1. COBIT vs. ITIL: Why can't it be both?
2. Agenda
- COBIT & ITIL: An Overview
- Key Components of COBIT
- Other Organizations on COBIT
- COBIT with other Frameworks
- Critical Success Factors: for ITIL & COBIT
- Key Success Indicators: for ITIL & COBIT
- COBIT and ITIL In Practice
3. What is IT Governance?
- IT Governance Industry Definition*
- A structure of relationships and processes
- to direct and control the IT enterprise
- in order to achieve the enterprise's goals by adding value
- while balancing risk versus return over IT and its processes
- Is a decision rights and accountability framework (structure) to ensure desirable behaviour in the
- Links IT processes, IT people, IT technology and information to enterprise strategies and objectives
*Source: Control Objectives for Information and Related Technology (CobiT), IT Governance Institute
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
4. Typical IT Governance Mission
- To leverage industry best practices (i.e. ITIL) to engineer the lifestyle change required to achieve the IT strategy and enable the overall Company corporate vision.
[Diagram labels: COBIT, ITIL]
5. The IT Governance Lifecycle
[Diagram: IT governance lifecycle. Task environment: Ethics & Culture, Laws and Regulations, Mission & Vision, Role Models, Industry Practices. Cycle steps: Why?, Create, Protect, Execute, Monitor, What?. Inputs: Key Performance Indicators; COBIT Process Framework (CSF, CO and CP); Business and IT Key Goal Indicators. Focus areas: Alignment, Value Delivery, Performance Measurement, Risk Management, IT Resource Management. COBIT tools: Maturity Models, Control Objectives, Control Practices, CSF, IT BSC, COBIT Benchmark Maturity Model, Audit Guidelines.]
6. How do the Frameworks Support & Guide the Business of IT
[Diagram: framework coverage. COBIT: IT Wide. CMMI and ITIL: Application Development and Infrastructure / Operations. ISO 17799 / NIST 800: Security & BCP/DRP. Other areas shown: IT Finance, IT People, Technology Architecture, Customer Relationship.]
7. The Governance Program Office enables ITG Strategy
8. What is COBIT
- Developed in 1996 by the Information Systems Audit and Control Association and IT Governance Institute as a standard for IT security and control practices.
- Provides a reference framework for IT, security, auditing managers and users.
- It helps companies deploy effective governance over systems
- COBIT's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes.
- These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.
9. Key Aspects of the CobiT Framework
- Organizes IT into 4 primary domains
- Divides these domains into 34 processes and provides a high level control objective for each
- Focuses on fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of 318 detailed control objectives and supporting control practices
[Diagram: the four domains, e.g. Acquisition & Implementation]
10. Key COBIT Terminology
CobiT Terms / Concepts: Summary Description
Domains:
- Planning & Organization (PO): Management Oversight, Governance, Policy, Strategy, Metrics, Risk Management, Investment, Quality
- Acquisition & Implementation (AI): Acquire, Development, Implementation, Manage, SDLC, PMM, Change Management
- Delivery & Support (DS): Change Management, Operations, Security
- Monitoring (MO): Compliance, Management Monitoring, Auditing
Processes:
- Drill down of key processes within each domain
- Key IT processes akin to key business processes within a business cycle
Control Objectives:
- Key Control Objectives or Control Statements that assist management in meeting business objectives and the risks to business information
- Suggested control activities are identified by objective
- Potential high-level audit steps are identified for activities
- This is also referred to as Activities or Tasks: IT activities or tasks that make up the processes
11. Key COBIT Terminology
[Callouts: "Where most organizations start"; "What most compliance regulations require"]
CobiT Terms / Concepts: Summary Description
Business Requirements for Information:
- Quality: Effectiveness, Efficiency
- Fiduciary: Compliance, Reliability of Information
- Security: Confidentiality, Integrity, Availability
Critical Success Factors:
- Define the most important issues and actions for management
- Get processes under control
Key Goal Indicators:
- Measures that define, after the fact, success in achieving business requirements
- Monitor achievement of IT process goals
Key Performance Indicators:
- Indicators that define how well IT processes are performing
- Monitor performance within IT processes
Maturity Model:
- Maturity of processes (controls), 0-5
12. COBIT with other Frameworks
13. What other organizations are saying
- "COBIT's real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities."
- "It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this."
- "COBIT has proven to be an excellent tool for measuring and assessing our IT controls." Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels.
Source: NetworkWorldFusion, IT frameworks demystified, 02/21/08
14. What other organizations are saying
- "ITIL is absolutely the best framework available for IT operation. There are no competitors."
  - Ben Worthen, CIO Magazine
- "We now have the ability to assess how we are performing at any point in time. We've identified where we had bottlenecks, and now the total number of problems is going down. And we have evidence to show people that we are improving."
  - Suresh Kumar, CIO, Pershing
- "ITIL is common sense. It's what many successful organizations already do. ITIL forges a bond between IT, management and external customers."
- "ITIL is like an elephant, you can eat the whole thing one bite at a time or in phases."
  - Stephen Bajada, CIO Magazine
15. IT Service Management & ITIL Defined
- ITIL is the de-facto industry best practice for IT Service Management
  - Non-proprietary and based upon proven practitioner experiences
  - International user support (IT Service Management Forum - itSMF)
- ITIL was developed by the UK Office of Government Commerce (OGC)
  - Developed in the late 1980s and continuously updated since
  - ISO 20000: formal, international standard for IT Service Management certification, based upon ITIL best practices (formerly BS 15000)
ITIL is a comprehensive and consistent set of industry best practices for IT Service Management organized in an integrated, process-based framework in order to add VALUE to customers
16. What is ITIL?
- ITIL, Information Technology Infrastructure Library, is the most widely accepted approach to IT service management in the world
- ITIL is also supported by a comprehensive qualifications scheme, accredited training organizations, and implementation and assessment tools
17. What Is ITSM?
- ITSM is an acronym for IT Service Management
18. ITIL Framework Service Management Objective Tree
[Diagram (Source: The Art of Service): Quality, Flexibility, Cost Management; How / What? and Why!; effective, efficient organization; effective, efficient IT service provision]
19. What are the Benefits of ITIL?
- Improved IT Services through the use of Proven Best Practices
- Customer Service Satisfaction
- IT Value through Business, IT Operational, and Goal Alignment
- Improved Productivity, Skills, and Experience
- Improved delivery of third party services through the specification of ITIL
Documented Common Sense
20. Where Does ITIL Fit? Focuses on Process (Not Technology)
- You don't implement ITIL: you use it to help create organizational change
- ITIL doesn't offer guidance on how to actually apply the best practices it catalogs: each organization must design its own processes based on ITIL
- To run IT like a business, you need to understand the key services that go into it
- ITIL makes that work visible. It allows you to measure what is important, so you can emphasize the things that add value and take out the things that don't
21. ITIL v3: The Service Lifecycle
[Diagram (Source: ITIL Refresh Project): Service Strategies, Service Design, Service Transition, Service Operation, Continual Service Improvement. Complementary Guidance: Quick Wins, Governance Methods, Case Studies, Value-added Products, Templates, Qualifications, Study Aids]
22. COBIT & ITIL: CSFs Align!
- Sustained executive and management support
- Transformation must be institutionalized
- Plan and drive organizational change
- Don't boil the ocean: utilize a prioritized and phased implementation approach
- Listen, understand, communicate, communicate and communicate
23. Key Success Indicators
- Process Maturity & Adoption
- Compliance with Regulatory & Audit Requirements
- Employee Development & Competence
24. Maturity Level Definitions
- They provide a shorthand method for describing key attributes of a control or a process
- Maturity levels can be used to describe the attributes of our current controls or our current processes
- They can also be used to describe the target level or attributes of our controls or processes
- Control maturity levels are different from an overall process maturity level definition
- Control maturity levels are different from (but similar to) the current ITIL and CMMI maturity level definitions
25. Process MM: Gartner View (Source: Gartner, November 2005)
- IT Management Process Maturity Model
- Based on a 0.00 to 4.00 Best Practice Maturity Scale
- CMMI uses a 5 point scale:
26. Lessons Learned: Other Companies
COBIT:
- COBIT is a reference, a set of best practices, not an out of the box solution
- Enterprises still need to analyze their control requirements and customize based on:
  - IT infrastructure, organization
- Understand that Control Maturity (COBIT) and Process Maturity (ITIL) are different.
- Leverage other frameworks for the security area (NIST, ISO 17799, etc.)
- ROI is still difficult to quantify
ITIL:
- ITIL is guidance, not an out of the box solution
- Enterprises still need to analyze their process requirements and customize/make fit for purpose based on:
  - IT infrastructure, organization
  - Risk and Project Portfolio
- Understand that process maturity (ITIL, CMMI, etc.) and control maturity (COBIT) are different.
- Leverage other frameworks for the security area (NIST, ISO 17799, etc.)
- ROI is still difficult to quantify
27. COBIT with other frameworks for SOX
[Table: rows are SOX Guidelines areas; columns are COBIT, ITIL and CMMi. Cells appear below in reading order; N/A marks an empty cell.]
- Define a strategic IT plan
- Define the IT Organization and Relationships
- Communicate Management Aims and Direction
- Ensure Compliance with External Requirements
N/A N/A
- Program Changes (Change Management)
- Process & Product Quality Assurance
- Verification & Validation
- Program Development (SDLC)
- Install and Accredit Systems
- Process & Product Quality Assurance
- Verification & Validation
- Manage Problems and Incidents
N/A
- Access to programs and data (Security)
28. COBIT with other frameworks: Non SOX Objectives
[Table: rows are Other IT Process Areas; columns are COBIT, ITIL and CMMi. Cells appear below in reading order; N/A marks an empty cell.]
N/A
- Process and Product Quality Assurance
- Ensure Continuous Service
N/A
- Define and Manage Service Levels
- Ensure Continuous Service
N/A
- Performance and Capacity Planning
- Manage Performance and Capacity
- Ensure Continuous Service
N/A
- Help Desk and Customer Support
- Assist and Advise Customers
- Manage the Information Technology Investment
- Identify and Allocate Costs
- IT Service Financial Management
- Supplier Agreement Management
- Define the Information Architecture
- Determine the Technological Direction
- Identify Automated Solutions
- Develop and Maintain Procedures
N/A
29. COBIT In Practice: An Example
- DS5 Ensure Systems Security
  - DS5.1 Manage Security Measures
  - DS5.2 Identification, Authentication and Access
  - DS5.3 Security of Online Access to Data
  - DS5.4 User Account Management
  - DS5.5 Management Review of User Accounts
  - DS5.6 User Control of User Accounts
  - DS5.7 Security Surveillance
  - DS5.8 Data Classification
  - DS5.9 Central Identification and Access Rights Management
  - DS5.10 Violation and Security Activity Reports
30. DS5.5 Management Review of User Accounts
- Management should have a control process in place to review and confirm access rights periodically.
- Without periodic review of user account access, a user could have access to systems or data that he or she no longer needs or should not have access to.
- Control Activities (who, what, when)
  - On a quarterly basis data owners review the Top Security Transaction Code Reports to verify that only authorized users can create, read, update and/or delete the information that they own.
  - Confirmations are stored within a Lotus Notes database. Exceptions result in a help desk ticket being created.
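The quarterly review above is, at bottom, a reconciliation: what the access report says people can do today, compared with what each data owner has approved, with every difference becoming an exception. The script below is an added example (it is not from the deck or from the IT Governance Institute) that carries that reconciliation through for the DS5.5 control activities. It assumes a comma-separated access report and approval list, a CRUD permission code per entry, and a 91-day review period; the user names, data sets, owners and dates are constructed sample data. It also flags owners whose last confirmation is older than one period, which is the "when" of the control, and only turns the findings that leave someone with unapproved access into ticket text, matching the slide's exception rule.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=91)   # the slide's quarterly cadence (assumed length)
CRUD = "CRUD"                        # create, read, update, delete

# Constructed sample access report: user,dataset,permissions currently granted.
ACCESS_REPORT = """\
alice,payroll,CRUD
bob,payroll,RU
carol,payroll,RU
dave,ledger,R
erin,ledger,CRUD
"""

# Constructed sample owner approvals: dataset,owner,user,permissions.
APPROVED_ENTITLEMENTS = """\
payroll,hr_lead,alice,CRUD
payroll,hr_lead,bob,R
ledger,finance_lead,dave,R
ledger,finance_lead,frank,R
"""

# Constructed sample: the date each owner last confirmed their list (the stored confirmations).
LAST_CONFIRMED = {"payroll": date(2024, 1, 15), "ledger": date(2024, 6, 1)}


@dataclass(frozen=True)
class Finding:
    kind: str     # UNAPPROVED_ACCESS, EXCESS_PERMISSION, NOT_PROVISIONED or REVIEW_OVERDUE
    dataset: str
    user: str     # empty for dataset-level findings
    detail: str


def _parse(text: str, user_col: int, dataset_col: int, perms_col: int) -> dict[tuple[str, str], set[str]]:
    """Parse comma-separated lines into (user, dataset) -> set of permission letters."""
    out: dict[tuple[str, str], set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split(",")]
        perms = set(cols[perms_col])
        unknown = perms - set(CRUD)
        if unknown:
            raise ValueError(f"unknown permission code {sorted(unknown)} in line: {line}")
        out[(cols[user_col], cols[dataset_col])] = perms
    return out


def parse_access_report(text: str) -> dict[tuple[str, str], set[str]]:
    return _parse(text, user_col=0, dataset_col=1, perms_col=2)


def parse_approved(text: str) -> dict[tuple[str, str], set[str]]:
    return _parse(text, user_col=2, dataset_col=0, perms_col=3)


def review_access(granted, approved, last_confirmed, today: date) -> list[Finding]:
    """Compare live access with owner approvals and list what the reviewer must act on."""
    findings: list[Finding] = []
    for (user, dataset), perms in sorted(granted.items()):
        if (user, dataset) not in approved:
            # Access nobody approved: the "no longer needs or should not have" case on the slide.
            findings.append(Finding("UNAPPROVED_ACCESS", dataset, user, "".join(p for p in CRUD if p in perms)))
            continue
        extra = perms - approved[(user, dataset)]
        if extra:
            findings.append(Finding("EXCESS_PERMISSION", dataset, user, "".join(p for p in CRUD if p in extra)))
    for user, dataset in sorted(approved):
        if (user, dataset) not in granted:
            # Approved but never provisioned: not an exposure, but the owner's list is stale.
            findings.append(Finding("NOT_PROVISIONED", dataset, user, ""))
    for dataset, confirmed in sorted(last_confirmed.items()):
        if today - confirmed > REVIEW_PERIOD:
            findings.append(Finding("REVIEW_OVERDUE", dataset, "", f"last confirmed {confirmed.isoformat()}"))
    return findings


def needs_ticket(f: Finding) -> bool:
    """Only findings that leave someone with access they should not have become help-desk tickets."""
    return f.kind in ("UNAPPROVED_ACCESS", "EXCESS_PERMISSION")


def ticket_text(f: Finding) -> str:
    return f"[{f.dataset}] {f.kind}: user {f.user} holds {f.detail}; owner to confirm or revoke"


def run_review(today: date = date(2024, 7, 1)) -> list[Finding]:
    """Run the quarterly review over the constructed sample data."""
    return review_access(parse_access_report(ACCESS_REPORT),
                         parse_approved(APPROVED_ENTITLEMENTS), LAST_CONFIRMED, today)


if __name__ == "__main__":
    for f in run_review():
        print(ticket_text(f) if needs_ticket(f) else f"{f.kind} {f.dataset} {f.user} {f.detail}".strip())
```

On the sample data the review raises two tickets for access nobody approved (carol on payroll, erin on ledger), one for bob's extra update right on payroll, notes that frank's approved ledger access was never provisioned, and reports that the payroll owner's last confirmation is older than a quarter. The separate NOT_PROVISIONED and REVIEW_OVERDUE kinds keep the reviewer's attention on the real exposures without losing the evidence trail the slide asks for.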
31. ITIL Access Management: Guidance
- Provides Guidance on IT Access Management Processes
- Found in the Service Operations Phase of the ITIL V3
Lifecycle
- Additional source for process guidance, benefits, etc.
32. COBIT In Practice: An Example #2
- AI6.1 Change Request Initiation and Control
- AI6.5 Documentation and Procedures
- AI6.6 Authorized Maintenance
- AI6.7 Software Release Policy
- AI6.8 Distribution of Software
33. AI6.3 Control of Changes
- Requests for changes, application maintenance and supplier maintenance are standardized and are subject to formal change / release management procedures.
- Without a change management methodology, application changes could be implemented without proper testing or approval and could result in unscheduled downtime which disrupts business processes.
- Control Activities (who, what, when)
  - A change management system is utilized to track all change requests. Change requests are entered by the change manager and reviewed by the change control board twice a week.
  - Before promotion to production, each change is tested using an appropriate testing strategy given the size and nature of the change. Testing may include end user testing when appropriate and the test results must be reviewed and approved by an appropriate manager.
  - Once changes have been reviewed, tested and accepted, the production environment is updated to include the accepted changes.
  - Documentation is maintained within the change management system XYZ.
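The control activities above describe a sequence (request, board review, test with recorded results, manager approval, then production update) and the risk statement describes what happens when a step is skipped. The gate below is an added example, not from the deck and not the change management system it refers to as "XYZ"; it assumes the change record is a simple log of (stage, actor, note) entries and a small role directory in which only people with the "manager" role may approve. The change IDs, names and roles are constructed. Promotion is refused when a stage is missing, when the latest approval predates the latest test (so a retest after approval needs a fresh approval), when the test stage carries no results, or when the approver is not a manager.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Stages a change passes, in order, before production is updated (from the slide's control activities).
STAGES = ("requested", "board_reviewed", "tested", "approved", "promoted")
PRE_PROMOTION = STAGES[:-1]

# Constructed sample role directory: only managers may approve test results.
ROLES = {"pat": "change_manager", "lee": "developer", "sam": "manager"}


@dataclass
class ChangeRecord:
    """One entry in the change management system (assumed shape; the deck only calls it 'system XYZ')."""
    change_id: str
    description: str
    log: list[tuple[str, str, str]] = field(default_factory=list)  # (stage, actor, note)

    def record(self, stage: str, actor: str, note: str = "") -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self.log.append((stage, actor, note))

    def stages(self) -> list[str]:
        return [stage for stage, _, _ in self.log]


def promotion_blockers(rec: ChangeRecord, roles: dict[str, str] = ROLES) -> list[str]:
    """Why this change must not go to production yet; an empty list opens the gate."""
    blockers: list[str] = []
    seen = [s for s in rec.stages() if s != "promoted"]
    for stage in PRE_PROMOTION:
        if stage not in seen:
            blockers.append(f"missing stage: {stage}")
    if not blockers:
        # The latest evidence for each stage must come after the latest evidence for the stage
        # before it, so a retest after approval invalidates that approval.
        last = {s: i for i, s in enumerate(seen)}
        positions = [last[s] for s in PRE_PROMOTION]
        if positions != sorted(positions):
            blockers.append("stages recorded out of order")
    # The test stage must carry results for the approver to review.
    if any(stage == "tested" and not note for stage, _, note in rec.log):
        blockers.append("test results not recorded")
    # Approval must come from an appropriate manager.
    for stage, actor, _ in rec.log:
        if stage == "approved" and roles.get(actor) != "manager":
            blockers.append(f"approver {actor} is not a manager")
    return blockers


def promote(rec: ChangeRecord, actor: str) -> ChangeRecord:
    """Update production only when every control activity has been evidenced."""
    blockers = promotion_blockers(rec)
    if blockers:
        raise PermissionError(f"{rec.change_id}: " + "; ".join(blockers))
    rec.record("promoted", actor, "production updated")
    return rec


def sample_changes() -> tuple[ChangeRecord, ChangeRecord]:
    """Constructed records: one that satisfies the gate and one that does not."""
    good = ChangeRecord("CHG-1001", "rotate database credentials")
    good.record("requested", "pat", "entered by change manager")
    good.record("board_reviewed", "pat", "CCB Tuesday: approved for test")
    good.record("tested", "lee", "end-user test passed; results attached")
    good.record("approved", "sam", "test results reviewed")

    bad = ChangeRecord("CHG-1002", "hotfix to payroll export")
    bad.record("requested", "lee")
    bad.record("tested", "lee", "")                   # no results recorded
    bad.record("approved", "lee", "self-approved")    # developer, not a manager; board review skipped
    return good, bad


if __name__ == "__main__":
    good, bad = sample_changes()
    print(promote(good, "pat").stages())
    try:
        promote(bad, "lee")
    except PermissionError as err:
        print("refused:", err)
```

The refusal message lists every missing control at once rather than the first one found, which is what an auditor reading the change record wants to see; the out-of-order check is only run once all stages are present, so it does not bury a missing board review under a misleading ordering complaint.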
34. Change Management: Process Guidance
- ITIL provides guidance on how to implement Change Management in your IT Organization
- Provides guidance on how to assess impact and risk
- Found in the Service Transition Phase of the Lifecycle
35. Making Changes on an Organizational Level: Workshop Exercise
36. Organizational Change: The Influence
- People will not align with bad aims and are less inclined if the organization does not align with their belief systems
- Most staff will simply nod and smile demurely as if in servile acceptance
- The people can't be bothered
- Re-assess and re-align your organization's aims, beliefs, integrity - all of it - with your people's
- Then they might begin to be interested in helping with new skills and change, etc.
37. Organizational Change: The Influence
- People can't just drop everything and 'change', or learn new skills, just because you say so
- Perception: even if they want to change and learn new skills, they have a whole range of issues that keep them fully occupied
- What they might be thinking:
- "So you want me to attend this training course, so you can earn more (etc, etc), and when I come back from two days away in some rotten hotel my personal pile of meaningless jobs will just have magically disappeared will it? And when I come to try to implement these new skills and make all these new things happen, everyone will be completely in step will they? Pull the other one... Again, no can do..."
38. Organizational Change: The Influence
- Save yourself from incorrect assumptions
- Consulting with people does not mean that you hand over the organization to them - they wouldn't want the corporation if you paid them anyway
- No, consulting with people gives you and them a chance to understand the implications and feasibility of what you think needs doing
- Consulting with people, and helping them to see things from both sides, generally throws up some very good ideas for doing things better than you could have dreamt of by yourself!
- It helps you to see from both sides too!
39. Organizational Change: The Influence
- Organizations commonly say they don't have time to re-assess
and re-align their aims and values, etc., or don't have time to
consult with people properly, because the organization is on the
edge of a crisis
- Organizations get into crisis because they ignore facts one and
two
- In general, ignoring these facts again will only deepen the
crisis
40. Organizational Change: The Influencers
- Crisis is the best reason to re-align your aims and consult with people
- Crisis is a wake-up: change the organization and its purpose - not the people
- When an organization is in crisis, the people are almost always okay - it'll be the organizational purpose and aims that are not
41. Organizational Change: Summary
- You cannot just Tell and Command Change within the organization
- Look at Organizational Goals and Objectives
  - What does your organization actually seek to do?
  - Whom does your organization benefit?
  - And whom does it exploit?
  - Who are the winners, and who are the losers?
  - Does your organization have real integrity?
- COMMUNICATE COMMUNICATE COMMUNICATE
  - Communicate does not equal Consensus, but it does foster trust and change!
42. More Information
43. Why is ITIL training important?
- Your company will improve business with ITIL processes that you learn in the training
  - Improving IT Service Strategy, Design, Transition, Operation and Continual Service Improvement
44. Why is ITIL training important?
- ITIL certification will allow you to understand the common
language of ITIL, understood by IT professionals worldwide, and
will increase your standing within the IT community
- ITIL gives you an adaptive and flexible framework for managing
IT services and encourages you to use common sense rather than
follow a rigid set of rules
45. Certification Scheme
46. Course Offerings (Accredited Training Powered by Ahead-Technologies Courseware)
- ITIL Service Management (Foundations): 2 Credits
  - Attendance: Anyone working in IT
- ITIL Practitioner Series (5 courses available): Total 12 Credits
  - Prerequisite: Foundation Certification in IT Service Management
  - Duration: 3 ILT days for each course
  - Attendance: Middle Managers & Team Leaders
- Managers Certificate in IT Service Management: 17 Credits
  - Prerequisite: Foundation Certification in IT Service Management & approved criteria
  - Attendance: Those that are managing, implementing, & advising on ITIL processes, through project or day-to-day management, who have 5 years experience with IT Service Management.
47. Why is COBIT training important?
- Your company will improve business and overall business to IT Alignment with IT Governance Objectives that you learn in the training
  - Ensuring appropriate controls and compliance
- Benefit from completing the Internationally Recognized COBIT Foundations Exam