stephenmann

The enterprise IT organization is awash with operational silos that touch IT service management (ITSM) — and in many ways one could argue that some could and should be part of corporate ITSM activities.

Most commonly pointed to is the App Dev and IT Operations divide — with DevOps a potential solution or "journey to a better place" — but there are other significant opportunities for different parts of the enterprise IT organization to play better together. These include: Security; IT Asset Management; and IT Governance, Risk, & Compliance (ITGRC).

The latter in particular is interesting as ITSM is actually part of the larger Governance or ITGRC picture.

Take an integrated approach to ITGRC and ITSM

ServiceNow partner Intreis, a Chicago-based consulting firm specializing in ITGRC and ITSM integrations, helps customers achieve this. The following outlines an Intreis customer case study that delivered significant financial and time savings as well as reduced risk and increased compliance.

The customer, a publicly traded Global Technology Company with 22 offices and 1,500 employees, is subject to SOX, PCI, European Safe Harbor, and ISO27001. Its controls environment consists of circa 100 general computing controls and prior to taking an integrated approach to ITGRC and ITSM:

  • Audits took eight months
  • $1.5 million was spent annually on audit fees
  • $200k was spent on audit preparation and support
  • The audit activity would identify 50+ deficiencies.


Reap the benefits of an integrated approach to ITGRC and ITSM

With Intreis' help the customer achieved significant benefits through automation and by integrating the customer's ITSM and ITGRC processes on a single unifying platform:

  • Audits are now completed in two weeks rather than eight months
  • Audit fees have dropped to $300k (an 80% reduction)
  • Preparation and support now costs $40k (another 80% reduction)
  • 9,000 IT person hours are saved
  • There are zero deficiencies
  • There were $250k savings in head count costs related to controls testing
  • There was a $250k+ technology cost avoidance (i.e. avoiding the purchase of a standalone IT GRC platform).

Six key steps for ITGRC success


So what do you need to do to be successful with an ITGRC/ITSM integration? Intreis offers up six key steps:


  1. Define your services — Your services are the basis for effective process design and controls identification.
  2. Process redesign — Embrace it. You will have to redesign your processes in order to embed and automate your controls. It's worth the effort.
  3. Consolidation of controls — Get to a consolidated set of controls. The idea is to define one master set of controls that meet all your business and regulatory requirements. So if you need to…
  4. Enlist the experts — Not everyone can be an expert in controls and compliance, or in process design. If you don't have the expertise in house, engage subject matter experts. Get it done right the first time…enjoy the results for a lifetime.
  5. Automate, automate, automate — Anytime something is done manually it is open for human error. Automate to the fullest extent possible for maximum predictability and efficiency.
  6. Allow time for results — Definition and automation do not take very long, about a third of the time of most GRC application implementations. With that said, many IT controls operate quarterly and annually, so your full savings potential may not be realized in year one, but you will certainly see it in year two.


Source: Case Study — Integrating ITGRC and ITSM
A shorter version of this blog was originally published on the ISACA website.