7b supp

Enterprise Technology Risk and Performance Assessment 

December 2012

Executive Summary: Introduction 
At the request of the Port of Seattle Commissioners and Executive Team, Protiviti was
engaged to conduct an Enterprise Technology Risk and Performance Assessment. 
The project was initiated in the September 2012 timeframe and was completed and finalized
in December 2012. 
The scope consisted of Port technology organization wide and included both the Information
Communication & Technology (ICT) and Aviation Maintenance departments. 
The project consisted of two primary objectives: 
1.  Execute a technology risk assessment resulting in a three-year IT Audit plan, including
direction on staffing levels and appropriate skill sets to complete the recommended
audits.
2.  Assess the overall management, efficiency and effectiveness of Port information and
communication technology assets and services within the following key areas:
Strategy, Operations, Investment, Governance and Risk Management. 
This report encompasses the analysis, conclusions, observations and recommendations
derived by Protiviti as a result of the procedures it performed. 
Procedures performed included a broad set of interviews with organization leadership and
process leads; reviews of provided policies, procedures, and process documentation; and
detailed benchmarking analysis. 
1      2013 Protiviti Inc 
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Executive Summary: High-Level Observations 
Technology is rapidly changing and absolutely critical to the Port's overall operations.
Properly aligned technology capabilities are essential to enhancing the efficiency and
effectiveness of the Port's business processes through the protection, reliability,
availability, and analysis of business information. 
IT cost benchmarking analysis conducted by Protiviti indicates the Port's IT functions
have effectively managed costs, including the following key results: 
The Port's IT cost profile is in alignment with comparable industry averages. 
The Port has generally outperformed comparable industries in controlling IT
operations (or "run") costs. 
The Port has successfully shifted more of its IT spend towards growth and
transformation of the business from maintaining legacy infrastructure and
applications. 
The Port's IT processes perform favorably compared to organizations of comparable
size and industry-groups. 


Executive Summary: High-Level Observations (continued) 
Opportunities exist to: 
Further mature certain core IT processes. 
Continue to align ICT and Aviation IT operations. 
Explore additional avenues for collaborating and communicating with the
Commission and C-Level positions. 







Executive Summary: Key Observations & Recommendations 
IT Governance & Alignment 
The Port's ICT Governance Board provides effective oversight to major IT initiatives and decisions, including
investment evaluation / prioritization and risk management. 
Business units should initiate regular formal strategy discussion and alignment review processes with the IT
functions where they are not in place today. 
Aviation should continue the close alignment of its technology decision-making and communication
processes with the ICT Governance Board. 
IT leadership does not regularly interact with the Port Chief Executive Officer (CEO) or Commissioners. 
The Port IT functions should establish consistent processes and responsibilities focused on strengthening
and continuously managing the relationship with IT's business customers.
IT Value & Cost Perception 
Aviation and Corporate functions require (and receive) a more sophisticated set of IT solutions which require
a more sophisticated IT function to deliver. 
Other divisions, while not requiring as sophisticated a set of solutions, are still benefiting from a high
performing IT function. 
While the basic model for allocating IT costs to business units is generally fair (based on system usage),
some of the "lighter" users of IT perceive their allocated share to be excessive. 
Peer group and performance benchmarking indicate the overall size and cost of the Port's IT function are
consistent with the Port's IT objectives. No cost cutting efforts are recommended. 

Executive Summary: Key Observations & Recommendations (continued) 
IT Operational Capabilities, Process Maturity & Alignment 
The Port IT organization has established a core set of IT processes and capabilities that enable consistent
delivery of IT services. 
The Port should continue to invest in improvements to its IT process, technological, and organizational
capabilities including: (1) upgrades to specific data center facilities, (2) expanding the IT security
organization, (3) enhancing and maturing IT service continuity processes, and (4) improving the IT service
support processes and systems (including change management and service level management).
The Port should continue to align and adopt common processes across IT functions, leveraging the existing
ICT processes since they have more established practices and structures and also demonstrate higher
levels of maturity. 

IT Project Intake & Analysis 
The Port has demonstrated strong execution capabilities for IT projects and investments that are initiated
through the ICT Governance Board and IT project management organizations.
The Port should establish an enterprise-wide IT architectural review process that is required for all projects
with potential IT implications, closely integrating with the existing ICT Governance Board and the Airport
Technology Investment Committee. 



Executive Summary: Key Observations & Recommendations (continued) 
IT Internal Audit Function 
The Port does not have a formal IT audit function with the specific skill sets necessary, which limits its ability
to independently assess IT risks. 
The Port should establish an IT audit planning process within its Internal Audit Department. 
Audit efforts should be closely coordinated with both ICT and AV to ensure scheduling aligns with other IT
initiatives and that resources are available. 








Technology Risk Assessment

IT Risk Assessment Approach 

Oversight flow: Key Stakeholder Interviews / Document and Data Requests -> Management Input and Oversight -> Management Review and Approval 

Project Phases and Key Inputs 
1.  Understand IT Organization and Structure 
    Key inputs: IT Org Charts; Geographic Locations; Budgets; Business / IT Operations Interaction 
2.  Understand IT Environment 
    Key inputs: Applications; Infrastructure; Voice / Data Networks; Data Center 
3.  Determine Risk Universe 
    Key inputs: Key IT Projects; Processes; Departments; Applications / Infrastructure 
4.  Prioritize Risk Universe 
    Key inputs: CobiT / ITIL / ITPI; Capability Maturity Model; Perceived Risk; Protiviti Experience 
5.  Finalize IT Audit Plan 
    Key inputs: Risk Universe; Audit Hours / Timeline; Audit Scope / Objectives; Required Audit Skills 

Across all phases: Project Management; Knowledge Sharing; Communication 


Proposed IT Audit Plan 
Timeline: Q3-Q4 FY12, Q1-Q2 FY13, Q3-Q4 FY13, Q1-Q2 FY14, Q3-Q4 FY14, Q1-Q2 FY15, Q3-Q4 FY15 

Risk Assessment & Audit Planning (audit planning and follow-up): 
    Technology Risk Assessment (Q3-Q4 FY12) 
    FY13 Follow-up Risk Assessment Refresh 
    FY14 Follow-up Risk Assessment Refresh 
    Risk Assessment Refresh 

Audit projects: 
    Scheidt & Bachmann Review 
    End-Point Security Review 
    Data Loss Prevention Review 
    IT Asset Management Review 
    IT Change Management Diagnostic 
    Data Center Review 
    HIPAA Compliance Assessment 
    Business Continuity / Disaster Recovery Review 
    PeopleSoft Post-Implementation Review 

On-going projects: 
    Audit Plan Management, Reporting, and On-Going Monitoring 

Chart legend: Audit Planning and Follow-up; Audit projects; On-going Projects 

Technology Performance: Benchmarking & Metrics Analysis

Benchmarking Results 
Benchmarking Comparisons 
Protiviti utilized three data points to benchmark the Port's information technology
functions across similar organizations: 
1. The IT Process Institute's IT Controls Performance which includes comparison
data points on organizational size and IT control effectiveness. 
2. The IT Process Institute's IT Strategic Alignment Benchmark which includes
comparison data points on IT strategy models and alignment practices. 
3. Gartner's IT Metrics: IT Spending and Staffing Report for a comparison of IT
metrics across a variety of industries. The 2012 version of this report was used in
conjunction with prior year reports for multi-year comparisons. 





Benchmarking Results 
Key Themes 
Alignment with Key IT Metrics: The Port's IT metrics compare favorably with the North
American and comparable industry averages (per analysis of key IT metrics from Gartner). 
Variations in metrics are within an acceptable margin of the comparable industry
averages. 
IT Strategic Focus: Business needs indicate the primary strategic focus of the Port's IT
functions should be on partnering with the business to enhance processes in a "Process
Optimizer" model. The core IT practices to enable this level of alignment are in place (per
the ITPI Strategic Alignment Benchmark). 
The need for the "Process Optimizer" alignment model is being driven by the
expectations of the two largest consumers of Port IT services: Corporate and the
Aviation Division. 
The "Process Optimizer" model also effectively provides for the services required by
other Port divisions desiring a lower level of IT alignment (e.g., in a "Utility Provider"
model); however, the Port's cost allocation methodology may require revision to more
accurately reflect the different divisions' IT expectations and utilization levels. 


Benchmarking Results 
Key Themes (continued) 
IT Process Performance: The Port's IT process activities perform as well as or better
than those of organizations of comparable size and industry-groups (per the ITPI IT Control
Performance Benchmark). 
The Port rates as a "High Performer," with two-thirds of its measured IT performance
metrics rating better than the benchmark average. 
The Port may realize additional performance gains (against the benchmark peer
groups) with targeted improvements to the 12 "foundational" IT process activities. 
Benchmarking Updates: The Port should consider revisiting these benchmarks every 2
to 3 years. 





Capability Maturity Analysis 
IT Capability Maturity Analysis Summary 
Current Demonstrated Maturity State: Repeatable to Defined 
Target Maturity State (1-3 Years): Defined* 

Process areas assessed: Change, Configuration & Release Management; Continuity Management; Program, Project and Portfolio Management; Security Management; Support / Service Desk; IT Governance 

Maturity levels and associated cost profile (as shown on the chart): 
    Optimizing ($$$): Potential for increased costs is accepted to ensure process consistency & quality 
    Managed ($$) 
    Defined ($): Typical Target Zone; cost & performance management are effectively balanced 
    Repeatable ($$) 
    Initial ($$$): Likelihood of increased costs due to process issues & inconsistency 

Chart legend: Current Maturity; Partial Demonstration; Target Maturity 
(The original chart plotted each process area's current and target rating against these levels.) 

* Note: Higher levels of maturity may be identified as the "best fit" option once the 
"Defined" level is consistently achieved by the Port. 

Capability Maturity Model Matrix Example 
Change, Configuration and Release Management (includes SDLC) 

Each maturity level is described across six dimensions: Strategy & Policies; Processes & Controls; People & Organization; Management Reports; Methodologies; Systems & Data. 

Optimizing (increased costs) 
    Strategy & Policies: Close alignment of change, configuration, and release (CCR) practices with business strategy; new initiatives are agile and successful 
    Processes & Controls: CCR processes are formally enforced, automated, monitored statistically, and are proactive (i.e., "near misses" identified) 
    People & Organization: Matrixed functions / roles adjust quickly to initiatives; ownership, roles, standards and cross-training are inherent in operations 
    Management Reports: World-class process performance; all changes are "normal"; system outages are rare and well-planned 
    Methodologies: Costs / benefits / risks measured and balanced in portfolio of changes, releases, and projects across infrastructure 
    Systems & Data: Real-time system controls prevent service interruptions; excellent data integrity; automated config. data prevalent 

Managed (increased costs) 
    Strategy & Policies: CCR policy / objectives ingrained into IT governance practices; service measures designed into process 
    Processes & Controls: CCR processes are integrated; enforced by some preventive controls; monitoring capability exists 
    People & Organization: CCR ownership / roles evident; cross-training limits failure points; config. teams support multiple BUs 
    Management Reports: Management by exception; few (<1%) emergencies / failures; config. data proactively managed 
    Methodologies: Process performance benchmarked to plan for future; config. integrated with other IT processes 
    Systems & Data: Integrated change process systems; "real-time" trending; integrated CMDB with automated detection 

Defined (Typical Target Zone) 
    Strategy & Policies: Policy and strategy define objectives for success; policy emphasizes that "no unauthorized changes" are made 
    Processes & Controls: Practices understood, but largely manual; releases include rollback plans; config. impact analysis in place; detection of failures is unlikely 
    People & Organization: CCR roles defined; process ownership clearly established; process awareness widespread; some cross-training; CAB includes business 
    Management Reports: KPIs analyzed periodically; service thresholds in place; success measured in terms of ROI/TCO; infrequent (<2%) emergencies / failures 
    Methodologies: Models include impact analysis & risk mitigation activities; IT process integration beginning; history of changes is traceable (e.g., at CI-level) 
    Systems & Data: 1-2 primary systems used to manage changes; reporting structures defined / available; CMDB in place with some data collection automation 

Repeatable 
    Strategy & Policies: Basic policy exists to establish authority and responsibility; limited long-term strategy and vision; informal planning 
    Processes & Controls: Change / release process is somewhat consistent; informal enforcement / training; config. process definition beginning 
    People & Organization: Some responsibilities understood; limited training available; CAB established but with only IT; some config. coordination 
    Management Reports: Few metrics defined; data gathered through periodic audits; somewhat frequent (10%) emergencies / failures and change-related outages 
    Methodologies: Basic models are considered, but used inconsistently; mass "data changes" are normal; limited view of configurations 
    Systems & Data: Some auto-data collection, but with manual input; config. data manually held; segregated test environments exist 

Initial (increased costs) 
    Strategy & Policies: No strategy or policy for managing change to IT systems exists 
    Processes & Controls: Processes are informal, differ significantly between groups, and are adjusted reactively 
    People & Organization: Change success results from heroics and responsibility not consistent; siloed config. knowledge 
    Management Reports: Only anecdotal evidence available; frequent (>20%) emergencies / failures; frequent change-related outages 
    Methodologies: Process not defined as "request to close"; siloed processes; config. relies on "expert knowledge" 
    Systems & Data: Manual or redundant data gathering; accurate config. data unavailable; changes often cause issues 

Chart legend: Current Maturity; Partial Demonstration; Target Maturity 

Confidentiality Statement and Restriction for Use 
"This report (i.e., report of findings/recommendations, table, chart, summary, etc.) provides management with information about the condition of the
Port of Seattle's environment at one point in time. Future changes in environmental factors and actions by personnel may significantly and adversely
impact these in ways that this report did not and cannot anticipate. This report is intended for use by Management, solely for the purpose of providing
direction to its internal. It is not to be used or relied upon by others for any other purpose whatsoever. " 


