Cloud Transformation Program in today's GRC World: Process-Oriented Framework
CLOUD TRANSFORMATION PROGRAMS (CTPS) IN TODAY’S GRC WORLD
Process-Oriented Framework
By: Ahmed Ragab
September 2014
Professional Advice
This paper, including all concepts and frameworks, is provided for general information and practice guidance purposes only. Users of this document are encouraged to apply the presented concepts and framework with a thorough understanding of their general application. Where a more specific framework or special controls are needed for a particular organization or industry, it is advised to customize the specific controls to that industry's parameters; the underlying concept stays valid across different industries. For any further inquiry or contribution, you can contact the author for further improvement.
What’s inside?
Cloud Transformation Program (CTP) framework, GRC alignment with Cloud Transformation, benefits of a GRC assurance model for CTP, the CTP's full cycle, and the concerns of the different stakeholders in any CTP.
Who shall read this?
Cloud Transformation Project/Program (CTP) Managers, IT GRC Officers, Change Managers, CTOs, CIOs, CISOs, IT Auditors, Cloud Computing Architects, and any other stakeholder involved in a Cloud Transformation Program.
TABLE OF CONTENTS
Wide Spectrum
Introduction
Why Organizations consider CTP within a Compliance Framework?
CIO, CISO, Board and Compliance Concerns!
GRC Impact on Cloud Transformation Programs
Cloud Transformation Program (CTP) Framework
WIDE SPECTRUM
Today’s business dynamics have urged all organizations to adopt more flexible platforms, whether in management processes or in IT infrastructure. Enterprises have started to maturely recognize the new, faster pace of transformation programs needed to accommodate business needs. Customers cannot wait any more. Operational staff need a business-driven, objectives-oriented and flexible work environment built on a dynamic technology infrastructure. Investors are, as usual, keen on how investments are allocated. And finally, risk and compliance governors have their own call to accommodate such a topology and securely maintain the organization’s momentum.
Changing from conventional IT-centric operations to more flexible, services-oriented and on-demand IT services has become a key factor when applying effective investment calculations. Hereby, the Cloud Transformation Program (CTP) has become one of the top enterprise transformation programs. However, such programs shall not be designed focusing only on technology parameters; they must also consider the complementary support of mature processes and compliance controls in order to ensure a smooth transformation with compliance.
INTRODUCTION
A Cloud Transformation Program (CTP) is not just a strategic change-management move for enterprises; it is a turn-key, pivotal change-management program that covers all aspects of the organization: people, processes, technology, suppliers, behavior, etc. Such a program normally runs as a capital project in the organization, so special attention should be paid from the governance, risk and compliance point of view. This holds regardless of the cloud deployment model: public cloud, private cloud, hybrid cloud, or even community cloud.
This paper will tackle the Cloud Transformation Program (CTP) from a process-oriented approach, to empower all leading experts, architects and program managers to apply a full-fledged framework enriched with compliance pillars, i.e. GRC.
WHY ORGANIZATIONS SHALL CONSIDER (CTP) WITHIN A COMPLIANCE FRAMEWORK?
No doubt every IT transformation project has its own ICT controls that ensure the project succeeds “technically.” However, tackling a CTP needs more assurance on enterprise-wide controls such as Governance, Risk, Compliance, and other operational controls. From this approach, a full-fledged compliance framework has been adopted to accommodate any CTP effectively. Figure 1 demonstrates the different components of a CTP within a compliance framework.
During the roadmap of such a CTP, organizations need to adopt such a comprehensive compliance framework to achieve the following:-
IT Governance – by implementing all related ICT controls to ensure the Confidentiality, Integrity and Availability of information across the organizational departments effectively.
IT Risk Management Controls – to identify, establish, and maintain risk governance with an integrated view of the overall Enterprise Risk Management (ERM). This will lead to evaluating risks as well as responding to them.
Compliance – aligning the entire CTP with the enterprise compliance indicators and checklists in order to maintain conformity with the compliance requirements of internal organizational bodies as well as external regulatory bodies.
Assurance – by establishing the key controls for implementing the CTP on different levels: project management framework, people-related controls, technology-related controls and process-related controls.
Aligned IT Services Management Processes – since implementing such a program impacts different aspects of the ICT organization, IT Services Management has to be aligned (or established, if it has not been identified before) with the dynamics and complexity of the running CTP. IT Services Management processes are very critical and could change dramatically when an organization transforms from a centralized IT organization to a cloud-based environment.
Process Reengineering – organizations may need to reconsider business process reengineering, where many manual operations could be automated and some manual controls will be swapped; in addition, some new processes could be released to support the new cloud operations and functionalities.
Information Security – given the special nature of the cloud environment, considerable information security controls shall be implemented and audited to assure information privacy and to control any breach. Within the compliance model mentioned above, InfoSec is considered the core technical compliance area, with the most critical applied controls.
Project/Program Management – the mentioned compliance model will integrate smoothly with the entire project management process, since it draws heavily on PM pillars such as scoping, change management, risk, quality, integration, etc.
CIO, CISO, Board and Compliance Concerns!
Budget-wise, we are in trouble! This only happens when we talk about the ROI of a Cloud Transformation Program (CTP) from a narrow dimension, namely as a technology solution. Accordingly, tackling such a transformation program shall consider the different stakeholders’ concerns in order to reach benefits realization. The following figure summarizes the main concerns of the leading stakeholders for any CTP:-
GRC Impact on Cloud Transformation Programs
GRC models have been progressively improved until we reached the GRC Capability Model proposed by OCEG. That said, if we consider this GRC model as principled performance for assuring a successful cloud transformation program, it will come with the following assured benefits:-
Mature processes definitions
Reliable processes assessment
Robust controls
Dynamic process change
Agile framework for future processes scalability
Compliance management
Quantitative and qualitative performance indicators
Service quality
Reliable CAPEX, OPEX and TCO calculations
More visibility and applicability of Chargeback and Showback
Time-to-market
Envisioning roadmap
Business integrity
People development and awareness
CLOUD TRANSFORMATION PROGRAM (CTP) FRAMEWORK
The following framework merges different conceptual frameworks to come up with a full-fledged CTP, with compliance tools applied across the Cloud Transformation milestones.
Discovery Phase – a thorough understanding of the organization is the first milestone, where we consider the four main pillars of understanding (People, Process, Technology, Project Management Framework). This covers the entire organization's assets for those pillars, such as: competency levels, identified and implemented processes, the existing applications and technology environment, and the maturity levels of the different project management processes.
Analysis Phase – this phase represents a demarcation stage between the different pillars, and it prepares for the next levels of understanding by connecting information and perceptions together in order to come up with mature assessment views. From this stage, we can also come up with the business case and the recommendation for stakeholders’ approval.
Design Phase – building a conceptual framework for implementation, operations and maintenance, and the sustainability model is the state of the art, where the architects invest a lot of time and effort to present a comprehensive integrated model for the cloud model and the deployment option.
Implementation Phase – this is the hardest stage, delivering the baby: the implementation phase, where the right solution, implementer, resources and the right time to start the implementation are selected, with considerable attention to time-to-market.
Monitoring and Evaluation Phase – this is the time for measuring expectations on different levels: application features, performance, integrity, security, reliability, flexibility, agility, etc.
Continual Improvement Phase – this is payback time! Users have started to progress maturely inside the new cloud environment, so more services can be configured and some Chargeback processes will be triggered to show the IT business value.
All the phases mentioned above shall be designed and supported by reliable KPIs with GRC compliance features.
This will be released in the next white paper.
About the Author
Ahmed Ragab, Consulting Services Manager at Panorama Consulting and Business Solutions, is the author of this conceptual framework. Ahmed is a hands-on, experienced process-reengineering professional with diversified implementation experience in Information Security Management Systems, IT Governance, IT Risk Management, IT Audit and Restructuring Programs. He has formulated many implementation and process-assurance frameworks.
Inspired by the GRC model of principled performance and articulating a Cloud Transformation Framework, this integrated CTP framework has been formulated in line with the GRC pillars.
For any feedback or inquiry, please contact:-
Ahmed Ragab, MSc, ISMS-LA
Consulting Services Manager
Panorama Consulting and Business Solutions
+965 - 60036963