Saturday, February 22, 2014

Why do we need Network Mapping?

Some Types of Policy

The Executive View

Most textbooks on policy development focus on the technical side of matters. For example, some go to great lengths about all the details of access control. In doing so they achieve two ends:
  • Firstly, and most obviously, this technology-focused approach results in a mass of technical detail. This often confuses what is policy, what is a standard and what is a procedure.
  • Secondly, as a consequence of the first, the policies are opaque and incomprehensible to much of the organization, not least the managers, the executive and the board.
This problem usually comes about because the task of writing policy has been limited to IT security and has therefore been delegated to the IT department, where it is written by a technician who happens to have no crucial role on some other project. Said technician is unlikely to have good writing skills or the necessary breadth of experience. Most importantly of all, the technician will not have a viewpoint that addresses the whole of the organization from a business perspective.
Considered in this light, the quality of many published and commercially available policies, and of many books on policy, is not surprising. The idea that 1,400 "Policies" is somehow a better bargain than a mere 1,100 misses what POLICY is really about, by confusing policy with controls, standards and procedures.
The section "The Good and the Bad" (/policy/the-good-and-the-bad/) gives an illustration of this gulf. The example of the "good" policy is:
"Access to Corporate Information System resources will be restricted to authorized users in accordance with their roles. Users will uniquely identify themselves and be accountable for the actions carried out under this identification."
As a policy statement, this has many advantages, the greatest of which are its clarity and generality. It can be understood by everyone from the Board of Directors to the janitor. It is a general statement that can be applied in many specific circumstances.
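To make the policy / standard / procedure distinction concrete, here is an added example that is not part of the original page and does not describe any particular product. The policy sentence above stays exactly as written; a hypothetical role-to-permission table plays the part of the standard; and a small enforcement routine plays the part of the procedure, recording every decision against the requesting identity so that the accountability clause can be honoured. All roles, resources and user identifiers in it are invented for illustration.

```python
"""Added example: one short policy statement decomposed into a standard and a
control. All roles, resources and user identifiers below are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# POLICY (general, rarely changes): access is restricted to authorized users
# according to their roles; users identify themselves uniquely and are
# accountable for what is done under that identity.

# STANDARD (specific, revised as the business changes): which role may take
# which action on which resource. Hypothetical entries for illustration.
ROLE_PERMISSIONS = {
    "clerk":      {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor":    {("ledger", "read"), ("audit-log", "read")},
}

# Identities must map to exactly one person: shared or generic accounts would
# defeat the accountability clause of the policy, so they are never registered.
REGISTERED_USERS = {
    "u1001": frozenset({"clerk"}),
    "u1002": frozenset({"accountant"}),
    "u1003": frozenset({"auditor"}),
}


@dataclass
class AccessDecision:
    user_id: str
    resource: str
    action: str
    allowed: bool
    at: str  # ISO-8601 UTC timestamp, so the log can be reconciled later


@dataclass
class PolicyEnforcementPoint:
    """PROCEDURE (operational): evaluate every request against the standard
    and record the outcome against the requesting identity."""
    audit_log: list = field(default_factory=list)

    def authorize(self, user_id: str, resource: str, action: str) -> bool:
        roles = REGISTERED_USERS.get(user_id)
        if roles is None:
            # Unknown identity: refuse rather than guess, and still record the
            # attempt, because the failed attempt is itself audit material.
            self._record(user_id, resource, action, allowed=False)
            raise PermissionError(f"unregistered identity {user_id!r}")
        allowed = any(
            (resource, action) in ROLE_PERMISSIONS.get(role, set())
            for role in roles
        )
        self._record(user_id, resource, action, allowed)
        return allowed

    def _record(self, user_id, resource, action, allowed):
        self.audit_log.append(AccessDecision(
            user_id, resource, action, allowed,
            datetime.now(timezone.utc).isoformat(),
        ))

    def decisions_for(self, user_id: str) -> list:
        """Accountability: everything done (or attempted) under one identity."""
        return [d for d in self.audit_log if d.user_id == user_id]


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    print(pep.authorize("u1002", "ledger", "write"))   # accountant: True
    print(pep.authorize("u1001", "ledger", "write"))   # clerk: False
    for decision in pep.decisions_for("u1001"):
        print(decision)
```

Note what changes when the business changes: the policy sentence is untouched, the `ROLE_PERMISSIONS` table (the standard) is edited, and the enforcement routine (the procedure) is left alone. That is the separation the text above is arguing for.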

The Functional View

This structure of policy is very common when written from a technical point of view or by technical staff. As such it concentrates on the functioning of the technical aspects of the organization rather than on the business aspects. One of the side-effects of a technical viewpoint is that it may be difficult to communicate to non-technical people.
[Figure: FunctionalPolicy]

The Corporate View

This view can take many forms depending on the nature of the organization – Non-profit, service, sales, manufacturing, R&D. It focuses on the management of the organization – hence the “Mission Statement” prominently displayed.
In the same way that the functional view is optimized for a technical point of view, a corporate view may appear to lack the “slots” for the technical details.
[Figure: CorporatePolicyStructure]

The Academic View

An information security policy for an academic institution may vary even more than one for a corporation. Academic institutions place great emphasis on freedom of communication and thought, but at the same time, by their very nature, tend to be "hot-beds" of experimental learning that may overflow into behaviour that is detrimental to other users or to the world at large.
This view is included to show the scope that a policy may have to cover.
[Figure: AcademicView]

Other Views

Senior Management Statement of Policy

This is often the first policy to be formulated.
  • It acknowledges the importance of the information and information processes resources to the business.
  • It is a statement of support for good practice in information handling, security and regulatory compliance.
  • It is a commitment of support to authorize and manage the formulation and enforcement of lower level policy, standards, guidelines and procedures.
This can be a very short statement, but it is very important as it gives validity and mandate to the policy process.  Without such a document, other managers and supervisors can "opt-out", claim to be exempt, and otherwise drag their heels.

Regulatory Policies

These are policies that the organization is required to implement in order to comply with governmental or legal requirements.
Such policies have two primary objectives:
  • To ensure that the organization is following the mandated baseline practices of operation and/or reporting that apply to its industry.
  • To give the directors and executives confidence that their fiduciary obligations are being met.

System-Specific Policy

This kind of policy focuses on the decisions management has taken that pertain to a particular system. Although we tend to think of a "system" as a piece of information processing hardware and software, the system could be an organizational unit, a division or even a particular business operation and its processes. This kind of policy is often an "operating manual" for that system.

Issue-Specific Policy

XXX (TBD)
This kind of policy may be stand-alone – a privacy policy for the whole organization – or it may deal with a specific issue within the framework of one of the other policy models.

Program or Project Policy

XXX (TBD)

There are also "policies" that are present in many organizations but do not follow the strict definitions that have been discussed here:

Advisory Policies

As the name suggests, these are policies that give guidance.
Following them is strongly suggested and the consequences of failing to follow them may be severe.

Informative Policies

These exist purely to inform the reader.

Behind the Policy


Beyond Policy

The policy process is just the start of a comprehensive security plan. The policy defines the organization's attitude towards security and makes clear that all members have a part to play in creating and enforcing a suitable culture of security.
The best policy and security functions are to no avail if they are not observed or not used.
Next is the task of converting the policy into practice, which requires an explicit plan.
  • Identify the assets, tangible and intangible, and estimate their criticality and value.
  • Assess the threats to those assets.
  • Determine the level of acceptable risk.
  • Make available the resources to deploy measures that address that level of risk.
  • Put in place the training and support necessary to make those measures effective.
  • Establish a timetable for regular review of this process, so as to keep up with changing needs in the internal and external environment.
All this leads back into Risk Management and Audit & Assessment.

Creating Policy


Developing Policy

Policy can mean different things to different people and be structured in different ways according to the needs of the organization.
This section looks at some of those ways.
Effective Security Systems Require Explicit Policies
Policies are an organization's most effective tool for good governance and the smooth running of operations.  They are management's instructions on how the organization is to be run.
"Policy: Clarifying What is expected."
Policies are essential to the effective, efficient and reliable operation of an organization.  They lead to smooth, consistent and efficient operations.
"Guidelines: How to make decisions without perfect information"
Properly structured, Policies are general statements that do not need to be revised as the details of technology and products change.  Policies are accompanied by guidelines as to how they are to be applied in new situations.
"Standards: References and documented agreements containing precise criteria to be used consistently as rules, definitions or specifications."

The purpose of IS Awareness is to change behaviour


Awareness

The purpose of Information Security awareness is to change behaviour.
Policy can only do so much, and no matter how well it is written and communicated, it will always have gaps. Awareness helps to bridge those gaps by bringing people to understand the aims and objectives of security. With this understanding they will, hopefully, follow not only the letter of the policy but its spirit as well.
Awareness, and awareness training, is not the objective; it is just a step on the way to changing the way people behave.
Security awareness should be part of a coherent, ongoing plan for teaching staff about the various aspects of information security. A well worked-out course will not only be more effective than a few disjointed episodes such as the occasional "lunch-and-learn", it will also give the opportunity to develop themes and to explain not only the corporate policies but also how information security affects our everyday lives.
Awareness courses and training do need to be broken out to address the differing needs of the various audiences, as well as covering the common ground.
Management needs to be presented with a strategic perspective on security, structured to help them understand their governance role. By contrast, IT staff need to get a grip on the technology and address many issues in greater depth. Other users may not need such aggressive or in-depth presentations, but what they receive should focus on their job role and be relevant to their day-to-day activities.

Awareness Training “Good Practices”

  • Provide the theoretical context – basic info about information security risks (threats, vulnerabilities, impacts)
  • Provide the practical context – basic info on infosec incidents in the news, and ideally within the organization/closer to home
  • Generate some motivation for change – draw out the key issues and start discussing possible responses (helps people rationalise and understand)
  • Milk the motivation – use hooks such as personal accountability, compliance, good practices and ‘the business value of security’ to turn motivation into action
  • Broaden perspectives – consider ‘information’ rather than ‘IT’ for a start! Also novel risks, business context, social context, personal context.
  • Reinforce positive behaviours, but stay creative, topical and engaging enough to maintain interest over the long term [and thinking long term means we don’t need to try to address the whole information security field NOW! We can plan it out, build the foundations and work on whatever needs work whenever – see step 1].
  • Measure and continuously improve the awareness program. Find out what works well and do more of it. Find out what doesn’t work too well and either change or stop it. Oh and justify the investment.

Benefits of Policies & Procedures


Benefits

Policies provide a framework within which to define roles and responsibilities, to formulate and justify any regulations and to make explicit the organization’s attitudes towards any actions that threaten its assets. They are sometimes described as “Management’s instructions as to how the organization is to be run”.
Overall the policy must define the place that information security plays in supporting the mission and goals of the institution.
Developing a security policy is the first step to improving your organization’s security stance.

Specific Reasons & Benefits

Demonstrate Management Support
  • Give security staff the backing of management in further security activities
Demonstrate a Commitment to Security
  • Showing customers that your organization cares about protecting their information.
  • Preventing the negative press that can result from security breaches,
Protect Investments
  • Reducing the number and extent of information security breaches. The sooner a breach is identified, the lower the cost of addressing it will be. Direct costs (e.g., cost to recover data lost or altered during an incident, cost to notify customers of breaches, fines for non-compliance) and indirect costs (e.g., lost customers, lost productivity, time spent investigating/resolving breaches and hoaxes) will decrease.
  • Reducing systems’ costs by allowing control measures to be designed into systems rather than adding them to installed systems. (It is significantly more expensive to retrofit a control than to design it into an application or system.)
  • Providing savings through coordination and measurement of all security awareness, training, and educational activities while reducing duplication of efforts.
Provide better protection for assets by
  • Helping employees recognize and respond appropriately to real and potential security concerns.
  • Providing fresh, updated information to keep your staff current on new risks and what to do about them.
  • Making employees, contractors, and business partners aware that the data on their computers and mobile devices (PDAs, thumb drives, smart phones, etc.) are valuable and vulnerable.
Form the basis for budget and staffing
  • Establish a comparison point against cost of losses and non-compliance.
  • Establish sponsorship for projects to build out security infrastructure to achieve acceptable governance.
  • Establish expectations for spending on security for new revisions to technology operations and business operations.
Form a baseline against which progress can be measured
  • Demonstrate effectiveness of security measures
  • Justify effort and cost
  • Form the basis for a continued improvement cycle
Establish Communication Paths
  • Motivate employees, contractors, and consultants to improve their behaviours and incorporate security concerns into their decision making.
  • Rewarding good security behaviour
Coordinate Activities
  • Declare a corporate goal for operations and projects to meet.
  • Authorize a governance and gating change management board.
  • Declare ownership of information assets.
Assure Consistent Implementation of Controls
  • Create a standards body and means for churning technology from emerging technology through to evergreen status.
  • Declare a compliance standard based on industry or open standards, tailored to the organization.
  • Authorize an audit practice with organization wide access and consistency.
Avoid Liability
  • Reduce the potential for fines and mandatory audits by improving overall compliance
  • Reduce the potential for lawsuits by demonstrating a corporate concern for security and a process for ensuring that the workforce will provide adequate protection for information assets entrusted to its care
  • Reduce C-level executives' exposure to prosecution by ensuring that they understand that they are legally responsible for the integrity of the organization's information assets
  • Demonstrating compliance with regulations that require information security awareness and privacy training
  • Demonstrating effort to protect both corporate information and customer personal and financial information
  • Facilitate disciplinary or legal action by having process for documenting the requirements and individual’s acknowledgment of the security policies.
Manage Risks
  • Declare a risk appetite reflecting corporate identity.
  • Document the goals of risk management.
  • Authorize a risk management role and accountability.
  • Establish a strategy for reviewing and managing risks for core functions: financial, operational, reputational & regulatory, technology and data.

Policies & Procedures

Overall, Policies are an organization’s most effective tool for good governance and the smooth running of operations. They are management’s instructions on how the organization is to be run.
Policies are essential to the effective, efficient and reliable operation of an organization. They lead to smooth, consistent and efficient operations.
Properly structured, Policies are general statements that do not need to be revised as the details of technology and products change. Policies are accompanied by guidelines as to how they are to be applied in new situations.

System Integrity is experienced in the development of Policies for Information Security, Privacy and Governance.

We can guide and assist you and your staff to develop your own policies and procedures in a way that best suits the needs of your organization.



What Makes Policy Successful?

For security policies to succeed they must meet these simple requirements:
  • Management must support the policies.
  • The policies must be:
    • concise and understandable
    • technically feasible
    • enforceable
    • implemented globally and consistently
    • widely distributed and easily accessible
    • flexible to adapt to changing technologies and institution goals
At the same time it is sensible that policies should:
  • balance protection with productivity
  • state reasons why policy is needed
  • describe what is covered by the policies
  • define contacts and responsibilities
  • discuss how violations will be handled and provide sanction
  • contain a response plan for remediation in the event of failures


Risk Management



Risk Management

The need for effective IT Risk management has become significantly more important as organizations have become more dependent on their IT systems for their livelihood and success. While many organizations feel they have a solid grasp on their IT risk concerns, too often their IT risk management efforts have serious gaps and vulnerabilities due to a failure to take a holistic approach to IT risk. Effective IT risk management requires a comprehensive approach that addresses all four areas of IT risk: security, availability, performance, and compliance. It requires an IT risk management program that follows a proven model that takes into account an organization’s unique culture and attitudes toward risk.
Risk is the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
Risk Management includes the culture, processes, and structures that are directed towards the effective management of potential opportunities and adverse effects.
The Risk Management Process includes the systematic application of management policies, procedures and practices to the tasks of establishing the context, and of identifying, analyzing, assessing, managing, monitoring and communicating risk.
Risk management provides an organization with the ability to handle long-term and short-term changes in its operations arising from changes in its environment, in regulations, in its business activities. These changes may be planned or unexpected.
All business decisions, in IT or otherwise, are an exercise in the evaluation of the risk of inaction versus the cost of action to reduce risks (real or perceived). Risk management is helpful in answering both strategic and tactical questions – the commitment to a new technology or whether to upgrade the capacity of the existing file-and-print server. Furthermore, a risk-management process will help you prioritize these issues should you lack the resources necessary to address them all immediately.
In a competitive business setting, the use of risk management is vital to the long-term success of your company. The cost of attempting to eliminate all risks would make a prohibitive demand on resources and time. In reality, businesses need to take some risks to gain a competitive edge. You must therefore take an educated and informed approach to deciding which risks can be taken and how to allocate your finite resources to support your business strategies.
Risk management is about sound judgment when taking risks. It affords a level of contingency planning should a risk become a reality. Understanding risks is the starting point of a risk-management process. Once you understand the risks, you are able to make sound decisions on whether to accept, mitigate or transfer them. In addition, risk management pulls together data from other security areas, such as vulnerability analysis and operations monitoring, to provide an overall view of business risk.

The Difference between an Audit and an Assessment



Audit & Assessment

What’s The Difference?

So, what is the difference between an Audit and an Assessment?
Essentially it is in the degree of formalism involved.
An Audit is usually against some formal definition or standard, which may be externally defined, such as ISO 27001 or PCI DSS, or a law or regulation such as Sarbanes-Oxley in the US or the Canadian PIPEDA. Such audits will have a clearly defined methodology and a clear report of the degree of conformance.
Management should think of the deficiencies reported in a formal audit as matters of grave concern that need to be addressed. This is especially so in the case of audits for regulatory compliance, since there may be punitive measures for non-conformance.
An Assessment is less formal and less severe. An assessment usually consists of observations by an experienced practitioner who compares the operations and practices of the client against what are generally considered best practices.
Very often, an assessment can be of more use to management than an audit. Since audits are concerned primarily with compliance, they may miss many important factors. It is often said that being compliant does not mean being secure, and vice versa. Many of the credit card security breaches of recent years were at companies that were PCI compliant. On the other hand, compliance and security are not mutually exclusive.
But an assessment can do more, can be more valuable for Operations than a formal audit. It can tell you how you can improve your IT in various ways; make it more efficient, more robust, more flexible. It can address issues of change, generate new ideas and possibilities. It can tell you what is good and what is bad, what ventures should be encouraged and which should be killed off. It is inherently more open-ended than an audit, and this can make it much more valuable.

Governance ?


Governance

Simply put, "governance" means the process of decision-making and the process by which decisions are implemented (or not implemented). Governance can be used in several contexts, such as corporate governance, international governance, national governance and local governance. And of course, our concern: IT Governance.
Corporate governance has been a high profile topic in recent years principally because of public concern at a lack of control at the top of organisations. There is a perception that, in certain cases, senior managers appear to have been able to act without restraint and that inadequately designed systems have failed to prevent fraudulent, inefficient or inappropriate behaviour.
A well-defined and enforced corporate governance provides a structure that, at least in theory, works for the benefit of everyone concerned by ensuring that the enterprise adheres to accepted ethical standards and best practices as well as to formal laws. To that end, organizations have been formed at the regional, national, and global levels.
In recent years, corporate governance has received increased attention because of high-profile scandals involving abuse of corporate power and, in some cases, alleged criminal activity by corporate officers. An integral part of an effective corporate governance regime includes provisions for civil or criminal prosecution of individuals who conduct unethical or illegal acts in the name of the enterprise.

Information Technology Governance

IT Governance is more than merely good management practices and IT control frameworks. ISO 38500 makes this clear by stating that IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return on their investment. The directors responsible for this stewardship look to management to implement the necessary systems and IT controls. Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.
IT Governance is not a matter for the IT department alone; it is the responsibility of the board of directors and executive management.
It is easy to recognise the potential benefits that technology can yield, but successful organizations need to translate those benefits into specifics that are of value to them, and to understand and manage the risks associated with implementing new technologies. The challenges and concerns this involves include:
  • Translating and communicating a value-focused vision and objectives
  • Aligning IT strategy with the business strategy
  • Cascading strategy and goals down into the enterprise
  • Providing organizational structures that facilitate the implementation of strategy and goals
  • Insisting that an IT control framework be adopted and implemented
  • Measuring IT’s performance
Effective and timely measures aimed at addressing these top management concerns need to be promoted by the governance layer of an enterprise. To achieve these ends, boards and executive management need to extend the governance they already exercise over the enterprise to IT.
IT Governance is not a matter for the IT department alone – is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

Purpose and Objectives

The point is to harness IT more effectively in support of achieving business objectives and managing financial, strategic, and operational risks
The purpose of IT governance is to direct IT endeavours, as expressed in the list above, and these translate into the following objectives for IT:
  • To align IT with the enterprise and realize the promised benefits
  • To use IT to enable the enterprise by exploiting opportunities and maximizing benefits
  • To apply IT resources responsibly
  • To manage IT-related risks appropriately
The overall objectives of IT governance activities are to understand the issues and the strategic importance of IT, to ensure that the enterprise can sustain its operations and to ascertain that it can implement the strategies required to extend its activities into the future. IT governance practices aim at ensuring that expectations for IT are met and IT risks are mitigated.
The point is not to be good at the process of compliance, or governance, or risk management for its own sake – the point is to harness IT more effectively in support of achieving business objectives and managing financial, strategic, and operational risks.

Which is governance, and which is not?



What Governance Is ... and Is NOT

There is growing interest in and awareness of IT Governance, but a new ISO standard (see below) makes clear that the term is often misused. What we are really seeing is a rise in interest in IT Governance and Information Assurance, the latter sometimes termed Information Security. These two, along with Service Management (ITIL), provide the three supports for business-IT alignment.
But Governance is something distinct. It has a passive part and an active part, the yin and the yang.
  • The active part of Governance is setting policy, not issuing commands: setting a course not steering.
  • The passive part of Governance is tracking the business against strategy objectives and policy: taking a navigational fix not weighing the cargo.
Thus IT Governance is about understanding how right we do IT, and defining “how right” in terms of policy and strategy of the organisation.
The four “hows” in the diagram of the header are what Governance is about. The “how well” is only meaningful once the “right things” are defined in terms of what the organisation needs IT to do.

Governance itself is a process.

The people responsible for Governance should be concerned with setting policy and bounds. They should not be concerned with fixing things that go out of bounds. If they do, then they are no longer governing. The boundary between the two, and the corresponding roles and responsibilities, needs to be clearly understood.
Many organizations are offering a service they label "GRC": Governance, Risk Management and Compliance. Often this is a semantic shift from their existing work on Risk Analysis, Risk Management and Regulatory Compliance; it approaches Governance in a bottom-up manner and puts too much emphasis on the skills they already have on the operational side.
The International Organization for Standardization, ISO, has released a new standard, ISO/IEC 38500: Corporate Governance of Information Technology, defining that very word. The standard defines Governance as three activities:
  1. Evaluate,
  2. Direct and
  3. Monitor.
The new standard makes it clear that Governance pertains to command and control, not to measurement, policing or adjustment. We can hope to see the emergence of a term that neatly wraps up the operational (i.e. non-Governance) aspects of the Risk and Compliance parts of GRC: Assurance.
COBIT and its related publications are the nearest thing to an IT Assurance CBOK, and the Val IT publications are on the way to being the CBOK for IT Governance. ISACA is working on a Risk IT framework.

… And Is Not

The GRC approach confuses things by introducing Risk Assessment and Management, and Compliance. Both of these have to do with operational matters.
Governance is not reporting, or security, or dashboards or risk management, or even project management.
For the most part, Risk Management is not Governance. Most of Risk Management has to do with operations; it is an ongoing, lower-level activity.
In fact Management itself is not Governance. Management is about “getting things done”, handling resources and meeting objectives.
And Operations is where the difference lies, for these things are about executing, not about
The closely intertwined concepts of IT Risk, Assurance and Compliance are about how safely we do IT, and about defining "how safely" in terms of what is safe for the organisation.
All these things that are being mislabelled as Governance under the GRC banner are about executing the commands of the governors, or providing them with information, or ensuring the organisation complies with their policies. Steering the ship is not governance. Even more so, rowing the ship is not governance.

The 5 Domains of IT Governance



The Five Domains of IT Governance

The essential components of IT governance can be expressed as follows:
  1. IT governance overall is about delivering value and managing risk.
  2. Value delivery, which embodies the concept of risk-related returns, is perhaps the most important.
  3. Value delivery is not possible without strategic alignment and resource management.
  4. It is impossible to provide transparency of success or failure without performance measurement.

Strategic Alignment

Strategic Alignment is concerned with how IT supports the enterprise strategy and how IT operations are aligned with current enterprise operations.
Alignment involves:
  • Understanding the needs of the business
  • Developing IT strategy and objectives
  • Resource allocation – portfolio management
  • Demand management
  • Communication

Why Alignment is Important NEEDS REWRITE

Whilst recognising the importance of IT for overall strategy delivery, prominent amongst the issues raised was the perceived disconnect between IT strategy and business strategy. This lack of alignment leads to adverse business outcomes including:
  • Inability of the business to reach its full potential
  • Failure to identify and capitalise upon business opportunities that could be enabled by IT
  • Potentially higher operating costs and, therefore, competitive disadvantage due to the failure to replace expensive labour-led processes with lower-cost (over the long term) automation
  • Incorrect and ineffective focusing of IT-related resources
  • Inability to recruit and retain high-quality IT and business personnel
  • Higher costs overall
  • Erosion of stakeholder value over time

Value Delivery

Value Delivery ensures that value is obtained from investment in information technology and is an essential component of IT governance. It involves selecting investments wisely and managing them throughout their life cycle, from inception to final retirement. It involves making sure that IT delivers appropriate quality on time and within budget, and examines how actual cost is managed and how the ROI is determined. Value delivery covers:
  • Identifying project value drivers
  • Identifying service value drivers
  • Project management
  • External benchmarking

Performance Management

Performance management looks at how IT tracks and monitors the implementation of strategy, how the success of projects is determined, at resource usage, and at the ensuing process performance and service delivery. It covers:
  • Customer satisfaction
  • Service level management
  • Business value measurement
  • Process improvement

Risk Management

Risk Management is about the safeguarding of IT assets, disaster recovery and continuity of operations, including security and information integrity. It covers:
  • Organizational risk appetite
  • Project and investment risk mitigation
  • Information security risk mitigation
  • Operational risk mitigation
  • Compliance with regulatory mandates
  • Audit

Resource Management

Resource Management looks at how IT optimizes and manages critical IT resources. It covers:
  • Hardware and software asset management
  • Third party service providers & Outsourcing
  • Standardized architecture
  • Financial management – service costing

What is IT Governance?

Over the past few years one of the most common topics with customers seeking to improve their overall performance of the IT groups was “governance”. It often showed up in the following statements:
• “The key to our success is governance”
• “What we are really missing is good, solid governance”
• “We would be doing better if we only had good governance”
After a while, this got me to thinking. What does ‘governance’ mean? Apparently, it is important to have it. However, when I started talking with people I started to get widely different answers as to what ‘governance’ was, what it consisted of, and why it was so important. What follows below is the outcome of these discussions and ideas. In this post, I will help the reader to better understand the components of governance and why it is important to a high-performing IT organization.
I found the best place to start with this topic is with the definition. If one goes to the dictionary governance would be defined as ‘establishing chains of responsibility, authority, and communication to empower people’. A closer look at the key words reveals these additional details. Governance includes responsibility (being held accountable for a specific duty, task, or decision); authority (the power to influence behavior); communication (exchanging information); and empowering (giving official authority to act). To more easily remember these items; just use the mnemonic ‘RACE’ (Responsibility, Accountability, Communication, Empowerment). Governance also involves establishing measurement and control mechanisms to enable people to carry out their roles and responsibilities. Using this definition as a guideline, the goal of governance is to ensure the results of an organization’s business processes meet the strategic requirements of the organization.
How is IT Governance any different? Based on the above concepts, IT governance can be described as having two distinct components. There is a structural component that pertains to the organization’s information technology activities, the way those activities support the goals of the business, and the people who help manage those activities. There is also a process component that defines the decision-making rights associated with IT as well as the mechanisms and policies used to measure and control the way IT decisions are made and carried out within the organization.
Does the business drive IT through governance? Most people would answer this question with a resounding ‘YES’. There might even be a cynical ‘Duh!’ added at the end of the answer. However, in many cases, this is not necessarily the case. In order for effective governance to be in place, the goals of the IT organization and the goals of the business must be clearly tied together. Too often, a very casual relationship exists between the two or none exists at all. When this occurs, IT initiatives crop up that have no bearing on the strategic business goals. When this happens, both the business and IT resource begin to wonder why a specific project is even being deployed. The question – what is this expected to accomplish? – is often asked. Worse yet, no one can really provide a clear answer.
I attended a conference a few years back that depicted the alignment between business and technology.  The illustration they used is shown below.  This is one of the best pictures I have seen that demonstrates how business goals and IT projects become aligned with one another.  At the top the goals of the business are clearly stated.  These goals should be easily understood by all people from the top to the bottom of the organization.  Once the business goals have been established, the business strategies are developed.  When successfully executed, these business strategies will accomplish the business goals.  Business Process Capabilities – the next layer – are areas in which the business must improve in order to accomplish the business strategies (which, in turn, will achieve the business goals).  Finally, the bottom layer depicts the various business process improvement projects and IT projects that are being deployed.  As an organization considers IT projects, it is critical to align them with the business strategies and business goals.  Doing this creates a very clear picture as to what is expected to be accomplished and how these expectations fit within what the business wants to accomplish.  At its core, this is what IT governance accomplishes.

Some key points about this diagram. The first thing is that the number of business goals is probably about right. Any organization, no matter its size or reach, cannot do everything. There are a few things it will seek to do to truly be successful. The next item is that the business capabilities must be well-understood and well-defined. It is important to know what capabilities will drive the business toward its goals. It is at this level where business value drivers come into play. If those items that drive value are identified, defined, and measured, then it becomes much easier to understand how improved performance is going to achieve the business goals. I have read some publications that discuss how companies have defined these capabilities for the entire enterprise and have used these value drivers as the foundation for the business case of any (and all) projects, whether or not they are IT-related.
Finally, while this picture is meant to be illustrative of how all of these items should be linked, consider actually drawing this for the next round of your projects. The result will create a clear linkage of the projects to the specific business goals.
In the end, this is exactly what IT governance seeks to achieve. IT governance creates clarity between business goals and IT projects. This is why it is so important. Think of the statements made at the beginning of this post (“The key to our success is governance.” “What we are really missing is good, solid governance”, etc.). It all starts to make sense why these statements ring true. IT governance is a key element of a well-performing IT organization. So … after all of this explanation, what is IT governance? IT governance is:
• Clearly understanding the business strategy and aligning the technology strategy with the business strategy
• Providing clarity between the business strategy and the IT initiatives – drawing the links between business objectives and project objectives
• Providing clarity through the preparation of a business case for each initiative – it is not enough just to create the links but also to help build the case as to how the project will improve the business capabilities
• Attaining agreement on priorities – as a group looking at the entire enterprise, it is making a determination as to what initiatives move forward
• Attaining agreement on which priorities should finish first
• Understanding the resources necessary to accomplish the initiatives – good governance establishes priorities on resources, both human and financial. Approving capital funds is not enough; approving the people is usually more difficult.
Does your organization (or customer) need to improve your IT governance? We can help.
Doug Shuptar is a Principal in SAP’s Industry Business Consulting Group. He can be reached at douglas.shuptar@sap.com with questions and comments.
Brought to you by SAP Services.

Connecting IP and Analog PABXs

One of the challenges today is that there are still more PABXs using analog switching than IP or hybrid ones. Meanwhile, replacing the entire PABX with IP will always meet resistance from existing users and even from management.

The solution is to combine the capability of the existing analog PABX with an additional IP PBX. This can be done in the following way.




With the approach above, the old PABX is retained, and a new PABX can be installed with the following connections:
- FXO from the PABX into the IP PABX as FXS
  This method is generally used for trunk-to-trunk connections

- FXS from the PABX (generally an extension) into the IP PABX as FXO.
  This method is generally used to connect to the IP PABX as an extension of the analog PABX

- FXO from the PABX into the PSTN, and from the PSTN into the IP PABX as FXO.
  This method is generally used when the connection is not at a single location, so there are two different PABXs.
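The three wiring options above all rest on one rule of analog telephony: every loop must pair an FXO port (the side that expects dial tone, such as a PABX trunk or an IP PBX line port) with an FXS port (the side that supplies dial tone, such as a PABX extension, an IP PBX station port, or the PSTN line itself). The following checker is an added example, not code from the original post or any PBX vendor; device names and the topology data are constructed here to model the three connections described, plus one miswired loop for contrast.

```python
"""Added example: validate analog PABX <-> IP PBX port pairings.

An analog loop needs exactly one FXS side (supplies battery and dial tone)
and one FXO side (consumes it). FXO-FXO or FXS-FXS loops are miswired.
Device names below are constructed for illustration.
"""
from dataclasses import dataclass

FXO = "FXO"  # Foreign eXchange Office: line/trunk side, expects dial tone
FXS = "FXS"  # Foreign eXchange Station: station side, supplies dial tone

ANALOG = "Analog PABX"  # constructed device name
IPPBX = "IP PBX"        # constructed device name
PSTN = "PSTN"           # the public network presents an FXS line to each subscriber


@dataclass(frozen=True)
class Port:
    device: str
    kind: str  # FXO or FXS


@dataclass(frozen=True)
class Link:
    a: Port
    b: Port


def validate_link(link):
    """Return None for a valid FXO<->FXS loop, else a description of the miswire."""
    if {link.a.kind, link.b.kind} != {FXO, FXS}:
        return (f"{link.a.device}:{link.a.kind} <-> {link.b.device}:{link.b.kind} "
                f"is miswired (need one FXO and one FXS)")
    return None


def classify_link(link):
    """Name which device acts as the exchange (FXS side) for which (FXO side)."""
    fxs = link.a if link.a.kind == FXS else link.b
    fxo = link.a if fxs is link.b else link.b
    return f"{fxs.device} serves {fxo.device}"


def check_topology(links):
    """Validate every link; return (all_ok, per-link messages)."""
    ok, messages = True, []
    for link in links:
        err = validate_link(link)
        if err:
            ok = False
            messages.append(err)
        else:
            messages.append(classify_link(link))
    return ok, messages


# The three connections from the post, plus one deliberate miswire.
TOPOLOGIES = {
    # 1. Trunk-to-trunk: the analog PABX's FXO (line side) plugs into an FXS on the IP PBX.
    "trunk": [Link(Port(ANALOG, FXO), Port(IPPBX, FXS))],
    # 2. IP PBX as an extension of the analog PABX: an analog extension (FXS) feeds an IP PBX FXO.
    "extension": [Link(Port(ANALOG, FXS), Port(IPPBX, FXO))],
    # 3. Two sites: the PSTN presents an FXS line to the FXO port of each PBX.
    "via_pstn": [Link(Port(ANALOG, FXO), Port(PSTN, FXS)),
                 Link(Port(PSTN, FXS), Port(IPPBX, FXO))],
    # Contrast: two FXO ports facing each other, so neither side ever gets dial tone.
    "miswired": [Link(Port(ANALOG, FXO), Port(IPPBX, FXO))],
}

if __name__ == "__main__":
    for name, links in TOPOLOGIES.items():
        ok, messages = check_topology(links)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for message in messages:
            print("  " + message)
```

Running the module lists each topology with its verdict: the trunk option shows the IP PBX serving the analog PABX, the extension option shows the reverse, the PSTN option shows the network serving both PBXs, and the FXO-to-FXO loop is reported as miswired.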

Good luck trying it out. And contact us if you are interested in trying it.