Governance
Robert E Stroud
Director, Strategy
Business Service Optimization
CA, Inc.
Robert.Stroud@ca.com
Abstract
- Many organizations have been looking to Best Practices
to assist them in aligning IT to the Business, whilst at
the same time achieving IT Governance.
- Using COBIT and ITIL, this session will deliver an
overview of how these best practices have been used
together by a major financial organization to deliver their
IT Governance requirements while meeting business
objectives.
2 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Trademark Notice
COBIT is a registered trademark of ISACA/ITGI - Information Systems Audit
and Control Association / IT Governance Institute
ITIL is a registered trademark of OGC - the Office of Government
Commerce.
DISCLAIMER
Neither CA nor its speaker warrants or guarantees the concepts or the
accuracy of information provided herein.
All rights reserved
Agenda
- IT Governance
- IT Infrastructure Library (ITIL)
- The fastest introduction to COBIT ever
- Mapping ITIL to COBIT or is it COBIT to ITIL
- The Role of ITIL and COBIT in addressing Compliance:
a Case Study
- Summary
- Questions and Answers
IT Governance
Governance, a practical example
Governance
- IT must be managed and controlled from within itself as an
organizational entity with respect to the overall governance of a given
corporation.
- Governance manifests itself in the roles and responsibilities of its
staff resources through the definition of policies and processes it uses
to define its management and decision making of technology use,
and how the technology provides IT Services to the corporation to
which it belongs.
- Governance is considered present only if it can be measured and
controlled with the means in place to provide metrics of both post fact
and pre-planning intelligence of, and for, the IT Services it provides.
What is IT Governance?
IT governance is the term used to describe how those
persons entrusted with governance of an entity will
consider IT in their supervision, monitoring, control and
direction of the entity. How IT is applied will have an
immense impact on whether the entity will attain its vision,
mission or strategic goals.
Why is IT Governance Important?
Why is IT more critical:
- Increasing risks (security, compliance, projects etc.)
- Critical business processes depend on information and
systems.
- Growing dependence on service providers.
- IT failures impact reputation.
- IT is dramatically changing organizations and business
practices to create new opportunities and reduce cost.
- IT knowledge is essential to sustain and grow the
business.
How Can IT Governance Help?
- Responsibilities:
- Ensures ownership by the Board
- Increases understanding of IT significance to the
business and the impact of potential risks
- IT is no longer just the CIO's responsibility; it is shared
by the whole of management
- Places the CIO's role in a clearer corporate perspective
IT Governance Benefits
[Figure: "CobiT provides the business common language & support framework". Panel labels: Aligned, Secure, Better, Faster, Cheaper. Curve labels: IT risks, Controlled, service quality, stakeholder value, service delivery, cost. Horizontal axis in each panel: time.]
The Story So Far
- IT Governance is a key part of Corporate Governance,
and the way to ensure IT activities are aligned, managed
and measured to ensure business success
- IT Governance is important because IT is so critical to
business success, represents very significant
investments, and is complex and risky to manage
- COBIT provides the framework and resources to support
and enable IT Governance to be implemented
- ITIL is a rapidly adopted framework for IT Operations
IT Infrastructure Library (ITIL)
ITIL?
- Information Technology Infrastructure Library (ITIL)
- A set of books detailing best practices for IT Service
Management
- Originally developed by the UK government to improve IT
Service Management
- Now becoming more globally accepted as a basis for IT
Service Management
The Magnificent NINE!
[Figure: the ITIL books, arranged between "The Business" and "Technology". Labels shown: The Business Perspective, The Business Perspective 2, Service Support, Service Delivery, ICT Infrastructure Management, Security Management, Applications Management, Software Asset Management.]
But only 2 of the 9 get used!
Service Support
- Service Desk
- Incident Management
- Problem Management
- Configuration Management
- Change Management
- Release Management
Service Delivery
- Service Level Management
- Capacity Management
- Availability Management
- Financial Management
Benefits?
- Improved quality service provision
- Cost justifiable service quality
- Services that meet Business, Customer and User
demands
- Integrated centralized processes
- Everyone knows their role and knows their responsibilities
in service provision
- Learn from previous experience
- Demonstrable performance indicators
- Common Terminology
ITIL Benefits from practitioners
- By streamlining our processes we improved our efficiency
- Reduction in re-work
Issues from the field?
- No measurement model
- No standard processes
- Doesn't follow the Plan-Do-Check-Act model
The fastest introduction to COBIT ... ever!
What is COBIT?
- Control OBjectives for Information and related Technology
- A framework for IT governance
- Bridges the gaps between business risks, control needs
and technical issues
- Documents good (best) practices
- Increasing Global 2000 adoption
- SOX increasing use
COBIT Top Down Approach
- 4 Domains
- 34 Processes
- 220 Control Objectives
COBIT Activities/Tasks
[Figure labels: Plan, Do, Check, Act, Control]
COBIT Framework
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims & direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage risks
PO10 Manage projects
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance
Executive Summary
- Maturity Models
- Critical Success Factors
- Key Goal Indicators
- Key Performance Indicators
Key COBIT Concepts
- Information Criteria
- Key Goal Indicators (KGI)
- IT Resources\RACI
- Key Performance Indicators (KPI)
Key Definitions
- Maturity model
- Maturity models are an instrument to analyse the current position, the
position relative to a defined standard
- Critical Success Factors
- Critical success factors define the most important management-oriented
implementation guidelines to achieve control over and within the IT
processes.
- Key Goal Indicators
- Key goal indicators define measures that tell management after the fact
whether an IT process has achieved its business requirements.
- Key Performance Indicators
- Key performance indicators are lead indicators that define measures of
how well the IT process is performing in enabling the goal to be reached.
COBIT Maturity Model
0 Non-existent
1 Initial/Ad-hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized
Mapping ITIL to COBIT or is it COBIT to ITIL
COBIT and ITIL complement each other
ITIL
- Best Practice
- Process
- Relationships
COBIT
- Controls Audit
- Requirements
- Maturity Scale
COBIT & ITIL Mapping
PO: Assess Risk
DS: Define & Manage Service Levels
DS: Manage 3rd Party Services
DS: Manage Performance & Capacity
DS: Ensure Continuous Service
DS: Identify & Allocate Costs
DS: Ensure System Security
AI: Manage Change
AI: Install & Accredit Systems
DS: Assist & Advise IT Customers
DS: Manage Problems & Incidents
DS: Manage Operations
DS: Manage Configuration
DS: Manage Facilities
DS: Manage Data
AI: Acquire & Maintain Technology Infrastructure
ITIL Books to COBIT Control Objectives
Mapping to ITIL Service Support and
Service Delivery
COBIT and ITIL used together
- Use the COBIT control objectives with the COBIT maturity
model and Key Performance Indicators to manage and
measure performance of your ITIL processes.
ITIL and COBIT together
addressing Compliance
- a Case Study
Changes for IT
It is NOT sufficient for you to be in
compliance; you have to be able to
readily demonstrate (to prove) that you've
met the control objectives.
Case Study
- Large Bank founded almost 200 years ago
- Diversified provider of financial services
- Personal
- Commercial
- Corporate
- Institutional
- North America, Asia and Europe
Initially an ITIL implementation
[Timeline figure, May 2003 to Nov 2006 in six-month steps. Labels shown: Incident/Problem; Service Mgmt Tool for Incident/Problem; ViaTIL Tool for Inc/Prob; Service Level Management; Financial Management; Change Management; Configuration Management; Capacity Management; Release Management; Availability Management (New); Continuous Improvement.]
Process Management
Governance Team
- A small team of internal advisors accountable to the ITIL Executive
Team
- Ensure overall compliance and integration of the ITIL processes
- Ensure a coherent and comprehensive approach to design and
implementation of each process
- Balance program initiatives with service demands
- Monitor performance, KPI(s), Policy and programs
- Recommend changes to process, or services as needed
- Align policies, performance measures and process initiatives with
the organization's strategic objectives
Governance
Process Dashboard & KPIs
Process Dashboard
DS9 Delivery & Support
Manage the Configuration
Control of the process of managing the
configuration that satisfies the business
to account for all IT components, prevent
unauthorized alterations, verify physical
existence and provide a basis for sound
change management
DS9 Maturity Model
0 Non-Existent
1 Initial / Ad Hoc
COBIT/ITIL Mapping for DS9 Manage Configuration
COBIT DS9 Manage Configuration
Critical Success Factors
- Establish owners of all configuration elements & maintain inventory and change control
- Enforcement of release management policy
- Integration with procurement & change management process
Key Goal & Performance Indicators
- Reduction in number of variances between accounts and physical situations
- Usage index of information for proactive actions, including preventive maintenance & upgrade
- Quality index of information, age, changes applied, status and related problem criteria
ITIL Configuration Management
Critical Success Factors
- Control of IT assets
- Support, integration and interfacing to all ITSM processes
Key Performance Indicators
- % reduction in number of configuration items (CI) attributes errors found in CMDB
- % increase in the number of CIs successfully audited
- Variances between accounts and physical situations
- Reduce % of change failures and improve incident resolution time using accurate configuration data
- % reduction in HW & SW costs
DS9 Critical Success Factors
DS9 Information Criteria
- Primary:
- Effectiveness
- Efficiency
- Confidentiality and integrity
- Secondary:
- Availability
- Compliance
- Reliability
DS9 Key Goal Indicators
- % of IT Configuration identified
- % of IT Configuration accounted for
- Reduction in number of variances between accounts and physical
situations
- Quality index information, including the interrelationships, age,
changes applied, status and related problem criteria
- Usage index of information for proactive actions, including preventive
maintenance and upgrade criteria
DS9 Key Performance Indicators
- % of Configuration components [data] updated
automatically
- Frequency of physical verifications
- Frequency of exception analysis
- Time lag between modification to the configuration and
the update records
- Number of releases
- % of reactionary changes
DS9 Maturity Model
0 Non-existent
Management does not appreciate the need for a process to manage hardware or
software
1 Initial / Ad Hoc
Recognized need, basic inventories, no standard.
2 Repeatable but Intuitive
Implicit reliance on personal knowledge and expertise. Some tools. No
consistent working practices.
3 Defined Process
Accuracy is enforced, documented practices, consistent tools, some automation,
information used by other processes.
4 Managed and Measurable
Implicit reliance on personal knowledge and expertise. Some tools. No consistent
working practices.
5 Optimized
All components are managed, interrelationships exist, audit reports, authorized
software installation, asset tracking.
Example of Process Maturity
Compliance Status at a glance
Summary
- IT Governance is important to most aspects of the
business, not just the IT department
- The use of control frameworks (COBIT) provides the
guidelines to the controls needed to ensure good IT
Governance
- ITIL processes allow for automation and repeatability of
processes to deliver constantly
- Governance is not only mandatory, it adds a competitive
edge to your organisation
IT Governance Benefits
[Figure: "CobiT provides the business common language & support framework". Panel labels: Aligned, Secure, Better, Faster, Cheaper. Curve labels: IT risks, Controlled, service quality, stakeholder value, service delivery, cost. Horizontal axis in each panel: time.]
Ref: Price Waterhouse Coopers
Questions
Case Study
Using CobiT and
ITIL to Implement IT
Governance