The IIA Announces New IT Audit Guide on Identity and Access Management

The IIA has released the new Global Technology Audit Guide (GTAG®) 9 on Identity and Access Management (IAM).

The mission of GTAG 9 is to provide insight into what IAM means to an organization and to recommend internal audit areas for investigation. It can assist CAEs and other internal auditors in understanding, analyzing, and monitoring their organization's IAM processes.

The IAM process is used to initiate, capture, record, and manage the user identities and related access permissions to an organization's proprietary information. Poor or loosely controlled IAM processes may lead to organizational regulatory noncompliance and an inability to determine whether company data is being misused.

Chief audit executives (CAEs) should be involved in development of the organization's IAM strategy, as well as evaluating the implementation of the strategy and effectiveness of companywide access controls.

A checklist for IAM review is also included in this guide. Download GTAG 9 and other free guidance by visiting: http://www.theiia.org/go?to=eblast_2007_11_28_GTAG9

Ten Principles of IT Governance

This is a Harvard Business School article, taken from http://hbswk.hbs.edu/

You've invested heavily in technology, but where is the payoff? This excerpt from IT Governance, a book published by HBS Press, distills keys to creating greater value from IT.

by Peter Weill and Jeanne W. Ross

From studying and working with hundreds of enterprises, we have distilled the lessons from many outstanding leaders into ten principles of IT governance. We intend these principles to provide leaders with a succinct summary to use as a primer, refresher, or checklist as they refine their IT governance.1

1. Actively design governance
Many enterprises have created disparate IT governance mechanisms. These uncoordinated mechanism "silos" result from governance by default—introducing mechanisms one at a time to address a particular need (for example, architecture problems or overspending or duplication). Patching up problems as they arise is a defensive tactic that limits opportunities for strategic impact from IT. Instead, management should actively design IT governance around the enterprise's objectives and performance goals.

Actively designing governance involves senior executives taking the lead and allocating resources, attention, and support to the process. For some enterprises, this will be the first time IT governance is explicitly designed. Often there are mature business governance processes to use as a starting point. For example, the Tennessee Valley Authority piggybacked its IT governance on its more mature business governance mechanisms, such as its capital investment process. TVA's IT governance included a project review committee, benchmarking, and selective chargeback—all familiar mechanisms from the engineering side of the business.

Not only does overall governance require active design, but each mechanism also needs regular review. Focus on having the fewest number of effective mechanisms possible. Many of the enterprises we studied had as many as fifteen different governance mechanisms, all varying in effectiveness. Fifteen mechanisms may possibly be needed but it's highly unlikely. All fifteen will certainly not be very effective, integrated, and well understood. Many enterprises with effective IT governance have between six and ten integrated and well-functioning mechanisms. One goal of any governance redesign should be to assess, improve, and then consolidate the number of mechanisms. Early in the learning cycle, mechanisms may involve large numbers of managers. Typically, as senior managers better understand IT value and the role of IT, a smaller set of managers can represent enterprise needs.

2. Know when to redesign
Rethinking the whole governance structure requires that individuals learn new roles and relationships. Learning takes time. Thus, governance redesign should be infrequent. Our recommendation is that a change in governance is required with a change in desirable behavior. For example, State Street Corporation, JPMorgan Chase, Carlson Companies, and UNICEF all changed their governance to encourage desirable behaviors resulting from significant changes in strategy. All four enterprises designed governance to achieve their desired balance of business unit autonomy and commonality. State Street, JPMorgan Chase, and Carlson were all attempting to generate more synergies. UNICEF used IT to transform its operations and improve global sharing, information management, transparency, and communication. These transformations involve many other issues besides IT and take many months to implement.

In these types of transformation, IT governance can be used as one of the levers to encourage change. For example, State Street Corporation introduced enterprise-wide IT budgeting, encouraging a shift in perspective from the business unit to the corporation. JPMorgan Chase's buy-hold-sell process accomplished the same objective at a technology level. These governance processes communicate and enforce new desirable behaviors to facilitate organizational transformations.

3. Involve senior managers
In our study, firms with more effective IT governance had more senior management involvement. CIOs must be effectively involved in IT governance for success. Other senior managers must participate in the committees, the approval processes, and performance reviews. For many enterprises, this involvement is a natural extension of senior management's normal activities. For example, MPS-Scotland Yard used its strong existing management committee structure to improve IT governance and gain greater synergies across all its operations. The Information Management Steering Group (IMSG) is one of fourteen strategic committees that connect to the top-level executive committee. This interlocking committee structure ensures senior management attention to IT in the context of the whole enterprise.
CIOs must be effectively involved in IT governance for success.

Senior management necessarily gets involved in strategic decisions. This means that senior management is rarely concerned with the exception process. However, if an exception has strategic implications, it may reach the executive level IT Steering Committee. UPS CEO Mike Eskew explained the top management role: "At some point, if it comes to you, then you say, 'This is the answer.' It's part of our jobs to make those kinds of decisions. Our CIO, Ken Lacy, almost always has it solved by the time it gets to me."2 In firms like UPS, senior management occasionally gets involved in exception decisions because those decisions represent strategy decisions. If the exception request escalates to the CEO, then it's no longer a technology issue. At that point it's a strategic choice.

Many senior managers are willing to be involved but are not sure where to best contribute. It's very helpful for the CIO and his or her staff to communicate IT governance on one page with a picture like the Governance Arrangements Matrix. The matrix provides a vehicle for discussing each senior manager's role and any concerns they have.

4. Make choices
Good governance, like good strategy, requires choices. It's not possible for IT governance to meet every goal, but governance can and should highlight conflicting goals for debate. As the number of tradeoffs increases, governance becomes more complex. Top-performing enterprises handle goal conflicts with a few clear business principles. The resulting IT principles reflect these business principles. Old Mutual South Africa's (OMSA) six IT principles, or "nonnegotiables," as they are called, provide a useful framework or how to use IT. The first principle, which all OMSA business units must observe, states: "The interest and needs of the Group/OMSA come first when exploiting technology or when contracting with suppliers."3 Appropriate stakeholders must be involved in the approval process prior to contracts being signed.

Some of the most ineffective governance we have observed was the result of conflicting goals. This problem was often observed in the government sector, where directives come from many agencies. The result was confusion, complexity, and mixed messages, so the governance was ignored. The unmanageable number of goals typically arose from not making strategic business choices and had nothing to do with IT. We observed that good managers trying diligently to meet all these goals became frustrated and ineffective.

5. Clarify the exception-handling process
Exceptions are how enterprises learn. In IT terms, exceptions challenge the status quo, particularly the IT architecture and infrastructure. Some requests for exceptions are frivolous, but most come from a true desire to meet business needs. If the exception proposed by a business unit has value, a change to the IT architecture could benefit the entire enterprise. We have described the exceptions process of UPS, State Street Corporation, and other enterprises.

All these exemplars have three common elements to their exceptions procedures:
1. The process is clearly defined and understood by all. Clear criteria and fast escalation encourage only business units with a strong case to pursue an exception.
2. The process has a few stages that quickly move the issue up to senior management. Thus, the process minimizes the chance that architecture standards will delay project implementation.
3. Successful exceptions are adopted into the enterprise architecture, completing the organizational learning process.

Formally approved exceptions offer a second benefit in addition to formalizing organizational learning about technology and architecture. Exceptions serve as a release valve, relieving the enterprise of built-up pressure. Managers become frustrated if they are told they can't do something they are sure is good for business. Pressure increases and the exceptions process provides a transparent vehicle to release the frustration without threatening the governance process.

6. Provide the right incentives
There has been so much written about incentive and reward systems in enterprises that we feel the topic is well covered and understood. Nevertheless, a common problem we encountered in studying IT governance was a misalignment of incentive and reward systems with the behaviors the IT governance arrangements were designed to encourage. The typical concern: "How can we expect the governance to work when the incentive and reward systems are driving different behavior?" This mismatch is bigger than an IT governance issue. Nonetheless, IT governance is less effective when incentive and reward systems are not aligned with organizational goals.

A major governance and incentive alignment issue is business unit synergy. If IT governance is designed to encourage business unit synergy, autonomy, or some combination, the incentives of the executives must also be aligned. For example, in a large consumer products firm, the CEO wanted to increase synergies between business units to provide a single face to the small number of important customers that did business with several business units. The CEO and CIO worked together to design IT governance to align the enterprise IT assets to support the new objective. The new IT governance encouraged sharing of customer information, contact logging, pricing, and order patterns across business units. However, it was not until the business unit executives' incentive system was changed from being nearly 100 percent based on business unit performance to being 50 percent based on firm-wide performance that the new IT governance gained traction.

Avoiding financial disincentives to desirable behavior is as important as offering financial incentives. DBS Bank in Singapore does not charge for architectural assistance to encourage project teams to consult with architects. Whenever incentives are based on business unit results, chargeback can be a point of contention. Enterprises can manipulate charges to encourage desirable behavior, but chargeback pricing must be reasonable and clearly understood.

It is hard to overestimate the importance of aligning incentive and reward systems to governance arrangements. If well-designed IT governance is not as effective as expected, the first place to look is incentives.

7. Assign ownership and accountability for IT governance
Like any major organizational initiatives, IT governance must have an owner and accountabilities. Ultimately, the board is responsible for all governance, but the board will expect or delegate an individual (probably the CEO or CIO) or group to be accountable for IT governance design, implementation, and performance—similar to the finance committee or CFO being accountable for financial asset governance. In choosing the right person or group, the board, or the CEO as their designate, should consider three issues.

First, IT governance cannot be designed in isolation from the other key assets of the firm (financial, human, and so on). Thus the person or group owning IT governance must have an enterprise-wide view that goes beyond IT, as well as credibility with all business leaders.
Second, the person or group cannot implement IT governance alone. The board or CEO must make it clear that all managers are expected to contribute to IT governance as they would contribute to governance of financial or any other key asset.

Third, IT assets are more and more important to the performance of most enterprises. A reliable, cost-effective, regulation-compliant, secure, and strategic IT portfolio is more critical today than ever before. The person or group owning IT governance must understand what the technology is and is not capable of. It is not the technical details that are critical but a feel for the two-way symbiotic connection between strategy and IT.

The CIO owns IT governance in the majority of sizable firms today.4 Other enterprises have chosen either another individual (the COO or occasionally the CEO) or a committee (say, of senior business and IT leaders) to own IT governance. We have not observed any one approach that always works best. It takes a very business-oriented—and well-positioned—CIO to deliver on the first consideration and a very technically interested COO or CEO to deliver on the third. Committees have the problem of meeting only periodically and dispersing the responsibility and accountability.

Our recommendation is that the board or CEO hold the CIO accountable for IT governance performance with some clear measures of success. Most CIOs will then create a group of senior business and IT managers to help design and implement IT governance. The action of the board or CEO to appoint and announce the CIO as accountable for IT governance performance is an essential first step in raising the stakes for IT governance. Without that action, some CIOs cannot engage their senior management colleagues in IT governance. Alternatively, the board or CEO may identify a group to be accountable for IT governance performance. This group will then often designate the CIO to design and implement IT governance.

8. Design governance at multiple organizational levels
In large multi-business unit enterprises it is necessary to consider IT governance at several levels. The starting point is enterprise-wide IT governance driven by a small number of enterprise-wide strategies and goals. Enterprises with separate IT functions in divisions, business units, or geographies require a separate but connected layer of IT governance. JPMorgan Chase has IT governance at the enterprise, division, and business unit level. Usually the demand for synergies increases at the lower levels, whereas the need for autonomy between units is greatest at the top of the organization.

The lower levels of governance are influenced by mechanisms designed for higher levels. Thus, we advocate starting with the enterprise-wide IT governance, as it will have implications for the other levels of governance. However, starting enterprise-wide is sometimes not possible for political or focus reasons, and starting at the business unit level can be practical. Assembling the governance arrangements matrixes for the multiple levels in an enterprise makes explicit the connections and pressure points.

9. Provide transparency and education
It's virtually impossible to have too much transparency or education about IT governance. Transparency and education often go together—the more education, the more transparency, and vice versa. The more transparency of the governance processes, the more confidence in the governance. Many firms like State Street Corporation use portals or intranets to communicate IT governance. State Street's portal includes under the section "IT Boards, Committees, and Councils" a description of the Architecture Committee and all the other governance bodies. The portal includes tools and resources, such as a glossary of IT terms and acronyms and the "Computer Contract Checklist." Often portals include lists of approved or recommended products. Templates for proposing IT investments complete with spreadsheets to calculate the IT business value are often available.

The less transparent the governance processes are, the less people follow them. The more special deals are made, the less confidence there is in the process and the more workarounds are used. The less confidence there is in the governance, the less willingness there is to play by rules designed to lead to increased firm-wide performance. Special deals and nontransparent governance set off a downward spiral in governance effectiveness.

Communicating and supporting IT governance is the single most important IT role of senior leaders. The person or group who owns IT governance has a major responsibility for communication. Firms in our study with more effective governance also had more effective governance communication. The more formal vehicles for communication were the most important. For example, CIOs on average assessed their enterprises' documentation of governance processes as ineffective. However, the firms with successful IT governance had highly effective documentation. Highly effective senior management announcements and CIO offices were also important to successful governance.

When senior managers, particularly those in business units, demonstrate lack of understanding of IT governance, an important opportunity is presented. Working with managers who don't follow the rules is an opportunity to understand their objections. These discussions provide insight on whether the rules need refinement as well as a chance to explain and reinforce the governance.

10. Implement common mechanisms across the six key assets
We began the book by describing how IT governance fits into corporate governance. We contend that enterprises using the same mechanisms to govern more than one of the six key assets have better governance. For example, executive committees that address all enterprise issues including IT, such as the one at MPS-Scotland Yard, create synergies by considering multiple assets.

Recall the exercise (in Chapter 1) of listing all the mechanisms implementing each of the six key assets. Each asset may be expertly governed, but the opportunity for synergistic value is lost. For example, a firm implementing a single point of customer contact strategy must coordinate its assets to deliver that uniform experience. Just having good customer loyalty (that is, relationship assets) without the products to sell (IP assets) will drain value. Not having well-trained people (human assets) to work with customers supported by good data and technology (information and IT assets) will drain value. Not having the right buildings and shop fronts to work from or in which to make the goods (physical assets) will drain value. Finally, not coordinating the investments needed (financial assets) will drain value.

Put this way, the coordination of the six assets seems blindingly obvious. But just glance back at your six lists of mechanisms and see how well coordinated—and more importantly, how effective—they are. Many enterprises successfully coordinate their six assets within a project but not across the enterprise via governance. In designing IT governance, review the mechanisms used to govern the other key assets and consider broadening their charter (perhaps with a subcommittee) to IT rather than creating a new, independent IT mechanism.
These ten management principles highlight many of the key findings in our work with enterprises. Attention to all of them should lead to greater value from IT. The leadership of the
CIO is also critical to creating IT value.

Excerpted by permission of Harvard Business School Press. Excerpted from IT Governance by Peter Weill and Jeanne W. Ross. Copyright © 2004 by Peter Weill and Jeanne W. Ross. All Rights Reserved.

Peter Weill is the director of the Center for Information Systems Research (CISR) and a senior research assistant at Massachusetts Institute of Technology's Sloan School of Management.

Jeanne W. Ross is Principal Research Scientist at CISR.

Notes:
1. Many of the examples in this section are further descriptions or summaries of examples in earlier chapters where the sources are identified.
2. Marianne Broadbent and Peter Weill, "Effective IT Governance. By Design," Gartner EXP Premier Report, January 2003, p. 60.
3. Quotation from video of interview with Mike Eskew, Chairman and CEO of UPS, discussing IT governance an investment with Jeanne Ross and Peter Weill, MIT Sloan School of Management School Center for Information Systems Research, February 2002 MIT Sloan School of Management.
4. A survey taken by one of the authors using an audience response system at a meeting of fifty CIOs in May 2003 found the following patterns of IT governance ownership: CIOs 56 percent, CEOs 8 percent, COOs 13 percent, committee of senior IT leaders 3 percent, committee of senior business and IT leaders 13 percent.

Openings with Wipro USA

Job Title: Mainframe professionals required at ST.LOUIS, MO for Wipro, USA

Years of exp.:3 to 6 years

Job Description:
Wipro Technologies is looking for candidates with 4 to 6 years of experience in Mainframe Technologies. The candidate should have hands-on experience in mainframe technologies like IMS, COBOL, JCL and DB2.The candidate should have experience in coding, designing and implementing the project. The candidate should have good communication and client management skills.

Responsibilities:
At Wipro Technologies, the candidate will be responsible for the coding, designing and implementation of the project. The candidate will be based out of client location and will be responsible to handle the project in our client site independently and will co-ordinate with the offshore team for project deliverables.

Send us the updated resume asap with the following details (mandatory) to gautam.kar@wipro.com
1. Current Salary
2. Expected Salary
3. Time required to join
4. Ready to relocate to St.Louis, MO
5. Do you require work authorization in US as this is for full time position?
6. Are you open for permanent position?
7. Contact Number
8. Email
9. Convenient time for telephone Interview

Factors That Make B-2-B Marketing Projects Unique

Is business-to-business marketing really different to marketing to the general public? Although there is a cross over, business-to-business marketing is different from consumer marketing in deep and fundamental ways and this most certainly affects the way that b2b marketing should be carried out.

Business-to-business marketing is about meeting the needs of other businesses, though ultimately the demand for the products made by these businesses is likely to be driven by consumers in their homes.

There are four key factors that make business-to-business markets special and different to consumer markets:

· The decision making unit is far more complex in business-to-business markets than in consumer markets
· Business-to-business products and their applications are more complex than consumer products
· Business-to-business marketers address a much smaller number of customers who are very much larger in their consumption of products than is the case in consumer markets
· Personal relationships are of critical importance in business-to-business markets.

COMPLEXITY OF THE DECISION MAKING UNIT
In most households, even the most complex of decisions is confined to the small family unit while items such as clothes, food and cigarettes usually involve just one person. The decision making unit (DMU) in business-to-business markets is highly complex or at least it has the potential to be so. Ordering products of low value and low risk (such as the ubiquitous paper clip) may well be the responsibility of the office junior. However, the purchase of a new plant that is vital to a business may involve a large team who makes their decision over a protracted period. Often the DMU changes during this negotiation period as specialists enter and leave it to make their different contributions.

This complexity has implications for business-to-business markets. The target audiences for b2b communications are amorphous, made up of groups of constantly changing individuals with different interests and motivations. Buyers seek a good financial deal. Production managers want high throughput. Health and safety executives want low risk. And those are just their simple, functional needs. Each person who is party to the DMU will also bring their psychological and cultural baggage to the decision and this can create interesting variations to the selection of products and suppliers.

Given the complexity of the decision making unit and the many influences on these decisions, it should be no surprise that it is difficult to arrive at a needs based segmentation in business-to-business markets.

COMPLEXITY OF THE PRODUCT
Just as the decision making unit is complex in relation to business-to-business markets, so the same rule applies for the actual products in these markets. Business-to-business products are far more likely to be complex than is the case with their counterparts in consumer markets.

Where the purchase of a consumer product requires little expertise, the purchase of an industrial product frequently requires a qualified expert. Where consumer products are largely standardised, industrial products are often bespoke and require high levels of fine-tuning. Even relatively complex consumer products tend to be chosen on fairly simple criteria.

Industrial products, on the other hand, frequently have to be integrated into wider systems and as a result have very specific requirements and need intimate, expert examination and modification.

These differences have a great impact on the way consumer and industrial products are marketed. Buyers of consumer products are not interested in the technical details of what they are buying. As a result, consumer products are frequently marketed in ways that are superficial or even vacuous.

Business-to-business campaigns seek to educate their target audience by providing specific factual information. Many target companies in business-to-business campaigns are already well-informed on the product area, in which case promotional material may have to go as far as offering product specifications. Often, however, campaigns are promoting products that the target market is unaware of – in such cases, the physical benefits of the product must be concisely conveyed.

LIMITED NUMBER OF BUYING UNITS
Almost all business-to-business markets exhibit a customer distribution that confirms the Pareto Principle or 80:20 rule. A small number of customers dominate the sales ledger. Nor are we talking thousands and millions of customers. It is not unusual, even in the largest business-to-business companies, to have 100 or less customers that really make a difference to sales.

There is also a matter of scale. In consumer markets there are reasonable limits to the amount that a single person can buy and use of any product. The range of spend between the largest and smallest buyer in a business-to-business universe is likely to be much much larger than the range of spend between the largest and smallest buyers in consumer markets. Small numbers of customers of widely different sizes is a major distinguishing feature of business-to-business markets and this requires a completely different marketing approach to that required for consumer markets.

IMPORTANCE OF PERSONAL RELATIONSHIPS
The fourth distinguishing feature of business-to-business markets is the importance of the personal relationship. A small customer base that buys regularly from the business-to-business supplier is relatively easy to talk to. Sales and technical representatives visit the customers. People are on first name terms. Personal relationships and trust develops. It is not unusual for a business-to-business supplier to have customers that have been loyal and committed for many years.

The differences between business-to-business markets and consumer markets that have been outlined are clearly considerable.

Special Requirements Of B2B Marketing
· Creating personal relationships
· Offering high levels of service and support
· Close targetting through direct marketing


Common Ground Between B2B & Consumer Marketing
· Understanding customer needs
· Communicating vital messages about the company and its products
· Building a brand

Special Requirements Of Consumer Marketing
· Reaching large numbers of potential customers with promotional messages
· Ensuring consistenly high standards at the point of sale
· Creating loyalty amongst fickle consumers

The common challenge for both business-to-business and consumer marketers is to truly understand their customer needs and to be able to communicate that their products or services really are special in being able to satisfy them. There is usually substantial room for improvement in both respects.

ClientFirst Consulting Group, LLC Project Manager Openings

ClientFirst Consulting Group, LLC is recruiting for the following two openings:

1- Project Manager
Rapidly growing consulting firm interested in ERP systems implementation project manager. Experience in the following vertical markets preferred but not required: government, not-for-profit, K-12 education. Additional experience in business process improvement, organizational change management and application systems selection helpful. Contract or full time. Contact us at hrla@clientfirstcg.com

2- Project Manager
Rapidly growing consulting firm interested in ERP systems implementation project manager. Direct experience in Great Plains implementation and project management required. Experience in the following vertical markets preferred but not required: government, not-for-profit, K-12 education. Additional experience in business process improvement, organizational change management and application systems selection helpful. Contract or full time. Contact us at hrla@clientfirstcg.com

Please contact the recruiter directly.

Kiva.org - Supporting Projects that Make a Genuine Difference

"Act as if what you do makes a difference. It does." William James

I have been following Kiva.org since it was given considerable publicity by the Clinton Global Initiative in 2006. My personal experience with it has been successful. I loaned out a very small amount ($25) to a lady in Africa via Kiva.org and was notified recently that she has re-paid it in full. I can now lend these funds out to another entrepreneur with a budding project in some part of the world where small amounts go a long way.

Kiva is an organization that allows people to lend money via the Internet to small businesses in developing countries. It is a 501(c)(3) non-profit organization headquartered in San Francisco, supported by donations from its users and through partnerships with businesses and other institutions.

Kiva allows microfinance institutions around the world, called "Field Partners", to post profiles of qualified local entrepreneurs on its website. Lenders browse and choose an entrepreneur they wish to fund. Kiva aggregates loan capital from individual lenders and transfers it to the appropriate Field Partners to disburse and administer. As the entrepreneurs repay their loans, the Field Partners remit funds back to Kiva. Once a loan is fully repaid, the Kiva lenders can withdraw their principal or re-loan it to another entrepreneur.

Lenders' funds are transferred to Kiva through PayPal, which does not collect its usual fees in this case. Field Partners generally charge interest from their borrowers, although Kiva claims to keep track of how much interest is charged and will not work with those charging unfair interest rates. Kiva lenders do not receive any interest because of US Government regulations.

Kiva claims that its borrowers have a historical repayment rate of about 99.7%.

The Seven C’s of Success

Taken from http://www.briantracy.com/

After having studied top achievers and peak performers over the past 25 years, Tracy has concluded that these unique men and women have, in most cases, mastered what he calls the Seven C's of Success.

1. Clarity - Eighty percent of success comes from being clear on who you are, what you believe in and what you want.
2. Competence - You can't climb to the next rung on the ladder until you are excellent at what you do now.
3. Constraints - Eighty percent of all obstacles to success come from within. Find out what is constraining in you or your company and deal with it.
4. Concentration - The ability to focus on one thing single-mindedly and see it through until it's done takes more character than anything else.
5. Creativity - Flood your life with ideas from many sources. Creativity needs to be exercised like a muscle, if you don't use it you'll lose it.
6. Courage - Most in demand and least in supply, courage is the willingness to do the things you know are right.
7. Continuous learning - Read, at the very least, one book a week on business to keep you miles ahead of the competition.