Risk, and Compliance

Deliverable: IT objectives achieved, change and risk managed and documented

Purpose: Support, sustain, and grow the organization while managing risks and constraints

IT services are seamlessly matched to business strategy and objectives

Change and Configuration

Deliverable: Known configurations and predictable adaptations

Purpose: Ensure that changes are planned, that unplanned changes are minimal, and that IT services are robust

IT services are predictable, reliable, and trustworthy

Team

Deliverable: Clear accountabilities, roles, and work assignments

Purpose: Agile, flexible, and scalable teams doing required work

IT solutions delivered within specified constraints, with no unplanned service degradation, and with service operation that is trusted by the business

Governance, Risk, Compliance (GRC) and Change and Configuration (CC) activities occur throughout the lifecycle, but the perspective, scope, and focus of these activities vary by phase. For example, change management activities in the Plan Phase will be of a different magnitude and will involve different factors and participants than the change management activities in the Operate Phase. Similarly, the concerns of GRC reflect the primary objectives of a phase; these will change focus in terms of decision making, risk analysis, and the specifics of compliance.

GRC and CC create more unified process flows in all areas of the lifecycle by establishing the means for making decisions, balancing tradeoffs, and grounding strategy by managing risks. As the foundation for the IT service lifecycle, the Manage Layer provides a structured and planned way for IT to contribute to the long-term viability and improvement of the organization.

Role of Manage SMFs in the IT Service Lifecycle Phases

The following table lists specific ways that the Manage Layer SMFs help meet the objectives of the three other IT service lifecycle phases. More detailed explanations of the role and value of the Manage Layer SMFs can be found in each of the SMFs as they are described in their respective phases.

Table 2. Focus of Manage Layer SMFs on IT Service Lifecycle Phases

Phase and Its Objective

GRC Focus

CC Focus

Team Focus

Plan:

Ensure that services offered to the business are valuable, predictable, reliable, and cost-effective, and that they respond to ever-changing business needs

Corporate strategy transfer to IT strategy
Governance structure, decision rights
High-level risks
General regulatory environment
Policy definition
Investment determination
Definition of management objectives

Leadership identified and asked to participate in change evaluation
Business process change
Architectural change
Change evaluated across dimensions (financial, application portfolio, security, and so on)

Decision makers identified and involved
Responsibilities for determining risk tolerance assigned
Financial management expertise
Legal and compliance representation

Deliver:

Ensure that those services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for operations

Organizational requirements, both functional and operational, supported by solution architecture
Project stakeholders, methodology, risks identified
Value realization process
Service development lifecycle
Risk mitigation
Internal controls defined
Procedures defined

Solution scope
Resourcing
Project management
Financial impact

Principles for effectively organizing project teams
Accountabilities and role types
Alignment of responsibilities
Assignment of roles

Operate:

Ensure that deployed services are operated, maintained, and supported in line with the service level agreement targets agreed to between the business and IT

Procedures and controls
Recording and documentation

IT environment and configuration
Process and procedure
Standard change

Principles for organizing operations work
Principles for organizing monitoring work
Principles for organizing support work

Internal Controls

The concept behind internal controls is relatively simple. Suppose you know how to do a simple task from start to finish. You know it well and can reliably and consistently achieve the end result. Now suppose you need to have several other people perform the same task; the activities, checks, and balances you put in place to make sure those people do the same task and achieve the same goals make up the internal controls for that task.

But those initial controls address only the task itself. When multiple people are involved, complexity increases rapidly. Suppose it becomes more efficient to split the task up and have certain people address certain parts. Now controls are needed to ensure that individual results mesh as intended and that no one person has managed to defraud the process. In areas of finance, the control issues become even more pronounced. A lack of effective control could result in accounting errors, or even fraud or embezzlement. This is when added layers of control related to access, roles, and segregation of duty become part of the picture.

Internal controls are present in all areas within IT’s scope of responsibility. Some controls relate to the physical environment where the data center infrastructure is located. Other controls involve the technology itself, for example, its configuration and who has access to administrative functions. Some controls address data access and the lifecycle of the data across technologies, from encryption to authorization to recoverability and chain of custody.

Many of the business-related internal controls that affect IT professionals are seen in the line-of-business applications that make up financial, manufacturing, customer relationship, and human resource systems. In these areas the controls need to be expressed as business requirements that drive application features. On top of these business process-related controls, IT professionals must address controls that are specific to the operation of systems and technologies that make up the application platform.

Classifying IT controls into general categories helps identify the nature of the controls while establishing the likely approach to monitoring, testing, and assessing the design and operating effectiveness of the controls. The following table elaborates on controls.

Table 3. Types of Controls, Their Content, and Examples

Control Type

Content

Examples

Administrative

Standards, policies, and procedures, as well as ancillary controls such as communications and awareness training programs

Information classification policy: ensures classification of information and rights of access at each level
Business continuance policy: ensures that all aspects of the business are considered in the event of a disruption or disaster
Change management process: ensures that changes to the IT environment are applied in the correct manner

Technical

Access controls, encryption mechanisms, and other technologies used to protect logical information assets from unauthorized use

Encrypting file system (EFS)
Access control lists (ACLs)
Physical access to computers controlled through password protected screensavers

Physical

Controls that protect the physical devices on which the information is stored or transmitted

Security cables on computers inhibit unauthorized removal of equipment
Locks on doors and windows help control physical access to devices
Universal power supply is available to sustain business activity on computers in case of a power outage
Data and OS are backed up and recoverable to a remote location for business continuance

Demonstrating that an IT service is, in fact, in control is accomplished throughout the IT service lifecycle by:

Defining high-level objectives for each lifecycle phase.
Identifying risks to the achievement of those objectives.
Identifying risk management approaches in the form of matching internal controls for mitigating risks.

Management Review for the Manage Layer

Management is responsible for establishing goals, evaluating progress, and ensuring results. In part, governance consists of the decision-making processes (controls) that help management fulfill this responsibility. Each phase of the IT service lifecycle has one or more management reviews (MRs) that function as management controls. This means that the right people are brought together, at the right time and with the right information, to make management decisions. Every phase has different management objectives, so each phase has uniquely focused MRs with appropriate stakeholders, required decisions, and the type of data needed to make well-informed and fully weighed decisions. The Manage Layer is the same as the lifecycle phases when it comes to the need for management oversight, and there is a management review specifically for the Manage layer.

Policy and Control Management Review

The Policy and Control Management Review (MR) consists of at least biannual reviews that evaluate the effectiveness of the policies and controls in place across the IT service lifecycle. The performance of IT and its partners, the reliability and trustworthiness of services provided, and the ability of IT to respond to the business are all affected by the policy and control environment. Across all phases and SMFs in the IT service lifecycle, explicit attention is given to identifying management objectives, risks that could adversely impact these objectives, and controls put in place to mitigate these risks. This MR is management’s opportunity to assess policies and controls and their impact across the lifecycle in terms of achieving management objectives. The review yields a view of how well risk is being managed and of the likelihood that management objectives will be achieved, and it exemplifies “governance in action” for the Manage Layer.

Core questions for this review include:

Are the right policies in place? (Considering management objectives, regulations, standards, and industry practices)
Are the policies effective? (Compliance reporting, requests for changes to policies, and exceptions granted)
Are the right controls in place? (Based on risk assessments and mitigations, events and incidents not addressed by controls, and costs and benefits of controls)
Are controls operating effectively across the lifecycle?
- Focusing on change and configuration: Are the intended results occurring, any failed changes or rework needed to correct changes?
- Focusing on value realization: Assess the fit between the policy and control environment and the value that the business needs to receive from IT. Is this the right level of control given identified risk impacts and expected returns?

While the Policy and Control MR provides a summary view into the policy and control environment, specific processes for managing policies are described in the MOF Policy SMF.

The purpose of the MR is to provide IT management:

· An understanding of how risks to achieving goals are being addressed.

· An assessment of the burden of control so that it can adjust appropriately for desired benefits.

· An evaluation of behavior as an indicator of policy communication and enculturation.

A set of appropriate controls should be in place to ensure the following goals:

Implement the requirements of organizational policy, including information security policy.
Manage risks associated with management goals and certain general IT controls, such as appropriate access to services or systems.
Document controls and evidence of control activities.

Since controls are central to providing secure and trustworthy services, any changes to controls must be managed. The Policy and Control MR should evaluate the impact of changes to controls made since the previous review. Related effort should be given to reviewing the assessments of potential change impacts made prior to the actual implementation of the changes.

One goal of this MR is to assess the effectiveness of change management of the control environment. This is different than the activities that occur within the MOF Change and Configuration SMF. The focus is on management practices in terms of compliance to policy and control effectiveness.

This MR also evaluates policy and controls that are part of the agreements with external organizations. This includes such things as agreements and contracts related to access to information systems and data as well as security and privacy requirements for the services.

Participants in this MR should be mostly IT senior managers with support provided by Compliance, Policy, and Security team members. Auditors may provide useful insights into the effectiveness and efficiency of controls and considerations for compensating controls. Partners might participate to ensure that policy and control objectives are achievable in their environments. All parties need to understand the risks and mitigations that are being shifted among them and provide assurance that this is being done effectively.

Table 4. Components of the Policy and Control Management Review

Inputs

Analysis

Decisions

Outputs

Operational and security policies
Policy violations, compliance incidents, management action taken since last MR
Policy change requests
Results from the “Enforce and Evaluate” process in the Policy SMF
Changes in regulations, standards, or industry practices
Audit findings, recommendations, issues
Unanticipated risks, incidents
Controls failing or underperforming
Control self-assessments
Minutes and actions from last MR meeting

Evaluate incidents and non-compliance, determine root cause
Review policy enforcement activities
Review audit findings and recommendations
In each lifecycle phase, evaluate policy and control impacts to see if they:
Plan: promote services that the business sees as valuable, predictable, reliable, and cost-effective
Deliver: develop services effectively, deploy successfully, and are ready for operations
Operate: services are operated, maintained, and supported in line with the OLA/SLA and are compliant with policy
Review risk assessments and mitigations for completeness and effectiveness

Whether policy and control performance meets management expectations
Agreement as to root cause of non-compliance and any changes to policy management
Whether control environment is appropriate or if changes are needed

Documentation of MR with actions and accountabilities
Requests for changes to specific policies or controls
Requests for changes to policy management
Requests for changes to control management

The Policy and Control MR should result in identified requests for changes that will improve the management and enforcement of policies as well as improve the management of risk and the overall control environment. Actions for improvements identified during this MR should be documented and a record retained to demonstrate IT engagement with the key processes related to risk, policy, and control management. This will provide transparency and evidence that executive management and the board of directors can use to assess IT management activities.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.