How to leverage Enterprise Architecture in a regulated environment
leanIX_net
47 slides
Nov 29, 2018
About This Presentation
In his presentation at EA Connect Days 2018 in Bonn, Andreas Weinberger, Head of IT & Head of IT Governance Committee at Bank Donner & Reuschel, explored how Enterprise Architecture can be used to support business departments in dealing with regulations regarding information and information technology. It helps in generating a common understanding and providing a central pool of information. As a means of communication it also enhances the learning process and capturing of new information. He also demonstrated a way of working with LeanIX in regard to regulations like GDPR and BAIT/VAIT (COBIT).
Size: 53.8 MB
Language: en
Added: Nov 29, 2018
Slides: 47 pages
Slide Content
How to leverage EA in a regulated environment Andreas Weinberger @ leanIX EA Connect Day 2018, Bonn
Abstract
EA can be used to support business departments in dealing with regulations regarding information and information technology. It helps in generating a common understanding and providing a central pool of information. As a means of communication it also enhances the learning process and the capturing of new information. We will demonstrate a way of working with leanIX in regard to regulations like GDPR and BAIT/VAIT (COBIT).
Enterprise Architecture @ regulated environment
rules suck
some confessions
Rules:
- D&R internal ruleset and CI Guide
- leanIX spoken as ˈliːn ˈaɪ-ˈɛks
- leanIX Logo, Format and Timescale
- Picture attribution (Tux: [email protected] Larry Ewing and The GIMP)
Suck (i.e. ignored):
- ignored Slide Master, took screenshot from website
- no Logo, wrong Font, no Color-Scheme
- Generation X, born in 4:3
- no watching the watch
- just stole Tux from Wikipedia and the pictures from my brother's Flickr
EA in regulated environments (agenda)
- Regulated industries
- Regulated areas
- D&R @ SI: IT governance professional in multiple roles
- Regulations: GDPR, BAIT/VAIT (COBIT)
- A way of working
- Working examples
- Lessons learned
- Tools for the trade
regulated industries
- Health
- Food
- Energy
- Mobility
- Finance (Banks & Insurances & ...)
- ...
- Information technology > nearly everyone and everything (GDPR)
regulated areas (just examples)
- (IT) Governance
- Compliance
- Risk Management
- General Management
- IT Management
- Information Security
- Data Protection
- Cybersecurity
- …
Donner & Reuschel as a regulated entity
- a small bank as part of an insurance group
- residing in the European countries Germany and Luxembourg, headquarters in Hamburg and Munich
- doing business worldwide in a broad range of financial services
- internal IT as service provider for integration
- outsourced IT (multi-sourcing)
2 views
- Head of IT: internal IT department, provider management
- Head of IT Governance committee: internal IT governance unit (CIO Office)
Regulations
GDPR data processor Processes
GDPR
- Process driven approach
- Application driven approach
- Enable scoping by tagging GDPR relevant factsheets
- Use GDPR outcome in portfolio management
APQC‘s Process Classification Framework
Demo-Space: BIAN
Demo-Space: BIAN Service Landscape
BAIT
Mapping COBIT to BAIT
Demo-Space: COBIT Processes
from lists to connected information
list based:
- List of relevant core applications in the yearly report
- List of applications within a license management review
- List of all applications within scope of the cloud project
leanIX based:
- Fixed lists can be built with project factsheets
- + each item within such a list is visibly marked with this list membership
- + the connection can contain additional information
- Reports can be generated as needed by filtering
information flow: IT department > Users > Governance stakeholders > Audit & Regulators
Rule based application portfolio management
extract information from text
Existing descriptions and documentation often contain a lot of information and hints. Use these hints to ask questions. In this case (on the left) we found:
- Tag for user management missing
- Link to Excel missing
- Link to Reuters missing
- Tag for license management missing
- Unknown software „BLP“
Show them how to put structured information into fields and tags.
finding wrong lifecycle information
finding missing user-management
We have a special tag „Nur Zugang“ („access only“) for all applications (mostly web based) where we do not provide any client software or client-server infrastructure. Our tag group „Rechteverwaltung“ („rights management“) shows us what technical type of user management an application has (Active Directory, own database, ...); „nicht angegeben“ means „not specified“. So a cross check of these two tags always shows us where information may be missing.
cross check – mode of operations
- Application owners: tag group „operations mode“ (internal / mixed / outsourced)
- System owners: VPN, certificates, client dependencies, ...
- System owners: integration, data transport, ...
initiate and document governance checks
Project factsheets are very useful for keeping track of actions like completeness checks. This enables the ad hoc collection of unstructured data (descriptive text within the connection) as well as generating structured data (the connection itself) in the same action. They can also be used as a criterion for filters!
Cross reference information
- Use project factsheets for detailed topics (in this example the browser strategy)
- Link them to the relevant elements (in this example all the browsers, not in the screenshot)
- Link them to applications with known issues and describe the issue within the connection
Find strange combinations
Tag group „IDV“ marks „EUC – end user computing“; „Fremdentwicklung“ means „developed by another company“. An application carrying both tags > time to ask some questions.
Being a ledger is not easy
We had regulatory tags for all sorts of regulation, but we had no tag for ledgers, and our data modeling was not complete. In planning a move to the cloud we found out that we first have to get permission to move a ledger.
... and much more
- Inconsistencies in filtered lists (application „not GDPR relevant“ but connected to data object „customer“)
- check the timelines over and over
- cross reference lift & shift against finding self-contained clusters
- watch for keywords (customer > GDPR)
Complexity of office communications
lessons learned
- find & involve all stakeholders
- be aware of different perspectives
- be aware of different maturity levels
- ask questions
- check data
- check timelines
- cross check with available documentation
- validate your models
- don't overthink, learn by doing, try things
Toolbox for IT governance and management
- Process management system
- EAM system
- ISMS system > or something light
- Ticket system
- Workflow system
- User management system
- Contract management
- ...
ISMS light
Two sets of factsheets containing the CIA triad (confidentiality, integrity and availability) plus non-repudiation:
- one set for the information owners to define their need of protection
- the other set for IT and providers to define the level of protection provided
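The cross-checks on the preceding slides (access-only applications whose rights management is „nicht angegeben“, applications tagged „not GDPR relevant“ but linked to the data object „customer“, the IDV + Fremdentwicklung combination, keyword hints in free text, and the ISMS light comparison of need of protection against level of protection) are all rule evaluations over an inventory export. The script below is an added example of how to encode them; it is not code from the slides and not LeanIX's API or data model. The record layout, the tag group names, the ordinal scale for protection levels and the SAMPLE inventory are assumptions constructed for the example.

```python
"""Rule-based cross-checks over an application inventory.

Added example for the cross-checks described on the slides; not code from
the slides and not LeanIX's API or data model. Record layout, tag names and
the ordinal protection scale are assumptions; SAMPLE is constructed data.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 0, "medium": 1, "high": 2}          # assumed ordinal scale
CIA_N = ("confidentiality", "integrity", "availability", "non_repudiation")


@dataclass
class App:
    name: str
    description: str = ""
    tags: dict = field(default_factory=dict)        # tag group -> value
    data_objects: set = field(default_factory=set)  # linked data objects
    need: dict = field(default_factory=dict)        # information owner view
    level: dict = field(default_factory=dict)       # IT / provider view


def check_user_management(app):
    """'Nur Zugang' (access only) apps still need a known rights-management type."""
    rights = app.tags.get("Rechteverwaltung", "nicht angegeben")
    if app.tags.get("Nur Zugang") and rights == "nicht angegeben":
        return "access-only application without user-management type"
    return None


def check_gdpr_scope(app):
    """An app linked to customer data cannot be tagged 'not GDPR relevant'."""
    if "customer" in app.data_objects and app.tags.get("GDPR") == "not relevant":
        return "linked to data object 'customer' but tagged 'not GDPR relevant'"
    return None


def check_euc_external(app):
    """End-user computing (IDV) developed by another company is a strange combination."""
    if app.tags.get("IDV") and app.tags.get("Fremdentwicklung"):
        return "IDV application marked as developed by another company"
    return None


# keyword in description -> tag group that should then be present (assumed mapping)
KEYWORDS = {"kunde": "GDPR", "customer": "GDPR", "excel": "IDV", "reuters": "Interface"}


def check_keywords(app):
    """Free-text descriptions often hint at tags or links that were never captured."""
    text = app.description.lower()
    missing = sorted({tag for kw, tag in KEYWORDS.items() if kw in text and tag not in app.tags})
    return f"description hints at untagged topics: {', '.join(missing)}" if missing else None


def check_protection(app):
    """ISMS light: the level of protection provided must meet the owner's stated need."""
    gaps = [c for c in CIA_N
            if LEVELS.get(app.level.get(c), -1) < LEVELS.get(app.need.get(c), -1)]
    return f"protection gap in {', '.join(gaps)}" if gaps else None


RULES = [check_user_management, check_gdpr_scope, check_euc_external,
         check_keywords, check_protection]


def run_checks(apps):
    """Return {app name: [findings]} for every app that violates at least one rule."""
    findings = {}
    for app in apps:
        hits = [f"{rule.__name__}: {msg}" for rule in RULES if (msg := rule(app))]
        if hits:
            findings[app.name] = hits
    return findings


# Constructed sample inventory (not real Donner & Reuschel data).
SAMPLE = [
    App("Portal", "Web portal for Kunde self-service",
        tags={"Nur Zugang": True}),
    App("CRM", "Customer relationship management",
        tags={"GDPR": "not relevant", "Rechteverwaltung": "Active Directory"},
        data_objects={"customer"},
        need={"confidentiality": "high"}, level={"confidentiality": "medium"}),
    App("Reporting", "Monthly Excel reporting fed from Reuters",
        tags={"IDV": True, "Fremdentwicklung": True, "Rechteverwaltung": "own database"}),
    App("Ledger", "Core ledger",
        tags={"GDPR": "relevant", "Rechteverwaltung": "Active Directory", "Ledger": True},
        data_objects={"customer"},
        need={c: "high" for c in CIA_N}, level={c: "high" for c in CIA_N}),
]

if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Each rule returns a message or None, so new cross-checks (a ledger tag, timeline sanity, lift & shift clusters) are added by appending a function to RULES; the clean "Ledger" record shows that a complete, consistent factsheet produces no finding.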
Mapping
leanIX               | Material                      | COBIT (BAIT/VAIT)     | GDPR
Business Capability  | Poster, Demo-Space (BIAN)     | APO08                 | finding & marking relevant capabilities
Process              | Demo-Space (COBIT & ITIL)     | Enabler: Processes    | finding & marking relevant processes
User Group           |                               | Enabler: OrgStructures| responsibility & information owners
Project              | Demo-Space (ISMS light)       | APO05, BAI01          | impact
Application          |                               | Enabler: Services     | processing and interaction
Interface            |                               | BAI10                 | pathway for data
Data Object          | BIAN                          | Enabler: Information  | tagging and filtering
IT Component         | Technopedia                   | BAI09                 | „contaminated“
Provider             |                               | APO10                 | processor
Technical Stack      | Poster, Demo-Space            | APO04                 | tagging and filtering
Export ready