02 POS TechRisk 2012 FINAL
Enterprise Technology Risk and Performance Assessment December 2012 Table of Contents Executive Summary 2 Technology Risk Assessment 9 Technology Performance: Benchmark & Metrics Analysis 23 IT Controls Performance Benchmark Results 27 IT Strategic Alignment Benchmark Results 37 Gartner Benchmark Matrix Analysis 45 Technology Performance: Process Maturity Analysis 56 Appendix A: IT Audit Risk Universe 72 Appendix B: Benchmarking Overview 79 Appendix C: Six Elements of Infrastructure 96 Appendix D: Five Elements of IT Governance 103 Appendix E: Capability Maturity Model Matrices 108 1 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: Introduction At the request of the Port of Seattle Commissioners and Executive Team Protiviti was engaged to conduct an Enterprise Technology Risk and Performance Assessment. The project was initiated in the September 2012 time frame and was completed and finalized in December 2012. The scope consisted of Port technology organization wide and included both the Information Communication & Technology (ICT) and Aviation Maintenance departments. The project consisted of two primary objectives: 1. Execute a technology risk assessment resulting in a thee-year IT Audit plan, including direction on staffing levels and appropriate skills sets to complete the recommended audits. 2. Assess the overall management, efficiency and effectiveness of Port information and communication technology assets and services within the following key areas: Strategy, Operations, Investment, Governance and Risk Management This report encompasses the analysis, conclusions, observations and recommendations derived by Protiviti as a result of the procedures it performed. 2 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: Procedures Performed Conducted interviews with key IT and business leads including leadership from the Airport, Seaport and Real Estate divisions, as well as corporate and the audit committee. Requested and reviewed documentation related to core processes, upcoming projects, application inventory, infrastructure, service level agreements, budgets (including budget projections and allocations,) risk management, risk assessments, strategy and operations. Gathered key data points for benchmarking purposes using Gartner and IT Process Institute (ITPI) research sources. Refined benchmarking results to better align with Port's organizational structure and industry. Compiled a technology auditable universe and risk ranked those elements based on key criteria (e.g., impact on strategy, operations, regulation, etc.). Established a three-year IT audit plan based on the IT audit risk ranking exercise. Based on the overall analysis resulting from both the IT Risk Assessment and performance benchmark, documented key observations and recommendations for enhancing overall process and technology maturity and improving organizational interactions. 3 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: High-Level Observations Technology is rapidly changing and absolutely critical to the Port's overall operations. Properly aligned technology capabilities are essential to enhancing the efficiency and effectiveness of the Port's business processes through the protection, reliability, availability, and analysis of business information. IT cost benchmarking analysis conducted by Protiviti indicates the Port's IT functions have effectively managed costs, including the following key results: The Port's IT cost profile is in alignment with comparable industry averages. The Port has generally outperformed comparable industries in controlling IT operations (or "run") costs. The Port has successfully shifted more of its IT spend towards growth and transformation of the business from maintaining legacy infrastructure and applications. The Port's IT processes perform favorably compared to organizations of comparable size and industry-groups. 4 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: High-Level Observations (continued) Opportunities exist to: Further mature certain core IT processes. Continue to align ICT and Aviation IT operations. Explore additional avenues for collaborating and communicating with the Commission and C-Level positions. 5 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: Key Observations & Recommendations IT Governance & Alignment The Port's ICT Governance Board provides effective oversight to major IT initiatives and decisions, including investment, evaluation / prioritization, and risk management. Business units should initiate regular, formal strategy discussions and alignment review processes with the IT functions where they are not in place today. Aviation should continue the close alignment of its technology decision-making and communication processes with the ICT Governance Board. IT leadership does not regularly interact with the Port Chief Executive Office (CEO) or Commissioners. The Port IT functions should establish consistent processes and responsibilities focused on strengthening and continuously managing the relationship with IT's business customers. IT Value & Cost Perception Aviation and Corporate functions require (and receive) a more sophisticated set of IT solutions which in turn require a more sophisticated IT function to deliver them. Other divisions, while not requiring as sophisticated a set of solutions, are still benefiting from a high performing IT function. The basic model for allocating IT costs to business units is generally fair (based on system usage), some of the "lighter" users of IT perceive their allocated share to be excessive. Peer group and performance benchmarking indicate the overall size and cost of the Port's IT function are consistent with the Port's IT objectives. No cost cutting efforts are recommended. 6 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: Key Observations & Recommendations (continued) IT Operational Capabilities, Process Maturity & Alignment The Port IT organization has established a core set of IT processes and capabilities that enable consistent delivery of IT services. The Port should continue to invest in improvements to its IT process, technological, and organizational capabilities including: (1) upgrades to specific data center facilities, (2) expanding the IT security organization, (3) enhancing and maturing IT service continuity processes, and (4) improving the IT service support processes and systems (including change management and service level management). The Port should also continue to align and adopt common processes across IT functions, leveraging the existing ICT processes since they have more established practices and structures and also demonstrate higher levels of maturity. IT Project Intake & Analysis The Port has demonstrated strong execution capabilities for IT projects and investments that are initiated through the ICT Governance Board and IT project management organizations. The Port should establish an enterprise-wide IT architectural review process that is required for all projects with potential IT implications, closely integrating with the existing ICT Governance Board and the Airport Technology Investment Committee. 7 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Executive Summary: Key Observations & Recommendations (continued) IT Internal Audit Function The Port does not have a formal IT audit function with the specific skill sets necessary, which limits its ability to independently assess IT risks. Going forward, the Port should establish its own IT audit planning process within its Internal Audit department. Audit efforts should be closely coordinated with both ICT and AV to ensure scheduling aligns with other IT initiatives and that resources are available. 8 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Technology Risk Assessment IT Risk Assessment Approach IT Risk Assessment The IT risk assessment approach, as presented on the slide that follows, is built on the foundation of Protiviti's Technology Risk Model and uses this framework to identify the universe of potential auditable areas (the risk universe) within an organization's technology footprint. This model utilizes commonly used IT internal control frameworks such as ITIL (IT Infrastructure Library) and CobiT (Control Objectives for IT) to help identify and narrow down the list of potential IT audits. To ensure the effectiveness and accuracy of the process, management involvement and oversight is required through out the effort. The goal is to identify all of the different factors affecting the IT environment and risk rank them appropriately. 10 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. IT Risk Assessment Approach (continued) IT Risk Assessment Key Stakeholders Interviews / Management Review Management Input and Oversight Document and Data Requests and Approval Understand IT Project Phases Understand IT Determine Risk Prioritize Risk Finalize IT Organization and Environment Universe Universe Audit Plan Structure IT Org Charts Applications Key IT Projects CobiT / ITIL / ITPI Risk Universe Geographic Capability Maturity Audit Hours / Infrastructure Processes Locations Model Timeline Key Inputs Voice / Data Audit Scope / Budgets Departments Perceived Risk Networks Objectives Business Applications / Protiviti Required Audit IT Operations Interaction Infrastructure Experience Skills Data Center Project Management Knowledge Sharing Communication 11 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Technology Risk Universe The IT Risk Universe matrix, located in the appendices of this report, is populated with the individual IT elements identified within the Port's IT environment. The risk universe elements were determined through the following sources: Topical areas of interest based on interviews performed and documentation received from various Port sources Data and information derived from the performance benchmark efforts Protiviti experience and methodology Once the IT Risk Universe was populated with the various IT elements, they were categorized as a component, process, application or project as it relates to the IT environment: Protiviti then rated each risk based on its impact to the following criteria: Strategic / Planning Financial Organization / Operations Regulatory / Legal Exposure Service / Marketplace Data Integrity / Information A raw risk rating for each risk was calculated based on the criteria above assuming that internal controls are not in place. We then calculated the final residual risk rating taking into account the strength of the internal control environment. Considerations for the internal control environment rating included results of the performance benchmarks (i.e., maturity of processes), strength of team, focus and level management oversight and focus. The 3 year IT Audit plan is provided on the following slide. 12 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Proposed IT Audit Plan Q3-Q4 FY12 Q1-Q2 FY13 Q3-Q4 FY13 Q1-Q2 FY14 Q3-Q4 FY14 Q1-Q2 FY15 Q3-Q4 FY15 Technology Risk Assessment FY13 Follow-up FY14 Follow-up Risk Assessment Risk Assessment Risk Refresh Refresh Refresh Assessment & Audit Planning End-Point Data Loss Prevention Scheidt Bachman Security Review Review IT Asset Management IT Change Management Review Diagnostic Data Center Review HIPAA Compliance Business Assessment Continuity/Disaster Recovery Review PeopleSoft Post - Implementation Review Audit Plan Management, Reporting, and On - Going Monitoring Audit Planning and Follow-up Audit projects On-going Projects 13 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes The tables below outline the suggested IT audits for 2013, 2014 and 2015 along with the recommended scope of effort, suggested skill sets to execute the review and estimation of necessary hours to complete. 2013 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours PeopleSoft Post- Conduct a post implementation review 1 to 3 Experience with ERP 250 to 300 hours Implementation months after go live implementations Review (PeopleSoft preferred.) Analyze business and IT requirements and verify that the implemented solution aligns with those Good understanding of the original expectations. following: Verify that testing procedures and controls Project risk Management adequately mitigate risk around the system SOD configurations implementation. Native PeopleSoft Ensure that core IT general controls were control configurations considered and applied to the implemented solution. Data Migration and Testing Strategies Review developed roles within the implemented solution to ensure that segregation of duty risks SDLC have been identified and addressed. Note: Protiviti would normally recommend a detailed review prior to go live. However, constricted project timelines and the ability to quickly engage an appropriate party to execute the review may introduce additional risk to the effort. 14 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2013 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours Scheidt Bachman Working with a cross functional Port team support a Understanding of 250 hours Parking System detailed analysis and review of the current Scheidt application architecture Review Bachman install. Strong information security Determine whether core controls are in place and skills (CISSP preferred.) whether they're operating effectively in the following Strong IT audit skills (CISA areas: preferred.) Security: System is protected against unauthorized access (both physical and logical). Availability: System is available for operation and use as committed and agreed, Data integrity: System processing is complete, accurate, timely and authorized. Support substantive testing efforts. Note: the team may also draw upon any PCI testing efforts involving the system. 15 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2013 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours Detailed Data Center Review will cover all in scope data centers Clear understanding of 200 hours Review Data Center design and Review all policies and procedures and other architecture. documentation associated with the management and design of the data center. Knowledge of data center control best practice Assess the redundancy, maturity, and stability of around the following: physical, logical, and environmental controls within the data center. Physical security Determine monitoring and response capabilities of Infrastructure Monitoring IT within the data center environment. HVAC and Review and comment on current data center environmental strategy. management Identify design and management gaps. Power management and Verify the ability of the data center locations to redundancy perform as a recovery sites in the event of a Capacity & Change disaster. Management Preventative Maintenance 16 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2014 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours End Point Security Review policies and procedures associated with the Information Security 200 hours Review management of end-user devices. Certified (CISSP / CISA preferred) Document and assess controls associated with laptop encryption, firewalls, anti-virus, patch Solid understanding of management, and PDA / Blackberry / iphone encryption and available security, etc. end point security products. Assess current toolsets utilized for managing lost to stolen end point devices. Review and comment on end point security strategies. IT Asset Document and evaluate the IT asset management Understanding of asset 300 hours Management Review process to determine overall effectiveness of cross- management lifecycle and organizational IT group's ability to manage IT related toolsets. assets. ITIL Foundations or Evaluate the IT procurement process and Practitioner Certifications associated controls. Assess the overall maturity of the IT asset management procedures using industry leading practices (e.g., ITIL) as a comparison point. Review Maximo and related work flows to validate its effectiveness relative to the Port's asset management lifecycle process. 17 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2014 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours HIPAA Compliance The scope of this assessment includes those Personnel with experience 300 hours Assessment systems and network elements at the Port that evaluating and interpreting store, process or transmit credit Personal Health the HIPAA Security Rule of Information (PHI) including the support processes, 1996 and HITECH. system documentation, and system configurations Strong IT Audit and related to compliance efforts. Information Protection Obtain an clear understanding and document the skills (CISA, CIPP) data flow of how PHI is collected, stored, and protected at the Port. Scope the PHI environment to ensure all of the relevant systems and devices are considered. Assess existing processes and controls in place to protect PHI against the HIPAA Security Rule to determine level of compliance and identify areas of improvement. Test relevant controls to assess operating effectiveness of required controls. 18 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2015 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours Data Loss Prevention Identify relevant regulations and privacy laws Information Security 300 hours Assessment related to the handling and protection of sensitive Certified (CISSP / CISA data at the Port such as: (1) Current state Privacy preferred) Laws, (2) Relevant federal regulations and industry Certified Information guidance including HIPAA (note: credit card data Privacy Professional will be addressed as part of the PCI review.) (CIPP) Review all current policies and procedures related Experience ins the use of to the protection of PII. standard DLP tools (e.g., Review data handling procedures for relevant Vericept, Symantec, departments to determine the following: (1)Types of Websense, etc.) data being collected, (2) How data is being collected and retained, (3) Retention formats (e.g., hard copy, electronic), (4) How long collected data is retained, (5) How retained data is protected, (6) How data is purged, deleted, or disposed of. Identify all applications, databases and data stores where PII is being collected and/or stored. Employ automated DLP tools to scan (1) data in motion within the organization and (2) data at rest on a sample of key company file shares. 19 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2015 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours IT Change Review change management processes, identifying Experience auditing 250 hours Management current risks and control gaps. change control processes. Diagnostic Gain a detailed understanding of the organizational Detailed understanding of reporting structure and key approval positions. ITIL / Cobit frameworks and best practice guidance Identify all core applications and systems for which for Change Control access is tracked and/or that follow the current process. change control process. Strong IT audit skills (CISA Document a detailed data flow chart describing the preferred) current approach by which changes are tracked, tested approved, deployed, etc. Document an approval matrix establishing the appropriate levels and positions responsible for approving user access and changes to Port's IT environment. Identify general efficiency gaps in the current processes as well as unmitigated risks and control weaknesses. Assess Segregation of Duties configurations for critical systems (e.g., developer access to production). 20 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) 2015 IT Audit Plan Estimated IT Audit Recommended Effort Suggested Skill Sets Hours Business Continuity / Assess the overall maturity of the business Clear understanding of 300 hours Disaster Recovery continuity program and to determine whether proper common business Review development and maintenance processes are in continuity frameworks place as dictated by standard BC best practices. (e.g., Business Continuity Institute, Disaster The scope of the review should include evaluating Recovery Institute and testing (where appropriate) the processes and International, etc.) documentation over the following aspects of the business continuity program: Certified Business Continuity Professional Crisis Management (CBCP) preferred. Crisis Communication Training and Awareness Plan Testing Elements Plan Maintenance Activities Disaster Recovery (IT) Planning Business Process Recovery Planning Risk Assessment execution Business Impact Analysis (BIA) execution Strategy Planning 21 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. High-Level IT Audit Project Scopes (continued) In addition to the recommended 3-year audit plan outlined above, we have also provided the following reviews for management's consideration. Additional Potential Projects Estimated IT Audit Recommended Effort Suggested Skill Sets Hours Demand and Detailed review of Demand management process Experience and understanding 250 hours Portfolio with associated controls and KPIs. of best practices around Management Demand, Program, and Evaluation of IT project demands and intake Portfolio Management. processes of technology-related projects both with ICT and Aviation Maintenance. ITIL Foundations or Practitioner Certifications Assess how demands on IT are classified, preferred prioritized and the oversight in place around the assignment of work to the appropriate resources, Solid understanding of Project and management of the execution of work and Management and SDLC validation of service. Vulnerability Assessment of how vulnerabilities within the Port Experience with common 200 hours Management environment (both internal and external) are vulnerability tools (e.g., identified, risk ranked, addressed and monitored Nessus, Qualys, etc.) overall. Typically encompasses the patching CISSP process. Security Strategy Review of overall security strategy and posture, General knowledge of Security 200 hours Review the approach for strategy development, and how strategy development and the strategy is being rolled out. implementation CISSP 22 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Technology Performance: Benchmarking & Metrics Analysis Benchmarking Results Benchmarking Comparisons Protiviti utilized three data points to benchmark the Port's information technology functions across similar organizations: The IT Process Institute's IT Controls Performance which includes comparison data points on organizational size and IT control effectiveness. The IT Process Institute's IT Strategic Alignment Benchmark which includes comparison data points on IT strategy models and alignment practices. Gartner's IT Metrics: IT Spending and Staffing Report for a comparison of IT metrics across a variety of industries. The 2012 version of this report was used in conjunction with prior year reports for multi-year comparisons. This section outlines the results of these benchmark comparisons. 24 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Benchmarking Results Key Themes The Port's IT metrics compare favorably with the North American and comparable industry averages (per analysis of key IT metrics from Gartner). Variations in metrics are within an acceptable margin of the comparable industry averages. The Port may have an opportunity to leverage third-party contractors to help manage costs on some initiatives. Business needs indicate that the primary strategic focus of the Port's IT functions should be on partnering with the business, utilizing a "Process Optimizer" model. The core IT practices to enable this level of alignment are currently in place (per the ITPI Strategic Alignment Benchmark). The need for the "Process Optimizer" alignment model is driven by the expectations of the two largest consumers of Port IT services: Corporate and the Aviation Division. The "Process Optimizer" model also effectively provides for the services required by other Port divisions desiring a lower level of IT alignment (e.g., in a "Utility Provider" model); however, the Port's cost allocation methodology may require revision to more accurately reflect variations in IT expectations and utilization levels. 25 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Benchmarking Results Key Themes (continued) The Port's IT processes perform as well as or better than organizations of comparable size and industry-groups (per the ITPI IT Control Performance Benchmark). The Port rates as a "High Performer" with two thirds of its measured IT performance metrics rating better than the benchmark average. The Port may realize additional performance gains (against the benchmark peer groups) with targeted improvements to the 12 "foundational" IT process activities. The Port should consider revisiting these benchmark measurements every 2 3 years. 26 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. IT Controls Performance Benchmark Results 27 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Overview The ITPI IT Controls Performance (ITCP) Benchmark includes control data from 377 organizations of various sizes and industries between 2007 and 2011. The benchmark measures the maturity of 53 process activities as well as 15 key performance metrics. Analysis of the benchmark results compared the Port's performance across 15 performance metrics to the following industries classifications (identified by the ITPI), each of which has relevant similarities to the Port's business model: Energy and Utilities This industry was included based on some utility services provided by the Port. Additionally, the Port can also be viewed as a 'utility' based on the limited number of alternatives within the region. Government & Public Administration This industry was included for comparison based on the Port's status as a public commission. Transportation This industry includes airport services, marinas, and marine ports & services. Professional Services This industry includes real estate operations, commercial building management, IT services, and parking services. Miscellaneous Services This industry was added as some Port services do not fit into other industries as defined by the ITPI. 28 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Overview (continued) While the activities of both the ICT and Aviation Maintenance organizations were considered for this benchmarking exercise, the metrics utilized in the final analysis were based solely on ICT data due to the following factors: Discussions indicated differences in metric availability between the two groups. Aviation Maintenance practices showed a lower level of overall maturity and formality when compared to ICT practices. There are on-going efforts to adopt consistent practices across both groups that will utilize ICT's practices as the target / baseline ICT activities represent a significantly greater volume of IT process activity than Aviation Maintenance. 29 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Results Summary The ITCP Benchmark identified the Port of Seattle as "High Performer" for its peer group. The "High Performer" designation indicates that the controls that have been implemented have improved the overall performance of ICT, and ultimately the business. Analysis of the ITCP benchmark results provided the following key observations: The Port's IT performance levels are consistent with those observed across the benchmarking peer group. Potential opportunities exist for additional IT performance gains with targeted IT process improvements. This analysis and key observations are described in more detail on the following pages. 30 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Industry Analysis The chart below summarizes the Port's ITCP benchmark analysis for key control use and performance, and it compares the Port's scores to the average scores for "High Performers" in the Port's peer group as well as comparable industry groups. Peer Group Scores (By Industry) Port of High Seattle Energy and Government & Professional Misc. Performers Transportation Utilities Public Admin Services Services Performance 66% 67% 50% 52% 33% 45% 52% "Top Half" (10 of 15) (10 of 15) (7.5 of 15) (7.8 of 15) (5 of 15) (6.7 of 15) (7.8 of 15) Key Controls 43% 68% 58% 59% 57% 74% 47% in Use (23 of 53) (36 of 53) (30.5 of 53) (31.4 of 53) (30 of 53) (39 of 53) (25 of 53) Foundational 50% 69% 55% 60% 51% 71% 62% Controls (6 of 12) (8.3 of 12) (6.6 of 12) (7.2 of 12) (6.17 of 12) (8.57 of 12) (7.4 of 12) # of Firms N/A N/A 29 15 6 21 5 Although the Port had fewer key controls considered as "in place" (only 23 of 53) than its peer group or the comparable industry averages, the Port's performance significantly exceeds these industries based on the number of Port performance metrics that are better than half the other respondents (the "Top Half Count"). 31 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Metrics Introduction As mentioned previously, 10 of 15 ICT metrics were higher than at least half of the other participants in the ITPI IT Controls Performance Benchmark. The charts on the next two slides compare the Port's performance metrics to those in the Port's peer group. The average scores are shown as ranges of the 25th to 75th percentile in order to compare the Port's results to middle range of each performer category. Key results and notes related to this analysis are noted below. Metrics of note: The Port's Server to System Administrator Ratio (the number of servers and other devices that can be supported by a single system administrator a key IT efficiency measure) greatly exceeds the average. This is attributable to the Port's investment in virtualized servers and efforts to standardize devices and configurations. Although the Port's Percentage of Late Projects is within the range of it's peer group, it does not fall within the top half percentage of all respondents. Discussions indicate that these delays typically result from resource constraints that are typically out of the project teams' control (e.g., key resources not having availability, stakeholder requests to delay the project, business priority changes). Customer Satisfaction results are based on responses from key Port business personnel interviewed for this project. While not in the top half, these scores show the business views ICT in a generally positive light. The Port does not actively track "Emergency" changes. Rather, changes are categorized as Scheduled or Unscheduled. The project team worked with ICT management to review the Unscheduled changes in order to identify changes that appear to meet the criteria of an 'Emergency' change (i.e., addressing network outages, significant application outages). 32 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Performance Metrics Comparison Peer Group High Performance Measure Port of Seattle Performers Operations Metrics Change Success Rate 98% 95 98% Emergency Change Rate * 7% 3 10% Late Project Rate * 34% 10 50% Server / System Admin (ratio) 225.12 25 123 Support Metrics First Fix Rate (%) 95% 82 95% Incident SLA Rate (%) 100% 90 98% Large Outage Mean time to repair (in hours) * 3 1 4 BOLD GREEN - Performance Metric is better than half of the other respondents in the benchmark * Lower score is better ** Mean score used rather than median 33 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Performance Metrics Comparison Peer Group High Performance Measure Port of Seattle Performers Security and Audit Metrics (based on known security breaches) Security Breaches with No Loss (%) 100% 99 100% Security Breaches Corrected (%) 100% 90 100% Security Breaches Auto Detected (%) 95% 80 98% Repeat Audit Findings (%) * 0% 0 42% Customer Satisfaction Metrics ** (based on average customer satisfaction survey responses on a 1 -5 Scale ) End User Satisfaction 3 3.9 Business Management Satisfaction 3 3.6 IT Staff Customer Awareness 4 4.2 IT Staff Customer Communication 3 3.6 BOLD GREEN - Performance Metric is better than half of the other respondents in the benchmark * Lower score is better ** Mean score used rather than median 34 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Conclusions & Recommendations Continue efforts to align and standardize IT processes across ICT and Aviation Maintenance. These efforts should improve the overall maturity of the Port's IT processes and simplify the management of key IT systems. The ITPI research suggests that the Port's overall IT performance can realize additional gains by continuing to mature three building block process activities: A defined process to detect unauthorized access; Defined consequences for intentional, unauthorized changes; and A defined process for managing known errors (currently in place). After improving the controls listed above, the Port should explore maturing the additional nine foundational process activities, which will continue to improve performance objectives (see Appendix B for a listing of the foundational activities). 35 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Controls Performance Benchmark Conclusions & Recommendations The Port should consider revising the Change Management Meeting structure to define specific guidelines governing what can be considered as an "Unscheduled Change." The Port should evaluate whether the business has a desire to implement a process to define, report, and measure IT service level objectives. This will help ensure the business understands the desired / requested levels of IT service as well as the IT function's ability to delivery against these objectives. Defined service level objectives will also enable better planning within the IT organization related to meet business expectations. 36 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. IT Strategic Alignment Benchmark Results 37 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark Overview Protiviti utilized the IT Process Institute's IT Strategic Alignment (ITSA) Benchmark study to better understand how the Port's IT function aligns with the overall business strategy. Based on this research, IT organizations fit one of three types when considering IT and Business Alignment: IT Organizational Types Utility Provider Not always engaged with the business. Focused primarily on providing shared information management services and support needs. Process Optimizer Responsive to the business. Focused on shared information management services and support, plus improving business applications and business processes. Revenue Enabler Well integrated into the business. Focused on shared information management services, business process optimization, and technology enabling products and services. The dominant organizational type helps to define and clarify IT's focus and its impact on the overall business strategy. When an IT organization focuses on adding business value without confirming the type fit, it risks becoming fragmented as it attempts to move in multiple, counterproductive directions. Business executives may not clearly articulate the business strategy, IT management may not be actively integrated into the business, or a combination of the two may exist. 38 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark Overview (continued) The ITPI ITSA Benchmark includes control data from 269 North American companies across various industries. This data analyzes nine value attributes, 49 alignment practices, and16 alignment measures to determine the specific practices that enable IT strategic alignment success. This analysis utilized two methods to gather information necessary to conduct this assessment: Key business personnel were polled (via inquiry and questionnaire) on nine questions used to determine the 'type' of IT organization needed to achieve the level of value desired by the business. Facilitated sessions were conducted with the ICT and Aviation Maintenance leadership to gather 89 data points related to alignment practices and measures. After gathering the necessary information, the project team compared the business' expected type of IT to how the IT function has structured itself. Additionally, the project team was able to determine if the Port has implemented the specific strategic alignment practices that have been found to optimize alignment for the desired IT type. 39 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark Nine Organizational Attributes The type of IT Organization identified by the benchmark is determined by specific organizational attributes based on the IT function's focus on the following set of Information Management, Business Process, and Strategic Revenue activities. Attribute Information Management Business Process Strategic Revenue 1. Purpose Provides shared services Enables business unit objectives, Enables technology-based products common infrastructure and and focuses on application and and services to enter new markets information management process improvement to differentiate customer offerings 2. New technology Improve cost and efficiency Meet specific business function Enable new product or service requirements requirements 3. CIO role Operations expert Business manager Corporate strategist 4. CIO reports to Finance or Operations Business unit executive CEO / President 5. IT funding source Independent as shared service Part of business unit budget cycle Part of enterprise strategic planning 6. Success metrics Operating performance SLAs and Project success and business unit Enterprise-level revenue contribution user satisfaction executive satisfaction 7. Business strategy IT is not involved in determining IT collaborates at the business-unit IT plays a proactive role in shaping participation business goals and strategy level corporate strategy 8. Competitive advantage Cutting costs, reducing Optimizing business functions and Creating new technology-enabled contribution inefficiencies, and enabling better business processes to differentiate products and services that change decision making existing products and services the rules of the game 9. Investment justification Cost savings and business Revenue or profit gains from Revenue and profit that are process efficiency gain existing products and services generated by new products or new markets 40 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark The Business Perspective Surveys were sent to leaders within the various business units in order to profile their desired type of IT function. Based on discussion with key business personnel, profiles of the type of IT function desired by the business were identified. These results indicate the type of IT function desired is dependent on the division of the Port in question: The Seaport, Real Estate, Police / Fire, and Capital Development divisions desire an IT function that focuses on providing consistent, reliable connectivity to the applications they use to perform their jobs. This best aligns with a Utility Provider IT function. Corporate and the Aviation divisions desire an IT function that can provide innovative solutions that improve their ability to deliver service to their customers. These needs best align with a Process Optimizer IT function. It is important to note that the majority of IT services (and costs) are currently associated with delivering services to Corporate and the Aviation division. This suggests that the Port's IT function should focus on providing services expected of a Process Optimizer. 41 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark The IT Perspective The results of the facilitated benchmark sessions indicate, we determined that the Port's IT function is most accurately described as a Process Optimizer. The chart to the left depicts an aggregate view of the ICT and Aviation Maintenance results weighted by the number of personnel. Aviation Maintenance personnel tend to function as a Utility Provider which is consistent with their current mandate from the business. The benchmark also suggests that in some situations, ICT's activities can lean towards those typical of a Revenue Enabler. IT's status as a Process Optimizer appears to be aligned with business expectations because the majority of IT services are targeted to Aviation and Corporate The other divisions that desire a Utility Provider may perceive the processes implemented to support the needs of a Process Optimizer to be excessive and Port of Seattle unnecessary. As a result, it is important that cost of these additional services be clearly understood and allocated to the appropriate divisions. 42 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark The IT Perspective Process Optimizer Profile As a Process Optimizer, the Port's IT functions should be focused on providing a common infrastructure and capabilities that support basic information and transaction management. Additionally, the IT function should enable business unit specific objectives and capabilities by implementing applications that optimize key business functions and processes. Below are the key attributes and drivers of IT functions acting as a Process Optimizer: Key Enabler: Business is involved with IT planning and strategy Key Challenge: Balance standardization with unique business requirements. Key Measures: Business unit executive satisfaction Business process efficiency and effectiveness Key Performance Drivers: Actively identifies opportunities to use emerging technology Develops and enforces enterprise infrastructure standards IT investments are justified primarily by business process optimization that enables competitive advantage. Understanding business needs is pervasive at the IT executive and VP level. 43 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. ITPI IT Strategic Alignment Benchmark Conclusions and Recommendations The Port's IT function is appropriately structured as a Process Optimizer to support the objectives of its primary stakeholders within Corporate and the Aviation division. While the other divisions do not desire more than a Utility Provider, the services they receive from a Process Optimizer should be sufficient to meet this need. Port Management should formally select and communicate support for a single IT alignment model to all business units. The Process Optimizer model is likely the most appropriate fit to ensure the same level of service for the Corporate and Aviation divisions. IT functions should be cautious of focusing on alignment practices that overreach the mandate of a Process Optimizer since this could lead to unnecessary additional alignment-oriented activities (and costs). The formula for reallocating IT costs from the Corporate division to the other divisions is viewed as a pain point by "lighter" IT-using divisions. The formula should be reviewed by Management and either reinforced or revised (e.g., to align more closely with the initial IT cost allocation, pre-reallocation, which is based on system utilization). 44 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmark Matrix Analysis 45 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results Approach Overview Protiviti utilized the Gartner IT Key Metrics Data 2012: IT Spending and Staffing Report to compare the Port to other organizations in a variety of similar industries as well as the average for all participants in North America. The following slides show the industry and Port metrics for several key performance indicators. For the purposes of this analysis, the Port was compared to the following industries, each of which has relevant similarities to the Port's business model: Government - State / Local This industry was included for comparison based on the Port's status as a public commission. Professional Services This industry includes real estate operations, commercial building management, it services, and parking services. Software Publishing & Internet Services This industry was included as the Port internally develops customized applications and provides these to some tenants and airlines. Transportation This industry includes airport services, marinas, and marine ports & services. Utilities This industry was included based on some utility services provided by the Port. Additionally, the Port can also be viewed as a 'utility' based on the limited number of alternatives within the region. 46 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results Assumptions Gartner Definitions: IT Spend comes from anywhere in the enterprise that incurs IT costs and it is not limited to the IT organization. It is calculated on an annualized "cash out" basis and therefore contains capital spending and operational expenses, but not depreciation or amortization. Number of IT Full-Time Equivalents (FTE) represents the logical staff to support functions performed by the physical staff, measured in calendar time. This includes all staffing levels within the organization from managers and project leaders to daily operations personnel. This includes both in-sourced FTEs and Contract FTEs. This excludes staff of a third-party vendor (e.g., IT outsourcing), who are not operationally managed by in-house staff, but managed by the vendor. Number of Employees is the count of employees (i.e., head count, excluding enterprise contractors and consultants) regardless of whether these employees are frequent users of the technology supported by the IS organization. This includes full-time and part-time employees or as reported in public record. Operational Spend is the total day-to-day operations and maintenance expenses for this fiscal year that have not been capitalized. This does not include any amortization and depreciation expenses. Capital Spend includes the total capitalized IT spend for the fiscal year. (Full value of capitalized assets acquired in the fiscal year.) This includes investments in new application development and IT infrastructure. (Detailed source data used in this analysis is available in the Appendix) 47 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results IT Spend as % of Revenue / Operating Expense These metrics compare the Port's IT Spending to the Port's Revenue and Operating Expenses. These metrics must be considered in conjunction with other metrics, overall business objectives, and other circumstances that could influence the resulting calculations. % of Port Revenue This metric can assist in evaluating whether the level of investment in IT is aligned with business performance. The Port's IT spend is consistent with the average across comparable industries. NOTE: This metric is not calculated for Government entities. As a result, the Comparable Industry Average also excludes this data point. % of Port Operating Expenses This metric can also provide a perspective on the business' IT investment strategy based on operating expenses which tend to be more consistent year-to-year. The Port's metric is less than 1% higher than the comparable industry average. This metric is likely influenced by how the Port chooses to capitalize some projects. Additionally, organizations with higher IT spend percentages tend to view IT as an enabler which can improve business performance and productivity. This is consistent with the view of IT as a Process Optimizer. 48 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results IT Spending Change Over Time The charts to the left illustrate how the Port's IT spending has changed from 2007 to 2012. Since the Port's IT spending was generally aligned with comparable industries (see previous slide), Protiviti used the Port's 2007 IT spend as a baseline to project what the Port's IT budget would look like assuming it followed Gartner's average rate of change for North America and comparable industries over the 2007 to 2011. This comparison yielded the following key observations: The Port has demonstrated better IT cost control over the 2007-2011 period (net increase of 9%) than predicted by either the Gartner North America or comparable industry averages (net increases of 13% and 15%, respectively). The Port's cost containment results were achieved despite increased capital expenditures in 2008 and 2009 (~70% higher than either 2007 or 2010). These increases were due to several large capital projects, including HCM Upgrade, IP Telephony, and Computer Aided Dispatch (911 system). While significant capital IT projects (like the 2008 and 2009 examples above) are often accompanied by a subsequent increase in IT expense, the Port's IT expenditures have demonstrated effective cost control over the 2007 to 2011 period, as demonstrated by the following results: Expense increased by only 7% (net) over the period. The Port's cumulative IT expenditures for the period were within 2% and 3% of the amount predicted by the Gartner comparable industry and North America averages. 49 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results IT Spending Supporting Growth and Transformation This metric looks at how IT's investments are spread between maintaining the existing IT environment and infrastructure (Run); developing and enhancing technology to support business growth (Grow); and implementing technology to introduce the Port to new business opportunities (Transform). The Port has generally outperformed comparable industries in controlling its "run" costs and has shifted more of its IT spend on growing and transforming the business. This is likely attributable to: Cost reductions in supporting the IT infrastructure (i.e., server virtualization, device standardization) Viewing the IT function as an enabler of business objectives also impacts these allocations as the IT function prioritizes investments in projects that will grow or transform business operations. 50 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results IT FTEs as a % of Employees This metric compares the ratio of IT FTEs to the number of employees / users they support. This ratio helps to determine whether the IT function's staffing is aligned with business needs. On initial analysis, the number of employees supported by Port IT personnel appears to be high (7.2%). However, Port IT personnel support end users who are not Port Employees (i.e., contractors, tenants, airline users). Adjusting the metric to account for these additional users better aligns the Port's ratio (5.2%) with the average results. The percentage of IT FTEs across related industries varies, however the average percentage across related industries is 5% which is slightly lower than the Port's average of 5.2%. The Port's ratio may be attributed to the Port IT function acting as a "Process Optimizer" which typically employs additional resources that specialize in addressing specific business needs. This is similar to the Professional Services and Software Publishing & Internet Services industries. 51 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results IT Spend Per Employee This metric looks at the average IT spend per Port employee. This provides an indicator of the level of IT support received by the end users. The initial analysis shows the Port's IT Spend per employee is ~$2,000 higher than the comparable industry average although lower than some comparable industries. However, like the IT FTEs as a % of Employees metric, this does not account for non-employees supported by the IT functions. Adjusting the metric to account for the additional non-employees brings the average IT spend below the comparable industry average. The actual value of this metric should be viewed as between the employee only and all user values as the same level of service is not required between Port and non-Port employees. It should not be considered unusual for the Port to have a higher than average IT spend per employee given the number and diversity of systems supported by the IT functions. 52 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results Use of Contractors This metric compares the use of internal versus external resources in delivering IT services. Contractors enable the organization to remain flexible to changing business conditions. However, reliance on contractors for extended periods can be costly and may adversely affect efforts to implement a standardized approach. The majority of IT services at the Port are provided by internal ICT or ET resources. This reliance on internal resources is an outlier in comparison to other industries. Recent changes to Port procurement requirements and limitations on the time period contractors can be engaged for. Additionally, the use of contractors may be prohibitive based on the complexity and diversity of the Port's operations which require additional time to onboard contract resources. 53 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results Conclusions & Recommendations Due to the Port's complex environment and diverse service, it is important to consider the Port's metrics in comparison to several different comparable industries. The Port's IT metrics are generally aligned with the comparable industry averages. With the exception of the use of contractors, higher than average Port metrics are not significant outliers and can be attributed to several causes: IT functions acting as a Process Optimizer typically have higher costs and resource needs than comparable industries to support the organization's. With the exception of Professional Services and Software Publishing / Internet Services, most IT organizations in comparable industries tend to act as utility providers. The Port has needed to develop applications to address business objectives because out-of-the-box solutions do not exists to support these objectives. The number and diversity of application within the application portfolio require additional resources and expenses to support. Port IT functions support end-users who are not Port employees. Industry benchmarking should be revisited every 2-3 years to revalidate and re-baseline IT performance. 54 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Gartner Benchmarking Results Conclusions & Recommendations An opportunity may exist to better leverage contractors to assist in delivering IT services to the business and contain IT costs. However, to realize this opportunity, the following sourcing challenges should be addressed (in collaboration between IT and Procurement): Streamline the process of engaging contractors to assist on critical IT projects to allow for "just-in-time" staffing of contractors. Review the policy limiting contract resources to a single year of service. The ramp-up time required for new contractors limits their effectiveness, and could potentially increase IT costs due to this policy. Continue efforts to streamline the application portfolio by consolidating applications with similar functionality and encouraging the use of existing applications rather than implementation of new applications. Business leaders need to identify specific metrics that should be reported by IT to stakeholders (e.g., the ICT Governance Board). Metrics should be shared regularly with key IT stakeholders and trended over time. A subset of key metrics should be identified for regular communication to the Port Commission. 55 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Technology Performance: Process Maturity Analysis Capability Maturity Analysis Approach Overview Over the course of the assessment, the Protiviti project team conducted interviews with ICT and Aviation Maintenance personnel in order to gain a better understanding of how key IT processes were performed across the Port. The specific processes reviewed were: Change, Configuration & Release Program, Project & Portfolio Management Management (includes SDLC) Security Management Continuity Management Support / Service Desk The maturity of each of these processes across all Port IT functions was evaluated using the Capability Maturity Model and the Six Elements of Infrastructure. The Project team also evaluated the maturity of the Port's IT Governance practices across the Five Elements of IT Governance as defined by the IT Governance Institute. Additional information about the Capability Maturity Model, Six Elements of Infrastructure and Five Elements of IT Governance can be found on the following pages. 57 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Results Summary The Port's IT functions have established a core set of IT process, human, and technological capabilities to enable consistent delivery of IT services. Based on the Port's desire to balance cost control with IT performance, this analysis identified a "Defined" level of maturity as an appropriate target for the Port. Areas currently meeting or exceeding the Port's maturity requirements include: Project, Program & Portfolio Management and IT Support & Service Desk. Areas largely aligned with the Port's maturity requirements but with some additional opportunities for improvement include Change, Configuration & Release Management and IT Governance. Areas where additional improvement is required to align with the Port's maturity requirements include Continuity Management and IT Security. Further maturity improvements can be expected as the effort to align and standardize ICT and Aviation Maintenance IT processes are completed. The results and recommendations from this analysis are described on the following pages. 58 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis About the Capability Maturity Model The Protiviti Capability Maturity Model is a methodology, adapted from the SEI Carnegie- Mellon Capability Maturity Model, used to develop and refine an organization's processes. The model describes a five-level evolutionary path of increasingly organized and systematically more mature processes. The model is depicted in the graphic below: Increased Quality & Productivity Potential for increased costs is accepted to ensure process consistency & quality Typical Target Zone: Cost & performance management are effectively balanced Likelihood of increased costs due to process issues & Increased inconsistency Risk & Variability 59 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis About the Six Elements of Infrastructure The Six Elements of Infrastructure (Six Elements) is a tool for categorizing issues, understanding where problems are occurring within the organization, and drawing conclusions to form the basis for recommendations. These capabilities should be a part of every process and function should possess. The Six Elements are identified in the graphic below: The Six Elements are used in conjunction with the CMM to determine the needed improvements in process capability. The following slides outlined specific observations associated with each element of the Six Elements. More detailed explanations of each element are described in the Appendix. (IT Governance is evaluated by the key areas of IT governance rather than the Six Elements of Infrastructure) 60 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis About the Five Elements of IT Governance When assessing the Port's IT Governance activity, the project team used the IT Governance Institute's The Five Elements of IT Governance (depicted below) instead of the Six Elements of infrastructure to identify the specific governance practices and provide a basis for the maturity assessment. IT Governance Practices and Goals Strategic Alignment Linkage between business and IT plans Define IT Value Proposition Aligning IT operations with business operations Risk Management Performance Management Resource Management IT risk awareness and understanding Measure strategy implementation Optimize investment in resources risk appetite Measure value delivery Discipline management of resources Transparency Drive behaviors and improve Align capabilities Accountability and risk management processes Value Delivery Deliver benefits against strategy Execute the IT Value Proposition Improve intrinsic value of IT 61 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis IT Capability Maturity Analysis Summary Current Demonstrated Maturity State: Repeatable to Defined Target Maturity State (1-3 Years): Defined* Change, Continuity Program, Project Configuration & Security Support / Management and Portfolio IT Governance Release Management Service Desk Management Management Optimizing Potential for $$$ increased costs is accepted to ensure process consistency & quality Managed $$ Typical Target Zone: Cost & performance Defined management $ are effectively balanced Repeatable $$ Likelihood of increased costs due to process issues & Initial inconsistency $$$ * Note: Higher levels of maturity may be identified as the "best fit" option once the "Defined" level is consistently achieved by the Port. Current Maturity Partial Demonstration 62 2012 Protiviti Inc Target Maturity CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis IT Operational Processes (1 of 2) Change, Configuration & IT has implemented the AGILE development methodology to facilitate the development process for Release Management custom-developed applications. Development teams utilize Microsoft's Team Foundations Server (TFS) to manage the development process, including requirements for robust development documentation. IT holds a weekly change management meeting to discuss changes that will occur over the upcoming week. However, there is little discussion of the impact of each change during the meeting. A larger than average number of changes are considered "unscheduled" (made outside of the change management meeting cycle) than similar organizations. These changes are not necessarily to address a system outage or other situation. IT is in the process of implementing the Tripwire application for file integrity monitoring; however IT is currently unable to automatically detect unauthorized production environment changes. IT utilizes customized SharePoint ticketing functionality to manage changes and a custom-developed configuration management database (CMDB) tool; however, these data sources are not integrated and the CMDB data is not consistently updated to reflect changes. They are also not integrated with the Service Desk system (Maximo) or TFS. Continuity Management IT has deployed technology that is designed to be resilient and would likely experience minimal downtime during a business interruption. The existing BCM policy has not been updated since 2006 - efforts to update are underway. Existing data centers provide limited geographic diversity - efforts to establish an additional site are in- process. BCM and IT recovery plans have not been fully tested. It does not appear that a Business Impact Analysis has been performed with the business to establish recovery time and point objectives to appropriately scope IT recovery operations. Although Continuing Operations Plans are being consistently developed across the business, there is not a centralized analysis by IT to ensure that recovery plans appropriately consider system downtime. Defined (On Target) Repeatable (Improving) Initial 63 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis IT Operational Processes (2 of 2) Project, Program & Significant efforts have been made to implement a consistent project management approach within IT. Portfolio Management Project Managers and Business Analysts (BAs) have obtained PMP and BA certifications. ICT Governance Board meets at least once a month to report on the progress of the project. IT projects typically are delivered within budget, and 66% of IT projects are delivered on time. In the past, IT has been brought into some business initiated projects after the scope and cost have been established. Efforts have been undertaken to improve integration and communication between IT and Business project management efforts. Projects delivered outside of defined timeline expectations are often the result of changed business project sponsors priorities or key business resources availability. Security Management The Port has recently hired a Senior Manager, CISO with responsibility for the Port's overall security posture. The Port has undertaken efforts to assess their PCI compliance but remediation activities have not be completed consistently. A comprehensive Information Security policy has not been published. Processes have not been implemented to regularly review user access to IT systems. Individuals requesting access to IT systems generally do not know the specific type of access needed. Support / Service Desk A centralized Service Desk has been implemented to handle all in-coming requests. Maximo is utilized by IT to manage, track, and report on incidents and service requests. ICT provides internal users access to a growing knowledge base for user self service. Incidents are tracked and prioritized by severity level. Data show that these issues are typically resolved within internal service level goals. IT personnel focus on addressing incidents. There is minimal focus on incident trending or correlation in order to identify underlying problems, and known error tracking is informal. Defined (On Target) Repeatable (Improving) Initial 64 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis IT Governance Practices Strategy Alignment Clear Governance Board approval requirements have been established for investments exceeding specific thresholds. Governance board is comprised of business and IT executives Based on the results of the ITPI Benchmarks, it appears that the IT functions are appropriately aligned with business expectations. Risk Management IT has conducted a risk assessment and is actively tracking / addressing the identified items on a dashboard. Progress is communicated intermittently in the ICT Governance Board meetings. Ongoing project risks and issues are communicated up to management through formal channels. Key IT risk and key controls have been identified for the Port's financial systems, but these are not necessarily reviewed and verified for all IT systems. Resource Management Turnover is low and few contractors are utilized within IT which enables the staff to better understand key resource capabilities. Skills have been identified for each IT role, and managers regularly review/assess needs. The inventory of skill sets is effectively managed by individual IT managers. Performance Measurement IT has mechanisms in place to gather the information necessary to measure their performance. Information is provided to the executive leadership, but not necessarily at their request. IT has not worked with the business to define service level expectations making it difficult for IT to demonstrate that service objectives are being met. Value Delivery From a PMO standpoint, there are activities in place to confirm capital project requirements are being met, budget is kept, and goals are being achieved. While the concept of "ROI" is not regularly used, post-project reviews validate that goals established in business cases are met by completed projects. Defined (On Target) Repeatable (Improving) Initial 65 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Recommendations (1) Change, Configuration, & Release Management: Incorporate risk-based impact assessment into the change management meeting and change review process. This process should leverage data from the Port's CMDB as well as individuals' knowledge. Key outcomes from this process should include: Designation of different levels of review, approval, and validation required for a change. Increased flexibility in change scheduling and a reduction in "unscheduled" changes (e.g., lower impact / risk changes could be approved with less lead time). Formally incorporate configuration data updates (via the CMDB) into the change management process to help ensure configuration data reliability. These efforts should also include a review of the CMDB data structure to ensure it supports all the needs of the change and support management processes. (Beyond Target Goal) - Complete implementation of the Tripwire file integrity monitoring solution and institute a formal process for reviewing and resolving detected changes. This process should also include defined consequences for implementation of changes without proper approval. (Beyond Target Goal) - Evaluate whether the Maximo application functionality can be extended to support the change management process to enable better alignment between the support and change management processes, and also streamline performance reporting / monitoring for IT processes. These efforts should also consider whether the CMDB data can be integrated with Maximo. 66 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Recommendations (2) Continuity Management: Define a clear schedule for updating the Port's overall BCM policy, aligning Continuing Operations Plans, and creating a cross-department IT continuity plan. Perform a comprehensive business impact analysis (BIA) spanning all Port divisions to establish clear business recovery objectives (RTO and RPO). Continue with in-process plans to establish a recovery site in a different geography than the Puget Sound Region (e.g., Spokane). Perform tests across IT and the business to validate effectiveness of the updated BCP, Continuing Operations Plans, and IT recovery procedures. This could begin with less complex / detailed procedures (e.g., a desktop walkthrough) but should progressively build up to a full end-to-end recovery test for business critical business functions and applications. Project, Program, & Portfolio Management: (Beyond Target Goal) - Continue efforts to align IT and capital project management across the enterprise. As part of these efforts, there should be a formal process for IT architectural / impact assessment at the outset of all capital projects with anticipated IT impacts. This should verify alignment with existing IT architectural standards, consider impacts to compliance frameworks, and evaluate whether other IT risks are effectively mitigated. 67 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Recommendations (3) Security Management: Continue efforts to remediate PCI compliance gaps. As part of these efforts, management should evaluate the resource requirements for the Security organization and develop formal resourcing plans to align with the compliance project objectives. Develop and distribute a comprehensive IT security policy. These efforts should be paired with a formal security awareness program for all Port employees and system users. Define and implement formal user access review processes. These processes should involve validation of user access permissions with the appropriate system owners (where possible, the system owners should be business unit personnel). Formalize the roles / permission sets granted to users for key systems based on job function. These roles / permission sets should be utilized to determine appropriate approvals for granting new or additional access to Port systems. Key incompatible roles / permission sets should be identified (with the business, where applicable) and these should be evaluated at the time of access provision as well as on a recurring basis to verify proper segregation of duties. 68 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Recommendations (4) Support / Service Desk: Define a formal process for identifying and managing problems, including creation of a centralized repository of "known errors" and workarounds (as part of the Port's support knowledge base). (Beyond Target Goal) - Review the design and operation of the existing Maximo service desk solution to identify points of sub-optimization and opportunities to streamline the application for IT and business users. In addition to the design of the Maximo service desk workflows, these efforts should also consider the following: Ease of data entry / collection and opportunities for increased user "self-service" (e.g., providing a sub-set of IT services in a standard "catalog"). Methods for integrating data from the Port's CMDB into the support management processes to assist in reactive incident / problem investigation as well as proactive problem analysis. Feasibility of using the Maximo application to support the service level management and problem management processes. 69 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Capability Maturity Analysis Recommendations (5) IT Governance: Performance Management: Evaluate the business desire for formalized service level objectives and implement a service level management process based on these objectives. These objectives should be defined to align to the specific IT strategies defined for each business unit (e.g., IT as a utility provider vs. process optimizer). Risk Management: Continue to formalize the process for identifying and managing enterprise IT risks. The IT risk management process should be incorporated with the existing ICT Governance Board process and include the following attributes: Define a comprehensive IT risk and control framework (e.g., based on CobiT) that addresses operational systems / processes as well as compliance and financial audit requirements. Encompass the entire IT risk lifecycle, from initial identification and communication, through impact analysis and mitigation plan tracking. Aggregate IT risks across IT (projects, departments, etc.) and provide a consistent basis for IT risk prioritization and analysis, potentially including methods for IT risk quantification. Integrate with corporate risk management practices (e.g., internal audit, compliance). (Beyond Target Goal) - Resource Management: Consider Implementing a formal process for development and ongoing management of IT resource capabilities and skills. These efforts should include establishing skill development roadmaps for employees and working with Procurement to address improved use of temporary / contingency resources. 70 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendices Appendix A: IT Audit Risk Universe / / Organizational Operational / / Component/ Sensitivity Strategic / Planning Service Marketplace Financial Regulatory Criticality) Gross Residual Internal Group Application / IT Risk Elements Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 Aviation Project FIMS Phase II (2012) 7 8 8 3 6 9 700.0 544.4 4 ICT Component Data Center - Airport (C4) 5 9 7 8 7 7 745.0 579.4 4 Aviation Component Data Center - Toll Plaza 6 6 7 9 7 9 725.0 644.4 2 Aviation Process Project Management (Technology related) 7 8 7 6 6 5 665.0 591.1 2 Aviation Application Revenue Control (Parking System) 6 6 7 9 7 8 710.0 552.2 4 Aviation Application FIMS (Flight Information Management System) 7 8 9 4 4 8 690.0 536.7 4 ICT Process Business Continuity Planning 4 7 7 6 6 7 640.0 533.3 3 Aviation Application Physical Security System (Johnson Controls) 5 8 8 3 8 7 680.0 528.9 4 Aviation Application 800 Mhz Communication System 6 8 6 4 8 7 665.0 517.2 4 Aviation Process Change Management - Aviation 5 7 6 6 6 6 615.0 512.5 3 Aviation Process Aviation Investment Steering Committee 7 7 7 7 6 5 655.0 509.4 4 ICT Process User Management 4 8 5 6 6 8 640.0 497.8 4 Aviation Process User Management 4 8 5 6 6 8 640.0 497.8 4 Aviation Project Access Control System Refresh (2013) 5 7 6 5 7 7 630.0 490.0 4 Aviation Application Anti-Virus (Trend Micro) 2 6 8 7 8 5 630.0 490.0 4 Aviation Application Train System 6 7 9 4 4 6 625.0 486.1 4 ICT Component PCI 4 4 4 6 9 9 580.0 483.3 3 Aviation Process IT Asset Management 4 6 6 7 6 5 580.0 483.3 3 ICT Project PeopleSoft Financials Upgrade (2012) 6 8 5 9 7 8 720.0 480.0 6 ICT Process Change Management - ICT 4 8 6 8 5 7 660.0 476.7 5 ICT Component Data Center - Fisher Plaza 4 8 6 7 6 7 660.0 476.7 5 Aviation Component Wireless Networking (AV) 5 7 7 4 6 6 605.0 470.6 4 Aviation Application Common-Use System (CUSE) 6 7 8 6 4 4 605.0 470.6 4 Seaport Application Propworks 4 7 6 7 5 6 605.0 470.6 4 high risk Medium risk Low risk Must do 72 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / Organizational Operational / / / Service Component/ Sensitivity Strategic / Planning Marketplace Financial Regulatory Criticality) Gross Residual Internal Group Application / IT Risk Elements Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 Aviation Application Runway Taxi Systems 4 8 6 2 6 8 600.0 466.7 4 Aviation Application Loading Bridges 4 7 8 4 6 5 600.0 466.7 4 ICT Process Disaster Recovery Planning 5 7 8 7 7 7 700.0 466.7 6 Aviation Application Aviation Maximo 4 7 4 6 7 7 595.0 462.8 4 Aviation Project CUSE Migration (2012) 7 6 8 4 2 8 590.0 458.9 4 Aviation Process Vulnerability and Patch Management 4 6 7 7 7 6 630.0 455.0 5 Aviation Application ASDX (Approach Detection System) 3 9 4 2 5 9 575.0 447.2 4 ICT Process End-Point Security 3 7 6 7 8 8 670.0 446.7 6 ICT Process IT Governance Board 8 7 5 8 6 7 670.0 446.7 6 ICT Process Vulnerability and Patch Management 4 6 7 6 7 6 615.0 444.2 5 Aviation Application Propworks 6 6 6 7 4 5 570.0 443.3 4 ICT Process IT Training 4 7 4 4 7 7 565.0 439.4 4 Aviation Application ID Badge Winbadge Airport System 4 8 6 3 5 5 555.0 431.7 4 Aviation Application Noise Monitoring System 5 4 8 4 7 5 550.0 427.8 4 ICT Project Access Control System Refresh (2013) 6 7 6 5 7 7 640.0 426.7 6 Aviation Application Enterprise GIS 7 6 5 4 6 5 545.0 423.9 4 ICT Component Virus Protection 3 6 7 6 7 8 635.0 423.3 6 ICT Process IT Policy/Process Management 4 8 6 4 6 5 585.0 422.5 5 Seaport Process PMO 6 6 6 4 5 5 540.0 420.0 4 Aviation Application Airport Training System 5 6 5 3 7 6 540.0 420.0 4 ICT Component Wireless Security 4 6 6 6 7 8 625.0 416.7 6 ICT Component Database (SQL) 3 8 4 8 5 8 625.0 416.7 6 Aviation Application CUSS Kiosks & Reporting 7 5 8 5 2 5 535.0 416.1 4 high risk Medium risk Low risk Must do 73 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / Organizational Operational / / / Service Component/ Sensitivity Strategic / Planning Marketplace Financial Regulatory Criticality) Gross Residual Internal Group Application / IT Risk Elements Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 Aviation Application Access Control Video System 4 7 4 4 6 6 535.0 416.1 4 ICT Component LAN/WAN 3 8 8 5 3 7 615.0 410.0 6 Aviation Process Physical Access (AV) 3 9 8 3 8 6 670.0 409.4 7 Aviation Project Elevators and Escalator Replacement 5 7 6 2 6 4 525.0 408.3 4 ICT Project Records and Document Management (2012) 3 7 5 5 8 7 605.0 403.3 6 Aviation Process Project Management Office (PMO) 7 8 6 7 6 5 660.0 403.3 7 ICT Process Project Management Office (PMO) 7 8 6 7 6 5 660.0 403.3 7 ICT Application E-Mail (Exchange) 5 9 8 2 7 6 660.0 403.3 7 ICT Component Active Directory Management 4 7 7 5 4 7 595.0 396.7 6 Aviation Project Safety Management System (Currently in RFP Process) 3 6 6 2 7 5 510.0 396.7 4 Aviation Process Aviation Communications Center (ACC) 4 7 7 3 7 6 595.0 396.7 6 Aviation Application Facility Management System (FMS) 3 7 4 4 6 5 510.0 396.7 4 ICT Process Backup and Recovery (i.e., Backup Replication, Deduplication) 4 5 4 6 7 7 545.0 393.6 5 Aviation Process Backup and Recovery 4 5 4 6 7 7 545.0 393.6 5 ICT Project Enhanced Client Security (Compliance Initiatives 2013) 4 5 7 6 7 6 590.0 393.3 6 ICT Project Security Checkpoint Wait Time (2012) 6 6 7 2 8 6 590.0 393.3 6 Aviation Project Airline Activity Management System (2012) 5 6 7 3 3 5 505.0 392.8 4 Seaport Process Physical Access (SeaPort) 3 7 6 2 6 4 505.0 392.8 4 Aviation Application Water Supply System 5 5 5 5 5 5 500.0 388.9 4 Police Application Public Safety CAD 5 5 5 5 5 5 500.0 388.9 4 Aviation Application Flight and Fleet 5 5 5 5 5 5 500.0 388.9 4 Seaport Application Marine Domain Awareness 5 5 5 5 5 5 500.0 388.9 4 Seaport Project Seaport Security Grant Round 7 5 5 5 5 5 5 500.0 388.9 4 high risk Medium risk Low risk Must do 74 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / / / / Service Marketplace Financial Regulatory Component/ Sensitivity Group Application / Gross Residual Internal IT Risk Elements Strategic / Planning Organizational Operational Criticality) Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 Aviation Application Ground Transportation Management System 5 5 5 5 5 5 500.0 388.9 4 Fire Project Fire Systems Replacement 5 5 5 5 5 5 500.0 388.9 4 Department ICT Process IT Asset Management 4 6 6 7 6 5 580.0 386.7 6 ICT Process Release Management 3 7 3 6 5 7 535.0 386.4 5 ICT Project Maximo Enhancements and Upgrades (2012) 5 6 6 7 5 5 575.0 383.3 6 ICT Component Airport Garage Cameras 3 6 4 6 6 6 530.0 382.8 5 Aviation Project Time Clock System (2012) 2 7 2 6 5 6 490.0 381.1 4 ICT Component Port of Seattle Website 5 4 9 4 6 6 570.0 380.0 6 ICT Project Ground Transportation Management System (2012) 5 7 6 2 6 7 570.0 380.0 6 Seaport Component Wireless Networking (SeaPort) 5 6 5 4 5 6 525.0 379.2 5 Aviation Application Baggage System 3 6 7 5 3 3 485.0 377.2 4 ICT Project Cyber Security Info and Event Manager (SIEM) 4 5 5 6 7 7 565.0 376.7 6 ICT Process Incident Management 3 6 7 4 6 6 560.0 373.3 6 Aviation Application Voice Paging System 4 7 8 2 2 3 480.0 373.3 4 ICT Component Remote Access (VPN and Citrix) 3 7 4 4 7 7 555.0 370.0 6 Police Application Telestaff/Time Link 2 6 4 5 5 5 475.0 369.4 4 Fire Application Telestaff/Time Link 2 6 4 5 5 5 475.0 369.4 4 Department Seaport Process Emergency Management 4 6 7 2 4 6 510.0 368.3 5 ICT Process Network Security 3 6 5 4 7 7 550.0 366.7 6 ICT Project Internet Redesign 6 5 7 4 5 6 550.0 366.7 6 ICT Process Capital Requests 7 6 6 6 3 5 550.0 366.7 6 ICT Process IT Budgeting 7 6 6 6 4 4 550.0 366.7 6 high risk Medium risk Low risk Must do 75 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / / / / Component/ Sensitivity Group Application / Gross Residual Internal IT Risk Elements Strategic / Planning Organizational Operational Service Marketplace Financial Regulatory Criticality) Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 ICT Application Microsoft Office Suite 4 9 4 7 4 6 600.0 366.7 7 ICT Application Maximo 4 7 4 6 7 7 595.0 363.6 7 ICT Component Telephony (PBX/VoIP) 4 8 7 2 4 5 545.0 363.3 6 ICT Process Service Desk 6 7 7 4 5 5 585.0 357.5 7 Cap Dev Process Contracting 4 6 6 6 5 4 535.0 356.7 6 Aviation Process Airport Training (e.g., Homeland Security Training, Security Training, 5 6 7 2 7 4 535.0 356.7 6 Airfield Driver Training, Authorized Signatory Training, Fire Extinguisher Training) ICT Project Common-Use Check In Kiosk Expansion (2012) 6 6 7 3 3 6 530.0 353.3 6 Cap Dev Process Service Level Agreement Management 6 6 4 5 7 4 530.0 353.3 6 ICT Project Propworks Upgrade (2012) 6 6 3 6 5 6 525.0 350.0 6 Aviation Process Emergency Management 4 7 8 2 5 6 570.0 348.3 7 ICT Component HIPAA 2 3 4 6 9 8 520.0 346.7 6 Corporate Process Physical Access (Corp) 3 7 6 3 6 4 520.0 346.7 6 ICT Process Systems, Networking and Infrastructure Monitoring 3 7 5 4 5 8 560.0 342.2 7 ICT Project Network Firewalls 3 6 3 4 7 7 510.0 340.0 6 Cap Dev Process Procurement (Central Procurement Office) 7 8 4 6 7 4 605.0 336.1 8 ICT Application PeopleSoft (Time Entry) 3 7 3 7 6 6 550.0 336.1 7 ICT Application System Center Configuration Manager (SCCM) 4 7 4 5 6 6 550.0 336.1 7 Aviation Project Automated Vehicle Identification Replacement 3 5 4 5 4 4 430.0 334.4 4 ICT Project CDS Replacement (2013) 5 5 5 5 5 5 500.0 333.3 6 ICT Project Computer Aided Dispatch Upgrade (2012) 5 5 5 5 5 5 500.0 333.3 6 ICT Process IT Strategic Planning 9 5 6 3 4 4 500.0 333.3 6 ICT Application Windows Operation System 7 Upgrade 3 7 4 5 5 7 540.0 330.0 7 high risk Medium risk Low risk Must do 76 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / Organizational Operational / / / Service Component/ Sensitivity Strategic / Planning Marketplace Financial Regulatory Criticality) Gross Residual Internal Group Application / IT Risk Elements Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 ICT Application HP SiteScope (Service Desk) 4 7 4 4 6 6 535.0 326.9 7 ICT Application Nagios (Service Desk) 4 7 4 4 6 6 535.0 326.9 7 ICT Application Compass Intranet Application 4 6 3 4 6 6 490.0 326.7 6 ICT Project SharePoint Extranet 3 5 6 4 5 5 485.0 323.3 6 ICT Application FIM (File Integrity Monitoring - Tripwire) 3 6 3 5 6 8 525.0 320.8 7 ICT Application Tripwire SIM (Security Information and Event Management) 3 6 3 5 7 7 525.0 320.8 7 ICT Process SDLC 5 7 4 6 5 7 575.0 319.4 8 Cap Dev Application Sybase 4 6 3 6 5 7 520.0 317.8 7 ICT Application Oracle DB 4 6 3 6 5 7 520.0 317.8 7 Seaport Project Camera Installation 3 4 4 4 5 4 405.0 315.0 4 Aviation Project Camera Mapping with GIS 4 4 5 3 4 4 405.0 315.0 4 ICT Project ID Badge Software Upgrade (2012) 2 6 3 3 7 6 470.0 313.3 6 Aviation Application System Atlanta (i.e., Provides RVR readouts (barometric, air density, 2 7 2 2 4 5 400.0 311.1 4 etc.) Aviation Application Passer System (i.e. simulations that goes to about 20 miles out) 2 7 2 2 4 5 400.0 311.1 4 ICT Process Configuration Management 3 5 5 4 4 6 465.0 310.0 6 ICT Component Virtualization 7 6 3 3 4 8 505.0 308.6 7 Cap Dev Application Livelink Document Management 5 5 5 5 5 5 500.0 305.6 7 Cap Dev Application Contractor Data System 5 5 5 5 5 5 500.0 305.6 7 Corporate Application RiskMaster Claims & Risk Management 5 5 5 5 5 5 500.0 305.6 7 Corporate Application Budget System 5 5 5 5 5 5 500.0 305.6 7 Corporate Application eBilling Application 5 5 5 5 5 5 500.0 305.6 7 Corporate Application APS Scanning System 5 5 5 5 5 5 500.0 305.6 7 Cap Dev Application PMIS Project ManagementInformation System 5 5 5 5 5 5 500.0 305.6 7 high risk Medium risk Low risk Must do 77 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix A: IT Audit Risk Universe (continued) / Organizational Operational / / / Service Component/ Sensitivity Strategic / Planning Marketplace Financial Regulatory Criticality) Gross Residual Internal Group Application / IT Risk Elements Risk Risk Control or BU Process / Legal Exposure Data Integrity / Rating Rating Environment Project Information ( 10 25 20 15 15 15 ICT Application Tableau (Data Mining) 7 5 4 5 4 6 500.0 305.6 7 Cap Dev Process Warranty Management 3 5 3 6 5 5 455.0 303.3 6 Aviation Application Veramark / Cable Management System 3 5 4 3 2 5 385.0 299.4 4 ICT Application SharePoint 3 7 3 5 4 6 490.0 299.4 7 Aviation Project Business Service Center 5 5 6 2 2 2 385.0 299.4 4 ICT Project Peoplesoft Self-Service (2013) 3 7 3 3 4 5 445.0 296.7 6 Cap Dev Application AutoCAD 6 6 4 4 3 6 485.0 296.4 7 Corporate Component Wireless Networking (Corp) 4 7 4 4 4 4 475.0 290.3 7 Cap Dev Application Bid Management System 4 5 4 5 5 5 470.0 287.2 7 ICT Project Budget System Upgrade (2013) 5 4 3 6 4 4 420.0 280.0 6 Corporate Application Concur 3 5 2 6 5 6 450.0 275.0 7 ICT Application Team Foundation Server (TFS) 2 5 3 4 5 7 445.0 271.9 7 ICT Project Police Records Management System (2012) 3 4 4 2 6 5 405.0 270.0 6 ICT Project Maintenance Management and Scheduling Tool (2012) 3 5 3 4 3 5 395.0 263.3 6 Corporate Application Send Word Now 3 4 5 2 6 5 425.0 259.7 7 Aviation Process Computer Refresh 3 5 4 2 2 2 325.0 252.8 4 ICT Project Enterprise Project Delivery System (2012) (Skire Unifier) 6 5 3 3 2 3 365.0 243.3 6 Aviation Project CUSS Kiosk Expansion 2 3 5 2 2 3 300.0 233.3 4 Corporate Application Plateau Learning Management System (LMS) 3 5 3 2 5 4 380.0 232.2 7 ICT Application Knowledgebase 3 5 5 2 2 4 375.0 229.2 7 ICT Application Self-Service Portal 3 5 3 2 2 3 320.0 213.3 6 ICT Project Rental Car/Bus Maintenance Facility (2012) 2 4 4 2 2 3 305.0 203.3 6 ICT Component Data Center - Pier 69 1 4 2 1 1 4 240.0 200.0 3 high risk Medium risk Low risk Must do 78 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview Benchmark information presented in this report is primarily based on research conducted by the following three organizations: IT Process Institute Organization Overview IT Controls Performance Study IT Strategic Alignment Study Gartner Organization Overview IT Key Metrics Data 2012: IT Spending and Staffing Report 79 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview About the IT Process Institute The IT Process Institute (ITPI) is a not-for-profit organization formed by IT practitioners and academics (Carnegie Mellon, FSU) that supports IT audit, security, and operations professionals Focus: Research, benchmarking, and prescriptive guidance Goal: To measurably enhance efficiency & effectiveness of IT operations & controls Approach: Pairing industry based volunteers with leading university researchers, to identify and study top performing IT organizations The Visible Ops Handbook and Visible Ops Security Based on 5 years studying high-performing IT Operations & Security organizations 100 pages long, dense type but easy to read Over 50,000 copies in print First published in 2004, revised with new content & published again in 2005 / 2007 Owned by the ITPI, jointly developed by IT practitioners and academic research IT Controls Performance Study & Benchmark Survey 330 North American enterprises Designed to evaluate the performance impact of IT Controls. Assumes "controlled" process performs better and defines by how much Answer questions about which IT Controls efforts have the greatest impact Change, Configuration, and Release (CCR) Performance Study & Benchmark Building on ITCP Study findings, 341 companies surveyed Identified 12 leading practices from 57 common approaches to CCR 7 sets of practices statistically predict performance improvements IT Strategic Alignment Performance Study & Benchmark Building on ITCP and CCR Study findings, 269 companies surveyed Identified 3 major IT strategic models and key practices / challenges for each 5 sets of practices that directly impact alignment performance 80 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study Goals and Assumptions Designed to evaluate the performance impact of IT Controls Assumes "controlled" process performs better and defines by how much Answer questions about which IT Controls efforts have the greatest impact The following slides provide additional Information related to this Benchmark Study 81 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study Key Facts Study Demographics . . . Study Details . . . 330 North American companies represented Benchmark surveys completed Dec06 / Jan07 Average IT expenditure: $96.8 million 53% of respondents are IT Director, VP or CXO Mean number of IT employees: 656 89 total questions: 85% of organizations have 1000+ employees 13 Demographic Questions 37% have 10,000+ employees 53 Control Activity Questions A broad range of revenue / operating budgets: 12 General IT Effectiveness Questions 42% between $250M and $1B, 11 Specific Control Performance Questions 41% between $1B and $10B, and New Control Maturity (Likert) Scale 14% from companies with >$10B Existing IT Frameworks 53 Control Activities 15 Performance Measures 5 Books of ITIL Access Controls (10) Operations Measures Change Controls (15) Configuration Controls (7) Support Measures Performance 318 COBIT controls Release Controls (5) Improvement Security / Audit Measures Resolution Controls (9) Customer Satisfaction ISO20000 / 17799 Service Level Controls (7) ITPI Controls Performance Study Research Approach 1: Cluster participants by control use & performance 3: Assess impact of control process maturity 2: Identify Foundational Controls that best predict performance variation 4: Quantify performance improvement potential 82 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Analysis Approach Basic Analysis: 16 5 Performance Clusters are p evident, with: 14 Similar maturity of controls 12 n p p p p p p p p Measure Top Half Count (15) Distinct profiles of IT n p n p p p p p p p p p performance 10 n n n t t p p t t t p p p p l l l n n n n n p t t p p p t t t p p p p t t l l l l l but there is no single determinant 8 n n p t t n t p p p t t t t p p t p t t t p l l l l of performance!! nn n n n t n n n n n n t t p t t t t t t t t t t l l l l l l 6 nn n n n n n n t t t t t t t t t t t t l l l t t t l l l nn n n n t t t t t t t t t l l l l l Several important trends: 4 n n n n n n n t t t t t t l t l l No companies with low control n n n t n t l l maturity had high IT 2 n n n t t t t l l l performance n t t t t 0 t l IT Controls affect performance 0 10 20 30 40 50 60 differently at Small vs. Large Control Count (53) companies Control Maturity matters, especially in Larger companies n Small: Low Use / Low Performance t Small: Moderate Use / High Performance p Large: Moderate Use / Low Performance l Large: High Use / Low Maturity / Low Performance Large: High Use / High maturity / High Performance 83 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Foundational Controls (Smaller Organizations) Low Use / Low Perf. (18%) Research Question: What subset of controls impact smaller organization performance the most? Methodology: Use regression to determine relationship between controls and performance for two smaller organization clusters with Low and Moderate control use Findings: Three controls predict 45% of performance variation in smaller organizations with Low to Moderate control use: 1. A defined process to detect unauthorized access Moderate Use / High Perf. (14%) 2. Defined consequences for intentional, unauthorized changes 3. A defined process for managing known errors Important Note: In this Study, there is no single, distinct boundary between "Smaller" and "Larger" companies the distinction found was between companies that tended to "use" more controls (with a tendency to be "Large") and those that did not (with a tendency to be "Small") 84 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Foundational Controls (Larger Organizations) Moderate Use / Low Perf. (35%) Research Question: What subset of controls impact larger organization performance the most? Methodology: Use regression to determine relationship between controls and performance for two larger organizational clusters Findings: Nine foundational controls predict 60% of performance variation in larger organizations 1. A defined process to analyze & diagnose root cause of problems 2. Provide IT personnel with accurate information about the current configuration High Use / Low Perf. (19%) 3. Changes are thoroughly tested before release 4. Well-defined roles and responsibilities for IT personnel 5. A defined process to review logs of violation and security activity to identify and resolve unauthorized access incidents 6. A defined process to identify consequences if service level targets are not met 7. A defined process for IT configuration management 8. A defined process for testing releases before moving to the production environment 9. CMDB describes the relationships and dependencies between configuration items (infrastructure components) 85 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Assess impact of control process maturity High Use / Low Perf. (19%) Research Question: Does process maturity explain performance difference between two larger organization clusters both with High control use but different levels of performance? Methodology: Test control use and control maturity measures to determine if they are statistically different for these two groups. Group respondents by performance, and assess various maturity measures for practical use Count of foundational controls at process maturity level 4 and 5 had strongest correlation with performance High Use / High Perf. (14%) Findings: Both overall control maturity and foundational control maturity are statistically higher for high performing cluster: Process maturity explains in part the difference in performance of these two organization types Possible Conclusions: Foundational IT controls should be implemented at higher level of process maturity in order to achieve performance improvement Some Process should be monitored for exceptions, and exceptions should be managed with consequences 86 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Performance Improvement Potential In relation to Low and Medium Performers, Top Performers can generally: Authorize and implement 5 - 14 times more IT changes Increase the number of successful changes by 11% - 25% Support 2.6 - 6.6 times more software applications per IT staff Support 1.3 - 1.9 times more servers per System Administrator Increase customer satisfaction by 18% - 30% Automatically detect 12% - 76% more potential security breaches At the same time, Top Performers experience a reduction in: Time spent to repair large IT system outages by 35%58% The number of "emergency" change requests processed by 29%55% The number of late projects by 20% - 50% Unplanned IT work by 12% - 37% Repeat audit findings by 39% - 52% A significant portion of performance differential is due to Foundational Control Use 87 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Controls Performance Study - Key Findings Summary & Conclusions Controls impact smaller and larger organizations differently Three Foundational Controls predict 45% of the performance variation in Smaller organizations Nine Foundational Controls predict 60% of the performance variation in Larger organizations Organizations should monitor and manage process exceptions for Foundational Controls in order to achieve performance improvement Performance improvement potential is significant Top Performers get more done with less Top Performers have much fewer audit & regulatory issues and the cost savings associated with improvements such as reduced unplanned work, increased change success and higher first-fix rates goes directly to the bottom line 88 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Strategic Alignment Study Basic Question: How can organizations manage IT for competitive advantage? Focus: Determine the specific practices that enable IT strategic alignment success. Study Approach: Cluster participants into one of three IT Value Archetypes based on answers to nine attribute questions Identify alignment challenges faced by each archetype Identify practices that optimize strategic alignment for each archetype Establish recommendations on how organization's can transition to other archetypes 89 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Strategic Alignment Study - Key Facts Study Demographics: Study Details: 269 North American companies represented Benchmark surveys completed October 2007 across various industries 49 alignment practices Respondent company annual revenues greater Strategy / Prioritization than $100 million Use of business-linked performance 33% - $100M to $250M metrics 34% - $251M to $1B Governance, Budget, and Prioritization 21% - $1B to $10B practices 12% - >$10B Use of common architecture / standards IT managers and executives Business skills of IT organization 21% - Managers 16 alignment measures on 1-10 scale 42% - Directors Business Alignment 33% - VP / Executive Service Delivery 4% - Individuals Cost Efficiency Agility Innovation 90 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Strategic Alignment Study - Measuring Activities & Performance How did the ITPI determine what data and performance measures to study? 9 Value Archetype 49 Strategic Alignment 16 Performance Measures Attributes Practices in 5 Categories in Five Areas Purpose Strategy and Technology Business Alignment Prioritization Requirements CIO Role Use of Business-linked Service Delivery Performance Metrics CIO Reporting Structure Governance, Budget, & Cost Efficiency Prioritization Practices IT Strategic IT Funding Source Alignment Use of Architecture Success Metrics Agility and Standards Business Strategy Participation Business Skills Innovation Competitive of IT Organization Advantage Contribution Investment Justification 91 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Strategic Alignment Study - The Three IT Value Archetypes Study participants were placed into one of three IT value archetypes based on their answers to nine attribute questions. The IT value archetypes are: Utility Providers are not actively engaged with the business. They focus primarily on providing shared information management services. Process Optimizers are responsive to the business. They focus on shared information management services plus business applications and business process optimization. Revenue Enablers are well integrated into the business. They focus on shared information management services, business process optimization, and technology-enabled products and services. 92 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview ITPI IT Strategic Alignment Study - Key Takeaways The study revealed that: Mixed objectives suggest that each archetype group requires scaled sets of competencies as the organization focuses on more than shared information management services. Specific technologies, IT strategies, and best practices do not apply equally well to all business strategies in all organizations. Practice alignment can be assessed only after verifying that the current IT archetype fits appropriately with the current business strategy. Further, there is a distinction between Business Alignment vs. Business Integration Revenue Enablers have the highest alignment performance scores: They are tightly integrated with the business They have the least control over their budget, but have the highest budget growth Utility Providers have the lowest alignment performance scores: They are more loosely aligned with the business They have the most control over their budget, but have the lowest budget growth 93 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview About Gartner Founded in 1979, Gartner is Technology focused research organization. The Company consists of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events. Gartner's primary audience is Chief Information Officers and other Senior IT Executives. Stats / Sizing 3,700 associates, including 1,200 research analysts and consultants in 75 countries worldwide. Serves 10,000 clients 2005 Revenue US $989 Million 94 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix B: Benchmarking Overview Gartner IT Key Metrics Data The Gartner IT Key Metrics Data reports contain important database averages from a subset of metrics and prescriptive engagements available through Gartner Benchmark Analytics. These database averages do not account for individual variations of unique competitive landscape, business scale, IT complexity or demand which may be justified by specific business needs. Complexity and demand for IT services should always be considered in the context of a cost or performance evaluation as these factors often dictate long term support requirements. IT Key Metrics Data should be used as a high level directional indicator and in the creation of planning assumptions and not viewed as an absolute benchmark. The 2012 IT Key Metrics Data: IT Spending and Staffing Report was used for Protiviti's analysis (prior year metrics reports were used for multi- year trending analysis). Key Findings Average IT spending across all industries increased by 4.4% in 2011 and is expected to increase by a further 4.7% in 2012. From 2010 to 2011, average IT spending as a percent of revenue increased from 3.5% to 3.6%, and IT spending as a percent of operating expense increased from 4.3% to 4.5%. In 2012, IT spending as a percent of revenue and IT spending as a percent of operating expense are expected to drop to 3.2% and 4.0%, respectively. IT spending per employee, at $12,708, rose by 2.9% compared to 2010, and it returned to a value similar to that seen in 2009. IT full-time equivalents (FTEs) as a percent of total employees, at 5.3%, remained nearly unchanged since 2009. 95 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure The Building Blocks of Maturity The other model used to evaluate Capability Maturity is Protiviti's "Risk Management Infrastructure" model, which demonstrates the business components of a quality process. The "6 Elements of Infrastructure" Describes the components needed to ensure quality & risk management Are generally designed from left to right as shown above Each component contributes to the overall process maturity of each area Describes the "necessary ingredients" for mitigating risk to strategies the business deems critical 96 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure Business Strategies and Policies In this component of the Six Elements, the formal Business Policy framework includes specific guidelines as well as the more general principles that apply to all aspects of the business and management of its risks. Policies enable process owners to understand what the organization intends to accomplish with a process. Policies are linked to strategy; they put strategy in play. These policies: Articulate the selected process objectives so that process owners and personnel will understand what the risk management capabilities are intended to accomplish. Guide management and process owners toward achieving specific process goals, implementing specific risk strategies, designing specific processes, using designated products, executing specific transaction types, and complying with specific risk tolerances and expected standards of conduct. Help senior executives and the Board clarify their understanding of the process and the related impact on the business. 97 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure Business and Risk Management Processes In this component of the Six Elements, Business Processes: Are the primary means of executing business strategies and policies. Contain inputs, activities and outputs that are integrated with business processes. Should contain operational risk controls that are built into day-to-day processes. Are the sequence of activities and tasks that must be performed and are described precisely by process owners to achieve the desired process objectives. Promote a clearer understanding of the activities requiring the most attention from a risk management and control standpoint. Risk responses and control activities are desirably integrated within business processes because risks are best managed and controlled as close as possible to the source. This risk element is deficient if the process does not carry out established policies or achieve the intended result. 98 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure People and Organization Structure In this component of the Six Elements: People execute processes. Key tasks are assigned to people with the necessary knowledge, skill, and expertise. As people take on new risk management responsibilities, their roles, accountability and relationships with other risk owners should be clearly defined. Process owners should be satisfied that everyone's job is clearly spelled out so that they can hold people accountable, both within and outside the organization. Roles and responsibilities of risk-taking versus risk-monitoring functions should be clearly defined and delineated. Process owners are accountable for losses experienced with undesirable risk incidents occur. Key tasks are assigned to people with the requisite knowledge, skill, and expertise. Roles and responsibilities of risk-taking versus risk-monitoring functions must be defined and delineated. This risk element is deficient if people lack the knowledge and experience to perform the process. 99 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure Management Reports In this component of the Six Elements: Reports should be actionable, easy to use and linked to well-defined accountabilities. Reports are designed according to the information needs of people who are responsible for executing processes in accordance with the risk strategy. Personnel with risk management responsibilities use reports to monitor achievement of objectives, execution of strategies, and compliance with policies. Management reports include position reports, transaction reports, management and board reports, valuation / scenario analyses and comprehensive reports. Factors to consider when reporting on frequency include the volatility or severity of the risks, the needs for the user and the dynamics of the underlying business activities. Reporting on risks is integral to an organization's success as reporting on quality, costs, and time. This risk element is deficient if reports do not provide enough information for management. 100 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure Methodologies Methodologies organize key tasks and a working body of knowledge within a logical, well-structured framework. Effective methodologies help managers: Identify, quantify and prioritize risks. Source risk to its root causes and key drivers. Support the analysis of risk / reward trade-offs and portfolio diversification. Price products and services to adequately compensate for risks undertaken. Evaluate cost effectiveness of risk mitigation alternatives and allocation of capital to absorb potential losses. This risk element is deficient if methodologies do not adequately analyze data and information. 101 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix C: Six Elements of Infrastructure Systems and Data In this component of the Six Elements, Systems and Data: Support the modeling and reporting that are integral to risk management capabilities. Provide relevant, accurate, and on-time information. Should meet the company's business requirements, and be flexible enough to allow for future enhancement, scalability and integration with other systems. Systems and data typically include: Transaction systems and analytical software. Systems that identify and capture risk drivers. Systems and databases that warehouse key data elements relating to specific tasks. Special-purpose systems that quantify individual risks and aggregate portfolios of risks or provide risk analytics. This risk element is deficient if information is not available for analysis and reporting. 102 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix D: Five Elements of IT Governance Strategic Alignment Objective: IT Governance Practices and Goals Determine if a relationship exists between IT and business objectives and if this Strategic Alignment relationship has been established through participation between both IT and Risk Performance Resource business management. Management Management Management Value Delivery Example Review Documents: IT Strategic Plan Third Party service provider agreements and RFP process Typical Areas of Concern: Is IT management aware of the overall business strategy? What is IT's involvement in defining the business strategy? Do current IT initiatives relate to one or more of the organization's strategic objectives? Is there a clear line of communication between IT and business management? How do third party service providers support business objectives? What IT archetype is necessary to support the business objectives? 103 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix D: Five Elements of IT Governance Risk Management Objective: IT Governance Practices and Goals Determine if activities are conducted relating to the identification and analysis of Strategic Alignment risks impacting the achievement of business objectives and the preparation of Risk Performance Resource financial statements. Management Management Management Value Delivery Example Review Documents: Business Continuity and Disaster Recovery Plans and Test Results IT Risk Assessment Third Party Service Provider Agreements and Request For Proposal Policies and Procedures Typical Areas of Concern: Is a process in place to assess, address, and communicate IT risks to key stakeholders and executive management during the project, change, and release management processes? How does IT select and manage third party vendor relationships? Does a business continuity and disaster recovery plan exist and is it tested on a periodic basis? Does a risk management plan exist and are risk management activities incorporated into project, change, and release management process? Do discussions between IT, Business, and Compliance leadership occur in order to identify ways in which the IT environment can assist in strengthening the organization's control environment? 104 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix D: Five Elements of IT Governance Performance Management Objective: IT Governance Practices and Goals Determine if the effectiveness of IT systems, processes, and personnel, internal Strategic Alignment and external, are being monitored for alignment with business needs. Risk Performance Resource Management Management Management Value Delivery Example Review Documents: Performance metrics for services, projects, processes, and systems Reports of IT's performance against defined metrics to key stakeholders and executive management Third Party Service Level Agreements Incident and Problem Management Policies and Procedures Cost Allocation Policies and Procedures Typical Areas of Concern: Does the IT organization report performance metrics to key stakeholders? Are processes in place to review key performance metrics and correct items falling below a reasonable level? Do performance management activities consider both internal and third party IT activities? Is IT performance reported in IT or Business terms? Are the metrics operational, strategic, or both? Is a process in place to establish performance metrics based on changing business needs? Do the Board of Directors and Executive management have an awareness of IT performance based on quantifiable data? 105 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix D: Five Elements of IT Governance Resource Management Objective: IT Governance Practices and Goals Determine if adequate activities are being performed to align the use of Strategic Alignment resources (applications, information, infrastructure, people) to meet the needs Risk Performance Resource of the business. Management Management Management Value Delivery Example Review Documents: IT Organization Chart IT Job Descriptions Sourcing Strategy for IT projects IT Segregation of Duties Requirements IT Asset Management Policies and Procedures Typical Areas of Concern: Are processes in place to assess and implement IT segregation of duties? Has an IT sourcing strategy been established that align with business objectives? Do IT resource dedicate more time to operational or strategic objectives? Does the IT department have processes in place to facilitate knowledge sharing within the department and with the business? Have IT resources (employees, applications, hardware) been optimized to support business objectives? Have formal job descriptions and reporting relationships been created and communicated for all IT positions? Has an asset management program has been established? 106 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Appendix D: Five Elements of IT Governance Value Delivery Objective: IT Governance Practices and Goals Determine if IT is effectively managing costs as they relate to meeting business Strategic Alignment objectives and communicating this management to the appropriate individuals. Risk Performance Resource Management Management Management Value Delivery Example Review Documents: IT Steering Committee Meeting Minutes Policies and Procedures for the Development and Management of IT projects IT Budget Typical Areas of Concern: Is there a clear relationship between IT project performance indicators and business objectives? Has the IT budget been communicated to business leadership? Does business leadership understand the investments that have been made in IT? Does IT actively communicate the expected and realized value of IT projects? Does the business rely on the integrity and accuracy of data captured and reported by IT systems? Do IT and business leaders meet on a periodic basis to review the current and upcoming IT initiatives to reassess alignment with business objectives? 107 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Change, Configuration and Release Management (includes SDLC) Strategy & Processes & People & Management Methodologies Systems & Data Policies Controls Organization Reports Close alignment of CCR processes are Matrixed functions/ World-class process Costs/benefits/risks Real-time system change, configuration, formally enforced, roles adjust quickly to performance; All measured and controls prevent service and release (CCR) automated, monitored initiatives; Ownership, changes are "normal"; balanced in portfolio of interruptions; Excellent Optimizing practices with business statistically, and are roles, standards and System outages are changes, releases, and data integrity; strategy; New initiatives proactive (i.e., "near cross-training are rare and well-planned projects across Automated config. data are agile and misses" identified) inherent in operations infrastructure prevalent successful CCR policy/objectives CCR processes are CCR ownership/roles Management by Process performance Integrated change ingrained into IT integrated; Enforced by evident; Cross-training exception; Few (<1%) benchmarked to plan process systems; increased Costs Managed governance practices; some preventive limits failure points; emergencies/failures; for future; Config. "Real-time" trending; Service measures controls; Monitoring Config. teams support Config. data proactively integrated with other IT Integrated CMDB with designed into process capability exists multiple BUs managed processes automated detection Policy and strategy Practices understood, CCR roles defined; KPIs analyzed Models include impact 1-2 primary systems define objectives for but largely manual; Process ownership periodically; Service analysis & risk used to manage success; Policy Releases include clearly established; thresholds in place; mitigation activities; IT changes; Reporting Defined emphasizes that "no rollback plans; Config Process awareness Success measured in process integration structures defined/ unauthorized changes" impact analysis In widespread; Some terms of ROI/TCO; beginning; History of available; CMDB in are made place; Detection of cross-training; CAB Infrequent (<2%) changes is traceable place with some data failures is unlikely includes business emergencies/failures (e.g., at CI-level) collection automation Basic policy exists to Change/release Some responsibilities Few metrics defined; Basic models are Some auto-data Typical Target Zone establish authority and process is somewhat understood; Limited Data gathered through considered, but used collection, but with responsibility; Limited consistent; Informal training available; CAB periodic audits; inconsistently; Mass manual input; Config. Repeatable long-term strategy and enforcement/ training; established but with Somewhat frequent "data changes" are data manually held; vision; Informal Config. process only IT; Some config. (10%) emergencies/ normal; Limited view of Segregated test planning definition beginning coordination failures and change- configurations environments exist related outages No strategy nor policy Processes are informal, Change success results Only anecdotal Process not defined as Manual or redundant for managing change to differ significantly from heroics and evidence available; "request to close"; data gathering; IT systems exists between groups, and responsibility not Frequent (>20%) Siloed processes; Accurate config. data Initial are adjusted reactively consistent; Siloed emergencies/failures; Config. relies on "expert unavailable; Changes config. knowledge Frequent change- knowledge" often cause issues increased Costs related outages 2012 Protiviti Inc Current Maturity Partial Demonstration 108 CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Continuity Management Strategy & Processes & People & Management Methodologies Systems & Data Policies Controls Organization Reports Business continuity Comprehensive, BCM operates as a core Relevant information BCM analysis is BCM program is aligned management (BCM) is organization-wide BCM business function, regarding key threats continuously and with enterprise systems advertised internally and processes are aligned chartered with clear and impacts are systematically improved; in near real time; New externally as a with strategic objectives accountability and available with little notice; Continuity risks are technologies are pursued Optimizing competitive advantage; and customer responsibility; Continuity reporting is a analyzed in relation to to ensure BCM success; BCM is used to drive expectations; World- Personnel are well normal part of operations strategic decisions BCM program leverages strategic goals and class process trained regarding their enterprise data to internal efficiencies performance roles and duties improve BCM BCM policy and Threats understood and Dedicated department BCM program BCM data is analyzed in Information regarding objectives are ingrained proactively managed; maintains plan content & effectiveness reported to the context of overall BCM risk is readily into IT governance BCM practices address conduct tests and and understood by upper risk; Enterprise risk available and used by increased Costs practices; Service recovery objectives and exercises; Cross-training management; Reporting assessments include line of business Managed measures designed into regulatory compliance; limits points-of-failure; is used to ensure BCM-related analysis. managers as well as BCM processes and BCM processes Clear process ownership recovery objectives are Analysis incorporates BCM program managers testing schemes formalized and plans well and management met and to improve BCM special circumstances. maintained support plans Policy and strategy Formal BCM process or Roles have been created All key measures Regulatory or industry Continuity information is define objectives for lifecycle has been for those responsible for analyzed periodically; planning standards collected in a systematic success; Recovery designed and deployed; BCM and IT DR; process Metrics require some consistently integrated way that can be Defined processes are formally Risk assessment and ownership established refinement; Service into risk mitigation and leveraged across defined and integrated business impact analysis with widespread training thresholds established; BCM program departments; Data is into the BCM program have been performed and awareness Processes in place to available for key BCM keep BIA current decisions Typical Target Zone IT disaster recovery (DR) The organization's BCM BCM and IT DR are part- Reporting tactical; Basic models are Some issues such as IT planning is the focus; processes include crisis time roles, exist in silos, Reports may be inconsistently utilized; DR collect relevant data Repeatable Testing focused on management, business and unintegrated; limited distributed Analysis is but it is isolated, not component recovery; resumption or IT DR training indiscriminately limited/isolated comprehensive, and not BCM is decentralized shared Focus is data backup; BCM is ad-hoc; A formal BCM ownership not BCM reporting non- "Best effort" is employed Very limited ability to Processes developed in plan does not exist for clearly defined or simply existent; Only anecdotal for a methodology and collect data on the BCM Initial silos; Expectations are testing or awareness added to the role of IT evidence available; Lack "best guess" is used to program other than direct undefined without risk operators; Success of confidence in the identify business management of assessment depends on heroics ability recover requirements continuity vendors increased Costs 2012 Protiviti Inc Current Maturity Partial Demonstration 109 CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Program, Project & Portfolio Management Strategy & Processes & People & Management Methodologies Systems & Data Policies Controls Organization Reports Portfolio alignment PMO processes Designated Centers of Key PMO metrics PMO framework IT demand, program, strategies frequently standardized into all Excellence support continuously balance enables continuous and project data evaluated. Portfolio enterprise practices. distributed hybrid cost, return, risk and portfolio modeling. integrated to allow Optimizing management is agile & "Near misses" identified teams. Standards & time to allow historical Portfolio optimization historical & forwardsupports changing & corrected. training ingrained into & leading measures. occurs in "real time." looking analysis. objectives. operations. Policy & objectives PMO processes Process/initiative Management by PMO framework Process/project ingrained into project enforced by effective ownership evident exception. Analysis of integrates demand & management systems increased Costs Managed oversight practices. automated/ preventive throughout enterprise. benchmarks used delivery to develop fully integrated. Allow Service measures controls & monitoring Training ensures no frequently to evolve portfolio balancing view of demand vs. designed into process. capabilities. single points-of-failure. processes/projects. scenarios. delivery capabilities. Policy & strategy are PMO practices widely PMO process Key project & portfolio Portfolio & demand 1-2 primary systems defined with objectives understood, but may be ownership is defined. measures (cost, return, management are used to manage for project & investment largely manual. Awareness/training time, risk) defined & integrated into daily processes & gather Defined success. Processes becoming widespread; common analyzed regularly. operations. Effective data. Reporting consistently applied. PMO oversees some use of control "gates" & structures defined & portfolio capabilities. value measurement. readily available. Basic policy or standard PMO processes Multiple PMO functions Few project/portfolio Common project Some automated data Typical Target Zone to establish somewhat consistent may exist. Some metrics are defined. practices defined, but collection, but may be management between groups, but project/portfolio Project investment not always followed. redundant or highly Repeatable intent/mission for may lack enforced management exists, but return is assessed by Cost/benefit analyses manual. Data sources demand and project standards tools and/or inconsistent execution periodic audits and/or inconsistently applied. may lack integrity/ management exists. training. capability. manual measurement. integration. Project standards and Project management is Formal PMO & demand Only anecdotal No overall project Manual/redundant portfolio strategy do not reactive, managed management functions evidence available for methodology exists; methods used to gather Initial exist or are highly informally and very do not exist; project, demand and siloed/inconsistent data about projects and informal. inconsistent across responsibility is portfolio capabilities. processes & standards overall demand or enterprise. dispersed. in use. priorities. increased Costs Current Maturity Partial Demonstration 110 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Security Management Strategy & Processes & People & Management Methodologies Systems & Data Policies Controls Organization Reports Optimizing N/A Not Applicable to Most Organizations Information security Standard information Centralized security Security reporting to Comprehensive security A single security strategy aligned with security processes function with highly management is routing methodology integrates dashboard is available to IT/business strategy; emulate and evaluated qualified staff routine, complete, and all key components: provide real time data Relevant policies in place based on best practice; coordinates and enforces clear; Performance and strategy, policy, risk from a number of Managed and adaptable to external Risk management objectives; Roles evolve risk-based metrics management, core perspectives; Automated conditions and business integrated with other risk over time with provide an overall view of processes, metrics; data feeds pull from all needs sourcing activities training/technology the organization Performance security processes increased Costs improvement continuously identified Information security Standard information Centralized security Management regularly Comprehensive security Processes have been strategy is formally in security processes are function with receives reports in a methodology integrates integrated into core place and supported by documented and knowledgeable staff consistent format and is most key components: security functions to relevant policies; Senior consistently performed; coordinates and enforces comfortable with the strategy, policy, risk gather business-relevant Defined management actively Processes are driven by objectives; Roles content provided; Key management, core security data; Automated supports security formal risk management defined to ensure measures are assessed processes, metrics; feeds and processes initiatives; Policies are which determines accountability across the and used to identify risk Performance streamline the process regularly updated resource allocation organization areas/modify strategy improvement regularly identified Typical Target Zone Core information security Informal core information Security roles and Few metrics defined; Methodologies are in Basic and/or manual policies are documented; security processes are in responsibilities are in in Metrics are collected place for specific security solutions in place for the policies meet relevant place; Processes may place; Key individuals regularly but not functions which provide a collection of data for Repeatable regulatory requirement, not be documented, have appropriate skills to necessarily in a common language; specific security but may not be fully current, or are not perform job functions; consistent manner; opportunities for functions; Data tends to enforced systemically enforced Training is available and Metrics typically audit improvement identified be operational in nature, encouraged driven not risk/value-oriented Information security Core information security Security roles and Reporting on information Formal methodologies Limited automated strategies and policies do processes are not responsibilities have not security functions is are not in place to assist security solutions are in not exist or are ad hoc in formalized; A formal risk been defined to ensure informal or does not with understanding risks place; Quantitative nature; Senior assessment process is comprehensive coverage provide adequate insight and performing security measures are not Initial management does not not in place to prioritize and individual into the current state of functions; Functions are integrated into security sponsor security and address risks and accountability; Success security unpredictable and in a solutions to allow for initiatives, or is unaware security activities are relies on individual constant state of flux value measurement increased Costs of related security risks. reactive heroics; training is informal 111 2012 Protiviti Inc Current Maturity Partial Demonstration CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Support / Service Desk Strategy & Processes & People & Management Methodologies Systems & Data Policies Controls Organization Reports Support is aligned with Efficient Service Desk Service Desk is Industry leading KPIs; Service Desk enables Technology enables self- IT/business strategy; function integrates core knowledgeable, Specified thresholds, continuous IT diagnosis/ prevention; Strategy and process IT processes; Customer proactive, and enables targets and effectiveness improvement; FAQs and Tools enable dynamic & Optimizing are agile and adapt to service & advocacy business; Standards and metrics used to known error database static reporting, both changing business focused; Use "best" cross-training are proactively improve are integral to support historical & predictive needs practices ingrained performance operations Policy & objectives Service Desk function Centralized Service High-quality static, Centralized Service Extensive use of ingrained into IT established; Incident/ Desk closely aligned dynamic, and predictive Desk is single point of automation integrated increased Costs governance practices; problem integrated with with other IT functions to incident/ problem contact; Knowledge- into daily operations; Managed Service measures IT processes; Monitoring prevent issues; Roles, reporting ; KPI trending base established; High Integration of designed into process capabilities exist training, and incentives used to prevent incidents use of KPIs for technologies across all in place performance analysis IT processes Policy & strategy define Incident/problem Centralized Service KPIs and underlying Service Desk centralizes Stable technology objectives for support formalized and reflect Desk roles well performance analyzed incident/ problem integrates incident/ functions and day-to-day practices; understood by IT/ periodically; Service processes; IT process problem processes; Defined relationship with Processes are heavily business; Some cross- thresholds in place; integration beginning; Beginning to integrate business; Formal manual, but with some training occurs, but Formal reporting Developing FAQs/user with other key IT policy/procedures automation mostly informal techniques are used guidelines processes (e.g., CCR) Basic support policy and Incident process Experienced support Few metrics defined; No Basic Service Desk Minimal automated Typical Target Zone strategy exist; Focused focused on reactive staff assigned, but are process, resource, or model to support incident workflow /escalation on incident response resolution; Little problem reactive; Some satisfaction metrics management, but may automation; Support Repeatable capability; Process understanding of used; KPIs data may be be used inconsistently. request management documented but little responsibilities; Informal available, but not used largely manual with enforcement training only for improvement individual monitoring IT support functions No standard incident/ Call center/help roles KPIs not available; Weak escalation process Incident management viewed as cost centers problem processes; may exist, but weakly Metric focus on IT spend in use; No models manual or within only; Policy/ strategy is Only reactive support staffed or siloed; or downtime; established; Reliant on inefficient systems; Initial informal provided; Processes Success due to Management is not people to resolve Informal problem differ greatly heroics/staff aware of trends incidents. management based on increased Costs "tribal knowledge" Current Maturity Partial Demonstration 112 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity DRAFT: For Discussion Purposes Only Appendix E: Capability Maturity Model Matrices Governance Practices Strategic Alignment Risk Management Resource Management Performance Measurement Value Delivery IT is integral to achieving key Risk management is a IT resources are deployed A balanced scorecard IT is viewed as a strategic business strategy objectives. continuous process strategically, considering approach is used to business partner. Solutions IT proactively identifies and coordinated by the Board and internal and external sourcing continuously monitor IT are presented to the business Optimizing presents solutions to address senior management. The IT models, and are based on effectiveness. The scorecard for review, are delivered on strategic business challenges. and enterprise level of risk defined evaluation criteria is presented to the Board and time/budget, and achieve the tolerance is widely known. linked to business strategies other key executives. specified scope/objectives. The Board and/or executives Annual IT risk assessments IT project, purchasing, asset, IT fully understands the IT cost-effectively delivers regularly evaluate alignment are completed according to and resource management operational performance high-quality services that meet between IT and business accepted methodologies. processes are integrated and indicators for the enterprise, the needs of the enterprise. increased Costs Managed strategies. Long- and short- Preventative controls and regularly measured for and these are regularly Communication is frequent term (or tactical) IT plans are monitoring mechanisms help effectiveness. measured, monitored, and and structured. IT proactively mapped to business to validate that key risks are reported/summarized to IT seeks to enhance business strategies. appropriately managed. stakeholders. value. A formal process is used to IT risks are known, prioritized, IT skill set inventories are IT Service Level Agreements IT is viewed as an enabler of evaluate and prioritize and re-evaluated on a regular maintained and gaps are (SLAs) with the business are business processes. There potential IT projects. basis. Mitigation activities are proactively identified. Formal defined and tracked. A formal are activities in place to Defined Established criteria are defined for each risk and some processes exist to deliver IT process exists to review, confirm requirements are consistently applied to monitoring structures are in personnel and assets to monitor, and communicate being met, budget is kept, and facilitate cross-functional operation. projects and maintenance SLA results/ performance. goals are being achieved (e.g., committee decisions. efforts, as needed. ROI). IT maintains existing systems IT risks have been identified An organization-wide Some measures are regularly IT is viewed as a consistent Typical Target Zone but is viewed primarily as an and are being tracked with organization chart exists and is assessed across IT and are utility provider. IT-business order taker by the business some mitigation activities in maintained. A list of consistently communicated. communication is fairly Repeatable units. Project decisions place. IT adequately responds applications and infrastructure There are gaps between what consistent, but interaction is involve business personnel when an incident occurs, but assets can be generated, but it is measured by IT and what typically issues-focused. and require business cases. procedures are informal. may not be reliable or current. the business would like to There is little formal analysis of have measured. goal achievement. IT projects and services may IT lacks understanding of the IT reporting lines and skill sets Some measures are assessed Communications between IT inconsistently align with risks that may exist across the are known by management, within a few IT areas. Results and the business are irregular business needs/objectives. entire company landscape. but they are not inventoried or may be informally and/or ineffective. Projects Initial Project decisions are made Risk assessment activities organized. IT asset communicated and data are are often delayed; do not unilaterally or without occur occasionally or in management is informal. not used to source or deliver specified scope, increased Costs established criteria. response to an incident. proactively address issues. and/or are over budget. 2012 Protiviti Inc Current Maturity Partial Demonstration 113 CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. Target Maturity Confidentiality Statement and Restriction for Use This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties. 114 2012 Protiviti Inc CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.