
An Introduction to Frameworks for IT Management

An overview of various IT frameworks focusing on Standards & Controls

Frameworks ..

- To build strategies
- Recognized to be best practice in IT Management
- Core instruments for many IT managers
- Vendor neutral
- Written in an accessible & plain way

Few selected Frameworks ..

- ISO 27001 : Information Security Management Systems
- ISO/IEC 20000 : ITSM Standard
- Six Sigma
- IT Balanced Score Card
- COBIT (discussed separately)
- PRINCE2 : Projects in Controlled Environments

ISO/IEC 27001:2005 - Information technology

- The full title is "Information technology - Security techniques - Information security management systems - Requirements", but it is commonly known as "ISO 27001"
- Provides a model & detailed guidance for reducing an organization's exposure to IS risk, as implemented through an ISMS
- ISO 27001 springs from British Standard BS7799
- Latest version: 2005


Where is it used?

- An instrument by which the value of each organisation's information assets is protected on an ongoing basis
- Recognizes many facets of information security, e.g. technical, human, system, organizational, societal etc.

What is it?

Two parts:

- ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements
- ISO 17799:2005 Information Technology - Security Techniques - Code of practice for Information Security Management

ISO 27001:2005

- Management approach to the synthesis of an Information Security Management System that is fit for purpose
- Measured by the information security requirements and expectations of all the interested parties

ISO 17799:2005

- Is a code of practice
- 11 areas and 39 security control objectives, each of which is directed at a particular area of information security concern
- The code of practice describes high-level information security objectives and the controls by which risks within the scope of those objectives are treated

How to ?
- Plan

Planning stage - 4 parts:

- ISMS documentation, defining the information security policy and the statement of applicability
- Asset identification
- Risk assessment
- Risk treatment


How to ?
- To Do

To do stage:

- Formulate & improve a risk treatment plan
- Identify appropriate management actions, resources, responsibilities and priorities for managing IS risks
- Implement the controls selected in the SoA (Statement of Applicability) to meet the control objectives

How to ?
- Check

Check stage:

- A report on the results of the performance & fitness-for-purpose of the operation is given to management
- Process performance is assessed against the ISMS policy & objectives after each iteration of the PDCA cycle

How to ?
- Act

Act stage:

- After management review, corrective & preventive actions are taken based on the ISMS audit & management review
- To achieve continual improvement of the ISMS

Relevance to IT Management

- Recognizes the value of the information that an organization uses
- Many of these information assets will be IT equipment
- Many of the controls impinge on IT management
- Information Security is NOT just an IT management issue

Strengths & weaknesses

- Detailed guidance for a fit-for-purpose IS Management System
- Measured by the organization's risk profile
- Built by iteration through the PDCA cycle, improving effectiveness
- Focus on confidentiality, integrity & availability
- Problems in implementation due to the large number of assets held by the organization
- When extending the organization's information resources outside, it is difficult to subject the external organizations to the same standards

ISO/IEC 20000 : ITSM Standard

- The first international standard for IT Service Management
- Initially developed as a British Standard, BS15000; version 1 published in 2000, v.2 in 2002
- Currently certification is owned and managed by itSMF (IT Service Management Forum)

Where is it used?

- Appropriate to IT Service Provider organizations
- To all industry sectors and all sizes of organizations except the smallest (perhaps ISO 9000 would suit!)
- Traditionally used to achieve formal certification
- Helpful as a benchmark

What is it?

Two parts:

- Specification: "promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements" - the Requirements
- Code of Practice: expansion & explanation of the requirements specified in the first part; describes the best practices for service management

What is it?

Both parts share a common structure:

- Scope
- Terms & Definitions
- Planning and Implementing Service Management
- Requirements for a Management System
- Planning & Implementing New or Changed Services
- Service Delivery Processes
- Relationship Processes
- Control Processes
- Resolution Processes
- Release Process

What is it?

Service Delivery Processes
- Service level management
- Service reporting
- Service continuity and availability management
- Budgeting and accounting of IT services
- Capacity management
- Information security management

Relationship Processes
- Business relationship management
- Supplier management

Resolution Processes
- Incident management
- Problem management

Control Processes
- Configuration management
- Change management

How to ?

- Primarily a measure of process conformance to be achieved, rather than a means of achieving it
- Can be applied by any service provider who wishes to demonstrate conformance with best practices in IT service management
- Steps: internal comparison, internal benchmarking, formal certification

Relevance

- Concerned with service management and hence centrally relevant
- Does not depend on any specific approach
- Assessments are made against the process in place, irrespective of the methods, guidance and techniques adopted
- Costs include training of staff, cost of improvement, cost of assessment

Strengths & weaknesses

- Still early in life
- With growing popularity worldwide, an agreed and accepted core of best practice
- Addresses only the generically valid core elements of the service management processes
- Hence, cannot describe the full set of processes/procedures required to deliver effective and efficient customer-focused services

Six Sigma

- A branding term given to a structured, disciplined, rigorous approach to process improvement
- Literally means only 3.4 defects per million opportunities occurring
- After the rise of TQM, Motorola engineer Bill Smith coined the term in the early 1980s

Where ?

- Origin in the manufacturing industry, now in >10 industry sectors, e.g. defense, finance, ICT
- Invented by Motorola, optimized by GE
- Initially perceived as a methodology for operations & manufacturing industries

Where ?

- ABN Amro NV in the Netherlands did a pilot in 2004 with the help of Cap Gemini
- Led to a cost reduction of 1.2 million Euros in a 3-month period
- The approach also helped to work together globally and to quantify the process KPIs and improvements
- Adopted not just the Six Sigma methodology but also the mindset, viz. the Six Sigma philosophy

What ?

- Refers to the statistical notion of having 99.99% confidence
- Fundamental objective: implementation of a measurement-based strategy that focuses on process improvement and variation reduction
- Practical goal: to increase profits by eliminating variability, defects and waste that undermine customer loyalty
- Relies on tried-and-true methods available for decades, and combines these to create a new and structured methodology

What ?

Three levels:

- Metric: 3.4 Defects Per Million Opportunities (DPMO)
- Methodology: DMAIC (Define-Measure-Analyze-Improve-Control), DMADV (Define-Measure-Analyze-Design-Verify), DFSS (Design For Six Sigma)
- Philosophy

DMAIC

How to ..

Tools & Templates (illustrative):

- Affinity Diagram
- Brainstorming
- Calculators
- Cause & Effect / Ishikawa / Fishbone
- Control Charts
- Contract management software
- Creativity / out-of-the-box thinking
- Design of Experiments
- Document Control
- Flow Chart
- Risk Assessment
- Process map
- Scatter diagram
- Six Sigma report templates, etc.

Strengths & weaknesses

- A rigorous improvement method or philosophy which is fast to implement with a high success rate
- Constitutes one language worldwide
- Best suited to high-volume/high-risk processes with large data sets available, and to measurable & repeatable processes
- Not a one-size-fits-all methodology
- Can be used in many situations but not always in the same way
- Substantial requirement of resources in plans to adopt the philosophy
- Can benefit the organization, IF used in the right way and for the right purpose

IT Balanced Score Card

It was ideated and first detailed by Robert Kaplan and David Norton. The Balanced Scorecard is a strategic planning and management system used to align business activities to the vision and strategy of the organization, improve internal and external communications and monitor organization performance against strategic goals.

Where ?

- A performance management system that enables businesses to drive strategies based on measurement & follow-up
- Can be easily applied to IT investments, projects and departments as a performance management & alignment system
- Growing popularity of the concept
- Widely supported & disseminated by international consultant groups like Gartner, IDC etc.

What ?

The balanced scorecard suggests we view 4 critical perspectives of our business:

- Learning & growth: includes training, learning, corporate culture and attitudes, self-growth. Individuals are the main repository of knowledge of an organisation and the critical resource.
- Business process: metrics based on internal business processes allow management to monitor how well the business is running.
- Customer: indicators on customer satisfaction and tools to improve and monitor customer relations are critical.
- Financial: timely and accurate financial data is still key to managing the business. Data should be centralised and fast and easy to access, but financial data should not be the only indicator; hence the original intention of the word "balanced".


How to?

High level road map to BSC:

- Presentation of the concept to senior management
- Establish a project team
- Gather data & collect information on corporate IT strategy and IT metrics already in use for performance measurement
- Develop an organization-specific IT Balanced Score Card

How to?

Some lessons learned

- Start small, with only key objectives
- Consider the BSC technique as a supportive mechanism for IT/Business alignment & IT Governance
- Consider & implement the IT BSC as an evolutionary project
- Provide a formal project organization
- Provide best IT practices supporting the IT BSC
- Regularly revisit
- Focus first on the establishment of appropriate objectives and measures, and after that on automation via tools and software

How to?

Management Cycle

1. Collect
Collect information.

2. Create
Create the scorecard design.

3. Cultivate
Cultivate acceptance and the measurement culture.

4. Cascade
Cascade measures down through the organisation.

5. Connect
Connect objectives and measures to employees.

6. Confirm
Confirm effectiveness through evaluation leading to ongoing improvement.

Source: Chang, Richard Y.; Mark W. Morgan; Performance Scorecards, Jossey-Bass, 2000

Relevance to IT Management

- Getting business value from IT and measuring that value are important governance domains
- Combined responsibility of business & IT to take both tangible & intangible costs & benefits into account
- IT BSC provides answers to questions like:
  - How do I get back the extra money spent on IT?
  - How does my IT benchmark against competitors?
  - Do I get back from IT the promised returns?
  - How do I learn from past performance?
  - Is my IT implementing strategy in alignment with the business?

Strengths & weaknesses




- IT BSC is treated as the best practice for performance measurement and alignment
- It provides the systematic translation of the strategy into critical success factors and metrics
- Gives a balanced view of the total value delivery of IT to the business
- Provides a snapshot of where your IT organization is at a certain point in time
- Barriers & pitfalls:
  - Visions & strategies that are not actionable
  - Strategies that are not linked to departmental, team & individual goals
  - Feedback that is tactical & not strategic

PRINCE2 : Projects in Controlled Environments

PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.

Where ?

- It concentrates on the work of the project manager, team managers and members of senior management involved in decision making
- De facto best-practice project management standard in the UK & widely used in the Netherlands & Australia
- Spreading fast across the world

What ?

The key features of PRINCE2 are:

- Its focus on business justification
- A defined organisation structure for the project management team
- Its product-based planning approach
- Its emphasis on dividing the project into manageable and controllable stages
- Its flexibility to be applied at a level appropriate to the project

What ?

Two key principles of PRINCE2 are:

- A project should be driven by its business case: check for conformity at regular intervals and stop if the justification has disappeared
- PRINCE2 is product based: it focuses on the products (documents) to be produced by the project and NOT the activities to produce them

PRINCE2

How to ?

 

- Covers all sizes of projects
- Thorough understanding is required to be able to use its flexibility & scalability
- Does not attempt to cover techniques that are already in the public domain, e.g. network planning & the use of Gantt charts

Relevance to IT Management

  

- Originally devised for IT by a group of IT managers
- Very relevant to the management of IT projects
- Excellent approach to the planning & organization of a project & describes the production of a business case (often a weak area in IT projects!!)
- Closing of a project is also very relevant

Strengths & weaknesses


      

- A disciplined approach to project management through a combination of processes & components
- The controls, risks and quality chapters of the method are particularly strong
- A complete approach to the management of risk is given
- Quality coverage begins before the project officially begins
- PRINCE2 is not a complete answer to project management
- Does not contain techniques such as soft skills like leadership
- It does not cover programmes
