The IT organization of X-Bank (original name withheld) was facing a great deal of challenges with day-to-day IT service delivery. While critical activities, such as end-of-day, backup and restore functions, and scheduled server reboot for certain critical servers were documented on paper for regulatory compliance reasons, most processes were at best documented in individual employees’ heads.
There was poor change control; something broke every other day and it was perfectly acceptable to have unplanned downtime of banking services for a few hours every month. Often, the unplanned downtime was due to, for example, failed system upgrades or security configuration modifications by the security administrators without proper impact assessments. Fortunately, the enterprise’s internal control department had some oversight over the critical banking infrastructure; otherwise, banking operations could have suffered a total systemic failure.
In the marketplace, relatively smaller banks were recording better performance and were perceived as more reputable than X-Bank. Within the bank, the business executives did not trust IT’s ability to effectively and efficiently support business objectives, and IT was obviously overwhelmed with the challenges.
A turning point came when the chief executive officer (CEO) was stranded in the UK on a business trip. His debit card did not work for the entire three days that he was away nor did those of the other senior executive who had accompanied him. Unfortunately, it was the policy of the bank that middle to senior management staff were not permitted to hold bank accounts with other financial institutions; thus, they were stranded with little means to help themselves.
On return, the CEO initiated a process that resulted in the hiring of a chief information officer (CIO)—a very experienced CIO. His objectives were very clear:
- Stabilize the IT organization to effectively and efficiently support the business objectives.
- Minimize business disruptions caused by unplanned IT operations.
- Justify any (every) further investment in IT.
The CIO commenced meetings with new and existing consultants of the organization, the outcome of which culminated in the selection of COBIT 4.1 as the most rounded approach to achieving the desired outcomes. Additionally, the project was bundled with a security assessment exercise.
The CEO was clear on the results he desired and why he hired a CIO so he was taken by surprise when, after committing to giving whatever was required as a sign of support, the first thing the CIO asked for was his active participation in the transformational changes in the IT organization. The lesson was: Active and sustained senior management commitment is very important for the successful implementation of the desired organizational changes.
The project kicked off with interview sessions to clearly document senior business management’s view and expectations of IT, followed by similar sessions with the CIO and IT management, to get IT goals and a view of the IT organization. These were documented using the COBIT 4.1 Implementation Tool Kit as shown in figures 1 and 2.
Following the determination of business and IT goals, the core of the gap assessment exercise commenced. The focus was on the 34 processes, not on the 210 controls. Several interviews and process review sessions then followed from Plan and Organize (PO) all the way to Monitor and Evaluate (ME), although not necessarily in order as sessions were based on available resources.
Process Spotlight: PO9 Assess and Manage IT Risks
A good example was the risk management process (PO9), which was assessed as nonexistent, even though there was an operational risk (Ops Risk) department in place with a well-developed financial risk management practices around credit, loans, etc. The issues found included:
- No risk assessment framework in place
- No definition of impact ratings nor probability ratings
- No risk rankings
- No periodic risk assessment exercises as part of the organizational culture. IT managers generally used high, medium and low informally in approval memos.
In line with the COBIT guidelines, the first line of action to address these issues was to review the available options for risk management frameworks (for ease of standardization). NIST Risk Management Framework was identified and readily adopted.
The organization focused on the primary goals of confidentiality, integrity and availability as well as one important secondary goal: reliability.
Within four weeks, the organization had concluded a comprehensive risk assessment exercise, had a clear view into the organization’s information risk posture and had easily adopted the parameters used by the Ops Risk department. Risk management started influencing change management and information security controls implementation (two high-risk areas identified during the risk assessment exercise).
The assessment resulted in implementation of some quick-win initiatives, starting with instituting and enforcing a formalized change management process (COBIT 4.1 AI6) to move from maturity level 3 to maturity level 4.
Measurements and metrics were set and business units were mandated to be formally involved in the change management process.
The business units immediately felt some benefits. The resulting change accountability and communication made the business even more interested in other COBIT initiatives. And, the business unit heads felt a great deal of ownership, as the changes were occurring only with their consent.
By the time the exercise was concluded, the enterprise had good insight into its maturity for all 34 COBIT processes plotted against short- and long-term goals, as shown in figure 3.
Observations and Recommendations
It was a little challenging to get the noncore IT areas (e.g., procurement, financial control [responsible for budget], human resources [HR]) to understand the importance of their functions to the success of the IT organization. As part of PO7 (Manage IT human resources), HR, as a case in point, did not consider IT resource career paths and training requirements as important enough; hence, IT trainings were often cancelled for cost savings or resource demands. This disconnect was initially extended to the COBIT implementation exercise and it required some escalation to the CIO to get HR to cooperate with the assessment exercise.
Prioritizing and Plans of Action
Once the assessment exercise was concluded, the enterprise set out to commence remediation initiatives. Activities were prioritized according to three categories:
- Quick wins—Achievable within one month and with minimal/no budgetary implications
- Key business goal initiatives—Initiatives aligned with achievement of business goals rated seven to 10 in figure 1.
- Other gap items—All other gap items that could be delayed until completion of those items in categories 1 and 2.
Monitoring and Measuring
Responsible, Accountable, Consulted and Informed (RACI) charts were developed for all 34 processes, and the CIO was not willing to accept excuses for noncompliance to newly developed practices. Metrics and measurements were evolving and these were aligned with performance metrics and appraisal systems for the entire IT organization.
Initiatives such as updating scorecards to reflect performance metrics and IT organizational key performance indicators (KPIs), as well as rewards and sanctions, were key to getting operational staff to accept the cultural changes that came with the remediation activities.
Within 18 months, the results were clearly visible; as such, it was not difficult for X-Bank to achieve ISO 27001 certification status shortly thereafter (though as a separate initiative).
Olabode Olaoke, CISA, ISO 27001 LI, ITIL, P2P
Is an information systems security and governance consultant at Digital Jewels Limited (DJL). Olaoke currently leads the information security and IT service management practices at DJL with several standards implementation exercises including ISO 27001, ISO 20000, Payment Card Industry Data Security Standards (PCI DSS) and BS 25999.