
In a roundtable hosted and moderated by Deloitte & Touche, Business Management asks a number of experts for their views on how to effectively integrate IT with your governance, risk and compliance (GRC) initiatives.
Deborah Golden is a Principal in Deloitte & Touche LLP’s Security and Privacy Services practice, where her understanding of ERP technology, internal controls, business applications and information protection can assist clients in integrating the management, authentication and authorization of their disparate identities into underlying networks, applications and operating systems. Deborah has over 13 years of information technology, security and consulting experience encompassing various industries, including technology, telecommunications, manufacturing, financial services, and media and publishing. Deborah continues to leverage her knowledge in these areas to expand upon Deloitte & Touche LLP’s Identity and Access Management practice and overall service offerings to include new and dynamic approaches to an ever-evolving marketplace.
In order to find out what some of the leading solutions providers make of the growing interest in IT management and governance, she poses questions to Clifford B. Meltzer, Senior Vice President of the Network Management Technology Group at Cisco Systems, Inc.; Roger Mallett, Senior Architect within Hewlett-Packard’s International Expertise Team; Ronnie Ray, Vice President of Product Management at InfoVista; and Joel Trammell, co-founder and CEO of NetQoS.
BMUS. What is the role of information technology in governance, risk and compliance today? What technology solutions does your organization offer to the marketplace in an effort to facilitate the convergence of various compliance efforts?
RR. IT has a primary seat at the table in ensuring governance, risk management and compliance. The information flow through various applications, processes and systems that support the business provides the key data and metrics that enable the control and management objectives used to assess and assure compliance. InfoVista solutions enable monitoring and measurement of risk and assessment of compliance as it relates to infrastructure preparedness, and the availability and quality of IT services to support critical business functions. For example, ensuring that sufficient network capacity is prioritized, by the enablement of network QoS, to support business-critical applications that are the source of compliance data. These applications can range from business systems like ERP to converged, collaborative communication platforms like IP telephony, messaging or e-mail. InfoVista can also characterize the risk of service non-availability (e.g. access to business applications) based on historical performance trends and current workloads.
JT. Most organizational risks come from change. Whatever the driver – whether it is a new business initiative, governance requirements or competitive initiatives – resulting changes to personnel, applications and the IT infrastructure introduce risk. This can be mitigated by adequate planning, pre/post-change monitoring of metrics, and a running audit of the change process. However, not all changes are planned; for example, when a network device is inadvertently misconfigured, causing the degradation of application performance. In these cases, the IT organization must conduct triage as an efficient, integrated operation where siloed functions collaborate on problem isolation and resolution. The NetQoS Performance Center helps IT organizations mitigate the risks of changes – planned or unplanned. It measures and baselines the end-user response times before and after changes (such as an application rollout) to show the impact. It also provides visibility into traffic flows and device performance statistics across the network to promote cross-functional collaboration and proactive service level management.
RM. HP remains in close contact with its customers who are telling us that corporate governance is an area where they would like to see software solutions supporting their processes. As corporate governance is the system by which companies are directed and controlled, HP is finding particular interest in this area from customers who are in a service provider environment; outsourcing has created governance problems that have to be designed and managed. The role of IT in governance is key to provide real time information that can be used to manage the service and contract relationships that exist in today’s complex business environments. The role is also to provide information that helps customers maintain regulatory compliance. Successful companies rely on IT to support business requirements and financial control points, and HP software supports these requirements through a range of automated and integrated products to support regulatory compliance.
CM. IT computing operations, applications, data, storage and servers that comprise the enterprise infrastructure play a vital role in the delivery of business services. As such, the role of IT in governance, risk and compliance is becoming increasingly critical and requires creation, tracking and reporting on multiple policies that control asset utilization and impact network performance and availability. Cisco’s Proactive Automation of Change Execution (PACE) solution combines products and services that accelerate operational success by helping IT organizations to securely automate and control changes and configurations in their networks. The solution allows enterprises to meet compliance requirements, accelerate growth, ensure business continuity and increase user productivity. PACE assures that configuration policies and procedures are standardized, implemented and monitored consistently across an organization. Workflow-based capabilities allow for integration of change management capabilities with operational and business processes. This allows for convergence and oversight of required compliance efforts and becomes the facilitator of process evolution throughout the organization.
BMUS. How much is the focus on improving governance, risk, and compliance challenges changing your organization’s technology solution offerings? Does this focus on governance, risk and compliance alter how your organization undertakes major information technology development initiatives?
RR. InfoVista’s focus is on infrastructure enablement for business and communication applications in general. Specific compliance efforts and data requirements as they relate to business systems have less of an impact on our solution offerings. The goal here is to assure performance of the underlying infrastructure and IT services that ultimately provide the metrics for assessment of compliance to governance and risk objectives. That said, the requirements for meeting common criteria for security and audit purposes that drive change and control of a management platform like InfoVista do have a direct impact on our technology development initiatives. This includes ensuring support for security standards in data encryption, storage, presentation, user access privileges and communication with other management applications.
CM. The growing awareness of governance, risk, and compliance requirements for IT has made a profound impact on the technology solutions Cisco is delivering today. Specifically, configuration and change control technology has evolved from multiple, disparate, point products, narrowly focused on automation of specific technologies and domains, to a much more comprehensive approach to life-cycle change management. Cisco’s PACE solution allows change to be managed in a much more holistic way and is architected such that automation and other change control functions can be easily integrated with IT processes. PACE’s flexibility is fundamental to meeting the business needs of the enterprise it manages.
JT. Typically, our customers’ IT governance initiatives go beyond meeting compliance laws. They are reviewing and updating policies and workflows to provide more accountability, improve responsiveness, and demonstrate more value to the business. IT executives are holding their organizations and providers accountable by measuring how well they are delivering application services to end-user constituents, as well as IT’s effectiveness in business terms. In most cases, however, their organizations lack the know-how, tools and processes to do this. NetQoS advocates a performance-first approach to enterprise network management and our products were designed to enable IT to measure and validate application and network performance. We assert that the best way to determine how well IT is delivering application services and to understand the impact of change is by measuring application performance from the user’s perspective. Focusing solely on infrastructure status and utilization metrics can be misleading and have little relevance to the business.
RM. Fortunately, HP has been working within this business environment for some years and recognised the importance of governance, risk and compliance at an early stage. HP developed its OpenView suite with this in mind, then made the major step of filling the gaps in its portfolio by buying world-class software companies such as Peregrine and Mercury Interactive. Our focus always considers the business requirements of our customers and business partners. HP is fairly unique in the marketplace in that we build and sell hardware and software, provide consulting and implementation services, and also have a managed services division (outsourced IT services). HP therefore understands the future of IT and technological innovation before almost anyone else!
BMUS. How do your solutions address the need to align an underlying technology infrastructure to business processes in an effort to monitor the management of service level agreements (SLAs)?
CM. Cisco’s PACE solution for change management and compliance is a natural extension to our Network Application Performance Analysis (NAPA) solution. NAPA has the capability to monitor Service Level Agreements and perform other advanced performance analysis functions including diagnostics and planning. The Cisco NAPA solution provides valuable information about the performance of the network and the applications running on it. It is able to provide both macro indicators and highly granular measurements to bridge the gap between the network and the application performance. It uses both real-time monitoring and advanced analytics to predict and diagnose SLA conformance and issues. The PACE solution complements NAPA by managing the execution of the changes suggested by the NAPA analysis.
RR. First, InfoVista provides accurate measurement of delivered service quality for a broad range of business services. These include legacy and IP network connectivity, IP-based services like DNS, e-mail and FTP, converged communication services like IP telephony and messaging, and generic web-enabled business applications. Next, InfoVista collects detailed performance and health metrics from enterprise-wide network and data center infrastructures at the largest global corporations and service providers for supporting SLA aggregation, capacity planning and troubleshooting. It can also integrate data from external management systems as necessary in order to meet SLA assessment requirements. The next step after collection of end-to-end and infrastructure metrics is to represent them in a realistic model – key to creating meaningful data representations that align the IT infrastructure with business services. InfoVista’s underlying object-model architecture provides the flexibility to model relationships and properties that reflect the aggregation and presentation schema for SLA reporting. Finally, SLA reporting needs to be customized to the specific business group or entity that has contracted for the service. InfoVista’s flexible and personalized portal interface provides the visibility to real-time and historical SLA performance and adherence. When the metrics are not in compliance or may be trending towards a breach, specific rules can be set for alerting external management systems and support staff to proactively monitor and resolve a problem.
JT. NetQoS delivers software products that are used in over 600 of the world’s largest enterprise networks, from energy to financial services, government to transportation, and enterprises to service providers. IT executives, LoB liaisons, network technicians and architects use the NetQoS Performance Center to monitor how well critical applications are performing across the enterprise network. The NetQoS Performance Center uniquely baselines application performance by the hour-of-day, day-of-week, week-of-month, and month-of-quarter, to accommodate normal business cycles. Baselines may be established for all or selected applications and groups of users, and can be used to establish SLA targets. The NetQoS Performance Center then monitors end-user application performance and alerts staff immediately when service level thresholds are breached. Furthermore, to reduce mean time to repair, it automatically collects diagnostic data at the time slow-downs occur to aid technicians, avoid finger-pointing and speed resolution.
RM. The way that corporate governance is delivered varies with every company, although there should always be a clear hierarchy in the decision-making; a separation of strategy and operational governance (this allows decisions to be focused on their areas of expertise); it should be understandable, available and well-communicated; and it should be supported by IT in terms of information, costs and management reporting.
BMUS. Describe how the process and/or technology defined in your response to the question above is similar or different based upon the type of internal (i.e. employee) or external (i.e. customer) end-user. Does the end-user have the capability to self-monitor your organization’s service delivery capabilities and/or does your organization have the ability to self-monitor the end-user’s experience based upon information technology and the parameters set forth within the SLAs?
RR. Internal providers today frequently have less formal mechanisms for agreeing, measuring and reporting on service levels. Advanced IT organizations that operate in a shared service structure are certainly taking steps to describe and adhere to SLAs to create standardized service offerings. They are also signing up to penalties and chargebacks as an input to cost allocation and business accounting policies. The key difference between external and internal service level reporting is the criticality of service level visibility. While internal contracts may not always enforce visibility, external contracts differentiate on the timeliness, quality, depth and level of interactivity of performance and service level reporting. External customers who demand different kinds of SLAs and personalized reporting are open to paying for this visibility as an additional premium service.
JT. The NetQoS Performance Center’s web portal may be accessed by anyone with the necessary security credentials. This gives IT executives and service providers the ability to expose key service level performance metrics within their own organizations and to their clients, if they choose. Service level attainment, infrastructure utilization, IT cost allocation and myriad other reports may be e-mailed automatically, sent in PDF format and annotated if necessary. The CIO of a major healthcare equipment supplier has become so dependent on the NetQoS Performance Center to view SLA performance that he monitors it on the television in his living room.
CM. The Cisco NAPA solution provides visibility to the performance of your network and application resources. It uses a variety of data sources to provide an intuitive and integrated end-to-end view of network traffic, protocol types, and application and host bandwidth usage. It provides a centralized network view of the application performance, tracks the application response times, localizes the cause of application performance problems, and can account for the impact of other traffic on application performance. The tools provide critical performance information through a GUI for troubleshooting, traffic analysis, monitoring, and capacity planning. It includes comprehensive, preconfigured reports that provide a complete assessment of performance. The tools in NAPA automatically establish a baseline network performance level and then proactively monitor for various deviations to that baseline so that network performance problems can be identified and resolved before end users are severely affected. Today, alarms relative to baseline and user-defined metrics can localize issues, troubleshoot network problems and send alerts to IT staff and/or users automatically.
RM. The process and technology solution that HP offers can be used to support both the internal employee and the external customer end-user. HP provides tools and hardware to support the business requirement – this ultimately helps the employee (because the company is more successful) and external customers (because the service or end-product provided almost always benefits from improved performance, enabled through improved business focus). HP’s AssetCenter and ServiceCenter offer customers the opportunity (provided both parties agree) to self-monitor service delivery. Both offer modern SOA and web capability. SLAs set the agreed standards, whilst technology independently monitors and reports on the performance.
BMUS. With the automation of ITIL processes (i.e. change management), describe how your organization’s solutions address not only the information technology control objectives, but also improve functional service and quality to internal and external constituents.
RR. InfoVista solutions incorporate both automated and manual mechanisms to deal with new service or infrastructure provisioning or any subsequent change thereof as it relates to performance monitoring and reporting. Automated re-discovery keeps in step with new services or devices as they are added. Provisioning rules can ascertain the service and business ownership of these assets and automatically augment the existing object model and business grouping. The discovery process also examines and identifies the type of application, system or device that is now visible on the network and automatically provisions the right management reporting, collection and aggregation. InfoVista maintains a historical record of the overall service performance, along with the health of supporting infrastructure through the inevitable moves, adds and changes. Infrastructure aggregations can also be automatically adjusted based on rules throughout this process of complex but very real dynamic shifts in the infrastructure.
JT. Beyond providing the information critical to these control processes, the NetQoS Performance Center provides the visibility and automation of service level disciplines necessary to move from reactive to proactive service level management. Instead of learning about application outages or brownouts from frustrated users calling the help desk, NetQoS provides early warning when performance is abnormal and isolates the problem source to the network, server, or application so that the appropriate technicians can be assigned. This performance-first approach differs from traditional infrastructure management, which, while necessary, is not sufficient because resource utilization is not a proxy for performance. To achieve this paradigm shift demands a performance-first mindset in IT and an investment in new management technologies and processes. Executive sponsorship is required.
RM. The HP ServiceCenter (service desk software tool) solution supports the ITIL best practice methodology, from the core areas of incident, problem and change management to sophisticated reporting opportunities including digital dashboards. The primary aim of ServiceCenter is to provide support to all users – a first-time fix for incidents that occur. Management reporting provides key indicators on where the greatest problems exist (in terms of volume and complexity) and how to best resolve them if they occur in the future. Resolution methods can be recorded in the online knowledge management system that is available within the ServiceCenter product. HP listens to its customers – both individually and collectively via user groups. This helps define future functional improvements and product direction allied to HP’s knowledge of technological opportunities.
CM. Cisco’s PACE solution automates much of the change management processes. If an organization concerned with issues surrounding governance and compliance doesn’t have an automated change management process in place, they are relegated to doing those functions through a series of manual steps. When the auditors come, they have to be able to provide the data they are looking for. If you can do that in an automated fashion, not only will your system be more resilient, but your team will have more time to spend on those key initiatives to get you where you need to be. One of the key challenges organizations face is in understanding where to start. How do they go from where they are today to putting a change management process in place? Cisco’s Advanced Services team offers services to help with this. Cisco offers services that help organizations assess, define, and validate their network configuration and change management processes.
BMUS. When monitoring information technology infrastructures, to what extent has your monitoring software aligned the technology itself to the internal and external business requirements of the organization to reflect the complete business service management lifecycle?
CM. Cisco has the benefit of providing embedded monitoring and measurement technology to directly leverage and capture relevant data for a given service supported by that technology. Cisco’s Network and Applications Monitoring follows a lifecycle approach and has open interfaces that allow integration into the customer’s specific business workflow. Starting from the planning phase, Cisco’s NAPA solution collects information from the network that allows the planning solution to understand what is in the network today and how the network and applications are performing. This allows organizations to plan for network or application rollouts that are planned for success from the beginning. Likewise, tools within the NAPA solution help with the troubleshooting, monitoring and even optimization of the network, covering the complete business service management lifecycle.
RR. As converged services are being rolled out on enterprise IP networks, this requires the right level of understanding and deployment of network QoS to differentiate between critical and non-critical services. InfoVista provides depth and expertise in reporting on performance by class of service and additional layers of policing and shaping if deployed. Support for the complete service management lifecycle also demands integration with external business and IT management systems to share and mediate data and workflows that together assure enhanced service delivery. As a best-of-breed provider, InfoVista has packaged integration with market-leading fault and network management systems. Finally, enterprises today inevitably have a ‘mixed bag’ of technologies from multiple equipment vendors and platforms resulting from successive M&As and partnering relationships. InfoVista provides single-pane coverage of these underlying technologies by abstracting them to a common set of meaningful KPIs that support business-prioritized decision-making.
JT. The NetQoS Performance Center enables IT organizations to measure and optimize application service delivery across wide area networks. It provides convenient methods for baselining current performance levels, monitoring user response times against service level targets, and measuring the impacts of changes to the infrastructure or to the workload composition. It has been operationalized in hundreds of very large, complex IT infrastructures as a key component of business service management processes. However, the degree to which it aligns with the business service management lifecycle is less dependent on the technology than it is on the maturity of the IT operations disciplines within the organization and on the conviction of the IT leadership.
RM. HP has developed high quality monitoring systems to manage infrastructures. One of the greatest operational threats to a company is IT system downtime – accurate monitoring is a key means of avoiding downtime (downtime equals loss of revenue in most instances). HP believes that Business Service Management is the way by which HP can deliver a convergence between IT and business. This breaks the long-time divide and enhances business process (including SOA, modelling and monitoring) with business perspective (project and portfolio management). Service management supports best practice alignment to application lifecycle management. The Mercury acquisition has provided HP with business infrastructure monitoring tools that have been integrated into the HP software solution set.
BMUS. What are the challenges you envision organizations may face in terms of managing not only the collection, but also the retention and management of configuration data?
RR. The challenges in collecting, maintaining and retaining detailed configuration management data exist from both real-time and historical perspectives. In a real-time sense, the challenges relate to the discovery of services and resources and the periodicity, depth, volume and computation of collected information. In a historical sense, it relates to the storage, archival and access to the raw and aggregated data as and when required. What adds complexity to both of these dimensions is the necessity of maintaining and updating the configuration and inventory information with dynamically changing relationships within an infrastructure environment.
JT. The ability to correlate a change in application service delivery to a specific configuration event (e.g. server addition, network upgrade or software patch) can mean the difference between financial losses and gains, but often this capability is missing. Configuration changes – intended and unintended – account for a high percentage of major service interruptions, so it is critical for configuration data to be current and easily correlated with performance data. Similarly, most IT organizations are unable to determine with accuracy the cost of resources consumed by applications and groups of users, and to easily reassess these costs in a changing environment. When costs can only be estimated, the return on IT investments is hard to prove.
CM. New laws are changing the way companies collect, retain, and manage information, and auditors will be seeking documentation and demonstration of consistent and repeatable processes and controls. Company executives are now reaching out to IT to access and provide records of policies, processes, and procedures that control access and protect the integrity of financial systems and business applications, across networks, servers and into databases where the data is stored. As IT organizations start to address SOX, questions are being raised on how far it reaches, what is affected, and what should be reviewed and reported. Cisco’s PACE and NAPA solutions provide consistent and repeatable processes and controls. These tools help stakeholders understand and feel confident in the internal IT controls.
RM. There are numerous reasons for companies to collect configuration data, but the main drivers usually start with the need to obtain and manage core data to understand what they own: where it is, who has it and what the associated costs are. This quickly develops into the need to understand the configuration of equipment for support profiling, part replacement, cost management and advanced knowledge for projects (i.e. determining which items of equipment will fail in a software roll-out project before the project starts). Configuration management forms part of IT asset management and is important in terms of understanding and managing IT infrastructure.
BMUS. To what extent have various risk and compliance requirements, such as Sarbanes-Oxley, driven your customers’ needs to improve the overall change management approach? What types of manual, automated and/or monitoring controls are in place to evaluate, measure, resolve, and monitor the entire change management lifecycle across the disparate information technology infrastructure?
RR. InfoVista is made aware of changes in the infrastructure either through its own discovery process or from its linkage to external provisioning and management systems. Both manual and automated mechanisms are available to customers to adjust the monitoring and analytics to adapt to the new configuration.
CM. Government regulations have certainly had an impact in driving our customers’ needs to improve their overall change management approach. It’s no longer acceptable to have change happening without the controls in place to audit for compliance. Cisco’s PACE solution provides the tools necessary to monitor change on the network. The tools automatically check changes for compliance: compliance with government regulations, as well as compliance with best practices and with designs put in place to achieve certain SLAs.
JT. Frequent change is a given in IT environments, which is why a disciplined change management process is vital for avoiding change-related service outages and brownouts. With the increased penalties associated with Sarbanes-Oxley, a misstep is no longer affordable. Additionally, ITIL, COBIT and other governance initiatives afford the incentive and structure for implementing such processes. Many NetQoS customers use pre-production labs to test new or upgraded systems and application software before deploying them broadly. Some have invested in modeling tools to simulate future state and perform what-if analyses. The NetQoS Performance Center is widely used to measure key performance metrics before, during, and after changes are made. These metrics quickly highlight if, for example, a Quality of Service policy change produced the desired improvement in VoIP quality between locations; or whether a server memory upgrade reduced latency in database transactions; or if the latest software release performs better over the WAN than its predecessor.
RM. Risk and compliance requirements have raised the profile of asset management to the C-level – CEOs want to be certain that control points are in place before they are willing to put their name to a legal document stating that they are satisfied that assets (control points are in place) are properly controlled. In this instance, US legislation has driven management and organizational change. AssetCenter, supported by HP’s Enterprise Discovery, provides our customers with a ready-built solution to manage assets and meet compliance regulations. Information discovered on the network is reconciled with data held within AssetCenter, and changes are identified as requiring decisions on whether they are wanted on the network or if they should be removed. HP has automated tools that are scalable and flexible as well as enabling risk to be minimized and compliance standards to be met. Monitoring and reporting controls are incorporated with AssetCenter to provide consistency and enable required standards to be met. Changes are flagged to the customer’s service desk tool (ServiceCenter or Service Desk) where change management processes can be properly measured, monitored and resolved. Proper management of change will reduce the risk of system downtime and ensure quality services can be achieved.
BMUS. What Key Performance Indicators (KPIs) are leveraged throughout organizations to measure the innovation, growth, maintenance and productivity of your information technology infrastructure, as well as their alignment to the appropriate business objectives and overall performance? How are these KPIs integrated within the organization’s risk and compliance framework? How do your technology solutions enable such efforts?
RR. Service quality and infrastructure performance improvements over time periods have been used to assess the effectiveness of different groups. KPIs like quality delivered per unit cost of IT operations and infrastructure investments can also provide a baseline to assess improvements over time. When costs are matched against the volume or value of business transactions, the impact of IT on business performance becomes clearer and decision-making more business-driven. For example, a large retail bank makes future capacity investment decisions in retail branch bandwidth by comparing the ratio of customer foot traffic to bandwidth usage at a particular location.
JT. You can’t manage what you don’t measure. KPIs can be used to gauge the effectiveness of discrete IT functions or provide a measure of how well the collective is performing. Examples of the KPIs that NetQoS customers use to gauge the effectiveness and efficiency of their own IT organizations are: (i) the percentage of time in the last 24 hours or in the last month that critical end-user response times were outside of formal or informal service level targets; (ii) utilization rates of key infrastructure devices and network circuits relative to normal baselines; (iii) MOS scores showing the quality of VoIP communications; and (iv) the percentage of network resources consumed by specific applications and users. The NetQoS Performance Center enables customers to monitor these KPIs via its customizable web-based portal, and integrates with customers’ risk and compliance frameworks via convenient data and report integration to and from other data sources, applications and portals.
RM. Bottom line always equates with financial performance, typically cost against budget expectations. Risk management has far more serious consequences if the name of the company falls into disrepute. There are instances where ‘bad news’ stories have directly affected the share price of the company – this can be related to software license compliance, financial management of assets or performance failures. Having automated tools such as AssetCenter and quality processes will deliver ongoing benefits in the form of compliance and risk reduction. KPIs provide performance-monitoring standards that can be compared against previous figures to provide instant information on which decisions can be made. HP technology collects the data and provides reports automatically. This enables companies to focus on what they do best – running their businesses.
CM. Innovation may be measured across multiple domains. With regard to technology innovation, Cisco looks at patents submitted and granted, and patents incorporated into products or business services. On the other hand, to represent innovation in IT services we look at the number of IT services offered and delivered to business services, productivity metrics and/or cost savings, and business revenue increases. Growth of the IT infrastructure can be measured as the percentage increase of IT expenses, including hardware, software, maintenance and services, year over year, and as IT expense growth year over year as a percentage of total business expense growth year over year, among others. Cisco’s PACE solution will report compliance aberrations on a device basis and also report network-level aberrations. PACE will also report the detailed audit trails associated with protecting the customer’s network infrastructure that transports the enterprise’s critical data. Not only do the tools provide a valuable impact on the bottom line, they also help stakeholders understand and feel confident in the internal IT controls.
This article is an abridged version of the full roundtable discussion. For additional insight from Deloitte & Touche, HP, InfoVista, NetQoS and Cisco, please visit the Business Management website at www.busmanagement.com to read the full text.