Using COBIT and ITIL
Robert E Stroud, CGEIT, International Vice President, ISACA
VP Service Management & Governance
Service Management, Governance & Cloud Computing Evangelist, CA Technologies
robert e stroud (CGEIT)
— Vice President, Service Management; Service Management and Governance Evangelist
— 27 years Industry Experience
— 15+ years Banking Industry
— ITSM
− Treasurer, itSMF International Executive Board
− Director Audit, Standards and Compliance
− Former Director, itSMF USA
− Member ITIL V3 Advisory Group (IAG)
− Mentor ITIL V3 Service Transition
− Contributor ITIL Business Perspectives Volume II
− Author ITIL\COBIT\ISO17799 Management Overview
— IT Governance
− International Vice President ISACA\ITGI
− Chair COBIT Steering Committee
− IT Governance Committee
− Contributor to COBIT and VAL IT
− Contributor to Basel II Guidance
— BLOG: www.ca.com/blogs/stroud
Copyright © 2010 CA - Robert E Stroud – [email protected] - BLOG: www.ca.com/blogs/stroud
trademark notice
ITIL® is a registered trademark and a registered community trademark of the UK Office of Government and Commerce (OGC) and is registered in the U.S. Patent and Trademark Office.
COBIT® is a registered trademark of ISACA
DISCLAIMER
Neither CA nor its speaker warrants or guarantees the concepts or the accuracy of information provided herein.
No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by CA.
risk & compliance lifecycle
(figure: maturity plotted against time, rising through four phases)
— Blissful Unawareness Phase
— Reactive Fragmented Implementation Phase
— Consolidation Phase
— Operational Excellence Phase
Activities along the curve:
— Ad hoc, “must-do” activities only
— Create inventory of governance, risk, and compliance initiatives
— Rush projects to react to mandate
— Start on a unified GRC approach
— Continuous process improvement
benchmark data
Best Outcomes (12%): 1 in 10 Organizations
Best Outcomes (19%): 2 in 10 Organizations

Operating Results           | Worst        | Normative | Best
Top-line Financial Results  | -12%         | 0%        | +8%
Loss/Theft of Customer Data | More than 16 | 3 to 16   | Less than 3
Hours of Downtime due to IT | More than 60 | 4 to 60   | Less than 4
IT Audit deficiencies       | More than 16 | 3 to 16   | Less than 3
N: 3,280. Source: IT Policy Compliance Group, 2009
sustainable operations
(figure: value of IT capabilities to the business plotted against control over IT capabilities, each from low to high, with IT service labelled on the chart)
Implementation of the IT improvement strategy:
• Quality • Domain • Effort • Output & effect • Feedback
Ongoing use and management of the IT infrastructure:
• Business Added Value • Quality • Change • Capacity • Cost • Control
risk posture
(figure: risk matrix of Impact against Likelihood, each rated L, M or H, with two arrows labelled Mitigating controls)
8 February 2009 Quelling the Perfect Storm within IT Copyright © 2009 CA
COBIT: operational compliance
> Governance Framework
> Certifiable
> Defensible position with audit community (internal & external)
> Predictable Risk Model
> Operational Excellence
(figure: COBIT spanning the enterprise areas Portfolio Mgmt., Development, Service & Support and Compliance, alongside the frameworks and standards TOGAF, Development Methodology, ITIL, Corporate Governance of IT ISO 38500, ISO 27000 and Service Management ISO 20000)
IT governance
“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”
Source: Board Briefing on IT Governance, 2nd Edition. © 2003 ITGI. All rights reserved.
governance solves
— Meets the increasing risks (security, compliance, projects etc.)
— Ensures continuity of critical business processes that depend on information and systems
— Integrates organizational objectives with the growing dependence on service providers, third parties and cloud computing
— IT is enabling organizations to rapidly innovate and transform business practices to create new opportunities and reduce cost
— Ensures continuity of IT knowledge, which is essential to sustain and grow the business.
enterprise governance of IT domains
—Strategic Alignment
—Value Delivery
—Resource Management
—Risk Management
—Performance Measurement
Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.
COBIT™ - the roadmap
—Globally accepted set of tools and good practices that ensures IT is working effectively
—Provides common language to communicate goals, objectives, expected results
—Based on industry standards and good practices in:
−Strategic alignment of IT with business goals
−Value delivery of services and new projects
−Risk management
−Resource management
−Performance measurement
COBIT framework
(figure: Governance Drivers and Business Goals feed the COBIT Framework. Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. IT Resources: Applications, Information, Infrastructure, People.)
PLAN AND ORGANISE
− PO1 Define a strategic IT plan
− PO2 Define the information architecture
− PO3 Determine the technological direction
− PO4 Define the IT processes, organisation and relationships
− PO5 Manage the IT investment
− PO6 Communicate management aims & direction
− PO7 Manage IT human resources
− PO8 Manage quality
− PO9 Assess and manage risks
− PO10 Manage projects
ACQUIRE AND IMPLEMENT
− AI1 Identify automated solutions
− AI2 Acquire and maintain application software
− AI3 Acquire & maintain technology infrastructure
− AI4 Enable operation and use
− AI5 Procure IT resources
− AI6 Manage changes
− AI7 Install and accredit solutions and changes
DELIVER AND SUPPORT
− DS1 Define service levels
− DS2 Manage third-party services
− DS3 Manage performance and capacity
− DS4 Ensure continuous service
− DS5 Ensure systems security
− DS6 Identify and attribute costs
− DS7 Educate and train users
− DS8 Manage service desk and incidents
− DS9 Manage the configuration
− DS10 Manage problems
− DS11 Manage data
− DS12 Manage the physical environment
− DS13 Manage operations
MONITOR AND EVALUATE
− ME1 Monitor & evaluate IT performance
− ME2 Monitor & evaluate internal control
− ME3 Ensure regulatory compliance
− ME4 Provide IT governance
Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.
who is doing what? RACI
Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.
measurement of processes
Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.
maturity model
(figure: each Maturity Attribute rated from 1 to 5 to give the Overall Process Maturity, as-is)
Maturity Attributes:
— Awareness and Communication
— Policies, Standards and Procedures
— Tools and Automation
— Skills and Expertise
— Responsibility and Accountability
— Goal Setting and Measurement
maturity model
(figure: the same Maturity Attributes, Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement, rated from 1 to 5 for Overall Process Maturity, showing the as-is level and the to-be improvement measures)
ITIL processes
SERVICE STRATEGY
• Financial Management • Return on Investment • Service Portfolio Mgmnt • Demand Management
SERVICE DESIGN
• Service Catalogue Management • Service Level Management • Capacity Management • Availability Management • IT Service Continuity Management • Information Security Management • Supplier Management
SERVICE TRANSITION
• Transition Planning and Support • Change Management • Service Asset & Configuration Management • Release & Deployment Management • Service Validation • Evaluation • Knowledge Management
SERVICE OPERATION
• Event Management • Incident Management • Request Fulfilment • Problem Management • Access Management
CONTINUAL SERVICE IMPROVEMENT
• 7-Step Improvement Process
relationship between COBIT & ITIL
—COBIT is an IT Governance and Control framework and focuses on WHAT should be addressed to ensure good governance of all IT related processes, including service management processes.
—COBIT provides guidance, framework and tools on achieving desired levels of conformance and performance of IT Processes required to satisfy business needs.
— ITIL provides best practices describing HOW to plan, design and implement effective service management processes.
—By leveraging COBIT guidance, an enterprise can ensure that its service management effort is aligned with its overall business, governance and internal control requirements.
using frameworks together
(figure: Governance: COBIT. IT Operational Processes: ITIL. Application Development Processes: CMMI. Project & Portfolio Management: PMBOK. Establish the work, align it with roles using RACI (Responsible, Accountable, Consulted and Informed), then Measurement.)
Governance for your ITSM Environment © 2008-2010 CA, Inc. All rights reserved.
the COBIT user guide for service managers
— Explains importance of governance of the focused area
— Defines the need for good practices
— Provides an overview of the specific role
— Explains the relationship between COBIT and the best practices for the role
— Explains how to use COBIT and ITIL to support the governance of IT-enabled business services
— Provides a roadmap for getting started.
— Provides a table of key service manager activities based on ITIL V3, cross-referenced to COBIT 4.1 and ISO 20000
RACI for the service manager – DS1 manage service levels
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
generic role descriptions: an aid to areas of responsibility
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
coverage of ITIL to COBIT processes
by Jimmy Heschl
(figure: COBIT processes addressed by IT Infrastructure Library v3, charted per domain, Plan and Organise PO1 to PO10, Acquire and Implement AI1 to AI7, Deliver and Support DS1 to DS13, Monitor and Evaluate ME1 to ME4, with the coverage of each process shaded from none to full)
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
key processes in the lifecycle – example service operation
ITIL V3 Service Operation
ITIL V3 process      | COBIT 4.1
Event Management     | DS3, DS8, DS13
Incident Management  | DS8
Request Fulfilment   | DS8
Problem Management   | DS10
Access Management    | DS5
Operation Management | DS13
mapping IT goals to IT process
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
goals and metrics for DS1 – managing service levels
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
control practices (DS1)
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
mapping of COBIT DS1.1 to ITIL
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
achieve governance of IT services
CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved
linking COBIT, ITIL & governance of IT services
CobiT® User Guide for Service Managers ISBN 978-1-60420-071-3 © 2009 IT Governance Institute. All rights reserved
example financial management
4. Financial Management (Service Strategy – 5.1, 5.2): Service Manager Key Activities
Roles in the RACI columns are shown as extracted; the individual R, A, C and I column boundaries were not recoverable.

Key activity (based on ITIL v3) | ITIL V3 x-ref | COBIT 4.1 x-ref | ISO 20000 x-ref | Key deliverables | RACI (R A C I)
FM1. Understand the business and IT culture and attitude towards financial management, and any regulatory or compliance requirements | 5.1.4.3 Plan | PO1.1 IT value management | 7.2, 7.3 | Service Business Case | BPO SM CFO CIO; CIO
FM2. Identify all internal and external contacts that provide and/or receive IT financial information. Define financial reporting and analysis requirements. | 5.1.4.3 Plan | PO5.1 Financial management framework | 7.2, 7.3 | Financial management requirements | SM CIO CFO BPO; CFO
FM3. Guide the financial reporting outputs to meet the business and IT needs. | 5.1.4.3 Analyse | PO5.4 Cost management | 6.4 | Financial Reports | SM CIO; CIO CFO BPO; CFO BPO
FM4. Maintain awareness of the value of the services and of the current costs and use this information when considering the business case for new services. | 5.1.4.3 Analyse | PO5.5 Benefit management; DS6.1 Definition of services | | | SM BPO; BPO CIO CFO SPM; CIO CFO SPM
FM5. Define together with the business and IT, financial measures of success. | 5.1.4.3 Measure | DS6.2 IT accounting | 6.4 | Cost allocations | SM BPO; CIO CFO CFO
FM6. Ensure financial information about the service is presented clearly to business and IT management. | 5.1.4.3 Measure | DS6.3 Cost modelling and charging; DS6.4 Cost model maintenance | | Cost model | SM CIO; CIO CFO BPO; CFO BPO
example: change management
(figure: ITIL v3 change management activities and their status transitions, mapped to CobiT control objectives, an ISO 27002 control and the Val IT domains)
ITIL v3 activities: Change Proposal (optional); Authorise Change proposal; Create RFC; Record the RFC; Review RFC; Assess and evaluate Change; Authorise Change; Plan updates; Co-ordinate change implementation; Review and close change record; Update change and configuration information in CMS
Outputs: Evaluation report; Work orders
Change statuses: requested; ready for evaluation; ready for decision; authorized; scheduled; implemented; closed
CobiT control objectives: AI6.1 Change Standards and Procedures; AI6.2 Impact Assessment, Prioritisation and Authorisation; AI6.4 Change Status Tracking and Reporting; AI6.5 Change Closure and Documentation
ISO 27002 control: 10.1.2 Change management
Val IT domains: Investment Management (IM); Portfolio Management (PM); Value Governance (VG)
detailed mapping (excerpt)
COBIT Control Objective | Name | ITIL | Coverage
PO1 | Define a Strategic IT Plan | SS 1 Introduction; SS 2 Service management as a practice; SS 3 Service Strategy principles; SS 3.5 Service Strategy fundamentals; SS 4 Service strategy … | A+
PO1.1 | IT Value Management | SS 2.2 What are services?; SS 3.1 Value creation; SS 3.4 Service structures; SS 4.4 Prepare for execution; SS 5.1 Financial Management; SS 5.2 Return on Investment; SS 5.3 Service Portfolio Management | C
PO1.2 | Business-IT Alignment | SS 2.1 What is service management; SS 2.3 The business process; SS 2.4 Principles of service management | C
PO1.3 | Assessment of Current Capability and Performance | SS 4.4 Prepare for execution; CSI 5.2 Assessments | C
PO1.4 | IT Strategic Plan | SS 3.3 Service provider types; SS 3.5 Service Strategy fundamentals; SS 4.1 Define the market; SS 4.2 Develop the offerings; SS 4.3 Develop strategic assets … | C
PO1.5 | IT Tactical Plans | SS 4.4 Prepare for execution; SS 7.1 Implementation through the lifecycle; SS 7.2 Strategy and Design … | C
next steps
—Purchase the COBIT User Guide for Service Managers
—Identify your target areas for implementation
—Implement
—Communicate the value
—Move on to the next implementation target
—ISACA guidance is available at www.isaca.org
value of governance
(figure: IT Governance Benefits)
—Reliable services
—Transparency
—Responsiveness of IT to business
—Management confidence
—Higher Return on Investment (ROI)
—Business and IT Integration
more information
Email: [email protected]
Web: www.ca.com/itil
Twitter: www.twitter.com\RobertEStroud
BLOG: www.ca.com/blogs/stroud