1 ITIL seminar for managers and senior engineers at ITS -IT governance, IT internal control, ITIL and IT services- Nov. 24. 2010 JICA Expert Go Ota


Page 1

ITIL seminar for managers and senior engineers at ITS

- IT governance, IT internal control, ITIL and IT services -

Nov. 24, 2010  JICA Expert Go Ota

Page 2

Agenda

Part 0. Introduction

Part 1. General idea of IT governance and service
1-1. Overview of internal control and IT support
1-2. IT governance
1-3. Risk management
1-4. ITAC: IT application control and application development
1-5. Availability management and service continuity management
1-6. Protection of information assets (information security management)
1-7. IT services and operation

Part 2. Recommendation and discussion
2-1. Roadmap and main activities
2-2. ITS structure and capacity development (HRD)

Page 3

0. Introduction

Page 4

What do users want? What do users see?

What are the tasks of IT engineers?

Page 5

Paradigm changes for ITS (from -> to)

Technology oriented -> User-needs oriented

Focusing on infrastructure -> Focusing on applications

Activities within ITS -> Activities across USP

Showing performance -> Showing ROI

Expand and extend -> Effectiveness and efficiency

Ad hoc activities -> Cycle of activities

Recording data -> Utilizing data

Page 6

Objectives of ITS: Customer Satisfaction (CS)
•CS is a measure of how products and services supplied by a company meet or surpass customer expectation. It is seen as a key performance indicator within business.
•In a competitive marketplace where businesses compete for customers, customer satisfaction is seen as a key differentiator and increasingly has become a key element of business strategy. (Wikipedia)

Not a direct objective, but: because ITS achieves CS, ITS should keep appropriate resources and structure. How does ITS keep them?

Page 7

Important ideas of ITIL

•Small actions and quick wins
- Don't think of applying all of ITIL at once.
- Start small activities and get good results soon.
•CSIP: Continual Service Improvement Programme
- ITIL doesn't provide fixed procedures and methods; IT engineers should develop appropriate methods for their own situation.
- Find problems and improve every time.
- Visualize processes and results, record data and show evidence.
•Proactive
- Prepare before problems and/or trouble happen.

KPI: a KPI should include how it is measured and how it shows the difference before and after.

Page 8

Presenting and Communicating (CISA IS Audit)

Considerations for communication and presentation to executives
•Understandable for executives: because they usually do not know IT technology, do not use technical terms.
•Findings and recommendations should be made from the viewpoint of the business.
•Short documentation: executives do not have time to read thick documents.
•Show objective evidence: executives prefer quantitative information to qualitative information.

Page 9

Overview of Project Management

PMBOK knowledge areas
1. Project Integration Management
2. Project Scope Management
3. Project Time Management
4. Project Cost Management
5. Project Quality Management
6. Project Human Resources Management
7. Project Communications Management
8. Project Risk Management
9. Project Procurement Management

Project management triangle: Resources, Performance, Time

Page 10

Part 1.

General Idea of IT governance and service

1-1. Overview of Internal control and IT supports

Page 11

Why is an IS audit needed? Social background
Information systems have become a main function of business:
•Supporting business activity
•Keeping business information
•Main interface to customers

Innovation in ICT has given information systems a major role in business.

Problems of business management
•IT systems inappropriate to the business strategy
•Big investment in IT systems with unclear ROI

Problems of security / risk management
•Computer viruses / unauthorized access
•System trouble and disaster recovery (backup)

Effective and efficient internal management and operation of information systems is needed.

Independent information system audit

Page 12

Why is an IS audit needed? Legal background (1)

After major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom, the United States enacted on July 30, 2002 a federal law titled the 'Public Company Accounting Reform and Investor Protection Act' in the Senate and the 'Corporate and Auditing Accountability and Responsibility Act' in the House, commonly called Sarbanes–Oxley, Sarbox or SOX.
•Directs the SEC to enact rules protecting shareholders and the economy
•Honesty in financial reporting
•Responsibility at the top
•Demonstrating compliance by audits

The most contentious aspect of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting.

Internal control now depends on information systems, so evaluating internal control requires an audit of the information systems.

Page 13

Why is an IS audit needed? Legal background (2)

[Diagram: audit structure before and after SOX]
Before SOX: the company auditor performs a financial audit of the financial statements (results) and issues a financial audit report; internal control stands behind the statements but is not itself reported on.
Under SOX: an integrated audit combines the financial audit of the financial statements (results) with an internal control audit of the operation (process). Management issues an internal control statement; the auditor issues both a financial audit report and an internal control audit report.

The operation (process) audit supports assurance of the financial statements:
•Effectiveness and efficiency of operations
•Assurance of the financial statements
•Compliance with laws

Page 14

IT internal control: IT control

ITGC: IT general controls (over the IT infrastructure: network, servers, PCs, ... and over development and operation)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITCLC: IT company-level controls
•IT governance / policy
•IT risk management
•Training
•Quality assurance
•IT internal audit

ITAC: IT application controls (over application systems such as the accounting system, the sales system, ...), ensuring processing is complete and accurate
•Input data control
•Process control
•Output control

Page 15

Definitions of error, failure and risk in testing and control

Bug / Defect / Fault: a flaw in a component or system that can cause it to fail to perform its required function

Human error: a human action that produces an incorrect result

Failure: deviation of the component or system from its expected delivery, service or result

Risk: a factor that could result in future negative consequences; usually expressed as impact and likelihood

Factors: malice; change of environment (disaster, new standard)

[Diagram: bugs remaining after testing, operation errors, crime and system breaks appear and/or occur as risks; a risk that materializes becomes a failure; risk management and control aim to prevent failure]

Page 16

Where did ITIL come from? Problems of current IT systems and operation
* IT systems became the core of business and social activities, and at the same time became bigger and more complicated.
* The cost of IT is not clear; sometimes investment in IT development and operation does not realize user needs.

ITIL (Information Technology Infrastructure Library) is a collection of good practices and knowledge/skills for the operation of infrastructure, and realizes:
- Stable and high-quality operation of IT infrastructure
- Clear indicators of ROI (Return on Investment) for IT operation

Page 17

2. New frameworks of IT services

[Diagram: frameworks arranged by activity level, from planning and strategy down to service delivery and operation]
•COBIT: internal control and IT governance (ITAC, ITGC, ITCLC)
•Val IT: IT investment and governance
•COSO: internal control
•ISACA/CISA: IS audit
•ISO 9000: quality management
•ISO 27000: security
•ITIL V2 and ITIL V3 (ISO 20000): service delivery and operation
•CMMI

Page 18

Related important laws, regulations and guidelines

No | Laws, regulations and guidelines | Usefulness
1 | Information Technology Infrastructure Library (ITIL), ISO/IEC 20000 | XXX
2 | The Control Objectives for Information and related Technology (COBIT) by ISACA | XXX
3 | ISO/IEC 27002: Information technology - Security techniques - Code of practice for information security management | XXX
4 | CMMI (Capability Maturity Model Integration) | XX
5 | ISO 9001 Quality management systems | XX
6 | Standards, Guidelines, and Tools and Techniques for Audit/Assurance and Control Professionals by ISACA | XX
7 | Public Company Accounting Reform and Investor Protection Act of 2002 (SOX) | X
8 | Val IT by the IT Governance Institute (ITGI) | X
9 | COSO (The Committee of Sponsoring Organizations of the Treadway Commission) control framework | X
10 | ISO/IEC 9126 and ISO/IEC 25000 Software engineering - Product quality, international standards for the evaluation of software quality | X

Page 19

Overview of ITIL Ver. 3.0

•Service Strategy: link IT service strategies to customer value
•Service Design: design services to satisfy business objectives
•Service Transition: implement service designs; service knowledge management system; refinement of change, configuration and release processes
•Service Operation: deliver and manage services; refinement of incident and problem management processes; event and access management
•Continual Service Improvement: never-ending review for opportunities


Page 21

Processes of ITIL (1)

No | Processes and functions | V2 | Situation*1

Service Strategy
01 | Financial Management | X | **
02 | Service Portfolio Management | |
03 | Demand Management | |

Service Design
04 | Service Catalog Management | |
05 | Service Level Management | X |
06 | Capacity Management | X |
07 | Availability Management | X |
08 | Service Continuity Management | X |
09 | Information Security Management | |
10 | Supplier Management | |

Service Transition
11 | Transition Planning and Support | |
12 | Change Management | X |
13 | Service Asset and Configuration Management | X |
14 | Release and Deployment Management | X |
15 | Service Validation and Testing | |
16 | Evaluation | |
17 | Knowledge Management | |

*1 Situation: evaluation by Mr. Ota based on a small survey: * very weak or none, ** weak, *** fair, **** good, ***** very good

Page 22

Processes of ITIL (2)

No | Processes and functions | V2 | Situation*1

Service Operation
18 | Event Management | |
19 | Incident Management | X |
20 | Request Fulfillment | |
21 | Problem Management | X |
22 | Access Management | |
23 | Monitoring and Control | |
24 | IT Operation | |
25 | Service Desk (function) | X |
26 | Technical Management (function) | |
27 | IT Operations Management (function) | |
28 | Applications Management (function) | |

Continual Service Improvement
29 | Improvement Process | |
30 | Service Reporting | |

Page 23

IT governance / services flow and cycle (COBIT)

[Diagram: business objectives -> governance objectives -> the four COBIT domains in a cycle: Planning and Organization (PO), Acquisition and Implementation (AI), Delivery and Support (DS), Monitoring (M). Information criteria: effectiveness, efficiency, confidentiality, integrity, compliance, reliability. IT resources: people, application systems, technology, facilities, data.]

PO1 Define a strategic IT plan; PO2 Define the information architecture; PO3 Determine the technological direction; PO4 Define the IT processes; ...

AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Enable operation and use; AI5 Procure IT resources; AI6 Manage ...

DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify and allocate costs; ...

M1 Monitor and evaluate IT performance; M2 Monitor and evaluate internal control; ...

Page 24

IT Governance Focus Area: (ITGI)Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

• Providing strategic direction

• Ensuring that objectives are achieved

• Ascertaining that risks are managed appropriately

• Verifying that the enterprise’s resources are used responsibly

Page 25

IT Governance Focus Area: (ITGI)

Strategic alignment

Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations

Value delivery Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT

Resource management

Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Risk management

Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organization

Performance measurement

Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting

Page 26

What is internal control? Internal control model by COSO

[Diagram: the COSO cube. Components (rows): control environment, risk management, control activity, information and communication, monitoring, with IT control cutting across all of them. Objectives (columns): operations, reporting, compliance. Organization (depth): enterprise level, division or subsidiary, business unit. Activities follow the cycle objective -> risk -> control; reporting covers the financial statements.]

Page 27

Activities of internal control

Control environment: the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control.

Risk management: the identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.

Control activity: the policies and procedures that help ensure management directives are carried out. Consists of two aspects: the policy of what should be, and the procedures to accomplish the policy.

Information and communication: supports the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Monitoring: assesses the quality of internal control performance over time.

IT control: a procedure or policy that provides reasonable assurance that the information technology (IT) used by an organization

Page 28

1-2. IT Governance

Page 29

Concept of IT Governance: Definition & Summary

Definition
•IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. (COBIT 4.1)
•[IT governance] consists of the leadership, organizational structures and processes that ensure that the enterprise's information technology sustains and extends the organization's strategies and objectives. (IIA International Professional Practices Framework)

Summary

a) Leadership and Clear Business Ownership

b) Aligned Business-Relevant Measures

c) Complete and Accurate Inventories

d) Linking Technical and Business Risk

Page 30

Organization of a steering committee for IT governance

[Organization chart: Board of Directors -> CEO office / executive chairperson -> departments (Marketing, Sales, Legal, R&D, IT, Admin., Production, Finance, QC, HR); the IT strategy / steering committee reports to the board and executive management]

IT Strategy Committee
•Advises the board and management on IT strategy
•Is delegated by the board to provide input to the strategy and prepare its approval
•Focuses on current and future strategic IT issues

IT Steering Committee
•Decides the overall level of IT spending and how costs will be allocated
•Assists executives in the delivery of the IT strategy
•Oversees day-to-day management of IT service delivery and IT projects
•Focuses on implementation

Page 31

Concept of IT governance: Balanced Scorecard

The core characteristic of the Balanced Scorecard and its derivatives is the presentation of a mixture of financial and non-financial as well as leading and lagging measures, each compared to a 'target' value, within a single concise report.

Example (an airline). Columns: Strategic target | Measuring method | Target | Action plan | Person in charge (the last two columns are left blank on the slide)

Financial
Improvement in profitability | Net profit | 20% rise
Expansion of the customer base | Sales growth rate | 30% rise
Fewer aircraft | Lease cost | 20% down

Customer orientation
Expansion of customer loyalty | Repeat-customer ratio | 90% or more
Expansion of customer loyalty | Customer growth rate | 30% rise
Keeping departure times | On-time departures | 90% or more
Keeping departure times | Average delay time | Less than 10 minutes

Business process
Keeping the schedule | Flight cancellation ratio | 0%
Keeping the schedule | Customer complaints (number of cases) | Zero per month

Learning and growth
Improvement of training | Training cost | 10% of sales
Improvement of training | Training time | 10% rise

Page 32

Concept of IT governance: Balanced Scorecard, example of objectives and metrics (a general balanced scorecard, not IT-specific)

Viewpoint | Objective | Example metric

Financial
Financial | Business / IT alignment | Operational budget approval
Financial | Value delivery | Business unit performance
Financial | Risk management | Results of internal audits

Customer orientation
Customer orientation | Customer satisfaction | Business unit survey ratings
Customer orientation | Competitive costs | Attainment of unit cost targets

Business process
Business process | Development process | Function point measures
Business process | Operational process | Change management effectiveness
Business process | Process maturity | Level of IT processes
Business process | Enterprise architecture | State of the infrastructure assessment

Learning and growth
Learning and growth | Human resource management | Staff turnover
Learning and growth | Employee satisfaction | Satisfaction survey scores
Learning and growth | Knowledge management | Implementation of lessons learned

Page 33

Concept of IT governance:

a) Clear business ownership and direction: alignment of business and IT objectives (COBIT 4.1 'Framework')

Example: objectives of a company

Category of objective | Company A
Enterprise strategy | Rapid global expansion
Business goals for IT | Sacrifice standards for speed
IT goals | Buy locally what works
Architecture for IT and activities | Minimal
IT scorecard | Number of branches supported

Page 34

Concept of IT governance:

c) Complete and accurate inventories
•IT-dependent business processes
•Data repositories and information flows
•IT infrastructure
•IT resources and processes

Example: information flow of sales

Category of objective | Information flows
Enterprise strategy | Influence trade customers
Business goals for IT | "Right information, right place, right time" for sales
IT goals | Effectively combine product profitability, share and store data
Architecture for IT and activities | Laptops in shopping carts; efficient (cheap) communications
IT scorecard | Solution cost efficiency; sales representative satisfaction

Page 35

Service Level Agreement

A service level agreement (frequently abbreviated as SLA) is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance. As an example, internet service providers will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms (typically the SLA will in this case have a technical definition in terms of MTTF, MTTR, various data rates, etc.). When such metrics go into a contract, the SLA must also state the measurement period and the service hours over which availability is computed; otherwise the same outage yields different percentages depending on who measures it.

Example: hardware performance metrics in an SLA

Metric | Measured as
Availability | time (hours, percent)
Maximum downtime (hardware) | hours or percent
Failure frequency (hardware) | number
Response time (hardware) | duration in minutes
Periods of operation | time
Service times | time
Accessibility in case of problems | yes/no
Backup | time
Processor time | seconds
Instructions per second | number per second
Number of workstations | number


Page 37

IT management hierarchy (COBIT)

Domain -> Process -> Activity

Domain: a natural grouping of processes, often matching an organizational domain of responsibility

Process: a series of joined activities with natural control breaks

Activity: actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

Page 38

IT governance: types of planning

Item | Strategic planning | Long-term planning | Operational planning

Time frame | 3 years or more | 1-3 years | 1 year or less

Question | What business are we in? Should we expand or contract? | What are the major business components? What do we concentrate on now? What products and services are planned? | What specific tasks must be done to meet the long-term plan?

Output | General broad statement of what business the company is in | Financial goals; market opportunities; management organization; next review period | Assumptions for the period; changes needing to be made; production times; responsibility; budget

Page 39

Issues and targets of IT governance (1)

Area | Issue | Description

Information security | Information security |
•Institute processes to integrate security with business processes
•Review and assist the security strategy and integration effort
•Ensure that business owners support the integration

Risk management | Risk management |
•Establish risk tolerance
•Ensure regulatory compliance
•Ensure that roles and responsibilities include risk management in all activities

IT strategy | Process improvement and assurance |
•Provide oversight of all assurance functions and plans for improvement and integration
•Identify critical business processes and their assurance
•Direct assurance integration efforts

IT strategy | IT investment and allocation |
•Create a positive control environment by assuming responsibility for formulating, developing, documenting and controlling policies covering general goals and directives

IT strategy | Enterprise architecture |
•Provide oversight of all plans and assurance functions

Page 40

Issues and targets of IT governance (2)

Area | Issue | Description

IT management practice | Human resource management |
•Provide oversight of the strategic plan for hiring and training

IT management practice | Sourcing practice |
•Provide oversight of the strategic plan for sourcing
•Ensure that the risks of outsourcing and the accountability that remains with the organization are understood

IT management practice | Change management |
•Ensure the process and technology for change management

IT management practice | Financial management |
•Provide oversight of the financial plan for IT investment
•Ensure appropriate management of IT investment

IT management practice | Quality management |
•Provide oversight of quality control
•Ensure the state of quality control management (QCM)

IT management practice | IT organization |
•Provide oversight of duties and responsibilities, including segregation of duties

Page 41

1-3. Risk Management

Page 42

General idea of risk assessment (evaluation)

Basic elements of evaluating risks
•Impact, effect
•Probability, likelihood

Very simple risk evaluation table (weighting by impact and probability)

Probability \ Impact | Big | Medium | Small
Often | Fatal | Serious | Serious
Sometimes | Serious | Serious | Minor
Rare | Serious | Minor | Minor

Other (further) assessment methods
•Weighting by dividing into detailed factors. Impact => sensitivity of the function to executive management, materiality. Probability => extent of system or process change, complexity.
•Ranking (one reason why auditors use risk assessment): multiply by the weight of the business impact to make a ranking score. Weights of business impact, for example: financial risk, strategic risk, operational risk and legal compliance.

Page 43

General idea: types of means against risk, and types of control

Types of means against risk

Avoid: stop the activity that gives rise to the risk, because the impact of the risk is very serious

Reduce: appropriate internal controls reduce the impact and probability of the risk

Transfer: other, external means such as insurance reduce the impact of the risk

Accept: the impact of the risk is accepted, because the impact is low or the cost of the means is too expensive

Type | Function | Examples of control

Preventive control
•Prevent errors from happening
•Attempt to predict
•Monitor both operation and inputs
Examples: segregate duties; programmed edit checks; use access control software; suitable procedures for authorization

Detective control
•Find out errors and malicious activity
Examples: hash totals; check points in production jobs; internal audit function; echo controls in telecommunications; reviewing activity logs

Corrective control
•Remedy problems
•Identify causes
•Enhance procedures
•Minimize the impact of a threat
Examples: backup procedures; rerun procedures

Page 44

Concept of IT Governance:

d) Linking technical and business risk
• Risk is the most important factor of business.
• Management needs to be able to compare IT risks with other risks.
• IT governance must do an effective job of translating technical risks into business risks.

| IT risk | Business exposure |
|---------|-------------------|
| Incidents resulting from changes | Disruptions to critical business processes (e.g. order to cash) |
| Input or output error | Compromise of company reputation |
| Information security incidents | Reduced organizational capacity |

Page 45

Example: Summary of a Risk Assessment Document

| No | Category | Risk | Description | Eva. | Control |
|----|----------|------|-------------|------|---------|
| | Covering all payment transactions | Missing invoice by EDI | Invoice by EDI has trouble and is missing | 1 | Checking EDI's invoices by a human |
| | | Error transaction | Error transactions are not reported/detected | 3 | Module for listing out error transactions |
| | Correctness of payment date | Input error | Mistake of input for invoice by FAX | 4 | Cross checking against order transactions |
| | Not including inappropriate data | Cancellation of invoice | Payment of a cancelled invoice | 2 | Procedure for cancellation of invoice |
| | Security of operation | xxx | xxxx | | xxxxx |
| | Integrity of payment data | xxx | xxxx | | xxxxx |
| | No unauthorized DB modification | xxx | xxxx | | xxxxx |

Contents of a risk assessment document
• A description of the risk assessment methodology used
• The identification of significant exposures and the corresponding risks
• The risks and exposures the audit is intended to address
• The audit evidence used to support the IS auditor's assessment of risk

Page 46

Example report: Summary of RCM (Risk and Control Matrix)

| No | Type | Risk | Control and procedure | Audit procedure | Result & comment |
|----|------|------|-----------------------|-----------------|------------------|
| | Covering all payment transactions | Missing invoice by EDI | Sending e-mail when EDI and function to make the list of e-mails | • Program specification • Procedure • Log files • Working record | Good: reviewing the list is not defined in the procedure |
| | | Error transaction | Function for error transactions | • Program specification • Error transaction log • Invoices | Excellent: works well |
| | | | Regulation for correcting error transactions | • Procedure • Working record for correcting errors | Good: needs a more detailed correction method |
| | Correctness of payment date | Input error | Appropriate editing (checking function) | • Program specification • Record of error input • Observation of input activities | Good: some fields need more checking functions |
| | | | Appropriate input form (printed) | • Checking input form • Record of error input • Observation of input activities | Fair: customers sometimes make mistakes |
| | | | Cross checking against order transactions | • Procedure • Program specification | None (very poor) |

Page 47

1-4. ITAC: IT Application Control and Application development

Page 48

Overview of Development Organization

Roles shown on the organization chart:
• Senior Management
• Steering Committee
• Project Sponsor
• User Management
• Project Management / Quality Assurance
• Project Development Project Team
  - Technical Infrastructure Team Leader: Software Support, Hardware Support, Network Support
  - Application/system Analysis, Programmer, Tester
• User Project Team

Page 49

Overview: SDLC (System Development Life Cycle) by ISACA

• P1: Feasibility Study
• P2: Requirement Definition
• P3: Buy or Make
  - Make (Build): P3: System Design, then P4: Development
  - Buy: P3: System Selection, then P4: Configuration
• P5: Implementation
• P6: Post implementation
• P7: Disposal

A review (R) is marked at the end of each phase. The chart also brackets the phases that form the scope of general system development.

Page 50

Overview of SDLC Phases 1 and 2

Phase 1: Feasibility Study
To determine the strategic benefit of a new information system and analyze possible resolutions to realize the needs.
• Define the business case
• Define the objectives with supporting evidence
• List possible resolutions
• Perform a preliminary risk assessment
• Agree upon an initial budget and expected return on investment (ROI)

Phase 2: Requirement Definition
To create a detailed definition of the needs, including inputs, outputs, current environment and proposed interaction.
• Collect specifications (requirements) and supporting evidence.
• Identify which standard (technology) will be implemented for the specifications.
• Create a quality control plan to ensure that the design complies with the specifications.

Page 51

Overview of SDLC Phases 3 and 4

Phase 3: Plan solution and system design / system selection
To plan the solution (strategy), whether to make (build) or buy, based on the objectives from Phase 1 and the specifications from Phase 2.
Case of build
• Make designs such as user requirements, basic design, detail design and operation design (start of the development process)
Case of buy
• Make an RFP (Request for Proposal) to select the best vendor and product based on the specifications from Phase 2.
• Conduct bidding to select the vendor and product.

Phase 4: Development and configuration
Case of build
• Making programs and conducting testing
Case of buy
• Customization is typically limited to program configuration settings with a limited number of customized reports.

Page 52

Overview of SDLC Phases 5, 6 and 7

Phase 5: Implementation
To install the new system; final user acceptance testing (mainly function testing) begins. The system undergoes a process of final certification and approval.

Phase 6: Post implementation
After the system has been in production use, it is reviewed for effectiveness in fulfilling the original objectives.
• Compare performance metrics to the original objectives.
• Re-review the specifications and requirements annually.
• Implement requests for new requirements, updates or disposal.

Phase 7: Disposal
The final phase is the proper disposal of equipment and purging of data.

Page 53

Reason 2: Gap between customer and developer

Customer's satisfaction as evaluated by the developer, versus customer's satisfaction as evaluated by the customer.

Principle 7: Absence-of-errors fallacy

Verification tests whether the system and/or software meets the expressed requirements, such as specifications.
Validation tests whether the system and/or software meets the true user's needs and requirements.

Page 54

Real time line of the V-model

Each development phase on the left of the V is paired with the test level on the right that verifies it:
• User Requirements -> Acceptance Test
• System Requirements -> System Test
• Global (Basic) Design -> Integration Test
• Detail Design -> Component Test
• Programming

Project phase (time) runs from left to right. Each "Preparation & Test" arrow means:
• Plan and design the following test based on the specification, including the requirements set
• Test the specification, including the requirements set

Note: Global Design = External Design, Detail Design = Internal Design by FE

Page 55

Risk of Operation of Information System

Even if the system of ABC Company doesn't have bugs, there are many risks and failures.

Diagram: ABC Company's e-commerce system and e-commerce DB, with customers, an operator, a criminal, and partner companies (123 Company, XYZ Company). Risks shown:
• Mistake of input (customer)
• Customer error transactions
• Illegal access (criminal)
• Mistake of updating master data (operator)
• Inappropriate procedure for error data
• Throwing out reports
• Automated transactions without checking
• Inconsistency of data between companies

Page 56

System Development and IT Control

Development and operation phases: Requirement Analysis -> Design & Program -> Testing -> Migration -> Cut-over -> Operation (Maintenance, Changing, Monitoring)

Management layers over the phases: Project Management, Software Quality Assurance, Operation Management

IT Control (ITAC) consists of: Control function, Manual & Procedure, Activity, Regulation, Management

All items are targets of IS audit.

Page 57

Control Items of ITAC: major means of control

ITAC
• Input Management (Control): Data entry controls, Input (transaction) authorization, Batch control, Segregation of duties, System edits, Error reporting and handling
• Processing Management (Control): Interface control, Data file control, System edits, Error reporting and handling
• Output Management (Control): Reconciliation, Distribution, Access

ITGC: Access Management (Control)
• User-IDs/Passwords, Data security, Network security, Security administration, Access authorization

Page 58

Objectives of Control of Input Management (Control)

| Objective | Sample of control | Sample of audit |
|-----------|-------------------|-----------------|
| The organization makes a regulation for input management and complies with it | • Regulation including procedure, method of verification and authorization for input activities | • Checking regulation documents • Inspection of working records of input activity |
| Input operation is carried out based on the regulation and assures no repeated or missing input | • Procedure to put a stamp on a form sheet after input • System function to check the serial No. of input data | • All form sheets have a stamp after input • Checking for no repeated data in the database |
| Sufficient means and functions prevent input errors and illegal operation | • System function can detect invalid data input • Operators can use only specific PCs (terminals) | • Review and testing of the system function • Access log of PCs |
| Storing and disposing of data is carried out based on the regulation | • Regulation for disposing of report documents • Only authorized persons can access (see) past data | • Checking records of document disposal • Checking access log for the database |

Controls exist both with the IT system and without the IT system.

Page 59

Objectives of Control of Processing Management (Control)

| Objective | Sample of control | Sample of audit |
|-----------|-------------------|-----------------|
| The organization makes a regulation for data management and complies with it | • Regulation including procedure, method of verification and authorization for data management | • Checking regulation documents • Inspection of working records of backup |
| Data access control and monitoring work effectively | • Regulation of access control for updating master data | • Checking access log for the database |
| Integrity of data is guaranteed | • Regulation for checking the data range of master data | • Checking test records of data updates |
| Data transfer complies with its regulation | • Regulation of data transfer | • Checking records of transferred data |
| Data exchange takes appropriate means to prevent illegal access and keep security | • Function for error correction during data exchange | • Log data of exchange error correction |
| Storing, copying and disposing of data prevents illegal access and keeps security | • Regulation for disposing of report documents | • Checking records of document disposal |

Page 60

Objectives of Control of Output Management (Control)

| Objective | Sample of control | Sample of audit |
|-----------|-------------------|-----------------|
| The organization makes a regulation for output management and complies with it | • Regulation including procedure, method of verification and authorization for output activities | • Checking regulation documents • Inspection of working records of output activity |
| Output operation is carried out based on the regulation and assures no repeated or missing output | • Regulation defines the person responsible for the output procedure | • Checking access log for output data |
| Sufficient means and functions prevent output errors and illegal operation | | |
| Distribution of output is carried out based on its regulation | • Regulation of output distribution | • Checking distribution of output reports |
| Storing and disposing of output is carried out based on the regulation | • Regulation for disposing of report documents | • Checking records of document disposal |

Page 61

Techniques and Means of Control of Input Management (Control)

| Area | Description |
|------|-------------|
| Data control preparation | • Good design of the source document or form: grouping similar input fields; providing appropriate codes to reduce errors; containing appropriate serial No. and cross-reference No.; appropriate input field style to reduce errors; including an appropriate field for document authorization |
| Input authorization | • Signature on form or source document • Online access control (only authorized individuals can access specific information) • Unique password (don't share your password or grant it to others) • Usage of specific terminals or a specific area • Segregation of duties |
| Batch control | • Appropriate batch header form including application name, transaction code, preprinted No., identification data • Total monetary amount (verification that the total monetary value of items processed equals the total monetary value of the batch documents) • Total items (No. of units ordered in the batch and No. of units processed) • Total number of documents • Hash totals (verification of the total of a "hash" field: numbers with no meaning in the form, such as preprinted fixed numbers) • Reviewing online batch input by a manager |
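The four batch control totals from the table above, recomputed and compared after data entry, as an added example (not code from the seminar material). The batch header, document layout and sample invoices are constructed for illustration; the account number plays the role of the "hash" field, a number with no arithmetic meaning whose total still changes when a document is lost or a digit is mistyped.

```python
"""Batch control totals: document count, item total, monetary total and
hash total, recomputed from captured items and compared with the header.

Added example, not from the seminar slides. Header fields and sample data
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Document:
    """One source document in the batch. account_no is the hash field."""
    doc_no: str
    account_no: int
    units: int
    amount: int          # monetary amount in minor units, e.g. cents


def compute_totals(documents):
    """Recompute the four control totals from the captured documents."""
    return {
        "document_count": len(documents),
        "item_total": sum(d.units for d in documents),
        "monetary_total": sum(d.amount for d in documents),
        "hash_total": sum(d.account_no for d in documents),
    }


def verify_batch(header, documents):
    """Compare the header's control totals with the recomputed ones.

    Returns a list of (total_name, expected, actual) discrepancies; an empty
    list means the batch balances. A reused document number is reported as
    well, because control totals alone cannot always reveal a duplicate."""
    actual = compute_totals(documents)
    problems = [(name, header[name], actual[name])
                for name in actual if header[name] != actual[name]]
    seen, duplicates = set(), []
    for d in documents:
        if d.doc_no in seen:
            duplicates.append(d.doc_no)
        seen.add(d.doc_no)
    if duplicates:
        problems.append(("duplicate_doc_no", [], duplicates))
    return problems


# Constructed sample: a batch header prepared from three invoices.
HEADER = {"application": "AP", "transaction_code": "INV", "batch_no": 17,
          "document_count": 3, "item_total": 12,
          "monetary_total": 45_000, "hash_total": 10_001 + 10_002 + 10_003}

CAPTURED_OK = [
    Document("A-1", 10_001, 5, 20_000),
    Document("A-2", 10_002, 4, 15_000),
    Document("A-3", 10_003, 3, 10_000),
]

# Same batch keyed with a mistyped account number and a reused document
# number: count, items and money still balance, only the hash total differs.
CAPTURED_BAD = [
    Document("A-1", 10_001, 5, 20_000),
    Document("A-2", 10_002, 4, 15_000),
    Document("A-2", 10_020, 3, 10_000),
]

if __name__ == "__main__":
    print("good batch:", verify_batch(HEADER, CAPTURED_OK))
    print("bad batch:", verify_batch(HEADER, CAPTURED_BAD))
```

The bad batch is the instructive case: its monetary and item totals agree with the header, so only the hash total exposes the keying error, which is exactly why a field with no business meaning is included in the control totals.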

Page 62

Techniques and Means of Control of Input (Processing) Management

| Area | Description |
|------|-------------|
| Regulation and monitoring | • Transaction log (input process and batch process) • Documented regulation • Transmittal log • Cancellation of source documents (by punching holes or marking, to avoid duplicate entry) |
| Error reporting and handling | • Appropriate error handling: rejecting only the transaction with the error; rejecting the whole batch of transactions; holding the batch in suspense; accepting the batch and flagging error transactions • Appropriate error correction procedure: logging of errors; timely corrections; upstream resubmission; approval of corrections; suspense file; error file; validity of corrections |

Page 63

Techniques and Means of Control of Processing (Input) Management

| Area | Description |
|------|-------------|
| Data validation and editing procedure | • Sequence check (to avoid duplicates and missing items) • Limit check (not only on input data, but also on updates of master data) • Range check • Validity check (checking whether the input data is one of the values of the set) • Reasonableness check (e.g. requested number of an order) • Table lookup (validity by using a table) • Key verification (validity: no duplicated key) • Completeness check (null check on data in a specific field) • Duplication check (checking duplication of a transaction) • Logical relation check (e.g. if he has a wife, he must be over xx years old) |
| Process validation and verification | • Manual recalculation • Run-to-run totals (checking values between processes, e.g. the sum after a middle process and the sum at the end process) • Limit check of amounts • Reasonableness of amounts • Exception reports • Reconciliation (cross comparison) of file totals |
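The programmed edit checks in the table above, run over a constructed transaction batch, as an added example (not code from the seminar material). It covers the sequence, limit, range, validity, reasonableness, completeness, duplication and logical-relation checks, and then handles errors in the way page 62 calls "accepting the batch and flagging error transactions". The field names, limit values and sample records are assumptions chosen for illustration.

```python
"""Programmed edit checks over a transaction batch, with error records
flagged rather than dropped.

Added example, not from the seminar slides. Field names, limits and the
sample batch are assumed values for illustration.
"""
from collections import defaultdict

VALID_CURRENCIES = {"USD", "EUR", "JPY"}   # validity check: value in the set
AMOUNT_LIMIT = 1_000_000                    # limit check (assumed policy value)
QUANTITY_RANGE = (1, 500)                   # range check
REASONABLE_UNIT_PRICE = 10_000              # reasonableness check
REQUIRED_FIELDS = ("seq", "customer_id", "currency", "amount", "quantity")


def check_record(rec):
    """Return the list of edit-check failures for one record (empty = clean)."""
    errors = []
    # Completeness: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        errors.append(f"completeness: missing {missing}")
        return errors  # the other checks would only repeat the problem
    if rec["amount"] > AMOUNT_LIMIT:
        errors.append(f"limit: amount {rec['amount']} exceeds {AMOUNT_LIMIT}")
    lo, hi = QUANTITY_RANGE
    if not lo <= rec["quantity"] <= hi:
        errors.append(f"range: quantity {rec['quantity']} outside {QUANTITY_RANGE}")
    if rec["currency"] not in VALID_CURRENCIES:
        errors.append(f"validity: unknown currency {rec['currency']}")
    if rec["quantity"] > 0 and rec["amount"] / rec["quantity"] > REASONABLE_UNIT_PRICE:
        errors.append("reasonableness: implied unit price too high")
    # Logical relation between fields: a credit note must reference an invoice.
    if rec.get("type") == "credit" and not rec.get("ref_invoice"):
        errors.append("logical relation: credit without ref_invoice")
    return errors


def check_batch(records):
    """Per-record checks plus the batch-wide sequence and duplication checks.

    Returns (accepted_records, flagged) where flagged maps seq -> errors.
    The batch is accepted as a whole; bad records are flagged, not dropped."""
    flagged = defaultdict(list)
    for rec in records:
        for err in check_record(rec):
            flagged[rec.get("seq")].append(err)
    seqs = [r["seq"] for r in records if r.get("seq") is not None]
    # Sequence check: numbers must be consecutive with no gaps.
    expected = range(min(seqs), max(seqs) + 1) if seqs else range(0)
    for gap in sorted(set(expected) - set(seqs)):
        flagged[gap].append("sequence: missing number")
    # Duplication check on the transaction key.
    seen = set()
    for r in records:
        key = (r.get("customer_id"), r.get("amount"), r.get("ref_invoice"))
        if key in seen:
            flagged[r["seq"]].append("duplication: same key as earlier record")
        seen.add(key)
    accepted = [r for r in records if r.get("seq") not in flagged]
    return accepted, dict(flagged)


# Constructed sample batch (not real data): seq 3 is missing on purpose.
SAMPLE = [
    {"seq": 1, "customer_id": "C01", "currency": "USD", "amount": 500, "quantity": 5},
    {"seq": 2, "customer_id": "C02", "currency": "XXX", "amount": 200, "quantity": 2},
    {"seq": 4, "customer_id": "C03", "currency": "EUR", "amount": 2_000_000, "quantity": 1},
    {"seq": 5, "customer_id": "C01", "currency": "USD", "amount": 500, "quantity": 5},
    {"seq": 6, "customer_id": "C04", "currency": "JPY", "amount": 300, "quantity": 3,
     "type": "credit"},
    {"seq": 7, "customer_id": "", "currency": "USD", "amount": 10, "quantity": 1},
]

if __name__ == "__main__":
    ok, bad = check_batch(SAMPLE)
    print(len(ok), "accepted;", dict(sorted(bad.items())))
```

Only the first record survives clean; every other record trips exactly one of the checks the table names, and the missing sequence number is reported under the number that is absent, so the error file points the operator at the gap rather than at a neighbouring record.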

Page 64

Techniques and Means of Control of Processing Management

| Area | Description |
|------|-------------|
| Data file control | • Before and after image report (the difference proves transactions were done correctly) • Maintenance error reporting and handling (checking and reviewing error handling by personnel who did not handle it) • Source document retention (verification of the file against the source data) • Internal and external labeling (labels on physical removable storage such as tapes and disk cartridges) • Version management • Data file security • One-for-one checking (verification by comparison between data and source document) • Transaction log • File updating and maintenance authorization • Parity checking |

Types of data files
• System control parameters (configuration parameters)
• Master data (standing data): not changed by transactions
• Master data (balancing data): changed by transactions
• Transaction file
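A before-and-after image report for balancing master data, as an added example (not code from the seminar material). The authorized transaction log is replayed onto the "before" image and the result compared with the "after" image actually found; any account whose change is not explained by an authorized transaction is reported, which is the detective control behind the page 45 objective of no unauthorized DB modification. The account ids, balances and log entries are constructed.

```python
"""Before/after image reconciliation of balancing master data.

Added example, not from the seminar slides. The before image, transaction
log and after image below are constructed for illustration.
"""


def apply_transactions(before, transactions):
    """Replay the authorized transaction log onto the before image and return
    the image that should result. Keys are account ids, values are balances."""
    expected = dict(before)
    for tx in transactions:
        if not tx["authorized"]:
            continue                      # unauthorized entries must not change data
        account, op, amount = tx["account"], tx["op"], tx.get("amount", 0)
        if op == "credit":
            expected[account] = expected.get(account, 0) + amount
        elif op == "debit":
            expected[account] = expected.get(account, 0) - amount
        elif op == "delete":
            expected.pop(account, None)
        else:
            raise ValueError(f"unknown op {op!r}")
    return expected


def before_after_report(before, after, transactions):
    """Compare the real after image with the replayed one.

    Returns a sorted list of (account, expected_balance, actual_balance) for
    every account whose state is not explained by the authorized
    transactions; None stands for 'account absent from that image'."""
    expected = apply_transactions(before, transactions)
    findings = []
    for account in sorted(set(expected) | set(after)):
        exp, act = expected.get(account), after.get(account)
        if exp != act:
            findings.append((account, exp, act))
    return findings


# Constructed data: balances before the nightly run, the transaction log,
# and the balances actually found afterwards.
BEFORE = {"A100": 1_000, "A200": 250, "A300": 0}
TRANSACTIONS = [
    {"account": "A100", "op": "debit", "amount": 300, "authorized": True},
    {"account": "A200", "op": "credit", "amount": 50, "authorized": True},
    {"account": "A300", "op": "credit", "amount": 999, "authorized": False},
]
# A300 was changed although its transaction was not authorized, and A400
# appeared without any transaction at all.
AFTER = {"A100": 700, "A200": 300, "A300": 999, "A400": 5}

if __name__ == "__main__":
    for account, exp, act in before_after_report(BEFORE, AFTER, TRANSACTIONS):
        print(f"{account}: expected {exp}, found {act}")
```

Reviewing the report should be done by someone other than the person who ran the update, as the table's "maintenance error reporting and handling" item requires; the code only produces the evidence.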

Page 65

Techniques and Means of Control of Output Management

| Area | Description |
|------|-------------|
| Output validation procedure | • Sequence check (to avoid duplicates and missing items) • Balancing and reconciling • Log of online distribution |
| Output delivery and storage | • Logging and storage of negotiable, sensitive and critical forms in a secure place • Computer generation of negotiable instruments, forms and signatures, including intellectual property • Appropriate report printing and distribution, including electronic reporting: control of the print spool; authentication of printing; printing in a secure and safe room; delivery and recipient evidence such as a signature • Output report retention • Output error handling |

Page 66

Concept of IT Governance: Enterprise Architecture for IT

Diagram: As-Is Model -> To-Be Model -> Next Model

An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.

Page 67

1-5. Availability Management and Service Continuity Management

Page 68

RTO and RPO

RTO (Recovery Time Objective): the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

RPO (Recovery Point Objective): the point in time to which you must recover data, as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation.

Time line (diagram): -1 day, -2 hours, -1 hour, T = 0 (disaster / trouble), +1 hour, +2 hours, +1 day. The RPO lies before T = 0 (how far back the last usable backup is); the RTO lies after T = 0 (how long until service is restored).

Backup methods placed on the time line, from farthest from T = 0 to nearest: tape backup, disk backup, real-time transaction backup.
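The RTO/RPO idea above made concrete, as an added example (not code from the seminar material): given the completion times of backups, the moment of the disruption and the moment service came back, it measures the actual data-loss window and downtime and checks them against the objectives for the three backup methods on the time line. All timestamps and schedules are constructed.

```python
"""Measure data loss (RPO side) and downtime (RTO side) for a disruption
against three constructed backup schedules: nightly tape, hourly disk and
per-minute real-time transaction backup.

Added example, not from the seminar slides. All times are constructed.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def _t(s):
    return datetime.strptime(s, FMT)


def recovery_metrics(backups, disaster_at, restored_at):
    """Return (data_loss, downtime) as timedeltas.

    data_loss is the gap between the last backup completed *before* the
    disruption and the disruption itself; backups that finished afterwards
    cannot be used, and if none exists before it the loss is undefined (None)."""
    usable = [b for b in backups if b <= disaster_at]
    downtime = restored_at - disaster_at
    if not usable:
        return None, downtime
    return disaster_at - max(usable), downtime


def meets_objectives(backups, disaster_at, restored_at, rpo_hours, rto_hours):
    """True only if both the loss window and the downtime are within the
    objectives, given in hours."""
    data_loss, downtime = recovery_metrics(backups, disaster_at, restored_at)
    return (data_loss is not None
            and data_loss <= timedelta(hours=rpo_hours)
            and downtime <= timedelta(hours=rto_hours))


def schedule(start, every, count):
    """Constructed backup completion times: `count` backups, `every` apart."""
    return [start + i * every for i in range(count)]


# Constructed scenario: disruption at 10:30, service back at 12:00.
DISASTER = _t("2010-11-24 10:30")
RESTORED = _t("2010-11-24 12:00")
TAPE = schedule(_t("2010-11-22 01:00"), timedelta(days=1), 3)          # nightly
DISK = schedule(_t("2010-11-24 00:00"), timedelta(hours=1), 24)        # hourly
REALTIME = schedule(_t("2010-11-24 10:00"), timedelta(minutes=1), 60)  # per minute

if __name__ == "__main__":
    for name, b in (("tape", TAPE), ("disk", DISK), ("real-time", REALTIME)):
        loss, down = recovery_metrics(b, DISASTER, RESTORED)
        print(f"{name:<10} loss={loss} downtime={down} "
              f"ok={meets_objectives(b, DISASTER, RESTORED, 2, 2)}")
```

With a 2-hour RPO and a 2-hour RTO, the nightly tape schedule fails on the RPO side (nine and a half hours of lost transactions) even though the downtime is the same in all three cases; the backup method decides the RPO, the restore procedure decides the RTO.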

Page 69

Types of Trouble, Disaster and Threats

Trouble
• Bug of software
• Wrong operation
• H/W trouble
• Network trouble
• Illegal attack

Disaster and threats: natural
• Flood & other water-based incidents
• Earthquakes
• Hurricanes, tornadoes, monsoons
• Thunder, hail and ice storms
• Lightning and electrical storms
• Snow and winter storms
• Volcanic eruptions, ash fallout
• Large natural fires & smoke residues

Disaster and threats: man-made
• Political
• Fires
• Flood due to equipment, pipes, sprinklers etc.
• Epidemics
• Explosions
• Hazardous / toxic material spills, contamination, access denial

Page 70

Example: Availability plan (trouble recovery)

| No | Point of trouble | Cause | Detection | Risk / effect | Incident method | RTO / RPO | Recovery method |
|----|------------------|-------|-----------|---------------|-----------------|-----------|-----------------|
| 1 | Banner CPU | CPU down | Server monitor | Level 3: service stop | Showing "service stop" page | 2 hours / 0 min | Checking CPU, replace CPU; checking DB integration |
| 2 | Banner HDD | RAID 1 disk break | RAID error message | Level 0: none | -- | 0 hours / 0 min | Replace disk |
| 3 | DB | HDD down | Server monitor | Level 3: service stop | Showing "service stop" page; connecting backup HDD and recovering data | 2 hours / 0 min | Checking HDD, replace HDD; checking DB integration |
| 4 | Banner DB | DB software down | Information from users | Level 3: service stop | Showing "service stop" page; restarting DB and checking DB integration | 2 hours / 0 min | Checking and debugging logs to find the reason for the outage, and fixing it |

Page 71

Overview of BCP: Business Continuity Plan

BCP: Business Continuity Plan
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

BCP vs. DRP
• The Business Continuity Plan (BCP) tells us what essential resources are needed to continue business operations.
• The Disaster Recovery Plan (DRP) tells us how to bring back those essential resources. The purpose of the DRP is to carry out the BCP.

Page 72

Overview of Disaster Recovery Plan (DRP)

Diagram: the headquarters data center sends backups to a recovery site over a backup network; after a disaster, the data is restored and service resumes at the recovery site.

Page 73

Flow of BCP / DRP

1. Planning
2. Risk Assessment & Business Impact Analysis
3. Developing Plan Strategies & Developing the Plan
4. Plan Testing & Maintenance
5. Awareness & Training

Page 74

Flow of BCP / DRP: Planning

• Define BCP vs. DRP for clear understanding by all.
• Identify project sponsors and leadership. Define objectives, policies, critical success factors and scope. Identify legal and regulatory requirements.
• Define standard terms and assumptions.
• Develop a project plan and budget: hard costs and soft costs such as equipment, personnel resources, facilities, etc.

Page 75

Flow of BCP / DRP: Risk Assessment & Business Impact Analysis

• The process of identifying the risks to an organization, assessing the critical functions necessary for the organization to continue business operations, defining the controls in place to reduce the organization's exposure, and evaluating the cost of such controls.
• Identify the following:
  - Risk: exposure to loss, injury or danger; potential for loss (qualitative or quantitative).
  - Threats: events that can cause a risk to become an actual loss (natural or man-made).
  - Vulnerabilities: exposure to an event that can cause actual loss.

Quantitative risk
• Assigns a value to the risk.
• Identifies the cost of a particular effect, incident or phenomenon.
• Can be stated as an ALE (Annualized Loss Exposure or Expectancy).

Qualitative risk
• Intangible effects caused by a particular incident.
• Descriptive; usually relates a cause with an effect.

Page 76

Types of Risk to be Considered

| Compliance | Financial | Operational | Strategic | Technical |
|------------|-----------|-------------|-----------|-----------|
| Contractual | Lost/deferred revenue | People | Market share | Cyber crime |
| Regulatory | Opportunity | Production | Partnerships | E-business |
| Service level agreements | Shareholder equity | Supply chain | Reputation | Infrastructure failure |

Critical assets
• People
• Buildings and facilities
• Computer equipment (PCs, servers, mainframes, etc.)
• Telecom equipment (PBXs)
• Communication equipment (routers, switches, CSU / DSU etc.)
• Inventory and materials
• Production & plant equipment
• Critical data
• Critical computer applications
• Operating systems and databases
• Environmental (power, HVAC, physical security)
• Internal & external customers & users

Page 77

Design of New Controls for BCP / DRP

Current controls
• Physical controls: fire suppression / sprinkler systems; access control systems; security guards
• Procedural controls: hiring and termination policies; clean desk policy; document receipting
• Logical controls: data storage protection; protection afforded to assets by their location in relation to the threat

Evaluate the effectiveness
• Deter the threat
• Lessen the loss
• Ability to deter or reduce risks

Improve the effectiveness of controls
• Implementing layers of protection where possible
• Training
• Documentation
• Enforcement

Page 78

Organization for BCP/DRP after a disaster

Teams
• Incident response team
• Emergency action team (for first action, such as for a fire)
• Information security team
• Damage assessment team
• Emergency management team
• Offsite storage team
• Software team
• Application team
• Emergency operation team
• Network recovery team (for the information system)
• Communication team
• Transportation team
• User hardware team
• Data preparation and records team
• Administrative support team
• Supplies team
• Salvage team (management of moving to a recovery site)
• Relocation team (management of moving from a recovery site)
• Coordination team (for all the sites (branches) and the recovery site)
• Legal affairs team
• Recovery test team
• Training team

Page 79

Flow of BCP / DRP: Developing Plan Strategies & Developing the Plan

Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objectives, while maintaining the organization's critical functions.

Identify requirements for DRP and BCP strategies
• Review business recovery issues from the BIA
• Review technology recovery issues for each support area
• Review non-technology issues for each support area

Identify off-site storage requirements and alternative facilities

Identify viable recovery strategies within business functional areas:
• Service degradation
• Internal recovery (reciprocal agreement)
• Commercial recovery center, such as a hot site or warm site

Consolidate strategies across the enterprise
• Coordination of technology recovery
• Enterprise-level crisis management
• Enterprise-level media handling
• Centralized strategy for interfacing with local

Page 80

Flow of BCP / DRP: Developing Plan Strategies & Developing the Plan

Detail plan (1/2)

| Content | Detail content |
|---------|----------------|
| Plan scope and objective | • Definition of standard terms • Selecting the appropriate methodology • Scope of the project itself |
| Business Recovery Organization (BRO) and responsibilities | • BCP planning coordinator • Disaster recovery teams • Business continuity management teams |
| Major plan components | • Reduction • Response • Recovery and resumption |
| Escalation, notification and plan activation | • Disaster declaration procedures • Mobilization procedures • Damage assessment concepts • Recovery site activation |
| Vital records and off-site storage program | • What goes off-site • Inventory of what is off-site • How do you get it back |

Page 81

Flow of BCP / DRP: Developing Plan Strategies & Developing the Plan

Detail plan (1/2)

| Content | Detail content |
|---------|----------------|
| Salvage and reclamation procedures | • Document the extent of damage, items destroyed, items recoverable • Arrange for removal of recoverable items |
| Restoration planning | • Preparations of the new facility • Preparations for moving into the new facility • Plans for cutting over from the temporary site to the new facility |
| Provisions for testing and maintenance of the plan | • Procedures for periodic and routine update of the plan • Procedures for periodic and routine testing of the plan or plan components |

Page 82

1-6. Protection of Information Assets
- Information Security Management -

Page 83

What is "Protection of Information Assets"?

Information assets
• All elements of information that share a common usage, purpose, associated risk and/or form of storage.
• Something that is considered of worth to the organization.

Protection of information assets
• Protect against loss of nuclear sensitive/classified information
• Protect against the theft of material (both physical and information)
• Protect against terrorist action
• Ensure nuclear safety
• Ensure business continuity
• Minimize business risk

Page 84

Overview of threats to Information Assets

Diagram: ABC Company's e-commerce system and e-commerce DB, with customers, an operator, a criminal and 123 Company. Threats shown:
• Password obtained by interview
• Cracking
• Scavenging
• Spoofing
• Virus
• Malice
• Intrusion
• Eavesdropping
• Lightning, fire

Page 85

3+3 atomic elements of Information Security

| Element | Description | Example |
|---------|-------------|---------|
| Confidentiality | Ensuring that unauthorized people, resources or processes cannot access information | • Access control • Password • Cryptography |
| Integrity | Protection of information from intentional or accidental unauthorized changes | • Digital signature |
| Availability | Assurance that information is available whenever needed | • Redundancy of network • RAID |
| Accountability | Ensuring that explanations of information are genuine, by recorded log or signature | • Access log |
| Authenticity | Ensuring that the data, transactions, communications or documents (electronic or physical) are genuine | • Digital signature • Password |
| Reliability | Ensuring that the system and process work well | • Redundancy of network • RAID • Load monitoring |

Page 86

Concept of Protection of Information Assets (Attackers)

[Diagram of the relationships between owner, assets, attackers, threats, vulnerabilities, risks and countermeasures; it is the security-concept relationship figure from ISO/IEC 15408 (Common Criteria), Part 1. Read along the arrows:]
• Owners value assets and wish to minimize the risk to them.
• Owners impose countermeasures to reduce risk.
• Countermeasures may possess vulnerabilities; vulnerabilities may be reduced by countermeasures.
• Owners may be aware of vulnerabilities that increase risk.
• Attackers wish to abuse and/or may damage assets; they give rise to threats.
• Threats exploit vulnerabilities, leading to risk to the assets.

Page 87

Type of computer crimes

Source of attack / Target of attack / Example (the slide's lettering skips C)

A. The computer is the object of the crime (attackers often use another computer to launch the attack).
• Target: may or may not be defined; attackers launch the attack with no specific target in mind.
• Examples: distributed DoS, virus, spam.

B. The computer is the object of the crime (attackers often use another computer to launch the attack).
• Target: a specific, identified computer.
• Examples: denial of service (DoS), hacking.

D. The computer is the tool of the crime: the attacker uses a computer, but the target is not the computer.
• Target: data or information stored on a computer or transmitted on a network.
• Examples: fraud, unauthorized access, phishing, key logger.

E. The computer is incidental to the crime: the attacker lures the user of the computer into giving up confidential information.
• Target: the user of the computer.
• Examples: social engineering (fake website, spam, spoofing).

F. The computer is incidental to the crime: the attacker obtains physical information assets directly.
• Target: physical information assets.
• Examples: piggybacking (tailgating), scavenging (dumpster diving).

Page 88

Overview: Common attack methods and techniques

Target of attack / Method (lettering as on the previous slide)

A. Attackers launch the attack with no specific target in mind.
• Virus, worm, interrupt attack
• E-mail bombing, flooding, distributed DoS, spam, botnets

B. A specific, identified computer.
• Network analysis, port scan, password cracking
• Message modification, race condition, man-in-the-middle attack, packet replay, masquerading, buffer overflow
• Alteration attack, malicious code, cracking, denial of service (DoS), SQL injection

D. Data or information stored on a computer or transmitted on a network.
• Key logger, war driving, spyware, cross-site scripting
• E-mail spoofing, eavesdropping, hacking, abuse of remote maintenance access, salami attack

E. The user of the computer.
• Social engineering, spoofing
• Fake website, phishing

F. Physical information assets.
• Scavenging, piggybacking

According to the Computer Security Institute/FBI and Ernst & Young surveys cited on the slide, nearly 50% of all network attacks come from the inside.

Page 89

Security control concept (1)

Access control
• The ability to permit or deny the use of resources by a particular entity.
• The ability to allow only authorized users, programs or processes access to a system or resource.

Authentication ("Who goes there?")
• Restrictions on who (or what) can access the system.
• Verifying the identity of a user, process or device, often as a prerequisite to allowing access to resources.

Authorization ("Are you allowed to do that?")
• Restrictions on the actions of authenticated users.
• The right or permission granted to a system entity to access a system resource.

Page 90

Security control concept (2)

Need-to-know
• Having access to the information that is required to carry out one's work.
• Ensuring that access to nuclear sensitive assets is limited to those who have the necessary "need to know" and the appropriate security clearance.

Defense-in-depth
• Places multiple barriers between an attacker and your assets.
• The deeper an attacker tries to go, the more layers they need to get through undetected.

Least privilege and functions
• The minimum level of access to an asset needed to carry out one's work effectively.
• Only a minimal set of users have root access.
• Users can use only the minimum set of functions they need.
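The two slides above separate authentication (who is this?) from authorization (may they do that?) and ask for least privilege and, from the "3+3" table, accountability. The following Python module is an added example written for this page, not code from the seminar; the user names, roles and the permission table are constructed for illustration. It shows the order of the checks (authenticate first, then a default-deny authorization lookup), a per-user salted PBKDF2 password hash compared in constant time, and an audit log entry for every decision so that a later review can attribute each action.

```python
# Added example (not from the seminar slides): minimal access control with
# authentication, default-deny authorization per role, and an audit log.
# Roles, permissions and user names below are constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Role -> set of permitted actions.  Anything not listed is denied
# (least privilege: each role gets only what its work needs).
ROLE_PERMISSIONS = {
    "operator": {"read_order", "update_order_status"},
    "analyst": {"read_order"},
    "admin": {"read_order", "update_order_status", "delete_order", "manage_users"},
}

PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # (who, action, result)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Per-user random salt: one precomputed table cannot attack all users.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, name: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, self._hash(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        """Who goes there?  True only if the user exists and the password matches."""
        user = self.users.get(name)
        if user is None:
            # Hash anyway so an unknown user costs as much as a wrong password
            # (no timing hint about which accounts exist).
            self._hash(password, b"\x00" * 16)
            self._log(name, "login", "failed: unknown user")
            return False
        ok = hmac.compare_digest(self._hash(password, user.salt), user.pw_hash)
        self._log(name, "login", "ok" if ok else "failed: bad password")
        return ok

    def authorize(self, name: str, action: str) -> bool:
        """Are you allowed to do that?  Default deny on the role's permission set."""
        user = self.users.get(name)
        allowed = user is not None and action in ROLE_PERMISSIONS[user.role]
        self._log(name, action, "allowed" if allowed else "denied")
        return allowed

    def perform(self, name: str, password: str, action: str) -> str:
        """Authentication first, then authorization; every step is logged."""
        if not self.authenticate(name, password):
            return "authentication failed"
        if not self.authorize(name, action):
            return "authorization denied"
        return f"{action} done"

    def _log(self, name: str, action: str, result: str) -> None:
        # Accountability: record who tried what and the outcome.
        self.audit_log.append((name, action, result))


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery", "analyst")
    print(ac.perform("alice", "correct horse battery", "read_order"))
    print(ac.perform("alice", "correct horse battery", "delete_order"))
    for entry in ac.audit_log:
        print(entry)
```

Note that `authorize` never consults the password: authorization only makes sense for an already authenticated identity, and the audit log is what lets an IS auditor later answer "who did what" (the accountability element of the 3+3 table).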

Page 91

General Idea: Types of control

Means of control / Example of control
• Avoid: disconnect from the network, stop the service.
• Reduce: backup site, duplex system, monitoring.
• Transfer: insurance, hosting.
• Accept: enhancement of customer support (live with the risk and handle its consequences).

Type / Example of control
• Preventive control: firewall, DMZ, antivirus software, IPS (Intrusion Prevention System).
• Detective control: logs, IDS (Intrusion Detection System), network monitoring.
• Corrective control: backup, alternate device, recovery procedure.
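A log is only a detective control if something reads it. The script below is an added example for this page (not from the seminar): it parses sshd-style "Failed password" / "Accepted password" lines and raises an alert when one source address produces a burst of failures inside a short window, and a second, more serious alert when a login succeeds right after such a burst. The log lines, the host and user names, the threshold of 5 and the 60-second window are all constructed for the example.

```python
# Added example (not from the seminar slides): a detective control in code.
# The log below is constructed to look like OpenSSH sshd auth-log lines;
# the threshold and window are illustrative choices.
import re
from collections import defaultdict
from datetime import datetime

CONSTRUCTED_LOG = """\
Nov 24 09:00:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Nov 24 09:00:03 web1 sshd[2301]: Failed password for invalid user oracle from 203.0.113.9 port 51130 ssh2
Nov 24 09:00:04 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 51131 ssh2
Nov 24 09:00:06 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 51140 ssh2
Nov 24 09:00:07 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 51142 ssh2
Nov 24 09:00:09 web1 sshd[2301]: Accepted password for root from 203.0.113.9 port 51150 ssh2
Nov 24 09:15:00 web1 sshd[2410]: Failed password for ota from 198.51.100.7 port 40001 ssh2
Nov 24 09:15:20 web1 sshd[2410]: Accepted password for ota from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(line: str, year: int = 2010):
    """Return (timestamp, 'Failed'|'Accepted', user, ip) or None for other lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Alert once per source IP when `threshold` failures fall inside a sliding
    window, and again if a login from that IP succeeds while the burst is recent."""
    failures = defaultdict(list)   # ip -> timestamps of failures still in the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                # not an auth line; a real pipeline would count these
        ts, result, user, ip = rec
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:            # fire once when the burst forms
                alerts.append(("bruteforce", ip, ts))
        elif len(recent) >= threshold:              # success right after a burst
            alerts.append(("success-after-bruteforce", ip, ts, user))
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(CONSTRUCTED_LOG):
        print(alert)
```

The single failure from 198.51.100.7 followed by a successful login is normal user behaviour and produces nothing; the five failures from 203.0.113.9 within six seconds produce a "bruteforce" alert, and the following "Accepted" from the same address is the line an analyst actually needs to see first.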

Page 92

Information Security Cycle

[Cycle diagram:] identification of important information → risk management → security plan → implementation → follow-up measures → (back to identification).

• Identification of important information: information security relies on identifying the information assets that are of worth to the organization and need to be secured.
• Risk management: assessment of the risks associated with protection of the information.
• Security plan: the overall specification of all security precautions, procedures and systems implemented at a facility to protect material, personnel, information assets, etc. In short, the plan for implementing our controls.
• Implementation: the security plan and supporting procedures, clearly defined roles and responsibilities, training, awareness and culture, incident response procedures.
• Follow-up measures: security tends to degrade during the operational phase of the life cycle; regular audits, assessments, tests and inspections are the means of preventing that degradation.

Page 93

Group roles and responsibilities for security management

[Organization chart, read top-down:]
• Executive manager
• IS security steering committee
• Security advisory group
• CPO: Chief Privacy Officer
• CISO: Chief Information Security Officer
• Process owners
• Information asset owners
• Data owners
• Users
• Related third parties
• Security administrator
• Security specialist
• IT developer
• IS auditor

Page 94

Key elements of information security management

Element / Description
• Senior management: commitment and support from senior management are essential to the success of information security management.
• Policy and procedure: a policy framework should be established, with standards that set a minimum security baseline, measurement criteria and methods, and specific guidelines, practices and procedures.
• Organization: responsibility for the protection of individual assets should be clearly defined.
• Security awareness and education: all employees and third-party users should receive appropriate training and regular updates on security awareness and on compliance with the written security policies and procedures.
• Monitoring and compliance: IS auditors are usually charged with assessing, on a regular basis, the effectiveness of the security program.
• Incident handling and response: because a security incident is an event that adversely affects processing or computer usage, the organization should have measures in place to reduce the impact of an incident when it happens.

Page 95

Summary: Basic security evaluation checklist (1)

Topic / Points

Assets/Inventory
• What types of data are maintained by the company?
• Is there any confidential information? How is it kept?
• Are there any specific requirements for handling data?

Environment
• What kinds of ICT devices does the company have?
• Is there a wireless network? How is it secured?
• Is there an appropriate network map for security purposes?
• What operating systems does the company use?
• How is remote network access handled?
• How are software licenses managed?
• How is configuration management of hardware and software done?
• Are there physical security measures controlling entry to the IT room?

Anti-virus
• Does the company have an anti-virus policy?
• Do all workstations and servers have anti-virus software?
• Does the antivirus software update its virus database automatically?
• Does each staff member know what to do when he/she finds a virus?

Password
• Does the company have a policy on the use of passwords?
• Does the company conduct training?
• Is there any software to detect weak passwords?
• Do staff know that they must not share passwords?

Page 96

Summary: Basic security evaluation checklist (2)

Topic / Points

Patch
• Do all devices update automatically? How often?
• Is there an environment for testing new patches?
• Is a backup taken before a new patch is applied?

Minimizing services
• Has the company identified which services are necessary?
• Do IT staff review and minimize the services that are running?
• Is there any means to prevent the installation of new software by unauthorized personnel?

Vulnerabilities
• Is vulnerability testing done?
• After testing, does the company act on the vulnerabilities found?
• If someone finds a vulnerability, who provides support next?
• Are there a firewall and an IDS in the network?

Backup and recovery
• Is backup done regularly?
• Are backups kept in a secure area?
• Are there appropriate procedures for backup and recovery?
• Are the backups adequate to recover the business in case of disaster?
• Do IT staff have experience of a recovery, or of a recovery test?

Page 97

Vulnerability Assessment & Penetration Testing

Vulnerability assessment
• The overall network infrastructure is assessed to determine any exploitable vulnerability.
• Sophisticated tools are used to identify potential security weaknesses.
• Devices assessed include firewalls, routers, servers, etc.
• Tests are performed to identify system weaknesses from both internal and external threats.
• A comprehensive report is submitted with the vulnerabilities found and the corrective actions to be taken.
• Should be performed at regular intervals or after any major change.

Penetration testing
• Attempts to scrutinize the true strength of an organization's security infrastructure against a real attack.
• The tester assumes the role of a real intruder and attempts to breach the network in a controlled and safe way that does not affect your services.
• Launches a series of attacks on the network using commonly used techniques.
• Various commercial and open-source "hacker" tools are employed during the tests.
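The first thing the "sophisticated tools" on this slide do against a network is find out which TCP ports answer. The script below is an added example for this page (not from the seminar): a small TCP connect scan. So that it runs offline and touches no real host, it starts its own throw-away listener on a loopback port and reserves a second loopback port that is known to be closed; both are constructed targets for the demo. The authorization point from the slide still applies: a scan of hosts you have no written permission to test is an attack, not an assessment.

```python
# Added example (not from the seminar slides): a TCP connect scan against a
# listener the script starts itself on 127.0.0.1, so nothing outside this
# process is touched.  Both loopback ports are constructed for the demo.
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_local_listener():
    """Start the constructed 'target service': a TCP listener on an OS-chosen
    loopback port.  Returns (socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)            # lets the accept loop notice a close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()       # a real service would talk here
            except socket.timeout:
                continue
            except OSError:        # listener was closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Bind a loopback port without listening: connects to it are refused,
    and nobody else can take the port during the demo.  Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5):
    """TCP connect probe: return port if the handshake completes, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return port if s.connect_ex((host, port)) == 0 else None


def scan(host: str, ports, workers: int = 32):
    """Connect scan of `ports` on `host`; returns the sorted list of open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(p for p in results if p is not None)


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    quiet, closed_port = reserve_closed_port()
    print(f"listener on {open_port}, closed port {closed_port}")
    print("open:", scan("127.0.0.1", [closed_port, open_port]))
    srv.close()
    quiet.close()
```

A connect scan completes the full handshake, so every probe appears in the target's logs (and in an IDS); that is acceptable for an authorized assessment and is exactly the trace the detective controls on the earlier slides are meant to catch.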

Page 98

1-7. IT services and operation

Page 99

Overview of Incident/Problem management and the service desk

[Diagram:] Risk factors (remaining bugs, operation errors, crime, system breakage) appear and/or occur and produce failures and trouble that reach the user. Users report them to the service desk; the monitoring system detects risk factors or symptoms.

• Incident management: to restore normal service operation as quickly as possible and to minimize the impact on business operations. A user request goes to 1st-level staff at the service desk and is escalated to 2nd-level staff when needed.
• Problem management: to get rid of the factor of risk or failure, i.e. to resolve the underlying cause that made, or will make, a failure; it works from the risk factors or symptoms detected by the monitoring system.

Page 100

Checkpoints for incident & problem management

Category / Target / Description

Procedure and situation
• Regulation and procedure: Does the organization have an appropriate procedure to resolve problems, especially an escalation route? Are the recording tasks and functions for events, incidents and problems developed?
• Situation of incident/problem management: Do problems exist during processing? Were they resolved in a timely manner, and was the resolution complete and reasonable? Are all problems identified for verification and resolution?

Help desk (service desk)
• Does the help desk have appropriate staff?
• Is there an SLA for the help desk?
• Is there appropriate supporting software for the help desk?
• Does the help desk have appropriate regulations and procedures, especially an escalation route, to resolve problems?
• Does the help desk keep appropriate support and working records?

Page 101

Overview of Capacity Management

Reactive activities
• Monitoring and measuring.
• Responding and reacting to capacity-related events (incidents).

Proactive activities
• Predicting future requirements and trends.
• Budgeting, planning and implementing upgrades.
• Seeking ways to improve service performance.
• Optimizing the performance of a service.

Page 102

Checkpoints for hardware

Category / Target / Description

Planning & acquisition
• Planning: Is the plan aligned with business requirements? Is the plan synchronized with IS plans? Have criteria for the acquisition of hardware been developed, and are they appropriate? Does new hardware suit the current IT environment?
• Acquisition: Is the acquisition in line with the hardware acquisition plan? Are procurements, and their documentation, based on the appropriate procedure and regulation? Are procurement processes approved by appropriate management?

Operation & incident management
• Operation & maintenance: Is scheduling adequate to meet workload schedules and user requirements? Is scheduling flexible enough to accommodate required hardware and preventive maintenance? Is maintenance done during off-peak workload periods? Is the maintenance the vendors recommend actually done?
• Monitoring & incident/problem management: Have IS management staff reviewed malfunctions, abnormal system terminations and operator actions? Is continuous review performed of hardware and system software performance and capacity? Is monitoring adequate in the case of equipment failure? Is monitoring based on logs, maintenance history and adequate information?

Page 103

Checkpoints for OS and system software

Category / Target / Description

Planning & acquisition
• Planning: Are the plans aligned with business objectives? Do they meet the requirements? Do they include IS controls? Do they comply with short- and long-range IS plans?
• Feasibility study and acquisition process: Are the proposed system objectives and purpose consistent with the request? Has a cost-benefit analysis of the system software procurement been done?

Operation & incident management
• Security and control: Have procedures been established to restrict the ability to circumvent logical access controls? Have procedures been implemented to manage software updates? Are the controls over change, authorization, security, audit testing, etc. adequate? Is the master console secure?
• Operation and documentation: Have all appropriate levels of software been implemented? Is the necessary documentation available, such as access violation reports, change management records, parameters, activity logs and reports? Has the latest version been tested?

Page 104

Tasks of operation staff

• Executing and monitoring scheduled jobs.
• Facilitating timely backups.
• Monitoring unauthorized access to, and use of, sensitive data.
• Monitoring and reviewing the extent of adherence to the IT operation procedures established by IS and business management.
• Participating in tests of disaster recovery plans.
• Monitoring the performance, capacity, availability and failure of information resources.
• Facilitating troubleshooting and incident handling.

Page 105

Workflow of Change Management for approval

Why is change management important? According to the figures quoted on the slide, more than 50% of incidents, and more than 90% of the incidents that affect the business, are caused by changes.

Roles (swim lanes): User, Change Manager, CAB (Change Advisory Board), Configuration Manager, Programmer/Operator.

[Workflow, reconstructed from the diagram:]
1. User: raises a Request For Change (RFC).
2. Change Manager: reviews the RFC and either rejects it or inputs it and sets an initial priority (update RFC).
3. Change Manager: classifies the change by priority & schedule and by type:
   • Urgent: handled through the urgent change procedure.
   • Trivial: approval and planning by the Change Manager.
   • Serious: passed to the CAB for impact assessment & discussion of the change; approval yes/no. If no, the RFC is updated and the requester receives a report.
4. Programmer/Operator: carries out the change procedure for an approved change.
5. Change Manager and Configuration Manager: update the RFC (and the configuration records it affects) and report the result.

Page 106

Conceptual Model of CMS (Configuration Management System)

[Diagram only; no text was recovered from this slide. In ITIL V3 the CMS is the Configuration Management System, the set of tools and databases, including the CMDB, that holds configuration information.]

Page 107

Configuration Management for Application

[Diagram:] Configuration management spans the whole chain: Development → Code + Configuration info → Build → Target S/W → Smoke testing → Testing.

Page 108

How to manage bug reports (incident reports) 1: Simple workflow

Roles: Tester, Test Manager, Programmer.

[Workflow:]
1. Tester: reports the bug.
2. Test Manager: reviews the report. Outcomes: "not a problem" → close; "problem, but not repaired now" → deferred; otherwise passed to the programmer.
3. Programmer: checks and repairs.
4. Tester: confirmation. OK → close; NG → back to the programmer.

Page 109

How to manage bug reports (incident reports) 2: State transition: life cycle of a bug report

States: Reported, Opened, Assigned, Fixed, Closed, Rejected, Deferred, Reopened.

[Transitions, as far as they can be read from the diagram:]
• Report → Reported.
• Reported → Rejected (bad report); Rejected → Reported (rewritten or checked).
• Reported → Opened (review).
• Opened → Assigned (approved for repair); Opened → Deferred (declined for repair); Opened → Rejected (not a problem).
• Deferred → Assigned (approved for repair).
• Rejected → Reopened (new information gathered).
• Assigned → Fixed (repaired).
• Fixed → Closed (test: confirmed to be repaired); Fixed → Reopened (test: failed confirmation).
• Closed → Reopened (problem returned); Reopened → Assigned (approved for repair).
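The two bug-report slides above define a workflow (who does what) and a state machine (which transitions exist). The following Python is an added example for this page, not code from the seminar or from any of the BTS products on the next slide: it encodes the transition table, refuses any transition the diagram does not allow, and ties each transition to the role that the simple workflow gives it, so that, for instance, the programmer who marked a bug Fixed cannot also be the one who confirms and closes it. The event names and the role assignments are assumptions made for this example.

```python
# Added example (not from the seminar slides): the bug-report life cycle as
# a state machine with a role check per transition (separation of duties
# between the programmer who repairs and the tester who confirms).
# Event names and role assignments are assumptions for this example.
from dataclasses import dataclass, field

# (from_state, event) -> (to_state, role that may trigger it)
TRANSITIONS = {
    ("Reported", "review"):              ("Opened",   "test_manager"),
    ("Reported", "bad_report"):          ("Rejected", "test_manager"),
    ("Rejected", "rewritten"):           ("Reported", "tester"),
    ("Rejected", "new_information"):     ("Reopened", "tester"),
    ("Opened",   "approve_repair"):      ("Assigned", "test_manager"),
    ("Opened",   "decline_repair"):      ("Deferred", "test_manager"),
    ("Opened",   "not_problem"):         ("Rejected", "test_manager"),
    ("Deferred", "approve_repair"):      ("Assigned", "test_manager"),
    ("Reopened", "approve_repair"):      ("Assigned", "test_manager"),
    ("Assigned", "repaired"):            ("Fixed",    "programmer"),
    ("Fixed",    "confirmed"):           ("Closed",   "tester"),
    ("Fixed",    "failed_confirmation"): ("Reopened", "tester"),
    ("Closed",   "problem_returned"):    ("Reopened", "tester"),
}


class TransitionError(Exception):
    pass


@dataclass
class BugReport:
    bug_id: int
    state: str = "Reported"
    history: list = field(default_factory=list)   # (role, event, from, to)

    def check(self, event: str, role: str):
        """Return None if `role` may apply `event` in the current state,
        otherwise the reason it may not."""
        key = (self.state, event)
        if key not in TRANSITIONS:
            return f"'{event}' is not allowed in state {self.state}"
        _, allowed_role = TRANSITIONS[key]
        if role != allowed_role:
            return f"'{event}' must be done by {allowed_role}, not {role}"
        return None

    def apply(self, event: str, role: str) -> str:
        """Perform the transition, or raise and leave the report unchanged."""
        reason = self.check(event, role)
        if reason is not None:
            raise TransitionError(f"bug {self.bug_id}: {reason}")
        new_state, _ = TRANSITIONS[(self.state, event)]
        self.history.append((role, event, self.state, new_state))
        self.state = new_state
        return self.state


def reachable_states(start: str = "Reported") -> set:
    """States reachable from `start`: a sanity check that the table covers
    every state on the slide and leaves none unreachable."""
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(to for (frm, _), (to, _) in TRANSITIONS.items() if frm == s)
    return seen


if __name__ == "__main__":
    b = BugReport(42)
    for event, role in [("review", "test_manager"), ("approve_repair", "test_manager"),
                        ("repaired", "programmer"), ("confirmed", "tester")]:
        print(event, "->", b.apply(event, role))
    print("reachable:", sorted(reachable_states()))
```

The `history` list is the audit trail a test manager reviews; the `check` method is what a BTS form would call to decide which buttons to show a given user, and `apply` is the server-side enforcement that must not trust the form.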

Page 110

BTS (Bug Tracking System)

Advantages of a BTS: low effort to use, high efficiency.
• Sharing real-time bug information.
• Easy management of the progress of bug fixing.
• Unified bug format.

OSS BTS products
Product / Summary / Form / Linkage
• Mantis: good functions for a BTS; easy to install, good reports; detailed form; links with TestLink.
• Bugzilla: for big developments; detailed form; links with TestLink.
• Trac: integrated development management; simple form.

Page 111

New tools for IT operation

Management area / Network monitoring tools / Service desk (ITIL) support tools / Other tools
• Incident management: monitoring tools (detection); service desk tools (management).
• Problem management: monitoring tools (detection); service desk tools (management).
• Service management: monitoring tools (measurement); Excel.
• Capacity management: monitoring tools (measurement); Excel.
• Configuration management: monitoring tools (monitoring); service desk tools (management).
• Change management: service desk tools (management).
• Finance management: Excel.
• Skill management: Excel or Access.
• Knowledge management: service desk tools (management); Wiki, Word, Excel.
• Evaluation and report: monitoring tools (data); service desk tools (data/report); Word, Excel.

Page 112

Overview of the targets of testing (ISO 9126 quality model)

Functional testing (functionality): suitability, accuracy, compliance, interoperability, security.
Non-functional testing: reliability, usability, efficiency, maintainability.

Actual targets
• Ordinary testing: the functions of the system and/or software, typically described (sometimes only implicitly) in a requirements specification, a functional specification, or in use cases.
• Non-functional testing: performance testing, load testing, stress testing, security testing, usability testing, maintenance testing, reliability testing.

Page 113

Part 2.

Recommendation and discussion

2-1. Roadmap and main activities

Page 114

Roadmap of the reformation of ITS

[Timeline with quarterly ticks from Dec. 2010 through Oct. 2012:]
• Phase 1: preparation & urgent activities.
• Phase 2: design and shifting to ITIL V3.
• Phase 3: reformation of new activities and procedures based on V3.
• Quarterly monitoring throughout.

Page 115

Points of ITIL activities at ITS (phase 1)

• User-needs oriented
• Small actions and quick wins
• CSIP: Continuous Service Improvement Program
• Showing ROI and evaluation of KPIs
• Getting agreement of USP management

The ITIL procedures and functions of ITS are almost at V2 level now. ITS needs to shift to cyclic management as in V3. Phase 1 is the preparation for shifting to V3.

Page 116

Key tasks of Phase 1 (& 2)

Tasks to be shown outside
A-1. Formation of an IT Committee for IT governance
A-2. Conducting user needs assessment
A-3. Completion of the enhancement of USP Net
A-4. Starting enhancement of application development and control
A-5. Enhancement of environment and support of regional campuses
A-6. Enhancement of direct user support
A-7. Starting the plan for academic research services
A-8. Possible cost cuts with evidence

Page 117

Key tasks of Phase 1 & 2

Tasks to enhance ITS
B-1. Employment of new staff
B-2. Enhancement of work procedures at ITS level
B-3. Modifying the strategic plan and getting approval by USP management
B-4. Enhancement of measuring methods for KPIs and other indicators
B-5. Defining a regular monitoring procedure
B-6. Planning and conducting training, including regional staff
B-7. Enhancement of communication among staff

Page 118

A-1: The committee across customers, users and ITS

[Diagram:] IT governance through an IT Strategy/Steering Committee that links:
• Customers (who pay): USP SMT, the Centre for Flexible and Distance Learning (CFDL), the Human Resources Unit, the Student Academic Services Unit, the Finance Section, and the Planning & Quality Office / Quality Assurance Unit.
• Users: lecturers, USP staff, students.
• ITS.

The committee deals with:
• Annual plan and multi-year projection (budget, strategy, procurement and service plan)
• SLA (Service Level Agreement)
• Development plan for applications
• Needs assessment
• Internal audit (half-yearly or quarterly)
• Assessment of annual activity and of the SLA

Page 119

Summary: Flow of the committee

Inputs
• Result of the needs assessment
• Result of past ITS activity (audit)
• Result of risk management (e.g. upgrades, new environments such as wireless)

Flow: proposal of the ITS action plan → discussion and evaluation of the proposal → final ITS action plan, which settles:
• Prioritization of activities
• Allocation of budget and resources
• Agreement on ROI/SLA (Service Level Agreement)

Page 120

A-2. Conducting user needs assessment

Phase 1: meeting or interview with each faculty/unit → analyzing and reporting back to the faculty/unit → input to the ITS strategic plan.

After Phase 2: regular meetings or interviews with each faculty/unit, plus an online needs assessment and a complaint counter → regular analyzing and reporting.

Page 121

A-4. Starting enhancement of application development and control

[Diagram:] MIS programmers develop for the Finance Section, Human Resources and the Student Unit, either from a priority list or per project. Operation of the applications is done by the user sections (e.g. Group SAS: enrollment team, assessment team, data team).

Problems
• No committee to discuss the development plan.
• Development capacity depends on each individual programmer.
• When a programmer quits, the user section takes a programmer away from MIS.
• Operation of the applications should be controlled (the Group SAS data team makes many data-input errors). With appropriate input control (ITAC: IT Application Control), the quality of the system would improve.

Page 122

A-5. Enhancement of environment and support of regional campuses

a. Survey of the number of broken-down PCs and of repairs (and establishment of repair procedures)
b. Needs assessment for regional campuses and staff
c. Enhancement of communication with regional campus staff
d. Conducting training for regional campus staff

Page 123

A-6. Enhancement of direct user support

a. Reformation of the ITS web sites: what kind of information is important for users?
b. Enhancement of announcements about IT usage at USP
c. Finding and resolving the problems of the current helpdesk as user support

Page 124

A-8. Possible cost cuts with evidence

Examples:
• Improvement of repair work (xx PCs/week -> xx PCs/week)
• Reducing servers: finding unused servers and stopping them
• Procurement of servers: ITS provides the server function, so users do not need to procure new server hardware
• Making appropriate contracts for software licenses
• Charging for special IT services

Page 125

B-2. Enhancement of work procedures at ITS level

Current situation: across the ITS sections (Regional Development, Enterprise & Network, User Services, MIS) procedures are missing or of uneven quality.

Management of working procedures
• Internal quality assurance (internal audit) checks the correctness of the procedures and how staff follow them.
• Targets of the internal audit: progress and performance of projects; quality of daily work and operation.
• Reference: ISO 9000 quality management.

Page 126

B-4. Enhancement of measuring methods for KPIs and other indicators
a. Storing all incident data: how to store incident data

[Diagram, read as:]
• Current situation: the user help desk records incident data in Service Desk Plus; Enterprise & Network and MIS record troubles and bugs in separate incident reports.
• Target: incident data from the help desk, Enterprise & Network and MIS all go into Service Desk Plus, and bugs are tracked in a BTS.

Page 127

B-4. Enhancement of measuring methods for KPIs and other indicators

b. Evidence to explain the number of staff at ITS: PC hardware technicians, AV hardware technicians, helpdesk, USP Net operators and AV operators (schedule, actual working hours and performance: number of hardware repairs, number of user requests at the helpdesk).

c. Definition of the measuring method for each KPI.
d. Current situation (or value) of the KPIs. Examples:
• The current breakdown ratio of PCs at regional campuses is xx%; the KPI for 3 months is to reduce the ratio to yy%.
• The number of personal notebook PCs connecting to wireless is 800 in 2010 and is expected to reach 1500 by 2013; ITS will establish a new wireless network for 2000 PCs by 2013.
• The input error ratio for Banner is 15% now, which causes 20 complaints/week; the xxxxx internal control would reduce the ratio to 5%.

Page 128

B-3. Modifying the strategic plan and getting approval by USP management

Points of modification
1) Generally speaking, management has no interest in the enhancement of the IT service organization itself, only in the profit that the enhancement brings.
   [Diagram:] the yearly fixed budget funds daily operation; an additional budget funds new operations and new projects.
2) Additional budget, ROI and priority.
3) User needs and risk, flowing from the users to ITS: user complaints/troubles, user requirements/needs, hidden needs, future needs.

Page 129

2-2. ITS structure and capacity development (HRD)

Page 130

1. Current ITS structure (July 2010)

[Organization chart; the grouping below is read from the diagram:]

Director, Vice Director, Office Support (3); four sections, each with a section manager:

Management of Project & Regional Development
• Staff at remote campuses (20)

Enterprise Systems & Network Infrastructure
• USP Net engineers (2)
• Telephony engineers & operators (3)
• Server engineers (4)
• Net (cabling technicians) (2)

Management of User Services
• Lecture support: IT lab support/supervisors (8); remote lecture support (USP Net support) (2); media (auditorium) support (9)
• User support: Help Desk (5); Help Desk assistant engineers (3)
• H/W technicians: PC maintenance (5); AV device (including VC) maintenance (3)

MIS
• Development: Finance analyst/programmer (1); Student/MIS analyst/programmer (1); Payroll analyst/programmer (1)

Page 131

Current Organization: Type of staff

| Type of Staff | Position/Job | Planned No. of Staff | No. of Current | No. of Vacancy | % of Vacancy | Remarks |
|---|---|---|---|---|---|---|
| Management | Director/Manager | 6 | 6 | 0 | 0.0% | |
| Planning | Project coordinator & Business Analyst | 2 | 0 | 2 | 100% | |
| IT design and support | Analyst and programmer at Enterprise Systems & Network | 18 | 9 | 9 | 50.0% | High vacancy rate because of high turnover. Tasks are design, operation and maintenance of the satellite network, campus network and servers (more than 300). |
| User support | Help desk | 14 | 8 (incl. 4 interns) | 6 | 42.9% | Helpdesk including 4 intern staff. |
| Lecture support * | USP Net Ope., PC Lab Technician, AV Operator | 22 | 19 | 3 | 13.6% | Staff are supporting 24 PC labs and 12 big seminar rooms now. ITS has 3 other new PC labs at the ICT center. |
| Development * | Analyst and programmer at MIS | 7 | 3 | 4 | 57.1% | High vacancy rate because of high turnover. Other sections/units are keeping their own analysts and programmers for prompt development and bug fixes now. |
| H/W Technician * | Cable Tech, PC/AV Technician | 12 | 10 | 2 | 16.7% | Technicians are supporting 6,000 network nodes and more than 3,000 PCs. |
| Regional Staff | Regional Staff | 23 | 20 | 3 | 13.0% | Almost every regional campus has at least 1 staff member (some are part-time). |
| Total | | 104 | 75 | 29 | 25.5% | |

* In the case of universities in other countries, these tasks are outsourced (to private companies).

Page 132

Problems related to ITS organization (Summary)

Problem 1: High vacancy rate, especially for IT analysts and programmers => the number of staff for IT infrastructure is less than needed.

Causes:
• High turnover
• Not easy to find experienced staff

Resolutions:
• (To reduce turnover) Preparation of a career path
• (Turnover is inevitable) Employment of graduate students and growing them up; definition of work procedures (documents) and sharing of knowledge
• Enhancement of staff capability (skills and knowledge) by training

Problem 2: Job/person-based tasks => workload among staff is not appropriate; after a staff member moves out, a job stops.

Causes:
• Job-based contracts
• Flat organization structure, not deep
• Few collaborative activities within and across sections
• Lessons learned and know-how are not shared

Resolutions:
• Hierarchical organization with a team system (teams have responsibility)
• Definition of task relations within and across sections based on ITIL procedures
• Introduction of an ITIL management system for IT operation, including knowledge management

Problem 3: No evidence of effectiveness and efficiency of activities => users seem not to be satisfied with current IT support and think ITS has many staff.

Causes:
• Few metrics <= few procedures to collect them
• Few evaluations and assessments of work
• No clear definition of user needs

Resolutions:
• Definition of clear service levels with users/customers
• Measurement, evaluation and assessment tasks, including personal workload
• Introduction of measurement tools

Page 133

2. Image of ITS structure

[Organization chart, flattened]

Director
Vice Director
Strategy & Planning (2) (new position)

Sections (Section/Manager):
• Regional support & Development
• Enterprise Systems & Network Infrastructure
• Service Desk & Desktop Management
• MIS
• Academic support & maintenance

Teams (number of staff):
• MIS Online, SOLS and Database Development (6)
• Banner Development (6)
• Service Desk (1)
• Central Service Desk (9)
• Design & Ope. of Desktop (6)
• ITIL Design & Operation (3)
• Design & Ope. of Net. and Infra. (1)
• Satellite (2)
• NOC (2)
• Cabling (4)
• Design & Ope. of Unified Telephony (5)
• Design & Ope. of Servers (6)
• Security Management (1)
• Regional Management (2)
• Remote Lecture support (4)
• Lecture (PC/AV) Support (19)
• PC/AV maintenance (10)
• Remote Service Desk / Regional engineer (23)

Staff type legend: Lecture Support, User support, H/W Technician, Development, New Position

Page 134

Image of Type of ITS staff (New)

| Type of Staff | Position/Job | Planned No. of Staff (New Organization) | No. of Current | (a) No. of Vacancy | (b) No. of New | a+b | Comment |
|---|---|---|---|---|---|---|---|
| Management | Director/Manager | 6 | 6 | 0 | | | |
| Strategy & QM | | 3 | 0 | 2 | 1 | 3 | Including security management |
| IT design, support | IT Analyst and programmer | 16 | 9 | 7 | 0 | 7 | |
| NOC/ITIL | | 5 | 0 | 2 | 3 | 5 | |
| User support | | 16 | 8 | 6 | 2 | 8 | (Current includes 4 interns) |
| Lecture support | USP Net Ope., PC Lab Technician, AV Operator | 23 | 19 | 3 | 1 | 4 | |
| Development | Analyst and programmer at MIS | 14 | 3 | 4 | 7 | 11 | Employment of graduate students, to become senior programmers through on-the-job training. |
| H/W Technician | Cable Tech, PC/AV Technician | 13 | 10 | 2 | 1 | 3 | |
| Regional Staff | Regional Staff | 23 | 20 | 3 | 0 | 3 | |
| Total | | 119 | 75 | 29 | 16 | | |

Page 135

Points of reformation of the ITS structure

• Development of an HR management system
• Filling of vacant positions
• Restructuring of application development at USP level
• Communication between managers and staff
• Enhancement of training (management of staff skills and skill standards)
• Development of regional staff's capacity
• Establishment of a team system within the current structure
• Utilization of internships and employment of graduate students

What is the motivation and incentive of staff?

Page 136

3. Strategy of reformation of ITS

| Organization | Roles | Culture | Skills | Training | Metrics | Monitoring |
|---|---|---|---|---|---|---|
| Current: Aligned by Technology | Technology Specialists | Hero-Oriented | Job Titles in Place | Limited (Technical) | FTE (M/M), Basic record of work | |
| Hierarchical Org., Team system | Service Roles Emerge | Looking at Best Practices | Job Levels (Skill Standard) Defined | Technology by Job Levels | Basic SLA/KPI, Basic record | Periodic Monitoring |
| Process/Service-Centric | Process Role Well-Defined | Working on Best Practices | Employee Skills Tracked | Formal Training, Job Rotations | Ordinary SLA/KPI, Data for proactive management | Periodic Monitoring and audit |
| Process Cycle based | Process Manager and Owner Role Well-Defined | Best Practices Effectively Used | Manage Skills Portfolio | Lifelong Training including management | Detailed SLA/KPI, Data related to business | Periodic audit based on internal control |

FTE: Full Time Equivalent, SLA: Service Level Agreement, KPI: Key Performance Indicator

Page 137

Thank you for joining the lecture!

Contact: Go Ota
e-mail [email protected]
Web www.beyondbb.jp (Japanese)