
LECTURE 1 The Problem Solutions: Standards & Frameworks


The Problem

… ?

PROJECT & PRODUCE …

… & then MANAGE !

• Longer time (20+ years vs. 9 months)

• More & more complex relations (school/companions/b-g.friend/… vs. gynecologist)

• More expensive (… ask your father …)

• More risks (car/drugs/alcohol/depression/unemployment/… vs. abortion)

• …

• Less & weaker “instructions” !!!

Managing an ICT Factory … how much experience gained?

The Heroic Years

Becoming an Industry

ICT: exact science or still artistic handicraft?

… in theory … … actually …

An example: Capacity Planning …

[Figure labels: Trans. Rate, DB W/R Ratio, # Users, RAM, CPU, Bandwidth]

Transactions? What kind? From where? When? How many? …

Users? What channel through? What trend? What service? …

DB access? How many records? How big? What update frequency? …

NOW … and tomorrow? … and next year? …

Ever-Increasing Complexity …

… under a more and more easy skin, at everyone’s fingertips!

CMM (Capability Maturity Model): Maturity Levels

5. Optimizing. Continuous process improvement.

4. Managed. Detailed measures of the software process and product quality are collected.

3. Defined. Management and engineering activities are documented, standardized, institutionalized.

2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects.

1. Initial. Ad hoc. Success depends on individual effort and heroics.

The ICT Management Process Maturity Model (Gartner, 1999) … or “Trying to Run Before Walking”

Level 1: Chaotic
• Ad hoc
• Undocumented
• Unpredictable
• Multiple help desks
• Minimal IT operations
• User call notification

Level 2: Reactive
• Fight fires
• Inventory
• Desktop SW distribution
• Initiate problem mgt process
• Alert and event mgt
• Measure component availability (up/down)

Level 3: Proactive
• Analyze trends
• Set thresholds
• Predict problems
• Measure application availability
• Automate
• Mature problem, configuration, change, asset and performance mgt processes

Level 4: Service
• IT as a service provider
• Define services, classes, pricing
• Understand costs
• Guarantee SLAs
• Measure & report service availability
• Integrate processes
• Capacity mgt

Level 5: Value
• IT as strategic business partner
• IT and business metric linkage
• IT/business collaboration improves business process
• Real-time infrastructure
• Business planning

Transition labels in the diagram: Tool Leverage; Manage IT as a Business; Service Delivery Process Engineering; Operational Process Engineering; Service and Account Management

Approaches Currently In Use

Business As Usual - “Firefighting”

Legislation - “Forced”

Best Practice Focused

Confusing the 'Means' With the 'End'

This Is Not the Goal!

ITIL

Six Sigma

CMM-I

Malcolm Baldrige

"Certification"

Etc.

Certification Does Not Guarantee Good Outcomes!

Beware of Process for Its Own Sake!

Process Improvement Is About Better Outcomes and Experiences for Customers

Best Practices

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved

Define -- Improve

Measure -- Control And Stabilize

Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.

Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.

IT Governance Model

[Figure: IT Governance Model. Top-level labels: CobIT, IT OPERATIONS, Audit Models, Quality Systems & Mgmt. Frameworks. Pillars: Service Mgmt., App. Dev. (SDLC), Project Mgmt., IT Planning, IT Security, Quality System. Frameworks and bodies shown: COSO, ISO17799, PMI, ISO, Six Sigma, TSO IS Strategy, ASL, CMMi, Sarbanes-Oxley, US Securities & Exchange Commission, ITIL, BS 15000, ISO 20000.]

Look at the Regulatory Storm We All Face

Missing:
• PCI
• FERPA
• Security breach reporting (CA SB 1386)
• CA SB 25 re SSN use
• Gramm-Leach-Bliley
• DMCA
• CAN-SPAM
• Fed Privacy Act 1974 – RMP-8
• Electronic Gov Act of 2002
• OMB Circular A-130
• NIST security standards – FIPS 200, 800-53A
• Cyber Security R&D Act

Relationship of Control Regimes

Operations, Applications, Finance, Strategy

COCO

COSO

COBIT

ITIL

University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.

Committee of Sponsoring Organizations (COSO) – The Components

Monitoring

• Assess control system performance over time

• Ongoing and separate evaluations

• Management and supervisory activities

Control Activities

• Policies that ensure management directives are carried out

• Approval and authorizations, verifications, evaluations, safeguarding assets, security and segregation of duties

Control Environment

• Sets “tone at the top”

• Foundation for all other components of control

• Integrity, ethical values, competence, authority, responsibility

Information and Communication

• Relevant information identified, captured and communicated in a timely manner

• Access to internally and externally generated information

• Information flow allows for management action

Risk Assessment

• Identify and analyze relevant risks to achieving the entity’s objectives

COSO Enterprise Risk Management (ERM) Model

[Figure: graphical representation of the COSO components. Labels: Monitoring, Control Activities, Risk Assessment, Control Environment, Information & Communication.]

The COSO ERM Framework

Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance

ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes

Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003

CobIT: Control Objectives for IT

CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit.

It is based on over 40 international standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries.

CobIT describes standards, controls and maturity guidelines for four domains and 34 control processes.

The CobiT Cube

4 Domains

34 Processes

318 Control Objectives

(Business Requirements)

CobiT Domains

• Plan & Organize (PO Process Domain)
• Acquire & Implement (AI Process Domain)
• Deliver & Support (DS Process Domain)
• Monitor (M Process Domain)

CobiT Processes by Domain

[Figure labels: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring]

The 34 Defined CobiT Processes

The 7 CobiT Principles

Positioning the Frameworks

[Figure: frameworks positioned on two axes. Axis labels: Level of Abstraction (High, Low); IT Relevance (Holistic, Specific). Items plotted: TCO, ITIL, CMMI, CobiT, Six Sigma, ISO 9000, National Awards (e.g., Baldrige), People CMM, Scorecards, ISO 20000.]

CMM = capability maturity model

CobiT = Control Objectives for Information and Related Technology

ITIL = IT Infrastructure Library

TCO = total cost of ownership

ISO 20000 = IT service mgt standard

ISO 9000 = quality mgt standard

Point solutions are useful, but a broader, holistic approach to process and quality improvement is POWERFUL.

Process Framework - ITIL

ITIL is a best-practice process framework.
• Service delivery
• Service support
• Others (application management, security management)

Initiated by the U.K. government's Central Computing and Telecommunication Agency (CCTA). CCTA is merged into the Office of Government Commerce.

Shows the goals, general activities, inputs and outputs of the various processes.

Does not "cast in stone" every action you should do on a day-to-day basis.

ITIL Refresh or "Version 3" is in delivered.

Hype Surrounding ITIL

• ITIL makes the business love the IT group!
• ITIL is easy!
• Buy our tool and have ITIL!
• Everybody is doing it …

What's next …
• ITIL cures cancer!
• ITIL solves world hunger!

[Figure: IT Operations Management Hype Cycle. Axes: visibility vs. time. Phases: Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. ITIL positions marked for 2005, 2006, 2008, 2010 and 2012.]

Polling Results – ITIL Adoption (2006)

[Bar chart, scale 0% to 60%. Categories: "Completed" adoption; Implementing 2+ years; Implementing 0-2 years; Plan to start in next 18 months; No plans at this time.]

Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=171)

Polling Results – Primary Driver for ITIL (2006)

[Bar chart, scale 0% to 60%. Categories: Improve quality of service; Lower cost of delivering service; Improve agility to respond to business requirements; Address compliance or risk issues; None of the above.]

Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=180)

Polling Results – Biggest Hurdle Implementing ITIL (2006)

[Bar chart, scale 0% to 60%. Categories: Lack of guidance on organization and roles; Process definitions too high level to implement; Requires too much change in culture; Cannot justify ROI; Too much focus on tools in your organization; Lack of experienced ITIL consultants.]

Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=164)

ITIL: The Good and the Bad

Service Delivery:
• Service-level management
• Financial management
• Capacity management
• IT service continuity
• Availability management

Service Support:
• Incident management
• Problem management
• Change management
• Configuration management
• Release management

Service Desk

Core Benefits:
• Standard process language
• Emphasis on process vs. technology
• Process integration
• Standardization enables cost and quality improvements
• Focus on customer

Limitations:
• Not a process improvement methodology
• Specifies "what" but not "how"
• Doesn't cover all processes
• Doesn't cover organization issues
• Hype driving unrealistic expectations

Assuming Tools Will Solve Your Problems

• Be wary of vendor hype
• Focus on process first
• Tools can be enablers or inhibitors
• Assess capabilities of your current tools
• Review new tools where they would pay significant dividends
• Buy what you need, as you need it

"Man is a tool-using animal. Nowhere do you find him without tools; without tools he is nothing, with tools he is all." (Thomas Carlyle)

The next lectures

• Lect. # 2 – ITIL insight / part 1
• Lect. # 3 – ITIL insight / part 2
• Lect. # 4 & # 5 – complying with ITIL principles, a Primary IT Market Leader evidence

Thank You