cobit and itil breakfast seminar

1. COBIT vs. ITILWhy cant it be both?

COBIT & ITIL: An Overview

What is C OBI T

Key Components of C OBI T

Key C OBI T Terms

Other Organizations on C OBI T

C OBI T with other Frameworks

What is ITIL

Key Components of ITIL

Key ITIL Terms

Critical Success Factors: for ITIL & C OBI T

Key Success Indicators: for ITIL & C OBI T

Maturity Assessments

C OBI T and ITIL In Practice

Organizational Change

Additional Resources

IT Governance Industry Definition*

Astructureof relationships and processes

todirect and controlthe IT enterprise

in order toachieve the enterprises goalsby adding value

whilebalancing risk versus returnover IT and its processes

Is a decision rights and accountability framework (structure) to ensure desirable behaviour in the

use of IT

Links IT processes, IT people, IT technology and information to enterprise strategies and objectives

To leverage industry best practices (i.e. ITIL)to engineer the lifestyle change required to achieve the IT strategy and enable the overall Company corporate vision.

Developed in 1996 by the Information Systems Audit

and Control Association and IT Governance Institute as a standard for IT security and control practices.

Provides a reference framework for IT, security, auditing managers and users.

It helps companies deploy effective governance over systems

and networks.

C OBI T's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes.

These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.

Organizes IT into 4 primary domains

Divides these domains into 34 processes and provides a high levelcontrol objectivefor each

Focuses on fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of 318 detailed control objectives and supporting control practices

Effectiveness

Efficiency

Availability

Integrity

Confidentiality

Reliability

Compliance

Planning & Organization

Acquisition & Implementation

Delivery & Support

Monitoring

Planning & Organization (PO)Management Oversight, Governance, Policy, Strategy, Metrics, Risk Management, Investment, Quality

Acquisition & Implementation (AI)Acquire, Development, Implementation, Manage, SDLC, PMM, Change Management

Delivery & Support (DS)Change Management, Operations, Security

Monitoring (MO)Compliance, Management Monitoring, Auditing

Drill down of key processes within each domain

Key IT processes akin to key business processes within a business cycle

Key Control Objectives or Control Statements that assist management in meeting business objectives and the risks to business information

Suggested control activities are identified by objective

Potential high-level audit steps are identified for activities

This is also referred to as Activities or Tasks IT activities or tasks that make up the processes

Quality:Effectiveness, Efficiency

Fiduciary:Compliance, Reliability of Information

Security:Confidentiality, Integrity, Availability

Define most import issues and actions for management

Get processes under control

Measures that define after the fact success in achieving business requirements

Monitor achievement of IT process goals

Indicators defined how well IT processes are performing

Monitor performance within IT processes

Maturity of processes (controls) 0-5

0 = Non-existent

1 = Initial

2 = Repeatable

3 = Defined

4 = Managed

5 = Optimized

"C OBI T's real focus is on whether or not you have controls in place that ensure you arecompliantwith relevantregulatoryauthorities."

"It helps organizations determine if they are doingwhatthey said they would and if they are able toshow evidenceof this."

"C OBI T has proven to be an excellent tool formeasuringand assessing our IT controls." Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels.

ITIL is absolutely the best framework available for IT operation. There are no competitors.

- Ben Worthen, CIO Magazine

We now have the ability to assess how we are performing at any point in time. Weve identified where we had bottlenecks, and now the total number of problems is going down. And we have evidence to show people that we are improving.

-Suresh Kumar, CIO, Pershing

ITIL is common sense. Its what many successful organizations already doITIL forges a bond between IT, management and external customers

-Bruce Boardman, 2005

ITIL is like an elephant, you can eat the whole thing one bite at a time or in phases

-Stephen Bajada, CIO, Magazine

ITIL is the de-facto industry best practice for IT Service Management

Non-proprietary and based upon proven practitioner experiences

International user support (IT Service Management Forum - itSMF)

ITIL was developed by the UK Office of Government Commerce (OGC)

Developed in the late 1980s and continuously updated since

ISO 20000 Formal, international standard for IT Service Management certification, based upon ITIL best practices (formerly BS 15000)

ITIL,I nformationT echnologyI nfrastructureL ibrary is the most widely accepted approach to IT service management in the world

ITIL is also supported by a comprehensive qualifications scheme, accredited training organizations, and implementations and assessment tools

ITSM is an acronym for IT Service Management

Reduced Costs

Improved IT Services through the use of Proven Best Practices

Customer Service Satisfaction

IT Value through Business, IT Operational, and Goal Alignment

Improved Productivity, Skills, and Experience

Improved delivery of third party services through the specification of ITIL

You don't implement ITIL:

You use it to help create organizational change

ITIL doesn't offer guidance on how to actually apply the best practices it catalogs

each organization must design its own processes based on ITIL

To run IT like a business, you need to understand the key services that go into it

ITIL makes that work visible. It allows you to measure what is important, so you can emphasize the things that add value and take out the things that don't

Sustained executive and management support

Transformation must be institutionalized

Plan and drive organizational change

Dont boil the ocean utilize a prioritized and phased implementation approach

Listen, understand, communicate, communicate and communicate

Customer Satisfaction

Process Maturity & Adoption

Performance Benchmarks

Quality Certifications

Compliance with Regulatory & Audit Requirements

Employee Development & Competence

They provide a short hand method for describing key attributes of a control or a process

Maturity levels can be used to describe the attributes of our current controls or our current processes

They can also be used to describe the target level or attributes of our controls or processes

Controls maturity levels are different than an overall process maturity level definition

Controls maturity levels are different (but similar) than the current ITIL and CMMI maturity level definitions

IT Management Process Maturity Model

Based on 0.00 4.00 Best Practice Maturity Scale

CMMI uses a 5 point scale:

1: Initial

2: Repeatable

3: Defined

4: Managed

5: Optimized

COBIT is a reference, a set of best practices, not an out of the box solution

Enterprises still to need to analyze its control requirements and customize based on:

Value drivers

Risk profile

IT infrastructure, organization

and project portfolio

Understand that Control Maturity (COBIT) and Process maturity (ITIL) is different.

Leverage other frameworks for security area (NIST, ISO 17799, etc)

ROI is still difficult to quantify

ITIL is Guidance,not an out of the box solution

Enterprises still to need to analyze its process requirements and customize/make fit for purpose based on:

Value drivers

IT infrastructure, organization

Risk and Project Portfolio

Understand that process maturity (ITIL, CMMI, etc) and control maturity (COBIT) is different.

Leverage other frameworks for security area (NIST, ISO 17799, etc)

ROI is still difficult to quantify

IT Control Environment

Define a strategic IT plan

Define the IT Organization and Relationships

Communicate Management Aims and Direction

Ensure Compliance with External Requirements

Assess Risks

Monitoring

Program Changes (Change Management)

Manage Projects

Manage Changes

Manage Quality

Change Management

Release Management

Requirements Management

Requirements Development

Project Planning

Process & Product Quality Assurance

Verification & Validation

Program Development (SDLC)

Manage Projects

Manage Quality

Install and Accredit Systems

Change Management

Release Management

Requirements Management

Requirements Development

Project Planning

Process & Product Quality Assurance

Verification & Validation

Computer Operations

Manage Problems and Incidents

Manage Operations

Manage Data

Incident Management

Problem Management

Access to programs and data (Security)

Ensure Systems Security

Manage Data

Manage Facilities

Manage Configuration

Configuration Management

Asset Management

Manage Configuration

Configuration Management

Quality Management

Manage Quality

Service Level Management

Process and Product Quality Assurance

DRP & BCP

Ensure Continuous Service

Continuity Management

Availability Management

Service Levels

Define and Manage Service Levels

Continuity Management

Capacity Management

Performance and Capacity Planning

Manage Performance and Capacity

Capacity Management

Help Desk and Customer Support

Educate and Train Users

Assist and Advise Customers

Service Desk

Organizational Training

Control IT Costs

Manage the Information Technology Investment

Manage Human Resources

Identify and Allocate Costs

IT Service Financial Management

Supplier Agreement Management

Others

Define the Information Architecture

Determine the Technological Direction

Identify Automated Solutions

Develop and Maintain Procedures

Technical Solution

Product Integration

DS 5 Ensure Systems Security

DS5.1 Manage Security Measures

DS5.2 Identification, Authentication and Access

DS5.3 Security of Online Access to Data

DS5.4 User Account Management

DS5.5 Management Review of User Accounts

DS5.6 User Control of User Accounts

DS5.7 Security Surveillance

DS5.8 Data Classification

DS5.9 Central Identification and Access Rights Management

DS5.10 Violation and Security Activity Reports

DS5.11 Incident Handling

Control Objective

Management should have a control process in place to review and confirm access rights periodically.

Risk (why)

Without periodic review of user account access a user could have access to systems or data that he or she no longer needs or should not have access to.

Control Activities (who, what, when)

On a quarterly basis data owners review the Top Security Transaction Code Reports to verify that only authorized users can create, read, update and/or delete the information that they own.

Supporting Evidence

Confirmations are stored within a Lotus Notes database.Exceptions result in a help desk ticket being created.

Provides Guidance on IT Access Management Processes

Found in the Service Operations Phase of the ITIL V3 Lifecycle

Additional source for process guidance, benefits, etc.

AI 6 Manage Change

AI6.1 Change Request Initiation and Control

AI6.2 Impact Assessment

AI6.3 Control of Changes

AI6.4 Emergency Changes

AI6.5 Documentation and Procedures

AI6.6 Authorized Maintenance

AI6.7 Software Release Policy

AI6.8 Distribution of Software

Control Objective

Requests for changes, application maintenance and supplier maintenance are standardized and are subject to formal change / release management procedures.

Risk (why)

Without a change management methodology, application changes could be implemented without proper testing or approval and could result in unscheduled downtime which disrupts business processes.

Control Activities (who, what, when)

A change management system is utilized to track all change requests.Change requests are entered by the change manager and reviewed by the change control board twice a week.

Before promotion to production, each change is tested using an appropriate testing strategy given the size and nature of the change.Testing may include end user testing when appropriate and the test results must be reviewed and approved by an appropriate manager.

Once changes have been reviewed, tested and accepted, the production environment is updated to include the accepted changes.

Supporting Evidence

Documentation is maintained within the change management system XYZ.

ITIL Provides guidance on how to implement Change Mangement in your IT Organization

Provides guidance on how to assess impact and risk

Found in the Service Transition Phase of the Lifecycle

Fact #1:

People will not align with bad aims and are less inclined if the organization does not align with their belief systems

Most staff will simply nod and smile demurely as if in servile acceptance

And then nothing happens

The people can't be bothered

WHAT DO WE DO?

Re-assess and re-align your organization's aims, beliefs, integrity - all of it - with your people's

Then they might begin to be interested in helping with new skills and change, etc.

Fact #2:

People can't just drop everything and 'change', or learn new skills, just because you say so

Perception: Even if they want to change and learn new skills, they have a whole range of issues that keep them fully occupied

What they might be thinking:

"So you want me to attend this training course, so you can earn more (etc, etc), and when I come back from two days away in some rotten hotel my personal pile of meaningless jobs will just have magically disappeared will it? And when I come to try to implement these new skills and make all these new things happen, everyone will be completely in step will they? Pull the other one.. Again, no can do.."

WHAT DO WE DO?

Consult with people!

Save yourself from incorrect Assumptions

Consulting with people does not mean that you hand over the organization to them - they wouldn't want the corporation if you paid them anyway

No, consulting with people gives you and them a chance to understand the implications and feasibility of what you think needs doing

Consulting with people, and helping them to see things from both sides generally throws up some very good ideas for doing things better than you could have dreamt of by yourself!

It helps you to see from both sides too!

Fact #3:

Organizations commonly say they don't have time to re-assess and re-align their aims and values, etc., or don't have time to consult with people properly, because the organization is on the edge of a crisis

Organizations get into crisis because they ignore facts one and two

In general, ignoring these facts again will only deepen the crisis

What Do We Do?

Take Advantage of Crisis

Crisis is the best reason to re-align your aims and consult with people

Crisis is wake-up and change the organization and its purpose - not change the people

When an organization is in crisis, the people are almost always okay - it'll be the organizational purpose and aims that are not

You cannot just Tell and Command Change within the organization

Look at Organizational Goals and Objectives

What does your organization actually seek to do?

Whom does your organization benefit?

And whom does it exploit?

Who are the winners, and who are the losers?

Does your organization have real integrity?

COMMUNICATE COMMUNICATE COMMUNICATE

Communicate does not equal Consensus but it does foster trust and change!

www.isaca.org

www.itsmf.com

www.itgi.org

www.acend.com

Your company will improve business with ITIL processes that you learn in the training

Working Together

Lowering Costs

Optimizing Performance

Ensuring Compliance

Improving IT Service Strategy, Design, Transition, Operation and Continual Service Improvement

ITIL certification will allow you to understand the common language of ITIL, understood by IT professionals worldwide, and will increase your standing within the IT community

ITIL gives you an adaptive and flexible framework for managing IT services and encourages you to use common sense rather than follow a rigid set of rules

ITIL Service Management (Foundations) 2 Credits

Prerequisite:None

Duration:2.5 ILT days

Attendance:Anyone working in IT

ITIL Practitioner Series (5 courses available) Total 12 Credits

Prerequisite:Foundation Certification in IT Service Management

Duration:3 ILT days for each course

Attendance:Middle Managers & Team Leaders

Managers Certificate in IT Service Management 17 Credits

Prerequisite:Foundation Certification in IT Service Management & approved criteria

Duration:12 ILT days

Attendance:Those that are managing, implementing, & advising on ITIL processes, through project or day-to-day management, who have 5 years experience with IT Service Management.

Your company will improve business and overall business to IT Alignment with IT Governance Objectives that you learn in the training

Working Together

Optimizing Performance

Ensuring appropriate controls and compliance

Benefit from completing the Internationally Recognized COBIT Foundations Exam

cobit and itil breakfast seminar

Education

key processes

c obi t c obi t

key business processes

governance institute

cobit framework

domain key

key goal indicators

control activities