Archive for September, 2010
Are the compliance police out to get you?
Tuesday, September 28th, 2010
Smart tips to help you remain compliant and out of trouble!
By guest blogger Melanie Gillespie, SAIC
How do you keep from getting in trouble with the “compliance police?”
Whether you are in the private sector or a government agency, you know compliance is everything! Depending on your program or organization, you may have to abide by the Capability Maturity Model Integration (CMMI), the Information Technology Infrastructure Library (ITIL), standards from the National Institute of Standards and Technology (NIST), government orders, laws and regulations, and specific agency policies. The list goes on and on and on…and on. Remaining in compliance is worrisome for many…maybe even you. So, how do you keep from getting in trouble? How do you know whether you should be worried? The easiest thing to remember when it comes to compliance is simply: I-CAN-DO-IT!
I – Incorporate
Trying to add compliance after the fact or as an afterthought is harder than understanding the rules and applying them from the beginning in the way you work. Every group has some sort of “compliance” expected of it – whether it is laws and regulations, self-improvement or best practices. If your group has certain procedures in place, find out what they are, why they are there, and how they relate to you and your job. For example, if compliance means “perform a business case for all new work,” then the normal procedure for starting any new work is a business case, and it becomes part of the normal way you do business. It also becomes second nature and you never have to worry about the “compliance police” coming after you. If they do, you have done what you are supposed to.
C – Communicate
Communicate with the governing bodies – let them know when you are doing something new and what impacts it may have on existing procedures or if you need new ones. Don’t try to sweep it under the rug – “If they don’t know, then I will not get caught, right?” – Wrong! It is not worth the chance. Besides, most governing bodies will work with you if you give them plenty of time upfront. They can also let you know if something is coming and give you time to adjust if needed. Having open communication with any governing groups will just make life easier all around.
A – Ask questions
Ignorance is no excuse, so if you are unsure, ask. Spending a little time to ensure you know what the rules are and what is expected of you will save you time and money later. Often regulations and laws are written as guidelines, and the specifics of how best to comply with the intent of the rule or law are left up to you to determine. The more you know, the more you will be in compliance without breaking the bank or your back trying to comply with some outrageous interpretation. Remember, just because it worked well for someone else doesn’t always mean it will work the same way for you. Occasionally, it makes sense to use someone else’s plan, in which case you have saved yourself time and energy. However, be sure it makes sense for your work environment. If not, figure out why not and what you need to do to be in compliance and still work effectively.
N – kNow the rules (I know, it’s a “k” not an “n” but it sounds the same! )
Spend a little time researching what the rules are that apply to your work. Check with your security group as well as the Enterprise Architecture (EA) Group – they can usually direct you to any standards or policies that may influence your work. Check with management and see what they know or think may come down the line. Being aware of what compliance means to your group is the first step in being in compliance.
D – Document, document, document!
Explain and record why you are doing what you are doing. If someone asks later, you have documentation that can support what you have done to date. Without this documentation, it is just your word and you have no defense. It also shows you were thinking about what you were doing and not hiding anything. Set up some standard procedures for your group, so everyone does “it” the same way, and explain why these procedures are important. Procedures help document the best way to perform the work and still be in compliance with all the rules and policies. If a procedure is cumbersome, then look at how it can be improved and still be in compliance. Working together with your team to identify the best scenario for your group will keep everyone out of trouble with the “compliance police”! (And be sure to follow these procedures once they are in place!)
O – Ongoing
You can’t go through the effort of being in compliance just once. Policies change, laws change, and so do the systems and work you are doing. That means you have to review what you have done, review the existing laws, policies, etc., and see if there is anything new or different from the last time you looked.
IT – Information Technology
Make use of any information technologies that can help keep track of all the rules and regulations you have to be compliant with. They change, so managing the rules and the impact of those changes will save you headaches later on.
Sounds like a lot?
This may sound like a lot, but it really isn’t. If you know what the rules are and can incorporate them in your daily work, then compliance is easy. The first step is to know what compliance means to you. Remember, most rules are there for a reason. The next step is finding ways of incorporating these reasons into your work environment – build it into your systems and procedures as a way of doing business every day. Then you don’t have any worries from the dreaded “compliance police.” Just remember, I CAN DO IT!
You can ask it!
Now, it’s your turn. Have you used any of these tips to help comply with the rules and regulations of your organization? Are there any I left out? How has remaining compliant helped you and/or your organization to meet its bottom line or mission? Feel free to add your comments or post your questions. You can ask it!
Tags: CMMI, compliance, enterprise architecture, federal, GAO, governance, Government, guidelines, IG, ITIL, Melanie Gillespie, NIST, regulation, SAIC
Posted in Corporate, Government, Risk Management, Uncategorized | 7 Comments »
Is Enterprise Architecture the Scariest Thing Since High School Calculus?
Monday, September 20th, 2010
By Mohammed Dolafi, e-Management
Here’s a Washington D.C. insider observation: People shut down the moment they hear the term “enterprise architecture” (EA). I am totally serious. Perhaps it’s because enterprise architecture sounds like a course in high school you’ve been dreading to take. For some, EA is the scariest thing since Calculus. (Well, maybe I am overstating.) But why is EA so creepy to so many people? Well, it may have something to do with the fact that many simply don’t get it. So, here’s a crash course on enterprise architecture. Don’t worry. It’s an easy “A.”
EA 101: Enterprise Architecture is about Progression
Simply put, enterprise architecture provides government agencies with structure for performance, business, data, application, technology, and security so they can manage operations effectively. Enterprise architecture provides vision, goals, resources, policies, standards, and governance. It can also be a roadmap for modernization, stakeholder viewpoints, and models for business, information, systems, and infrastructure. Plus, EA consists of strategies, methods, processes, and rules. EA also offers an enterprise-wide knowledge base to ensure “picture perfect” business transformation. And what government agency doesn’t need that?
EA 201: It’s the Law!
The Clinger-Cohen Act is a 1996 United States federal law designed to improve the way the federal government acquires, uses, and disposes of information technology (IT). The law supplements information resources management policies by establishing a comprehensive approach for executive agencies to improve the acquisition and management of their information resources. Clinger-Cohen mandates the establishment of an enterprise architecture across all federal agencies.
EA 301: What’s It Good For?
In practical terms, EA is really good stuff. For instance, EA assists leadership in making informed decisions and aligning IT with mission and strategic goals. Plus, EA improves agency performance through measurement and metrics tied to an agency’s mission and goals. It allows you to assess and mitigate risks, focusing on strategic, tactical, compliance, and reporting objectives at different levels of the organizational structure.
With EA, you can also:
- Effectively manage any change across the agency;
- Eliminate unnecessary duplications and redundancies;
- Manage IT investments wisely through integration of EA processes with portfolio management and CPIC processes;
- Provide accurate, current, relevant, and reliable reports for analysis and decision-making through improved data quality; and
- Promote information sharing and reusability of common objects across the enterprise.
EA 404: What You Need for Success
The key components of successful EA development, implementation, use, and maintenance include the program, governance, framework, and methodology. The following EA components provide a roadmap for success.
EA Program
An officially chartered EA program is required to manage EA activities toward effective and seamless achievement of an agency’s mission and strategic goals, and to support continuity of operations. This happens by focusing on the main business drivers, including citizen and partner needs, changing business conditions, emerging technologies, legislation, and agency missions; taking the agency strategy as input, architecting the enterprise, investing wisely, and allocating resources accordingly through program management plans; and implementing through execution of those program management plans.
Enterprise architecture isn’t rocket science. Instead, it provides our government with structure.
EA Governance
Governance is a discipline that provides a structure for consistent management, cohesive policies, and interrelated processes to facilitate decision-making for all areas of responsibility across the agency. Normally, agencies formally establish one or more chartered enterprise-wide governance bodies, along with the necessary processes, to oversee the EA program activities, ensuring successful and effective business transformation toward an agency’s missions.
Popular EA Frameworks
The Zachman framework, created by John Zachman, one of the EA pioneers, is the most complete architecture framework. However, developing an architecture with it takes a lot of time, so most federal agencies do not use this framework. On the other hand, the DoDAF (DoD Architecture Framework) is an architecture framework that is used by all military agencies. You may also consider the FEAF (Federal Enterprise Architecture Framework); most federal civilian agencies use this framework as a foundation for their customized frameworks. (Reference: A Practical Guide to Federal Enterprise Architecture, Chief Information Officer Council, Version 1.0, February 2001.) No discussion of EA frameworks is complete without the FEA Reference Models, a set of interrelated “reference models” designed to facilitate cross-agency analysis and the identification of duplicative investments, gaps, and opportunities for collaboration within and across agencies. And then there is TOGAF (The Open Group Architecture Framework), which enables agencies to design, evaluate, and build the right architecture for their organization.
EA Methodology
The methodology is an essential element for successful development, implementation, use, and maintenance of EA. The EA team develops the As-Is and To-Be architecture layers (strategic, business, data/information, application/service, technology, and security architecture) using frameworks and standards provided by the Office of Management and Budget (OMB), the Government Accountability Office (GAO), and other accredited resources. The team then identifies the agency’s As-Is and To-Be capabilities using the EA products. Next, the team performs a gap analysis to identify capability gaps. Following the gap analysis, the team should prioritize capability gaps, identify findings, and categorize risks and opportunities. After that, the team should prepare a list of recommendations that addresses short-term, mid-term, and long-term initiatives. The EA team is now ready to propose a multi-year transition plan along with a transition strategy based on best practices. Keep in mind, the transition plan is executed only upon approval by the chief information officer (CIO) and the IT Investment Review Board.
The Final Exam: So, What Have We Learned?
Without EA, federal agencies do not have enough information to make informed decisions regarding IT investments, allocation of resources, planning, and timely execution of plans for implementation and deployment of enterprise assets. Lack of an effective EA program and governance can have significant negative impacts on agencies’ business modernization toward their missions and goals.
You’ve Got Questions?
Do you have any unanswered questions around EA? How successful have EA initiatives been at your agency? Are there any successes you would like to share? Feel free to share this blog article with your colleagues. I look forward to reading and responding to your questions and comments.
Tags: CIO, Clinger-Cohen Act of 1996, continuous risk management, CPIC, DoDAF, enterprise architecture, FEAF, federal, GAO, governance, Government, information technology, Mohammed Dolafi, OMB, performance, portfolio management, TOGAF
Posted in Uncategorized | 9 Comments »