01 POS TechRisk 2012 FINAL
Enterprise Technology Risk and Performance Assessment
December 2012

Executive Summary: Introduction

At the request of the Port of Seattle Commissioners and Executive Team, Protiviti was engaged to conduct an Enterprise Technology Risk and Performance Assessment. The project was initiated in the September 2012 timeframe and was completed and finalized in December 2012. The scope covered Port technology organization-wide and included both the Information Communication & Technology (ICT) and Aviation Maintenance departments.

The project consisted of two primary objectives:

1. Execute a technology risk assessment resulting in a three-year IT Audit plan, including direction on staffing levels and appropriate skill sets to complete the recommended audits.
2. Assess the overall management, efficiency and effectiveness of Port information and communication technology assets and services within the following key areas: Strategy, Operations, Investment, Governance and Risk Management.

This report encompasses the analysis, conclusions, observations and recommendations derived by Protiviti as a result of the procedures it performed. Procedures performed included a broad set of interviews with organization leadership and process leads; reviews of provided policies, procedures, and process documentation; and detailed benchmarking analysis.

2013 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Executive Summary: High-Level Observations

Technology is rapidly changing and absolutely critical to the Port's overall operations. Properly aligned technology capabilities are essential to enhancing the efficiency and effectiveness of the Port's business processes through the protection, reliability, availability, and analysis of business information.
IT cost benchmarking analysis conducted by Protiviti indicates the Port's IT functions have effectively managed costs, including the following key results:

- The Port's IT cost profile is in alignment with comparable industry averages.
- The Port has generally outperformed comparable industries in controlling IT operations (or "run") costs.
- The Port has successfully shifted more of its IT spend towards growth and transformation of the business from maintaining legacy infrastructure and applications.
- The Port's IT processes perform favorably compared to organizations of comparable size and industry-groups.

Executive Summary: High-Level Observations (continued)

Opportunities exist to:

- Further mature certain core IT processes.
- Continue to align ICT and Aviation IT operations.
- Explore additional avenues for collaborating and communicating with the Commission and C-Level positions.

Executive Summary: Key Observations & Recommendations

IT Governance & Alignment

- The Port's ICT Governance Board provides effective oversight to major IT initiatives and decisions, including investment evaluation / prioritization and risk management.
- Business units should initiate regular formal strategy discussion and alignment review processes with the IT functions where they are not in place today.
- Aviation should continue the close alignment of its technology decision-making and communication processes with the ICT Governance Board.
- IT leadership does not regularly interact with the Port Chief Executive Office (CEO) or Commissioners.
- The Port IT functions should establish consistent processes and responsibilities focused on strengthening and continuously managing the relationship with IT's business customers.

IT Value & Cost Perception

- Aviation and Corporate functions require (and receive) a more sophisticated set of IT solutions, which require a more sophisticated IT function to deliver. Other divisions, while not requiring as sophisticated a set of solutions, still benefit from a high-performing IT function.
- Although the basic model for allocating IT costs to business units is generally fair (based on system usage), some of the "lighter" users of IT perceive their allocated share to be excessive.
- Peer group and performance benchmarking indicate the overall size and cost of the Port's IT function are consistent with the Port's IT objectives. No cost-cutting efforts are recommended.

Executive Summary: Key Observations & Recommendations (continued)

IT Operational Capabilities, Process Maturity & Alignment

- The Port IT organization has established a core set of IT processes and capabilities that enable consistent delivery of IT services.
- The Port should continue to invest in improvements to its IT process, technological, and organizational capabilities, including: (1) upgrades to specific data center facilities, (2) expanding the IT security organization, (3) enhancing and maturing IT service continuity processes, and (4) improving the IT service support processes and systems (including change management and service level management).
- The Port should continue to align and adopt common processes across IT functions, leveraging the existing ICT processes since they have more established practices and structures and also demonstrate higher levels of maturity.
IT Project Intake & Analysis

- The Port has demonstrated strong execution capabilities for IT projects and investments that are initiated through the ICT Governance Board and IT project management organizations.
- The Port should establish an enterprise-wide IT architectural review process that is required for all projects with potential IT implications, closely integrating with the existing ICT Governance Board and the Airport Technology Investment Committee.

Executive Summary: Key Observations & Recommendations (continued)

IT Internal Audit Function

- The Port does not have a formal IT audit function with the specific skill sets necessary, which limits its ability to independently assess IT risks.
- The Port should establish an IT audit planning process within its Internal Audit Department. Audit efforts should be closely coordinated with both ICT and AV to ensure scheduling aligns with other IT initiatives and that resources are available.
Technology Risk Assessment

IT Risk Assessment Approach

[Diagram: IT risk assessment approach. Project phases: Understand IT Organization and Environment; Understand IT Universe; Determine Risk Universe; Prioritize Risk Universe; Finalize IT Audit Plan. Key inputs: IT org charts, departments and geographic locations; applications, infrastructure, voice / data networks, business applications / infrastructure and data center; key IT projects; CobiT / ITIL / ITPI capability maturity model; risk universe and perceived risk; audit hours / timeline, audit scope / objectives, budgets and required audit skills; Protiviti experience. Throughout all phases: key stakeholder interviews / management review, management input and oversight, document and data requests and approval, IT operations interaction, project management, knowledge sharing, and communication.]

Proposed IT Audit Plan

[Timeline chart spanning Q3-Q4 FY12 through Q3-Q4 FY15. Audit planning and follow-up: Technology Risk Assessment & Audit Planning; FY13 Follow-up Risk Assessment Refresh; FY14 Follow-up Risk Assessment Refresh; Risk Assessment Refresh. Audit projects: End-Point Security Review; Data Loss Prevention Review; Scheidt Bachman Review; IT Asset Management Diagnostic; IT Change Management Review; Data Center Review; HIPAA Compliance Assessment; Business Continuity/Disaster Recovery Review; PeopleSoft Post-Implementation Review. On-going projects: Audit Plan Management, Reporting, and On-Going Monitoring.]

Technology Performance: Benchmarking & Metrics Analysis

Benchmarking Results

Benchmarking Comparisons

Protiviti utilized three data points to benchmark the Port's information technology functions across similar organizations:

1. The IT Process Institute's IT Controls Performance, which includes comparison data points on organizational size and IT control effectiveness.
2. The IT Process Institute's IT Strategic Alignment Benchmark, which includes comparison data points on IT strategy models and alignment practices.
3. Gartner's IT Metrics: IT Spending and Staffing Report, for a comparison of IT metrics across a variety of industries. The 2012 version of this report was used in conjunction with prior year reports for multi-year comparisons.

Benchmarking Results: Key Themes

Alignment with Key IT Metrics: The Port's IT metrics compare favorably with the North American and comparable industry averages (per analysis of key IT metrics from Gartner). Variations in metrics are within an acceptable margin of the comparable industry averages.

IT Strategic Focus: Business needs indicate the primary strategic focus of the Port's IT functions should be on partnering with the business to enhance processes in a "Process Optimizer" model. The core IT practices to enable this level of alignment are in place (per the ITPI Strategic Alignment Benchmark). The need for the "Process Optimizer" alignment model is being driven by the expectations of the two largest consumers of Port IT services: Corporate and the Aviation Division. The "Process Optimizer" model also effectively provides for the services required by other Port divisions desiring a lower level of IT alignment (e.g., in a "Utility Provider" model); however, the Port's cost allocation methodology may require revision to more accurately reflect the different divisions' IT expectations and utilization levels.
Benchmarking Results: Key Themes (continued)

IT Process Performance: The Port's IT process activities perform as well as or better than those of organizations of comparable size and industry-groups (per the ITPI IT Control Performance Benchmark). The Port rates as a "High Performer", with two thirds of its measured IT performance metrics rating better than the benchmark average. The Port may realize additional performance gains (against the benchmark peer groups) with targeted improvements to the 12 "foundational" IT process activities.

Benchmarking Updates: The Port should consider revisiting these benchmarks every 2 to 3 years.

Capability Maturity Analysis

IT Capability Maturity Analysis Summary

Current Demonstrated Maturity State: Repeatable to Defined
Target Maturity State (1-3 Years): Defined*

[Chart: current and target maturity by process area. Process areas: Change, Configuration & Release Management; Continuity Management; Program, Project and Portfolio Management; Security; Support / Service Desk; IT Governance. Maturity levels and cost implications: Optimizing ($$$) and Managed ($$), where the potential for increased costs is accepted to ensure process consistency & quality; Defined ($), the typical target zone, where cost & performance management are effectively balanced; Repeatable ($$) and Initial ($$$), where there is a likelihood of increased costs due to process issues & inconsistency. Legend: Current Maturity; Partial Demonstration; Target Maturity.]

* Note: Higher levels of maturity may be identified as the "best fit" option once the "Defined" level is consistently achieved by the Port.
Capability Maturity Model Matrix Example: Change, Configuration and Release Management (includes SDLC)

Matrix columns: Strategy & Policies; Processes & Controls; People & Organization; Management Reports; Methodologies; Systems & Data. Rows run from Optimizing (top) to Initial (bottom); the Defined level is the typical target zone.

Optimizing
- Strategy & Policies: Close alignment of change, configuration, and release (CCR) practices with business strategy; new initiatives are agile and successful.
- Processes & Controls: CCR processes are formally enforced, automated, monitored statistically, and are proactive (i.e., "near misses" identified).
- People & Organization: Matrixed functions / roles adjust quickly to initiatives; ownership, roles, standards and cross-training are inherent in operations.
- Management Reports: World-class process performance; all changes are "normal"; system outages are rare and well-planned.
- Methodologies: Costs / benefits / risks measured and balanced in portfolio of changes, releases, and projects across infrastructure.
- Systems & Data: Real-time system controls prevent service interruptions; excellent data integrity; automated config. data prevalent.

Managed
- Strategy & Policies: CCR policy / objectives ingrained into IT governance practices; service measures integrated with other IT processes.
- Processes & Controls: CCR processes are integrated; enforced by some preventive controls; monitoring designed into process.
- People & Organization: CCR ownership / roles evident; cross-training limits failure points; config. teams support multiple BUs.
- Management Reports: Management by exception; few (<1%) emergencies / failures; "real-time" trending capability exists.
- Methodologies: Process performance benchmarked to plan for future; config. data proactively managed.
- Systems & Data: Integrated change process systems; integrated CMDB with automated detection.

Defined
- Strategy & Policies: Policy and strategy define objectives for success; policy emphasizes that "no unauthorized changes" are made.
- Processes & Controls: Practices understood, but largely manual; releases include rollback plans; config impact analysis in place; detection of failures is unlikely.
- People & Organization: CCR roles defined; process ownership clearly established; process awareness widespread; some cross-training; CAB includes business.
- Management Reports: KPIs analyzed periodically; service thresholds in place; success measured in terms of ROI/TCO; infrequent (<2%) emergencies/failures.
- Methodologies: Models include impact analysis & risk mitigation activities; process integration beginning; history of changes is traceable (e.g., at CI-level).
- Systems & Data: 1-2 primary systems used to manage IT changes; reporting structures defined / available; CMDB in place with some data collection automation.

Repeatable
- Strategy & Policies: Basic policy exists to establish authority and responsibility; limited long-term strategy and vision; informal config. planning.
- Processes & Controls: Change / release process is somewhat consistent; informal enforcement / training; process definition beginning.
- People & Organization: Some responsibilities understood; limited training available; CAB established but with only IT; some config. coordination.
- Management Reports: Few metrics defined; data gathered through periodic audits; somewhat frequent (10%) emergencies / failures and change-related outages.
- Methodologies: Basic models are considered, but used inconsistently; mass "data changes" are normal; limited view of configurations.
- Systems & Data: Some auto-data collection, but with manual input; config. data manually held; segregated test environments exist.

Initial
- Strategy & Policies: No strategy or policy for managing change to IT systems exists.
- Processes & Controls: Processes are informal, differ significantly between groups, and are adjusted reactively.
- People & Organization: Change success results from heroics and responsibility not consistent; siloed config. knowledge.
- Management Reports: Only anecdotal evidence available; frequent (>20%) emergencies/failures; frequent change-related outages.
- Methodologies: Process not defined as "request to close"; siloed processes; config. relies on "expert knowledge".
- Systems & Data: Manual or redundant data gathering; accurate config. data unavailable; changes often cause issues.

Legend: Current Maturity; Partial Demonstration; Target Maturity.

Confidentiality Statement and Restriction for Use

"This report (i.e., report of findings/recommendations, table, chart, summary, etc.) provides management with information about the condition of the Port of Seattle's environment at one point in time. Future changes in environmental factors and actions by personnel may significantly and adversely impact these in ways that this report did not and cannot anticipate. This report is intended for use by Management, solely for the purpose of providing direction to its internal. It is not to be used or relied upon by others for any other purpose whatsoever."