Frameworks ..
- To build strategies
- Recognized to be best practice in IT Management
- Core instruments for many IT managers
- Vendor neutral
- Written in an accessible & plain way
- ISO 27001: Information Security Management Systems
- ISO/IEC 20000: ITSM Standard
- Six Sigma
- IT Balanced Score Card
- COBIT (discussed separately)
- PRINCE2: Projects in Controlled Environments
- Security techniques - Information security management systems - Requirements but it is commonly known as "ISO 27001".
- Provides a model & detailed guidance for reducing an organization's exposure to IS risk, as implemented through an ISMS.
- ISO 27001 springs from British Standard BS7799
- Latest Version 2005
Where is it used?
What is it?
Two parts:
ISO 27001:2005
ISO 17799:2005
- each of which is directed at a particular area of information security concern
- Code of practice describes high level information security objectives and controls by which risks in the scope of objectives are treated
How to ?
- Plan
How to ?
- To Do
To do stage
- Formulate & improve a risk treatment plan
- Identifying appropriate management actions, resources, responsibilities and priorities for managing IS risks
- By implementing the controls selected in SOA to meet control objectives
How to ?
- Check
Check stage
- Report on the result of the performance & fitness-for-purpose of the operation will be given to management
- Process performance assessed against ISMS policy & objectives after iteration under PDCA cycle
How to ?
- Act
Act stage
- After management review, corrective & preventive actions based on ISMS audit & management review
- To achieve continual improvement of the ISMS
Relevance
Relevance to IT Management
organization uses
- Many of these information assets will be IT equipment
- Many of the controls impinge on IT management
- Information Security is NOT just an IT management issue
- Management System
- Measured by Organization's risk profile
- Built by iteration through PDCA cycle improving the effectiveness
- Focus on Confidentiality, integrity & availability
- Problem in implementing due to large number of assets available to the organization
- When extending the organization's information resources outside, difficult to subject the external organizations to the same standards
- The first international standard for IT Service Management
- Initially developed as a British Standard BS15000
- Version 1 published in 2000, V.2 in 2002
- Currently certification is owned and managed by itSMF (IT Service Management Forum)
Where is it used?
- Appropriate to IT Service Provider organizations
- To all industry sectors and all sizes of organizations except smallest (perhaps ISO9000 would suit!)
- Traditionally used to achieve formal certifications
- Helpful as a benchmark
What is it?
Two parts:
- integrated process approach to effectively deliver managed services to meet the business and customer requirements"
- Requirements
- Code of Practice: expansion & explanation of the requirements specified in the first part; describes the best practices for service management
What is it?
Both parts share a common structure
- Scope
- Terms & Definitions
- Planning and Implementing Service Management
- Requirements for a Management System
- Planning & Implementing New or Changed Services
- Service Delivery Processes
- Relationship Processes
- Control Processes
- Resolution Processes
- Release Process
What is it?
- Service level management
- Service reporting
- Service continuity and availability management
- Budgeting and accounting of IT services
- Capacity management
- Information security management
- Business relationship management
- Supplier management
- Incident management
- Problem management
- Configuration management
- Change management
[Diagram labels: Relationship Processes, Resolution Processes, Control Processes]
How to ?
- Primarily a measure of process conformance to be achieved rather than a means of achieving it
- Can be applied by any service provider who wishes to demonstrate conformance with best practices in IT service management
- Steps
Relevance
- Concerned with service management and hence centrally relevant
- Does not depend on any specific approach
- Assessments are made against the process in place, irrespective of methods, guidance, techniques adopted
- Costs include training of staff, cost of improvement, cost of assessment
- Still early in life
- With growing popularity worldwide, an agreed and accepted core of best practice
- Addresses only generically valid core elements of the service management processes
- Hence, cannot describe the full set of processes/procedures required to deliver effective and efficient customer focused services
- A branding term given to a structured, disciplined, rigorous approach to process improvement
- Literally means only 3.4 defects per million opportunities occurring
- After the rise of TQM, Motorola engineer Bill Smith coined the term in early 1980
Where ?
- Origin in manufacturing industry, now in >10 industry sectors, e.g. defense, finance, ICT
- Invented by Motorola
- Optimized by GE
- Initially perceived as a methodology for operations & manufacturing industries
Where ?
- ABN Amro NV in the Netherlands did a pilot in 2004 with the help of Cap Gemini
- Led to cost reduction of 1.2 million Euros in 3 month period
- Also the approach helped to work together globally and to quantify the process KPIs and improvements.
- Adopted not just Six Sigma methodology but also the mindset, viz. Six Sigma philosophy
What ?
- Refers to the statistical notion of having 99.99% confidence
- Fundamental objective: implementation of a measurement-based strategy that focuses on process improvement and variation reduction
- Practical goal: to increase profits by eliminating variability, defects and waste that undermine customer loyalty
- Relies on: tried-and-true methods available for decades, and combines these to create a new and structured methodology
What ?
Three Levels
- Metric: 3.4 Defects Per Million Opportunities (DPMO)
- Methodology: DMAIC
- Philosophy
How to ?
- Affinity Diagram
- Brainstorming
- Calculators
- Cause & Effect/Ishikawa/Fishbone
- Control Charts
- Contract management software
- Creativity/Out-of-the-box thinking
- Design of Experiments
- Document Control
- Flow Chart
- Risk Assessment
- Process map
- Scatter diagram
- Six Sigma report templates, etc.
- A rigorous improvement method or philosophy which is fast to implement with high success rate
- Consists of one language worldwide
- Best suited to high volume/high risk processes, large data sets available, measurable & repeatable processes
- Not a one-size-fits-all methodology
- Can be used in many situations but not always in the same way
- Substantial requirement of resources in plans to adopt the philosophy
- Can benefit the organization, IF used in the right way and for the right purpose.
It was ideated and first detailed by Robert Kaplan and David Norton. The Balanced Scorecard is a strategic planning and management system used to align business activities to the vision and strategy of the organization, improve internal and external communications and monitor organization performance against strategic goals.
Where ?
- Performance management system that enables business to drive strategies based on measurement & follow up
- Can be easily applied to IT investments, projects, departments as performance management & alignment system
- Growing popularity of the concept
- Widely supported & disseminated by international consultant groups like Gartner, IDC etc.
What ?
- Learning & growth: includes training, learning, corporate culture and attitudes, self growth. Individuals are the main repository of knowledge of an organisation and the critical resource.
- Business process: Metrics based on internal business processes allow management to monitor how well the business is running.
- Customer: Indicators on customer satisfaction and tools to improve and monitor customer relations are critical.
- Financial: Timely and accurate financial data is still a key to manage the business. Data should be centralised and of fast and easy access, but financial data should not be the only indicator, thus the original intention of the word balanced.
How to?
- Presentation of the concept to senior management
- Establish a project team
- Gather data & collect information on
  - Corporate IT strategy
  - IT metrics already in use for performance measurement
- Develop organization specific IT Balanced Score Card
How to?
- Start small with only key objectives
- Consider BSC technique as a supportive mechanism for IT/Business alignment & IT Governance
- Consider & implement IT BSC as an evolutionary project
- Provide a formal project organization
- Provide best IT practices supporting the IT BSC
- Regularly revisit
- Focus first on establishment of appropriate objectives and measures and after that on automation via tools and software
How to?
Management Cycle
1. Collect: Collect information.
2. Create: Create the scorecard design.
3. Cultivate: Cultivate acceptance and the measurement culture.
4. Cascade: Cascade measures down through the organisation.
5. Connect: Connect objectives and measures to employees.
6. Confirm: Confirm effectiveness through evaluation leading to ongoing improvement.
Source: Chang, Richard Y.; Mark W. Morgan; Performance Scorecards, Jossey-Bass, 2000
Relevance to IT Management
- Getting business value from IT and measuring that value are important governance domains
- Combined responsibility of business & IT to take both tangible & intangible costs & benefits into account
- IT BSC provides answers to questions like
  - How do I get back the extra money spent on IT?
  - How does my IT benchmark against competitors?
  - Do I get back from IT the promised returns?
  - How do I learn from past performance?
  - Is my IT implementing strategy in alignment with business?
- IT BSC is treated as the best practice for performance measurement and alignment
- It provides the systematic translation of the strategy into critical success factors and metrics
- Gives a balanced view of total value delivery of IT to the business
- Provides a snapshot of where your IT organization is at a certain point in time
- Barriers & pitfalls:
  - Visions & strategies that are not actionable
  - Strategies that are not linked to departmental, team & individual goals
  - Feedback that is tactical & not strategic
PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.
Where ?
- It concentrates on the work of the project manager, team managers and members of senior management involved in decision making
- De facto best practice project management standard in the UK & widely used in Netherlands & Australia
- Spreading fast across the world
What ?
- project management team
- Its product-based planning approach
- Its emphasis on dividing the project into manageable and controllable stages
- Its flexibility to be applied at a level appropriate to the project.
What ?
Two key principles of PRINCE2 are:
- A project should be driven by its business case: check for conformity at regular intervals and stop if justification has disappeared
- PRINCE2 is product based: focuses on products (documents) to be produced by the project and NOT the activities to produce them
How to ?
- Covers all sizes of projects
- Thorough understanding is required to be able to use its flexibility & scalability
- Does not attempt to cover techniques that are already in public domain, e.g. network planning & use of Gantt charts
Relevance to IT Management
- Originally devised for IT by a group of IT managers
- Very relevant to the management of IT projects
- Excellent approach to planning & organization of a project & describes the production of a business case (often a weak area in IT projects!!)
- Closing of a project is also very relevant
- A disciplined approach to project management through combination of processes & components
- Controls, risks and quality chapters of the method are particularly strong
- A complete approach to the management of risk is given
- Quality coverage begins before the project officially begins
- PRINCE2 is not a complete answer to project management
- Does not contain techniques such as soft skills like leadership
- It does not cover programs