1. Page 1 of 13
CLOUD TRANSFORMATION PROGRAMS (CTPS) IN TODAY’S GRC WORLD
Process-Oriented Framework
By: Ahmed Ragab
September 2014
2. Page 2 of 13
Professional Advice
This paper, including all concepts and frameworks, is provided for general information and practice guidance purposes only. Users of this document are encouraged to apply the presented concepts/framework with a thorough understanding of their general application. For a more specific framework or special controls tailored to each organization's industry, it is advised to customize the specific controls to that industry's parameters; the concept itself stays valid across different industries. For any further inquiry or contribution, you can contact the author for further improvement.
What’s inside?
Cloud Transformation Program (CTP) framework, GRC alignment with Cloud Transformation, benefits of the GRC assurance model for CTP, the CTP's full cycle, and the concerns of the different stakeholders in any CTP.
Who shall read this?
Cloud Transformation Project/Program (CTP) Managers, IT GRC Officers, Change Managers, CTOs, CIOs, CISOs, IT Auditors, Cloud Computing Architects, and any other stakeholder involved in a Cloud Transformation Program.
3. Page 3 of 13
TABLE OF CONTENTS
Wide Spectrum
Introduction
Why Organizations Shall Consider CTP within a Compliance Framework?
CIO, CISO, Board and Compliance Concerns!
GRC Impact on Cloud Transformation Programs
Cloud Transformation Program (CTP) Framework
4. Page 4 of 13
WIDE SPECTRUM
Today's business dynamics urge all organizations to adopt more flexible platforms, both in management processes and in IT infrastructure. Enterprises have started to recognize, with maturity, the new fast rate of transformation programs needed to accommodate business needs. Customers cannot wait any more. Operational staff need a business-driven, objectives-oriented and flexible work environment built on dynamic technology infrastructure. Investors are, as usual, keen about how investments are allocated. And finally, risk and compliance governors have their own call: to accommodate such a topology while securely maintaining the organization's momentum.
Changing from conventional IT-centric operations to more flexible, service-oriented, on-demand IT services has become a key factor when applying effective investment calculations. Hence, the Cloud Transformation Program (CTP) has moved to the top of enterprises' key transformation programs. However, such programs shall not be designed around technology parameters alone; they must also consider the complementary support of mature processes and compliance controls in order to ensure a smooth and compliant transformation.
5. Page 5 of 13
INTRODUCTION
A Cloud Transformation Program (CTP) is not just a strategic change management move for enterprises; it is a turn-key, pivotal change management program that covers all aspects of the organization: people, processes, technology, suppliers, behavior, etc. Such a program normally runs as a capital project in the organization, so special attention should be paid to it from the governance, risk and compliance point of view. This holds regardless of the cloud deployment model: public cloud, private cloud, hybrid cloud, or even community cloud.
This paper tackles the Cloud Transformation Program (CTP) from a process-oriented approach, to empower all leading experts/architects and program managers to apply a full-fledged framework enriched with compliance pillars, i.e. GRC.
6. Page 6 of 13
WHY ORGANIZATIONS SHALL CONSIDER CTP WITHIN A COMPLIANCE FRAMEWORK?
No doubt every IT Transformation Project has its own ICT controls that ensure the project succeeds "technically." However, tackling a CTP needs more assurance on enterprise-wide controls such as Governance, Risk, Compliance, and other operational controls. From this approach, a full-fledged compliance framework has been adopted to accommodate any CTP effectively. Figure 1 demonstrates the different components of a CTP within a compliance framework.
7. Page 7 of 13
During the roadmap of such a CTP, organizations need to adopt such a comprehensive compliance framework to achieve the following:-
IT Governance – by implementing all related ICT controls to ensure the Confidentiality, Integrity and Availability of information across the organizational departments effectively.
IT Risk Management Controls – to identify, establish, and maintain risk governance with an integrated view of the overall Enterprise Risk Management (ERM). This leads to evaluating risks as well as responding to them.
Compliance – aligning the entire CTP with the enterprise compliance indicators and checklists in order to maintain conformity with internal organizational requirements as well as those of external regulatory bodies.
Assurance – by establishing the key controls for implementing the CTP on different levels: project management framework, people-related controls, technology-related controls and process-related controls.
Aligned IT Service Management Processes – since implementing such a program impacts different aspects of the ICT organization, IT Service Management has to be aligned (or established, if it has not been identified before) with the dynamics and complexity of the running CTP. IT Service Management processes are very critical and can change dramatically when an organization transforms from a centralized IT organization to a cloud-based environment.
Process Reengineering – organizations may need to reconsider business process reengineering, where many manual operations can be automated and some manual controls will be swapped out. In addition, some new processes may be released to support the new cloud operations and functionalities.
Information Security – given the special nature of the cloud environment, considerable information security controls shall be implemented and audited to assure information privacy and to control any breach. In the compliance model mentioned above, InfoSec is considered the core technical compliance area, with the most critical applied controls.
Project/Program Management – the mentioned compliance model integrates smoothly with the entire project management process, since it draws on many PM pillars such as scoping, change management, risks, quality, integration, etc.
8. Page 8 of 13
CIO, CISO, Board and Compliance Concerns!
9. Page 9 of 13
CIO, CISO, Board and Compliance Concerns!
Budget-wise, we are in trouble! This only happens when we talk about the ROI of a Cloud Transformation Program (CTP) from a narrow dimension, namely as a technology solution. Accordingly, tackling such a transformation program shall consider the different stakeholders' concerns in order to reach benefits realization. The following figure summarizes the main concerns of the leading stakeholders for any CTP:-
10. Page 10 of 13
GRC Impact on Cloud Transformation Programs
GRC models have been progressively improved up to the GRC Capability Model proposed by OCEG. If we take this GRC model as the principled-performance basis for assuring a successful cloud transformation program, it comes with the following assured benefits:-
Mature processes definitions
Reliable processes assessment
Robust controls
Dynamic process change
Agile framework for future processes scalability
Compliance management
Quantitative and qualitative performance indicators
Service quality
Reliable CAPEX, OPEX and TCO calculations
More visibility and applicability of Chargeback and Showback
Time-to-market
Envisioning roadmap
Business integrity
People development and awareness
11. Page 11 of 13
CLOUD TRANSFORMATION PROGRAM (CTP) FRAMEWORK
The following framework merges different conceptual frameworks to come up with a full-fledged CTP, with compliance tools across the Cloud Transformation Milestones.
12. Page 12 of 13
Discovery Phase – a thorough understanding of the organization is the first milestone, where we consider the four main pillars of understanding (People, Process, Technology, Project Management Framework). This covers the entire organization's assets under those pillars, such as competency levels, identified and implemented processes, existing applications and technology environment, and the maturity levels of the different project management processes.
Analysis Phase – this phase marks a demarcation stage between the different pillars, and prepares for the next levels of understanding by connecting information and perceptions together in order to come up with mature assessment views. From this stage, we can also produce the business case and recommendation for stakeholders' approval.
Design Phase – building a conceptual framework for the implementation, operations and maintenance, and sustainability model is the state of the art, where the architects invest a lot of time and effort to present a comprehensive integrated model for the cloud model and the deployment option.
Implementation Phase – this is the hardest stage, delivering the baby, i.e. the implementation phase: selecting the right solution, implementer, resources and the right time to start the implementation, with considerable attention to time-to-market.
Monitoring and Evaluation Phase – this is the time to measure the expectations on different levels: application features, performance, integrity, security, reliability, flexibility, agility, etc.
Continual Improvement Phase – this is payback time! Users have started to progress maturely inside the new cloud environment, so more services can be configured and some Chargeback processes will be triggered to show the IT business value.
All the phases mentioned above shall be designed and supported by reliable KPIs with GRC compliance features.
This will be released in the next white paper.
13. Page 13 of 13
About the Author
Ahmed Ragab, Consulting Services Manager at Panorama Consulting and Business Solutions, is the author of this conceptual framework.
Ahmed is a hands-on, experienced process reengineering professional with diversified implementation experience in Information Security Management Systems, IT Governance, IT Risk Management, IT Audit and Restructuring Programs. He has formulated many implementation and process assurance frameworks.
Inspired by the GRC model of principled performance and by articulating the Cloud Transformation Framework, this integrated CTP framework has been formulated in line with the GRC pillars.
For any feedback or inquiry, please contact:-
Ahmed Ragab, MSc, ISMS-LA
Consulting Services Manager
Panorama Consulting and Business Solutions
aragab@panoramacbs.com
+965 - 60036963