COBIT® vs. ITIL®    Why can’t it be both?
Agenda
• COBIT & ITIL: An Overview
• What is COBIT
• Key Components of COBIT
• Key COBIT Terms
• Other Organizations on COBIT
• COBIT with other Frameworks
• What is ITIL
• Key Components of ITIL
• Key ITIL Terms
• Critical Success Factors: for ITIL & COBIT
• Key Success Indicators: for ITIL & COBIT
• Maturity Assessments
• COBIT and ITIL In Practice
• Organizational Change
• Additional Resources

What is IT Governance?
IT Governance – Industry Definition*
• A structure of relationships and processes to direct and control the IT enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes
• Is a decision rights and accountability framework (structure) to ensure desirable behaviour in the use of IT
• Links IT processes, IT people, IT technology and information to enterprise strategies and objectives
*Source: Control Objectives for Information and Related Technology (CobiT®), IT Governance Institute
© 2007 IT Governance Institute. All rights reserved. www.itgi.org

Typical IT Governance Mission
“To leverage industry best practices (i.e. ITIL) to engineer the lifestyle change required to achieve the IT strategy and enable the overall Company corporate vision.”
[Diagram labels: COBIT, ITIL]

The IT Governance Lifecycle
[Diagram labels: Task Environment (Ethics & Culture, Laws and Regulations, Mission & Vision, Role Models, Industry Practices, …); Create, Protect, Execute, Monitor; Why? What?; Alignment, Value Delivery, Performance Measurement, Risk Management, IT Resource Management; COBIT Process Framework (CSF, CO and CP); Key Performance Indicators; Business and IT Key Goal Indicators; Maturity Models; Control Objectives; Control Practices; CSF; IT BSC; COBIT Benchmark Maturity Model; Audit Guidelines]

How do the Frameworks Support & Guide the Business of IT
[Diagram labels: COBIT; IT Wide; CMMI; ITIL; Infrastructure / Operations; Application Development; IT Finance; IT People; Technology Architecture; Customer Relationship; ISO 17799 / NIST 800; Security & BCP/DRP]

The Governance Program Office enables ITG Strategy
What is COBIT
• Developed in 1996 by the Information Systems Audit and Control Association and IT Governance Institute as a standard for IT security and control practices.
• Provides a reference framework for IT, security, auditing managers and users.
• It helps companies deploy effective governance over systems and networks.
• COBIT's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes.
• These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.

Key Aspects of the CobiT Framework
• Organizes IT into 4 primary domains
• Divides these domains into 34 processes and provides a high level control objective for each
• Focuses on fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of 318 detailed control objectives and supporting control practices
Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring

Key COBIT Terminology
CobiT Terms / Concepts and Summary Description
Domains:
• Planning & Organization (PO) – Management Oversight, Governance, Policy, Strategy, Metrics, Risk Management, Investment, Quality
• Acquisition & Implementation (AI) – Acquire, Development, Implementation, Manage, SDLC, PMM, Change Management
• Delivery & Support (DS) – Change Management, Operations, Security
• Monitoring (MO) – Compliance, Management Monitoring, Auditing
Processes:
• Drill down of key processes within each domain
• Key IT processes akin to key business processes within a business cycle
Control Objectives:
• Key Control Objectives or Control Statements that assist management in meeting business objectives and the risks to business information
• Suggested control activities are identified by objective
• Potential high-level audit steps are identified for activities
• This is also referred to as Activities or Tasks – IT activities or tasks that make up the processes

Key COBIT Terminology
CobiT Terms / Concepts and Summary Description
Business Requirements for Information:
• Quality: Effectiveness, Efficiency
• Fiduciary: Compliance, Reliability of Information
• Security: Confidentiality, Integrity, Availability
Critical Success Factors:
• Define most important issues and actions for management
• Get processes under control
Key Goal Indicators:
• Measures that define after-the-fact success in achieving business requirements
• Monitor achievement of IT process goals
Key Performance Indicators:
• Indicators that define how well IT processes are performing
• Monitor performance within IT processes
Maturity Model:
• Maturity of processes (controls) – 0-5
• 0 = Non-existent, 1 = Initial, 2 = Repeatable, 3 = Defined, 4 = Managed, 5 = Optimized
Callouts: Where most organizations start; What most compliance regulations require

COBIT with other Frameworks
What other organizations are saying
"COBIT's real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities."
"It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this."
"COBIT has proven to be an excellent tool for measuring and assessing our IT controls."
Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels.
Source: NetworkWorldFusion “IT frameworks demystified”, 02/21/08

What other organizations are saying
“ITIL is absolutely the best framework available for IT operation. There are no competitors.” - Ben Worthen, CIO Magazine
“We now have the ability to assess how we are performing at any point in time. We’ve identified where we had bottlenecks, and now the total number of problems is going down. And we have evidence to show people that we are improving.” - Suresh Kumar, CIO, Pershing
“ITIL is common sense. It’s what many successful organizations already do…ITIL forges a bond between IT, management and external customers…” - Bruce Boardman, 2005
“ITIL is like an elephant, you can eat the whole thing one bite at a time or in phases” - Stephen Bajada, CIO, Magazine

IT Service Management & ITIL Defined
• ITIL is the “de-facto industry best practice” for IT Service Management
• Non-proprietary and based upon proven practitioner experiences
• International user support (IT Service Management Forum - itSMF)
• ITIL was developed by the UK Office of Government Commerce (OGC)
• Developed in the late 1980s and continuously updated since
• ISO 20000 – Formal, international standard for IT Service Management certification, based upon ITIL best practices (formerly BS 15000)
• ITIL is a comprehensive and consistent set of industry “best practices” for IT Service Management organized in an integrated, process-based framework in order to add VALUE to customers

What is ITIL®?
• ITIL®, Information Technology Infrastructure Library, is the most widely accepted approach to IT service management in the world
• ITIL® is also supported by a comprehensive qualifications scheme, accredited training organizations, and implementation and assessment tools

What Is ITSM? ITSM is an acronym for IT Service Management
Service Management Objective Tree
[Diagram labels: ITIL Framework; Quality, Flexibility, Cost Management; How / What?; Why!; effective, efficient organization; effective, efficient IT service provision]
Source: The Art of Service

What are the Benefits of ITIL?
• Reduced Costs
• Improved IT Services through the use of Proven Best Practices
• Customer Service Satisfaction
• IT Value through Business, IT Operational, and Goal Alignment
• Improved Productivity, Skills, and Experience
• Improved delivery of third party services through the specification of ITIL®
• Documented Common Sense

Where Does ITIL Fit?
• Focuses on Process (Not Technology)
• You don't implement ITIL: You use it to help create organizational change
• ITIL doesn't offer guidance on how to actually apply the best practices it catalogs; each organization must design its own processes based on ITIL
• To run IT like a business, you need to understand the key services that go into it
• ITIL makes that work visible. It allows you to measure what is important, so you can emphasize the things that add value and take out the things that don't

ITIL v3 – The Service Lifecycle
[Diagram labels: ITIL; Service Strategies; Service Design; Service Transition; Service Operation; Continual Service Improvement; Complementary Guidance: Quick Wins, Governance Methods, Case Studies, Value-added Products, Templates, Qualifications, Study Aids]
Source: ITIL Refresh Project

COBIT & ITIL: CSF’s Align!
• Sustained executive and management support
• Transformation must be institutionalized
• Plan and drive organizational change
• Don’t “boil the ocean” – utilize a prioritized and phased implementation approach
• Listen, understand, communicate, communicate and communicate

Key Success Indicators
• Customer Satisfaction
• Process Maturity & Adoption
• Performance Benchmarks
• Quality Certifications
• Compliance with Regulatory & Audit Requirements
• Employee Development & Competence

Maturity Level Definitions
• They provide a “shorthand” method for describing key attributes of a control or a process
• Maturity levels can be used to describe the attributes of our current controls or our current processes
• They can also be used to describe the target level or attributes of our controls or processes
• Controls maturity levels are different from an overall process maturity level definition
• Controls maturity levels are different from (but similar to) the current ITIL and CMMI maturity level definitions

Process MM: Gartner View
IT Management Process Maturity Model, based on 0.00 – 4.00 Best Practice Maturity Scale
Source: Gartner (November 2005)
CMMI uses a 5 point scale: 1: Initial, 2: Repeatable, 3: Defined, 4: Managed, 5: Optimized
Getronics Confidential

Lessons Learned: Other Companies
COBIT
• COBIT is a reference, a set of best practices, not an “out of the box” solution
• Enterprises still need to analyze their control requirements and customize based on: Value drivers; Risk profile; IT infrastructure, organization and project portfolio
• Understand that control maturity (COBIT) and process maturity (ITIL) are different.
• Leverage other frameworks for security area (NIST, ISO 17799, etc)
• ROI is still difficult to quantify
ITIL
• ITIL is guidance, not an “out of the box” solution
• Enterprises still need to analyze their process requirements and customize/make “fit for purpose” based on: Value drivers; IT infrastructure, organization; Risk and Project Portfolio
• Understand that process maturity (ITIL, CMMI, etc) and control maturity (COBIT) are different.
• Leverage other frameworks for security area (NIST, ISO 17799, etc)
• ROI is still difficult to quantify

COBIT with other frameworks for SOX
(For each SOX guideline: the corresponding COBIT, ITIL and CMMi processes)
IT Control Environment
• COBIT: Define a strategic IT plan; Define the IT Organization and Relationships; Communicate Management Aims and Direction; Ensure Compliance with External Requirements; Assess Risks; Monitoring
• ITIL: N/A
• CMMi: N/A
Program Changes (Change Management)
• COBIT: Manage Projects; Manage Changes; Manage Quality
• ITIL: Change Management; Release Management
• CMMi: Requirements Management; Requirements Development; Project Planning; Process & Product Quality Assurance; Verification & Validation
Program Development (SDLC)
• COBIT: Manage Projects; Manage Quality; Install and Accredit Systems
• ITIL: Change Management; Release Management
• CMMi: Requirements Management; Requirements Development; Project Planning; Process & Product Quality Assurance; Verification & Validation
Computer Operations
• COBIT: Manage Problems and Incidents; Manage Operations; Manage Data
• ITIL: Incident Management; Problem Management
• CMMi: N/A
Access to programs and data (Security)
• COBIT: Ensure Systems Security; Manage Data; Manage Facilities; Manage Configuration
• ITIL: Configuration Management
• CMMi: Configuration Management

COBIT with other frameworks – Non SOX Objectives
(For each other IT process area: the corresponding COBIT, ITIL and CMMi processes)
Asset Management
• COBIT: Manage Configuration
• ITIL: Configuration Management
• CMMi: N/A
Quality Management
• COBIT: Manage Quality
• ITIL: Service Level Management
• CMMi: Process and Product Quality Assurance
DRP & BCP
• COBIT: Ensure Continuous Service
• ITIL: Continuity Management; Availability Management
• CMMi: N/A
Service Levels
• COBIT: Define and Manage Service Levels; Ensure Continuous Service
• ITIL: Service Level Management; Continuity Management; Availability Management; Capacity Management
• CMMi: N/A
Performance and Capacity Planning
• COBIT: Manage Performance and Capacity; Ensure Continuous Service
• ITIL: Service Level Management; Availability Management; Capacity Management
• CMMi: N/A
Help Desk and Customer Support
• COBIT: Educate and Train Users; Assist and Advise Customers
• ITIL: Service Desk
• CMMi: Organizational Training
Control IT Costs
• COBIT: Manage the Information Technology Investment; Manage Human Resources; Identify and Allocate Costs
• ITIL: IT Service Financial Management
• CMMi: Supplier Agreement Management
Others
• COBIT: Define the Information Architecture; Determine the Technological Direction; Identify Automated Solutions; Develop and Maintain Procedures
• ITIL: N/A
• CMMi: Technical Solution; Product Integration

COBIT In Practice: An Example
DS 5 – Ensure Systems Security
• DS5.1 Manage Security Measures
• DS5.2 Identification, Authentication and Access
• DS5.3 Security of Online Access to Data
• DS5.4 User Account Management
• DS5.5 Management Review of User Accounts
• DS5.6 User Control of User Accounts
• DS5.7 Security Surveillance
• DS5.8 Data Classification
• DS5.9 Central Identification and Access Rights Management
• DS5.10 Violation and Security Activity Reports
• DS5.11 Incident Handling

DS 5.5 Management Review of User Accounts
Control Objective: Management should have a control process in place to review and confirm access rights periodically.
Risk (why): Without periodic review of user account access a user could have access to systems or data that he or she no longer needs or should not have access to.
Control Activities (who, what, when): On a quarterly basis data owners review the Top Security Transaction Code Reports to verify that only authorized users can create, read, update and/or delete the information that they own.
Supporting Evidence: Confirmations are stored within a Lotus Notes database. Exceptions result in a help desk ticket being created.

ITIL Access Management: Guidance
• Provides Guidance on IT Access Management Processes
• Found in the Service Operations Phase of the ITIL V3 Lifecycle
• Additional source for process guidance, benefits, etc.

COBIT In Practice: An Example #2
AI 6 – Manage Change
• AI6.1 Change Request Initiation and Control
• AI6.2 Impact Assessment
• AI6.3 Control of Changes
• AI6.4 Emergency Changes
• AI6.5 Documentation and Procedures
• AI6.6 Authorized Maintenance
• AI6.7 Software Release Policy
• AI6.8 Distribution of Software

AI 6.3 Control of Changes
Control Objective: Requests for changes, application maintenance and supplier maintenance are standardized and are subject to formal change / release management procedures.
Risk (why): Without a change management methodology, application changes could be implemented without proper testing or approval and could result in unscheduled downtime which disrupts business processes.
Control Activities (who, what, when):
• A change management system is utilized to track all change requests. Change requests are entered by the change manager and reviewed by the change control board twice a week.
• Before promotion to production, each change is tested using an appropriate testing strategy given the size and nature of the change. Testing may include end user testing when appropriate and the test results must be reviewed and approved by an appropriate manager.
• Once changes have been reviewed, tested and accepted, the production environment is updated to include the accepted changes.
Supporting Evidence: Documentation is maintained within the change management system XYZ.

Change Management: Process Guidance
• ITIL provides guidance on how to implement Change Management in your IT Organization
• Provides guidance on how to assess impact and risk
• Found in the Service Transition Phase of the Lifecycle

Making Changes on an Organizational Level  Workshop Exercise
Organizational Change – The Influence
Fact #1: People will not align with ‘bad aims’ and are less inclined if the organization does not align with their belief systems
• Most staff will simply nod and smile demurely as if in servile acceptance
• And then nothing happens
• The people can't be bothered
WHAT DO WE DO?
• Re-assess and re-align your organization's aims, beliefs, integrity - all of it - with your people's
• Then they might begin to be interested in helping with new skills and change, etc.

Organizational Change – The Influence
Fact #2: People can't just drop everything and 'change', or learn new skills, just because you say so
Perception: Even if they want to change and learn new skills, they have a whole range of issues that keep them fully occupied
What they might be thinking…: "So you want me to attend this training course, so you can earn more (etc, etc), and when I come back from two days away in some rotten hotel my personal pile of meaningless jobs will just have magically disappeared will it? And when I come to try to implement these new skills and make all these new things happen, everyone will be completely in step will they? Pull the other one.. Again, no can do.."

Organizational Change: The Influence
WHAT DO WE DO? Consult with people! Save yourself from incorrect Assumptions
• Consulting with people does not mean that you hand over the organization to them - they wouldn't want the corporation if you paid them anyway
• No, consulting with people gives you and them a chance to understand the implications and feasibility of what you think needs doing
• Consulting with people, and helping them to see things from both sides generally throws up some very good ideas for doing things better than you could have dreamt of by yourself!
• It helps you to see from both sides too!

Organizational Change: The Influence
Fact #3: Organizations commonly say they don't have time to re-assess and re-align their aims and values, etc., or don't have time to consult with people properly, because the organization is on the edge of a crisis
• Organizations get into crisis because they ignore facts one and two
• In general, ignoring these facts again will only deepen the “crisis”

Organizational Change – the Influencers
What Do We Do? Take Advantage of “Crisis”
• Crisis is the best reason to re-align your aims and consult with people
• Crisis is a wake-up call to change the organization and its purpose, not to change the people
• When an organization is in crisis, the people are almost always okay - it'll be the organizational purpose and aims that are not

Organizational Change – Summary
• You cannot just “Tell” and “Command” Change within the organization
• Look at Organizational Goals and Objectives
• What does your organization actually seek to do?
• Whom does your organization benefit?
• And whom does it exploit?
• Who are the winners, and who are the losers?
• Does your organization have real integrity?
• COMMUNICATE COMMUNICATE COMMUNICATE
• Communicate does not equal Consensus – but it does foster trust and change!

More Information
• www.isaca.org
• www.itsmf.com
• www.itgi.org
• www.acend.com

Why is ITIL® training important?
Your company will improve business with ITIL® processes that you learn in the training
• Working Together
• Lowering Costs
• Optimizing Performance
• Ensuring Compliance
• Improving IT Service Strategy, Design, Transition, Operation and Continual Service Improvement

Why is ITIL® training important?
• ITIL® certification will allow you to understand the common language of ITIL®, understood by IT professionals worldwide, and will increase your standing within the IT community
• ITIL® gives you an adaptive and flexible framework for managing IT services and encourages you to use common sense rather than follow a rigid set of rules

Certification Scheme
Course Offerings (Accredited Training Powered by Ahead-Technologies Courseware)
ITIL® Service Management (Foundations) – 2 Credits
• Prerequisite: None
• Duration: 2.5 ILT days
• Attendance: Anyone working in IT
ITIL® Practitioner Series (5 courses available) – Total 12 Credits
• Prerequisite: Foundation Certification in IT Service Management
• Duration: 3 ILT days for each course
• Attendance: Middle Managers & Team Leaders
Manager’s Certificate in IT Service Management – 17 Credits
• Prerequisite: Foundation Certification in IT Service Management & approved criteria
• Duration: 12 ILT days
• Attendance: Those that are managing, implementing, & advising on ITIL® processes, through project or day-to-day management, who have 5 years experience with IT Service Management.

Why is COBIT® training important?
Your company will improve business and overall business to IT Alignment with IT Governance Objectives that you learn in the training
• Working Together
• Optimizing Performance
• Ensuring appropriate controls and compliance
• Benefit from completing the Internationally Recognized COBIT® Foundations Exam

CobiT And ITIL Breakfast Seminar

  • 1. COBIT® vs. ITIL® Why can’t it be both?
  • 2. Agenda COBIT & ITIL: An Overview What is C OBI T Key Components of C OBI T Key C OBI T Terms Other Organizations on C OBI T C OBI T with other Frameworks What is ITIL Key Components of ITIL Key ITIL Terms Critical Success Factors: for ITIL & C OBI T Key Success Indicators: for ITIL & C OBI T Maturity Assessments C OBI T and ITIL In Practice Organizational Change Additional Resources
  • 3. What is IT Governance? IT Governance – Industry Definition* A structure of relationships and processes to direct and control the IT enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes Is a decision rights and accountability framework (structure) to ensure desirable behaviour in the use of IT Links IT processes, IT people, IT technology and information to enterprise strategies and objectives *Source: Control Objectives for Information and Related Technology (CobiT®) IT Governance Institute © 2007 IT Governance Institute. All rights reserved. www.itgi.org
  • 4. Typical IT Governance Mission “ To leverage industry best practices (i.e. ITIL) to engineer the lifestyle change required to achieve the IT strategy and enable the overall Company corporate vision.” COBIT ITIL
  • 5. The IT Governance Lifecycle TASK ENVIRONMENT • Ethics & Culture • Laws and Regulations • Mission & Vision • Role Models • Industry Practices • … MONITOR MONITOR WHY ? WHY ? CREATE CREATE PROTECT PROTECT EXECUTE EXECUTE KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP ALIGNMENT VALUE DELIVERY PERFORMANCE MEASUREMENT RISK MANAGEMENT IT RESOURCE MANAGEMENT MATURITY MODELS CONTROL OBJECTIVES CONTROL PRACTICES CSF IT BSC COBIT BENCHMARK MATURIT MODEL Audit guidelines BUSINESS AND IT KEY GOAL INDICATORS WHAT ? WHAT ? TASK ENVIRONMENT • Ethics & Culture • Laws and Regulations • Mission & Vision • Role Models • Industry Practices • … MONITOR MONITOR WHY ? WHY ? CREATE CREATE PROTECT PROTECT EXECUTE EXECUTE KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP ALIGNMENT VALUE DELIVERY PERFORMANCE MEASUREMENT RISK MANAGEMENT IT RESOURCE MANAGEMENT MATURITY MODELS CONTROL OBJECTIVES CONTROL PRACTICES CSF IT BSC COBIT BENCHMARK MATURITY MODEL Audit guidelines BUSINESS AND IT KEY GOAL INDICATORS WHAT ? WHAT ? © 2007 IT Governance Institute. All rights reserved. www.itgi.org
  • 6. How do the Frameworks Support & Guide the Business of IT COBIT IT Wide CMMI ITIL Infrastructure / Operations Application Development IT Finance IT People Technology Architecture Customer Relationship ISO 17799 / NIST 800 Security & BCP/DRP
  • 7. The Governance Program Office enables ITG Strategy
  • 8. What is COBIT Developed in 1996 by the Information Systems Audit and Control Association and IT Governance Institute as a standard for IT security and control practices. Provides a reference framework for IT, security, auditing managers and users. It helps companies deploy effective governance over systems and networks. COBIT's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes. These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.
  • 9. Key Aspects of the CobiT Framework
      • Organizes IT into 4 primary domains: Planning & Organization, Acquisition & Implementation, Delivery & Support, Monitoring
      • Divides these domains into 34 processes and provides a high level control objective for each
      • Focuses on fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
      • Is supported by a set of 318 detailed control objectives and supporting control practices
  • 10. Key COBIT Terminology (CobiT Terms / Concepts and Summary Description)
      • Domains:
          • Planning & Organization (PO) – Management Oversight, Governance, Policy, Strategy, Metrics, Risk Management, Investment, Quality
          • Acquisition & Implementation (AI) – Acquire, Development, Implementation, Manage, SDLC, PMM, Change Management
          • Delivery & Support (DS) – Change Management, Operations, Security
          • Monitoring (MO) – Compliance, Management Monitoring, Auditing
      • Processes:
          • Drill down of key processes within each domain
          • Key IT processes akin to key business processes within a business cycle
      • Control Objectives:
          • Key Control Objectives or Control Statements that assist management in meeting business objectives and the risks to business information
          • Suggested control activities are identified by objective
          • Potential high-level audit steps are identified for activities
      • This is also referred to as Activities or Tasks – IT activities or tasks that make up the processes
  • 11. Key COBIT Terminology (CobiT Terms / Concepts and Summary Description)
      • Slide callouts: “Where most organizations start”; “What most compliance regulations require”
      • Business Requirements for Information:
          • Quality: Effectiveness, Efficiency
          • Fiduciary: Compliance, Reliability of Information
          • Security: Confidentiality, Integrity, Availability
      • Critical Success Factors: Define most important issues and actions for management; get processes under control
      • Key Goal Indicators: Measures that define after the fact success in achieving business requirements; monitor achievement of IT process goals
      • Key Performance Indicators: Indicators that define how well IT processes are performing; monitor performance within IT processes
      • Maturity Model: Maturity of processes (controls) – 0-5: 0 = Non-existent, 1 = Initial, 2 = Repeatable, 3 = Defined, 4 = Managed, 5 = Optimized
  • 12. COBIT with other Frameworks
  • 13. What other organizations are saying "COBIT's real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities." "It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this." "COBIT has proven to be an excellent tool for measuring and assessing our IT controls." Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels. Source: NetworkWorldFusion “IT frameworks demystified”, 02/21/08
  • 14. What other organizations are saying
      • “ITIL is absolutely the best framework available for IT operation. There are no competitors.” - Ben Worthen, CIO Magazine
      • “We now have the ability to assess how we are performing at any point in time. We’ve identified where we had bottlenecks, and now the total number of problems is going down. And we have evidence to show people that we are improving.” - Suresh Kumar, CIO, Pershing
      • “ITIL is common sense. It’s what many successful organizations already do…ITIL forges a bond between IT, management and external customers…” - Bruce Boardman, 2005
      • “ITIL is like an elephant, you can eat the whole thing one bite at a time or in phases” - Stephen Bajada, CIO, Magazine
  • 15. IT Service Management & ITIL Defined
      • ITIL is the “de-facto industry best practice” for IT Service Management
      • Non-proprietary and based upon proven practitioner experiences
      • International user support (IT Service Management Forum - itSMF)
      • ITIL was developed by the UK Office of Government Commerce (OGC)
      • Developed in the late 1980s and continuously updated since
      • ISO 20000 – Formal, international standard for IT Service Management certification, based upon ITIL best practices (formerly BS 15000)
      • ITIL is a comprehensive and consistent set of industry “best practices” for IT Service Management organized in an integrated, process-based framework in order to add VALUE to customers
  • 16. What is ITIL®? ITIL®, Information Technology Infrastructure Library, is the most widely accepted approach to IT service management in the world. ITIL® is also supported by a comprehensive qualifications scheme, accredited training organizations, and implementations and assessment tools
  • 17. What Is ITSM? ITSM is an acronym for IT Service Management
  • 18. Objective Tree [Figure; source: The Art of Service. Labels: organization; effective, efficient IT service provision; Service Management; ITIL Framework; Quality; Flexibility; Cost Management; How / What?; Why!]
  • 19. What are the Benefits of ITIL? Reduced Costs Improved IT Services through the use of Proven Best Practices Customer Service Satisfaction IT Value through Business, IT Operational, and Goal Alignment Improved Productivity, Skills, and Experience Improved delivery of third party services through the specification of ITIL® Documented Common Sense
  • 20. Where Does ITIL Fit?
      • Focuses on Process (Not Technology)
      • You don't implement ITIL: You use it to help create organizational change
      • ITIL doesn't offer guidance on how to actually apply the best practices it catalogs; each organization must design its own processes based on ITIL
      • To run IT like a business, you need to understand the key services that go into it
      • ITIL makes that work visible. It allows you to measure what is important, so you can emphasize the things that add value and take out the things that don't
  • 21. ITIL v3 – The Service Lifecycle [Figure; source: ITIL Refresh Project. Core: Service Strategies, Service Design, Service Transition, Service Operation, Continual Service Improvement. Complementary Guidance: Quick Wins, Governance Methods, Case Studies, Value-added Products, Templates, Qualifications, Study Aids.]
  • 22. COBIT & ITIL: CSF’s Align! Sustained executive and management support Transformation must be institutionalized Plan and drive organizational change Don’t “boil the ocean” – utilize a prioritized and phased implementation approach Listen, understand, communicate, communicate and communicate
  • 23. Key Success Indicators Customer Satisfaction Process Maturity & Adoption Performance Benchmarks Quality Certifications Compliance with Regulatory & Audit Requirements Employee Development & Competence
  • 24. Maturity Level Definitions They provide a “short hand” method for describing key attributes of a control or a process Maturity levels can be used to describe the attributes of our current controls or our current processes They can also be used to describe the target level or attributes of our controls or processes Controls maturity levels are different than an overall process maturity level definition Controls maturity levels are different (but similar) than the current ITIL and CMMI maturity level definitions
  • 25. Process MM: Gartner View Source: Gartner (November 2005) IT Management Process Maturity Model Based on 0.00 – 4.00 Best Practice Maturity Scale CMMI uses a 5 point scale: 1: Initial 2: Repeatable 3: Defined 4: Managed 5: Optimized
  • 26. Lessons Learned: Other Companies
      • COBIT
          • COBIT is a reference, a set of best practices, not an “out of the box” solution
          • Enterprises still need to analyze their control requirements and customize based on: Value drivers; Risk profile; IT infrastructure, organization and project portfolio
          • Understand that Control Maturity (COBIT) and Process maturity (ITIL) are different
          • Leverage other frameworks for security area (NIST, ISO 17799, etc)
          • ROI is still difficult to quantify
      • ITIL
          • ITIL is Guidance, not an “out of the box” solution
          • Enterprises still need to analyze their process requirements and customize/make “fit for purpose” based on: Value drivers; IT infrastructure, organization; Risk and Project Portfolio
          • Understand that process maturity (ITIL, CMMI, etc) and control maturity (COBIT) are different
          • Leverage other frameworks for security area (NIST, ISO 17799, etc)
          • ROI is still difficult to quantify
  • 27. COBIT with other frameworks for SOX (columns: SOX Guidelines / COBIT / ITIL / CMMi)
      • IT Control Environment. COBIT: Define a strategic IT plan; Define the IT Organization and Relationships; Communicate Management Aims and Direction; Ensure Compliance with External Requirements; Assess Risks; Monitoring. ITIL: N/A. CMMi: N/A.
      • Program Changes (Change Management). COBIT: Manage Projects; Manage Changes; Manage Quality. ITIL: Change Management; Release Management. CMMi: Requirements Management; Requirements Development; Project Planning; Process & Product Quality Assurance; Verification & Validation.
      • Program Development (SDLC). COBIT: Manage Projects; Manage Quality; Install and Accredit Systems. ITIL: Change Management; Release Management. CMMi: Requirements Management; Requirements Development; Project Planning; Process & Product Quality Assurance; Verification & Validation.
      • Computer Operations. COBIT: Manage Problems and Incidents; Manage Operations; Manage Data. ITIL: Incident Management; Problem Management. CMMi: N/A.
      • Access to programs and data (Security). COBIT: Ensure Systems Security; Manage Data; Manage Facilities; Manage Configuration. ITIL: Configuration Management. CMMi: Configuration Management.
  • 28. COBIT with other frameworks – Non SOX Objectives (columns: Other IT Process Areas / COBIT / ITIL / CMMi)
      • Asset Management. COBIT: Manage Configuration. ITIL: Configuration Management. CMMi: N/A.
      • Quality Management. COBIT: Manage Quality. ITIL: Service Level Management. CMMi: Process and Product Quality Assurance.
      • DRP & BCP. COBIT: Ensure Continuous Service. ITIL: Continuity Management; Availability Management. CMMi: N/A.
      • Service Levels. COBIT: Define and Manage Service Levels; Ensure Continuous Service. ITIL: Service Level Management; Continuity Management; Availability Management; Capacity Management. CMMi: N/A.
      • Performance and Capacity Planning. COBIT: Manage Performance and Capacity; Ensure Continuous Service. ITIL: Service Level Management; Availability Management; Capacity Management. CMMi: N/A.
      • Help Desk and Customer Support. COBIT: Educate and Train Users; Assist and Advise Customers. ITIL: Service Desk. CMMi: Organizational Training.
      • Control IT Costs. COBIT: Manage the Information Technology Investment; Manage Human Resources; Identify and Allocate Costs. ITIL: IT Service Financial Management. CMMi: Supplier Agreement Management.
      • Others. COBIT: Define the Information Architecture; Determine the Technological Direction; Identify Automated Solutions; Develop and Maintain Procedures. ITIL: N/A. CMMi: Technical Solution; Product Integration.
  • 29. COBIT In Practice: An Example. DS 5 – Ensure Systems Security
      • DS5.1 Manage Security Measures
      • DS5.2 Identification, Authentication and Access
      • DS5.3 Security of Online Access to Data
      • DS5.4 User Account Management
      • DS5.5 Management Review of User Accounts
      • DS5.6 User Control of User Accounts
      • DS5.7 Security Surveillance
      • DS5.8 Data Classification
      • DS5.9 Central Identification and Access Rights Management
      • DS5.10 Violation and Security Activity Reports
      • DS5.11 Incident Handling
  • 30. DS 5.5 Management Review of User Accounts
      • Control Objective: Management should have a control process in place to review and confirm access rights periodically.
      • Risk (why): Without periodic review of user account access a user could have access to systems or data that he or she no longer needs or should not have access to.
      • Control Activities (who, what, when): On a quarterly basis data owners review the Top Security Transaction Code Reports to verify that only authorized users can create, read, update and/or delete the information that they own.
      • Supporting Evidence: Confirmations are stored within a Lotus Notes database. Exceptions result in a help desk ticket being created.
  • 31. ITIL Access Management: Guidance Provides Guidance on IT Access Management Processes Found in the Service Operations Phase of the ITIL V3 Lifecycle Additional source for process guidance, benefits, etc.
  • 32. COBIT In Practice: An Example #2. AI 6 – Manage Change
      • AI6.1 Change Request Initiation and Control
      • AI6.2 Impact Assessment
      • AI6.3 Control of Changes
      • AI6.4 Emergency Changes
      • AI6.5 Documentation and Procedures
      • AI6.6 Authorized Maintenance
      • AI6.7 Software Release Policy
      • AI6.8 Distribution of Software
  • 33. AI 6.3 Control of Changes
      • Control Objective: Requests for changes, application maintenance and supplier maintenance are standardized and are subject to formal change / release management procedures.
      • Risk (why): Without a change management methodology, application changes could be implemented without proper testing or approval and could result in unscheduled downtime which disrupts business processes.
      • Control Activities (who, what, when): A change management system is utilized to track all change requests. Change requests are entered by the change manager and reviewed by the change control board twice a week. Before promotion to production, each change is tested using an appropriate testing strategy given the size and nature of the change. Testing may include end user testing when appropriate and the test results must be reviewed and approved by an appropriate manager. Once changes have been reviewed, tested and accepted, the production environment is updated to include the accepted changes.
      • Supporting Evidence: Documentation is maintained within the change management system XYZ.
  • 34. Change Management: Process Guidance ITIL Provides guidance on how to implement Change Management in your IT Organization Provides guidance on how to assess impact and risk Found in the Service Transition Phase of the Lifecycle
  • 35. Making Changes on an Organizational Level Workshop Exercise
  • 36. Organizational Change – The Influence Fact #1: People will not align with ‘bad aims’ and are less inclined if the organization does not align with their belief systems Most staff will simply nod and smile demurely as if in servile acceptance And then nothing happens The people can't be bothered WHAT DO WE DO? Re-assess and re-align your organization's aims, beliefs, integrity - all of it - with your people's Then they might begin to be interested in helping with new skills and change, etc.
  • 37. Organizational Change – The Influence Fact #2: People can't just drop everything and 'change', or learn new skills, just because you say so Perception: Even if they want to change and learn new skills, they have a whole range of issues that keep them fully occupied What they might be thinking…: "So you want me to attend this training course, so you can earn more (etc, etc), and when I come back from two days away in some rotten hotel my personal pile of meaningless jobs will just have magically disappeared will it? And when I come to try to implement these new skills and make all these new things happen, everyone will be completely in step will they? Pull the other one.. Again, no can do.."
  • 38. Organizational Change: The Influence WHAT DO WE DO? Consult with people! Save yourself from incorrect Assumptions Consulting with people does not mean that you hand over the organization to them - they wouldn't want the corporation if you paid them anyway No, consulting with people gives you and them a chance to understand the implications and feasibility of what you think needs doing Consulting with people, and helping them to see things from both sides generally throws up some very good ideas for doing things better than you could have dreamt of by yourself! It helps you to see from both sides too!
  • 39. Organizational Change: The Influence Fact #3: Organizations commonly say they don't have time to re-assess and re-align their aims and values, etc., or don't have time to consult with people properly, because the organization is on the edge of a crisis Organizations get into crisis because they ignore facts one and two In general, ignoring these facts again will only deepen the “crisis”
  • 40. Organizational Change – the Influencers What Do We Do? Take Advantage of “Crisis” Crisis is the best reason to re-align your aims and consult with people Crisis is wake-up and change the organization and its purpose - not change the people When an organization is in crisis, the people are almost always okay - it'll be the organizational purpose and aims that are not
  • 41. Organizational Change – Summary You cannot just “Tell” and “Command” Change within the organization Look at Organizational Goals and Objectives What does your organization actually seek to do? Whom does your organization benefit? And whom does it exploit? Who are the winners, and who are the losers? Does your organization have real integrity? COMMUNICATE COMMUNICATE COMMUNICATE Communicate does not equal Consensus – but it does foster trust and change!
  • 42. More Information www.isaca.org www.itsmf.com www.itgi.org www.acend.com
  • 43. Why is ITIL® training important? Your company will improve business with ITIL® processes that you learn in the training Working Together Lowering Costs Optimizing Performance Ensuring Compliance Improving IT Service Strategy, Design, Transition, Operation and Continual Service Improvement
  • 44. Why is ITIL® training important? ITIL® certification will allow you to understand the common language of ITIL®, understood by IT professionals worldwide, and will increase your standing within the IT community ITIL® gives you an adaptive and flexible framework for managing IT services and encourages you to use common sense rather than follow a rigid set of rules
  • 46. Course Offerings (Accredited Training Powered by Ahead-Technologies Courseware ) ITIL® Service Management (Foundations) – 2 Credits Prerequisite: None Duration: 2.5 ILT days Attendance: Anyone working in IT ITIL® Practitioner Series (5 courses available) – Total 12 Credits Prerequisite: Foundation Certification in IT Service Management Duration: 3 ILT days for each course Attendance: Middle Managers & Team Leaders Manager’s Certificate in IT Service Management – 17 Credits Prerequisite: Foundation Certification in IT Service Management & approved criteria Duration: 12 ILT days Attendance: Those that are managing, implementing, & advising on ITIL® processes, through project or day-to-day management, who have 5 years experience with IT Service Management.
  • 47. Why is COBIT® training important? Your company will improve business and overall business to IT Alignment with IT Governance Objectives that you learn in the training Working Together Optimizing Performance Ensuring appropriate controls and compliance Benefit from completing the Internationally Recognized COBIT® Foundations Exam

Editor's Notes

  • #17: ITIL is relevant to anyone involved in the delivery of support of IT services. Whether you are managing day-to-day IT services, or establishing and refining existing processes, ITIL can help you apply internationally proven best practices for the IT services and support you provide.
  • #19: The easiest and most concise way to describe the benefits of adopting Service Management and the ITIL Framework is by using the Objective Tree. Any organisation has its known and inferred corporate objectives. Objectives can be related to revenue, costs, profits, satisfaction, production, etc. These objectives determine the business processes that are required. That is, the corporate objectives will determine how the functional units of the business work together and their activities. As an outsider looking in, if somebody asks why these activities are determined (why), then you would go back to the corporate objectives. Each of the units of the business requires a set of services in order to achieve their function and to be part of the business processes. What services are required are determined by the interactions of the business units. Some business units will require specific IT Services (e.g. Accounts payable need a system, Human resources need a system), however some services will be required by all units (e.g. Electronic mail and word publishing capabilities). The types of services required are influenced by the way that the business processes are organized, which (as we know) is determined by the organizational objectives. Finally, all of these IT Services must run on infrastructure. Infrastructure includes hardware & software and all elements in between. All of these components have to be managed and we call that Service Management (or IT Service Management). We must ensure that we manage all these components very well so that the services can be provided to the business processes that will help them achieve the organisation objectives. ITIL is a way of identifying and assisting to ensure that we do all the things we need to do when considering the management of infrastructure. So you can see that ITIL is not the starting point. Really the starting point is understanding the objectives and business processes. 
Next is really understanding what it is that they need in the way of IT Services. The people in the business units do not view services as technical terms like network access,
  • #20: Competitive advantage through cost reduction and by enabling growth and agility by the flexibility and scalability inherent in standardized processes and service organization. Business efficiency through streamlining of IT processes and better alignment between vital business functions and IT services Improved internal customer and user satisfaction
  • #22: ITIL is now based on a core of five titles: Service Strategy Service Design Service Transition Service Operation Continual Service Improvement The Service Strategy book offers a view of ITIL that aligns business and IT so that each brings out the best in the other. It ensures that every stage of the service lifecycle stays focused on the business case and relates to all the companion process elements that follow. Subsequent titles will link deliverables to meeting the business goals, requirements and service management principles described in this publication. Concepts and guidance in this publication include: Service Management strategy and value planning Linking business plans and directions to IT service strategy Planning and implementing service strategy