This chapter describes a technique known as Business Transformation Readiness Assessment, used for evaluating and quantifying an organization's readiness to undergo change. The Canadian Government Business Transformation Enablement Program (BTEP) provides guidance on how to identify the business transformation-related issues. The BTEP recommends that all projects conduct a transformation readiness assessment to at least uncover the business transformation issues.
The following sections describe Business Transformation Readiness Assessment using the BTEP method, including some lessons learned. The first step is to determine what factors will impact on the business transformation associated with the migration from the Baseline to Target Architectures. Business Case exists that creates a strong focus for the project, identifying benefits that must be achieved and thereby creating an imperative to succeed. Workable Approach and Execution Model is an approach that makes sense relative to the task, with a supporting environment, modeled after a proven approach. Enterprise Ability to Implement and Operate the transformation elements and their related business processes, absorb the changes arising from implementation, and ongoing ability to operate in the new environment.
Each factor should be assessed with respect to risk using the process highlighted in Part III, 31.
From a risk perspective, these actions are designed to mitigate the risks and produce an acceptable residual risk. The readiness factors assessment will be a living document and during the migration planning and execution of the Transition Architectures, the business transformation activities will play a key role. The business transformation workshops are a critical part of the Communications Plan whereby key individuals from within the organization gather to assess the implications of transforming the enterprise. In short, enterprise architecture implementation will require a deep knowledge and awareness of all of the business transformation factors that impact transitioning to the visionary state. The benefits of cloud computing (specifically Software as a Service [SaaS]) over in-house development are clearly articulated and well known, and they include rapid deployment, ease of customisation, reduced build and testing effort, and reduced project risk. Recent high-profile outages and security breaches serve to further confuse businesses as they attempt to correlate their current internal control environment and proposed controls for the cloud with the external incidents chronicled in the press. Over the last few years, a plethora of documents have been written containing risk exposure, ad hoc guidance and control checklists to be consulted when considering cloud computing. In 2009, the European Network and Information Security Agency (ENISA) produced a document titled ‘Cloud Computing: Benefits, Risks and Recommendations for Information Security’.


In July 2011, ISACA released IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud, which provides a comprehensive guide to cloud controls taken from COBIT, Val IT and Risk IT. The security-related risk can be assessed in a similar structured approach by assessing against selected ISO 2700x, COBIT and NIST 800-53 controls that are applicable to the exposures within cloud computing. The ten principles of cloud computing risk help to give context to the frameworks for assessment previously discussed, and they can be used as an overall road map for migration to cloud computing. The ISACA Business Model for Information Security™ (BMIS™) (figure 4) was used as an overarching framework for risk and security.
Based on BMIS, these 10 principles of cloud computing risk provide a framework for cloud computing migration which is presented here in a case study. The business benefit of placing this function in the cloud is that it will allow branches, call centres, brokers and other channels to use the same code base and avoid replicating the calculations in multiple places. The first step in the framework is to formulate and communicate a vision for the cloud at an enterprise and business-unit level. Once the vision is articulated and the risk management organisation is in place, the next step in the road map is to ensure visibility of what needs to be done and the risk of doing it.
This will be a joint effort between corporate (especially human resources) staff, lines of business, and IT planners. The business case document identifies concrete benefits (revenues or savings) that the organization is committed to deliver and clearly and unquestionably points to goals that the organization is committed to achieving. As risks, they should be part of the risk management process and closely monitored as the enterprise architecture is being implemented. It is important to note whether the business transformation actions will be on the vision's critical path and, if so, determine how they will impact implementation. To do this they will become aware of the Architecture Vision and architecture definition (if they were not already involved through the business scenarios and Business Architecture). Similarly well known are Infrastructure as a Service (IaaS) benefits, which include reduction in cost, movement from capital expenditure to operational expenditure and agility. A consensus on the risk of cloud computing is, however, more difficult to achieve because the industry is lacking a structured framework for risk identification and assessment.
Most of these are deep on security concerns but narrow across the breadth of IT risk where a comprehensive framework for assessment is needed. The risk profile for cloud migration itself is also in a state of flux, as existing offerings are maturing and new offerings are emerging. In addition, the standard can be used to derive a superset of risk that is currently not coherently articulated in the industry.


As an example, figure 3 shows a cross-reference of the security-related risk (identified in the literature reviewed) to COBIT 4.1 DS5 Ensure systems security. The business function is part of the decision-making process within the end-to-end home loan business process shown in figure 5. Executives must have oversight over the cloud—The business as a whole needs to recognise the value of the cloud-based technology and data. Management must own the risks in the cloud—The management of the relevant business unit must own the risk associated with its use of cloud services, and must establish, direct, monitor and evaluate commensurate risk management on an on-going basis.
All necessary staff must have knowledge of the cloud—All users of the cloud should have knowledge of the cloud and its risk (commensurate with their role in the organisation), understand their responsibilities and be accountable for their use of the cloud. In addition, businesses struggle with identifying and following a road map for cloud implementation. Figure 1 gives a comparison of the top types of risk identified by the CSA, OWASP and ENISA, showing the variation in both content and ranking.
In doing so, the publication highlights both the need for a consistent and broadly accepted risk assessment framework and the fact that its existence still remains elusive. There is also a potential business driver for allowing customers access to their own data if placed on the public cloud. There must be constant vigilance and continuous monitoring of risk to these information assets, including ensuring compliance with appropriate laws, regulations, policies and frameworks. Many of the challenges translate directly into risks that have to be addressed, monitored, and, if possible, mitigated. Paradoxically, from a small to medium-sized enterprise perspective, migrating to the cloud may in fact mitigate risk. For example, the likelihood of server misconfiguration or poor patch management leading to a successful attack is greatly reduced, as is the risk of data loss due to less use of portable media.
In the case study, the business decides to assign ownership of the complete (business and IT) risk of the initiative to the retail bank operational risk manager, who works with the departmental IT risk manager to plan actions covering both the business and technical risk involved. In the case study, the home lending line-of-business owner and the IT manager work together to ensure that the involved business and technology staff have the appropriate skills to embark on the cloud initiative or that the needed expertise is obtained externally. The scope and approach of the transformation initiative have been clearly defined throughout the organization.





