IT Effectiveness and Cloud Computing March 2013

Copyright © 2011 Deloitte Development LLC. All rights reserved.



Enterprises are faced with important operational risks on the road to cloud computing adoption

Data controls and ownership

Who will own the data when subscribing to a cloud computing service? Is the data you create, use, and store within a cloud yours? Could your data be viewed, accessed, or used without your knowledge; sold to third parties; used for unknown purposes?

Backup, retention, and disposal

Is data retention meeting your policy requirements? Is deleted data "really" gone or still preserved somewhere within the cloud? How are data backups and restores handled?

Availability and reliability

How is reliability, access, and availability "guaranteed" by cloud services providers? Is it through service level agreements?

Disaster recovery

Is your data protected in the event of a disaster? What are the recovery time objectives and service level agreements?

Legal compliance

Is your cloud provider adhering to laws/regulations for your industry and in every jurisdiction which applies?

Key operational and governance issues must be resolved as cloud computing architectures are deployed in the enterprise, requiring new approaches


Assurance

How will you provide your customers with a level of comfort and assurance on the protection and controls in the cloud environment, especially when involving third parties?

Scalability

Can your service provider support growing demand from all clients and provide reliable services at high scalability? Are there vendors with mature offerings?

Security and encryption

Is data secure within the cloud environment? How is security enforced and confirmed? What level of encryption is required to enhance security, and how will this impact operational service levels?

Auditing and monitoring

Are you ready to apply enterprise risk management and controls, and auditing and monitoring practices to applications and data residing in cloud environments?

Vendor “lock-in”

What happens if you want to move your data back in house or into another cloud? How open is the existing cloud and what support will the vendor provide?

Tax implications

Is your enterprise ready to adjust tax processes to meet new needs?


For most enterprises, the pace of cloud computing adoption will map to the maturity of the services category

[Figure: Vendors at various stages of maturity. Axis: Adoption. Service categories: IaaS, SaaS, PaaS.]

Maturity stages shown: Nascent technology, pilots; Early adopters, growing adoption; Stable technology, significant adoption.

Guidance text on the figure:

Should be actively watched and potentially tested on a small scale. Risks still exist and technology has not been fully tested.

Should be tested through pilot studies. Business owners should be assigned and business cases developed.

Broader implementation should be considered. Scale-up piloting with plans to implement.

Vendors shown: Google Apps Engine, Gmail, salesforce.com, Amazon Virtual Private Clouds, Oracle On Demand, Microsoft Hosted E-mail, Hosted VMware, Amazon Web Services, Mozy, Force.com, service-now.com, Rightnow, Workday.

The rate of adoption of cloud computing is tied to the vendors’ levels of technical and functional maturity, and their suitability to enterprise-class levels of performance, reliability, and resiliency.


What is IT Effectiveness?

IT: noun. Tools, processes, methodologies, hardware and software used to collect, process and present information.

Effective: adj. Adequate to accomplish a purpose; producing the intended or expected result.

IT Effectiveness: noun. A structured assessment of IT and its alignment to the organisation’s strategic and operational objectives.


Are IT Departments incentivised to source cost effective IT Services, even if that means using a third party?

IT Strategy Alignment

Risk: Opposing strategic decisions taken by management and IT lead to the inability of the organisation to react quickly to regulatory or operational change.

User Perception

Risk: The performance of the workforce may be undermined if IT services do not meet user requirements.

IT Service Delivery Assessment

Risk: Availability of services may be compromised or the cost of the service may be prohibitive.

IT Expenditure Assessment

Risk: Expenditure within IT may be inappropriately allocated between investment into “business as usual” activities and activities that support growth and innovation.

Effective sourcing of IT services can bring substantial efficiencies. We look at how IT Management can be challenged on IT sourcing decisions.


User perception

Risk: The performance of the workforce may be undermined if IT services do not meet user requirements.

[Figure not recovered; surviving labels: Disaster recovery, Desktop connectivity]



IT Service Delivery Assessment


Risk: Availability of services may be compromised or the cost of the service may be prohibitive.


Observations & Actions

Process Maturity of retained organisation

Organisations strive to improve the maturity of retained processes that have been identified as key interfaces into the industrialised processes. The Transition & Transform phase of vendor on-boarding will implement a robust transition plan, in collaboration with the vendor, to transition the workflows to the selected vendor while implementing retained organisation process re-design.

The retained key interfaces into the build factory have undergone process improvement since the set-up of the build factory. However, process detailing has not been subject to a graded maturity assessment for appropriateness. The grading will help to encourage consistency in design and help the author to identify an appropriate target level of detail.

Maturity

Historic: Processes have been historically executed by knowledgeable personnel with all necessary procedures and supporting documentation not being complete.

Current: The need to industrialise has necessitated the formalisation of some procedures with completed documentation. Some progress has been made but there is a significant lack of “version 1” procedure sets.

Target: To gain maximum benefit from the Build Factory, all interfacing procedures up-stream of the Build Factory are to be universally baselined and subject to change control

1. A methodology should be defined for assessing and then grading the end-to-end processes that require additional rigour.

Risk: Less formalised and immature processes cannot be effectively industrialised, leading to inefficiency and errors.

Level 1: Informal processes using experienced personnel

Level 2: Process well understood but not fully documented

Level 3: Structured and mostly documented

Level 4: Highly structured, regularly reviewed

Level 5: Optimised for efficiency and accuracy

[Slide labels: Good Practice; Observation; Rationale; Improvement Actions. Legend: H, C, T. Action Theme: 1. Demand, 2. Accuracy, 3. Tooling, 4. Security. Scope Group: People, Process, Governance, Technology.]


What is IT Effectiveness?

Value added Outputs


Microsoft vs The World

An Audit Perspective

March 2013


When auditing, we often focus on the single largest component of the IT environment, namely the Microsoft products.

However it would be extremely unusual for an IT environment to function solely on Microsoft products.

Java

Open Office

Adobe

iTunes

Open Source Linux

Chrome

Free / Nag / Shareware

Portable software


What do we do for Microsoft products?

What can we learn from these and how can we apply it to non-Microsoft products?

MBSA

WSUS

Microsoft Update

CERT Advisories

Nessus

BackTrack

Patch Tuesday


What questions should we ask? And have IT considered any of them?

What are the risks?

Maliciousness, Tampering, Poor QA, Override of Controls

Who are the worst offenders?

IT Departments, IT Experts

Availability and reliability

Ongoing support

Legal compliance

Licensing?

Unfortunately, there is no one-size-fits-all approach; be aware of the potential issues and know when to ask for expert advice.

If it’s not explicitly blocked, then it’s probably happening somewhere in your organisation.


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. © 2011 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.

Member of Deloitte Touche Tohmatsu Limited