IT Governance – Leveraging ITIL® v2/v3 for Governance Success

Greg Charles, Ph.D.
VP and Senior Advisor, Global Customer Success Group
Western U.S. ITIL, Governance & Best Practices Lead
CA, Inc.
May 2008


April 18, 2023 Copyright © 2008 CA

IT Governance

Defined as: The management of risk & compliance.

“The overall methodology by which IT is directed, administered and controlled”

Compliance

Governance


Three Pillars of IT Governance

IT Governance

Infrastructure Management

IT Use/Demand Management

IT Project Management


Managing Ever-Increasing Complexity


The Business World View

[Diagram labels: End User, Firewall, Network, Router, Switch, Load Balancer, Portal, Identity Manager, Web Servers, Web Services, Applications, SAP, PSFT, Siebel, 3rd Party applications, Databases, Database, Mainframe, Black Box]


The Cruel Reality

[Diagram labels: Application (repeated), Screen Scrape, Message Queue, Download File, Transaction File, ORB, CICS Gateway, APPC, RPC, Sockets, Message]

Source: Gartner


Addressing These Challenges: Improving Engagement and Efficiency

WHAT IS ENGAGEMENT?

Doing the Right Things

IT’s ability to partner with the business to maintain alignment and maximize return from IT investments

WHAT IS EFFICIENCY?

Doing Things Right

IT’s ability to make the best use of its people, budgets and assets


Obstacles Prevent Effective Engagement

IT Seen as Black Box:
- Business lacks visibility
- Poor customer satisfaction

Overwhelming Demand:
- Unstructured capture of requests and ideas
- No formal process for prioritization and trade-offs
- Reactive vs. proactive

IT and Biz Divide:
- Business thinks in IT services – IT delivers in technology terms
- Costs disassociated with services


Disparate Systems Reduce Efficiency

- No Single System of Record for Decision-Making

- IT Management systems siloed

- Relevant Metrics Hard to Obtain

- Disparate Systems Costly to Maintain and Upgrade


IT Governance Landscape


How to Improve Engagement? Structured IT Governance Process

Comprehensive Portfolio Management
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services

Integrated Demand Management
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives

Business Intelligence for the BRM
- Visibility into all services that support LOB
- Detailed cost invoices


How to Improve Efficiency? Comprehensive Management

Comprehensive Resource Management
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advance Resource Mgmt capabilities

Scalable, Transparent Status Capture
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with Asset Management Solution

World-Class Project Execution
- Leverage best practices across entire project portfolio
- Rapid time to value

Empower the PMO
- Automate, enforce, and report on process compliance


Approaches Currently In Use

> Business As Usual - “Firefighting”

> Legislation - “Forced”

> Best Practice Focused


Best Practices

• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved

Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.

Process Frameworks
• ITIL®
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.


ITIL® v2 to v3

[Diagram labels: The Business; The Technology; Planning To Implement Service Management; Service Management; Service Support; Service Delivery; The Business Perspective; Application Management; ICT Infrastructure Management; Security Management; Introduction to ITIL; Software Asset Management; Small-Scale Implementation]


ITIL® v2 Service Support Model

[Diagram labels: The Business, Customers or Users; Service Desk; Monitoring Tools; Incident Management; Problem Management; Change Management; Release Management; Configuration Management; CMDB; Incidents; Problems; Known Errors; Changes; Releases; CIs; Relationships; Difficulties; Queries; Enquiries; Communications; Updates; Work-arounds; Customer Survey reports]

Report lists shown in the diagram:
- Service reports, Incident statistics, Audit reports
- Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports
- Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports
- Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports
- CMDB reports, CMDB statistics, Policy standards, Audit reports


ITIL® V2 Service Delivery Model

[Diagram labels: Business, Customers and Users; Service Level Management; Availability Management; Capacity Management; Financial Management For IT Services; IT Service Continuity Management; Management Tools; Queries; Enquiries; Communications; Updates; Reports; Requirements; Targets; Achievements; Alerts and Exceptions; Changes]

Lists shown in the diagram:
- SLAs, SLRs, OLAs, Service reports, Service catalogue, SIP, Exception reports, Audit reports
- IT continuity plans, BIS and risk analysis, Requirements defined, Control centers, DR contracts, Reports, Audit reports
- Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
- Capacity plan, CDV, Targets/thresholds, Capacity reports, Schedules, Audit reports
- Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports


IT Governance and ITIL® Version 3


Service Strategies

> Service Strategy Process
- Strategy Generation
- IT Financial Management
- Service Portfolio Management
- Demand Management

> Organizational Development & Design

> Implementing Service Strategy


Service Design

Service Management Blueprint

> Service Design Principles

> Service Design Process
- Service Portfolio Design
- Service Catalogue Mgmt
- Service Level Mgmt
- Capacity Mgmt
- Availability Mgmt
- Service Continuity Mgmt
- Information Security Mgmt
- Supplier Mgmt

> Service Design Technology

> Service Design Implementation


Service Transition

> Service Transition Principles

> Service Transition Process
- Change Management
- Service Asset & Configuration Mgmt
- Knowledge Management
- Service Release Planning
- Performance and Risk evaluation
- Acquire Assets, Build and Test Release
- Service Release Acceptance Test and Pilot
- Deployment, Decommission and Transfer


Service Operation

> Service Operation Principles

> Service Operation Process
- Event Management
- Incident Management
- Request Fulfillment
- Problem Management
- Access Management

> Common Service Operation Activities
- IT Operations (Console, Job Scheduling etc.)
- Mainframe Support
- Server Mgmt and Support
- Desktop Support, Middleware Mgmt, Internet/Web Mgmt
- Application Mgmt Activities

> IT Security

> Organization Service Operation
- Service Desk
- Technical Management
- IT Operations Management
- Application Management

Service Design Implementation


Continual Service Improvement

> Continual Service Improvement Principles

> Continual Service Improvement Process

Measurement and Control

Service Measurement

Service Assessment and Analysis

Service Level Management

> Organizing for Service Continual Improvement


[Diagram labels: The Business / Customers; Requirements; Service Strategy (Strategies, Policies, Resource and constraints, Objectives from Requirements); Service Design (Solution Designs, Architectures, Standards, SDPs); Service Transition (Transition Plans, Tested solutions, SMKS); Service Operation (Operational services, Operational Plans); Continual Service Improvement (Improvement actions & plans); Service Portfolio; Service Catalogue]

IT Governance callouts shown on the diagram:
- IT Governance (New Product Development, Project Mgmt, Resource Mgmt, Financial Mgmt, and Demand Mgmt)
- IT Governance (Demand, Risk & Control, Service Portfolio, Project Financial Mgmt, Business Relationship Mgmt, and Process Management)
- IT Governance (Demand, Resource, Process Mgmt, and Project Mgmt)
- IT Governance (Resource Mgmt, Project Mgmt, and Process Management)
- IT Governance (Process Mgmt, Project Mgmt, and Bus Relationship Mgmt)


IT Governance Model

[Diagram labels: IT OPERATIONS; Audit Models; Quality Systems & Mgmt. Frameworks; Service Mgmt.; App. Dev. (SDLC); Project Mgmt.; IT Planning; IT Security; Quality System; COBIT®; COSO; ISO17799; PMI; PMBOK; PRINCE2; ISO; Six Sigma; TSO; IS Strategy; ASL; CMMi; Sarbanes-Oxley; US Securities & Exchange Commission; ITIL®; BS 15000; ISO 20000]


COBIT® (Control Objectives for IT)

> Focused on IT Standards and Audit, COBIT® is jointly “owned/maintained” by ITGI and ISACA (Information Systems Audit and Control Association)

> Based on over 40 International standards

> Supported by over 150 IT Governance Chapters

– www.itgi.org

– www.isaca.org

Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality


The COBIT® Cube

4 Domains

34 Processes

318 Control Objectives

(Business Requirements)

____

215 in COBIT® 4.0


COBIT® Domains - Summary

- Planning & Organization (PO Process Domain)
- Acquisition & Implementation (AI Process Domain)
- Delivery & Support (DS Process Domain)
- Monitoring (M Process Domain)


How to Make IT a Reality?

Key Success Factors

Theory – ITIL® / COBIT® / etc.
- Guidelines for Best Practices
- Provides the theory but not always defines the process
- Education is an important component

Technology – CA and others
- Provide the technology that enables & automates the process
- Repeatability, compliance & notifications
- Implement processes impossible without technology

Process
- Convert theory to process that is applicable to the unique needs of the organization
- Training & Education
- Tool configuration


Customer maturity isolates appropriate transition point, blueprint & ROI

[Flowchart shown at Level 1, Level 2, Level 3 and Level 4. Step and decision labels: Define Policy In Network Scanner; Discover Assets; Define Standard Builds; Network Scan Group (scheduled); Attack & Penetration Performed; Ensure Backup of Critical Assets; New Asset?; Agent Based Scanning Initiated; Re-Test Notification to User Population; Systems configuration changed and rebooted; Verification - Rescan; Patch Needed?; Patches sent to Vulnerability Management Group; Config. Change Needed?; Patch Available?; Patch Tested?; Document problems with incident ticket; Request for Change; Initiate Change Order and complete Business Impact Analysis; New Incidents; Detect Vulnerabilities; Assess Business Impact; Assign Priority; Fixed?; Document Post Scan Results; Audit Asset; Generate Report; Update CMDB; Software Delivery; Restore Image; IDS Security Incident; Computer Incident Response Team Investigation In Progress; Security To Incident Resolution; Vulnerability Identified?; Acceptable Use Violation; Denial Of Service; Information Theft; Probe; Social Engineering; Unauthorized Use; Resource Modification; Integrated Security Event Prioritization; Manual Process To Remove Vulnerabilities; Network Scan; Penetration Test; Quantitative Metrics]

Making IT Easier

- 4-Business-Driven: Ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
- 3-Responsive: Ability to manage service levels and provide the services that are important to the business
- 2-Efficient: Ability to automate responses, streamline processes, consolidate resources
- 1-Active: Ability to respond to problems and faults

ROI


Tools to Aid Success

[Figure panels: Solution Sheets; Transitional Maturity ROI Tool; Process Model; Profilers; Maturity Model; Blueprints; Assessments]

Process Model

[Diagram of identity and access management steps across roles. Roles: CISO; Incident Manager; IT Operations Manager; Customer / Partner; Business Manager; Facilities Security Manager; Application Manager; Employee; Customer Relationship Manager; HR; Development Manager. Trigger labels: New Hire; New Customer (or Partner); New App; Customer/Partner Changes Business Relationship, e.g. Buys New Product/Service; Request Change in Application Access for New Project; Customer/Partner Forgets Password; Customer/Partner User No Longer Needs Access; Employee Terminated/Retired; Periodic Security Audit Scheduled; Periodic Policy Review; CMDB Change Impacting App deployment, Ownership, Access etc. Step labels include: Define IAM Policies, Processes, Workflows & Owners; Define Policies & Stds for ID Provisioning, and Reporting; Define Corporate Identity Directory, Entitlement Mgt, & Security Web Services; Define ID and Password Stds; Define Role Mgt Stds; Define Federated Trust Stds; Identity verified & Entered in HR; Approve Access; Workflow Approval; Identity and Access Automatically Provisioned to LAN, Email, Corporate Directory, Authentication Technology, Security Web Services, Security Infrastructure, Business Apps, External Federated Services; Self-serve Reset Password; Delegated User Creation; SPML Request From Customer/Partner; Validate App with Provisioning System, with ID / Passwd Stds, With Role Stds, with SPML and Using Directory Services; Workflow for Security Review of Application; Automated Process to Deprovision User from Systems/Apps and from Facilities Access; Automated Synchronization Process Compares Authoritative User & Role List with LAN & App User accounts; Excess Entitlements / Accounts? [Y] Workflow to Request Remediation, [N]; User Entitlements Exceptions Report Generated Automatically; Audit Reports Completed; Incident Opened (if required by policy); Incident Closed]

Maturity Model

- 4-Business-Driven: Ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
- 3-Responsive: Ability to manage service levels and provide the services that are important to the business
- 2-Efficient: Ability to automate responses, streamline processes, consolidate resources
- 1-Active: Ability to respond to problems and faults

ROI

Assessments

[Chart comparing Importance and Capability for: Service Support; Service Delivery; Infrastructure Mgmt; Application Mgmt; Implementing IT Svc Mgmt]

Blueprints

[Grid with columns Active, Efficient, Responsive, Business-Driven and rows Organizational Characteristics, Technical Capabilities, Services and Solutions]

• Dedicated Security Staff
• CISSP Training
• Security Awareness Training
• Certified Security Staff
• Security Awareness Training (IT, HR, Dev)
• Certified Security & IT Ops Staff
• Security Awareness Training (IT, HR, Dev)
• Staff trained in Threat Detection
• End User technology training in Anti-Spam prevention

[Other cell labels: Attack and Penetration Testing; Basic Security Policy; Anti-Virus Scanning; Identify & Classify Assets; Manual Load OS Patches; Backup/Recovery; Business Impact Analysis; Developed Standard OS Configuration; Integrated VM And Helpdesk; Agent-based Vulnerability Management; Agent-based Configuration Management; Business Impact Correlation & Reporting; Integrated Forensics Investigation; Compliance Management & Reporting; IT Governance Management; Security Road Map Assessment; eTrust VM Service; Security Policies & Procedures; CISSP Training; Attack & Penetration Assessment; Vulnerability Assessment; CERT Training; ITIL Training; Business Correlation Rule Development; Policy and Process Monitoring; Security Business Portal Development; Compliance Oriented Architecture; Incident Response Program Development; Forensic Investigation Training; Periodic Vulnerability Assessments; Technology Design, Implementation, and Integration Services (AV, VM, etc.); Technology, Design, Implementation & Integration Services (VM, Backup/Recovery, Service Desk, etc.); Tracking of Vulnerability Activities; CERT & Incident Resolution Process; Tracking of Threat & Forensics Events; BCP/DR Management; ITIL Compliant IT Operations Process; Automated Software Distribution Patch Process; Security Roadmap & Strategy Development; ISO17799 Program Development; Security Standards Development; Compliance Architecture Development; Anti-Spyware Malware Solutions; Technology, Design, Implementation & Integration Services (Audit, SCC, Forensics, SCM, IDS, Pest Patrol.); Configuration Management Process; Technology, Design, Implementation & Integration Services (Compliance Oriented Architecture.); Audit Collectors; Integrated Security Event Prioritization]


Governance: Meeting Customer Needs Leveraging Best Practices

Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality

Best Practices: ITIL®, COBIT®, COSO, ITAM, ITSM, Six Sigma, etc.


The Result Business-IT Integration

IT

Business


IT Governance – Leveraging ITIL® v2/v3 for Governance Success

Greg Charles, Ph.D.
VP and Senior Advisor, Western U.S. ITIL, Governance & Best Practices Lead,
Global Customer Success Group
CA, Inc.

May 2008