CobiT And ITIL Breakfast Seminar

COBIT® vs. ITIL® Why can’t it be both?

Agenda
COBIT & ITIL: An Overview
What is C OBI T
Key Components of C OBI T
Key C OBI T Terms
Other Organizations on C OBI T
C OBI T with other Frameworks
What is ITIL
Key Components of ITIL
Key ITIL Terms
Critical Success Factors: for ITIL & C OBI T
Key Success Indicators: for ITIL & C OBI T
Maturity Assessments
C OBI T and ITIL In Practice
Organizational Change
Additional Resources

What is IT Governance?
IT Governance – Industry Definition*
A structure of relationships and processes
to direct and control the IT enterprise
in order to achieve the enterprise’s goals by adding value
while balancing risk versus return over IT and its processes
Is a decision rights and accountability framework (structure) to ensure desirable behaviour in the
use of IT
Links IT processes, IT people, IT technology and information to enterprise strategies and objectives
*Source: Control Objectives for Information and Related Technology (CobiT®) IT Governance Institute
© 2007 IT Governance Institute. All rights reserved. www.itgi.org

Typical IT Governance Mission
“ To leverage industry best practices (i.e. ITIL) to engineer the lifestyle change required to achieve the IT strategy and enable the overall Company corporate vision.”
COBIT ITIL

The IT Governance Lifecycle TASK ENVIRONMENT • Ethics & Culture • Laws and Regulations • Mission & Vision • Role Models • Industry Practices • … MONITOR MONITOR WHY ? WHY ? CREATE CREATE PROTECT PROTECT EXECUTE EXECUTE KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP ALIGNMENT VALUE DELIVERY PERFORMANCE MEASUREMENT RISK MANAGEMENT IT RESOURCE MANAGEMENT MATURITY MODELS CONTROL OBJECTIVES CONTROL PRACTICES CSF IT BSC COBIT BENCHMARK MATURIT MODEL Audit guidelines BUSINESS AND IT KEY GOAL INDICATORS WHAT ? WHAT ? TASK ENVIRONMENT • Ethics & Culture • Laws and Regulations • Mission & Vision • Role Models • Industry Practices • … MONITOR MONITOR WHY ? WHY ? CREATE CREATE PROTECT PROTECT EXECUTE EXECUTE KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP KEY PERFORMANCE INDICATORS COBIT PROCES FRAMEWORK CSF, CO and CP ALIGNMENT VALUE DELIVERY PERFORMANCE MEASUREMENT RISK MANAGEMENT IT RESOURCE MANAGEMENT MATURITY MODELS CONTROL OBJECTIVES CONTROL PRACTICES CSF IT BSC COBIT BENCHMARK MATURITY MODEL Audit guidelines BUSINESS AND IT KEY GOAL INDICATORS WHAT ? WHAT ?

How do the Frameworks Support & Guide the Business of IT C OBI T IT Wide CMMI ITIL Infrastructure / Operations Application Development IT Finance IT People Technology Architecture Customer Relationship ISO 17799 / NIST 800 Security & BCP/DRP

The Governance Program Office enables ITG Strategy

What is C OBI T
Developed in 1996 by the Information Systems Audit
and Control Association and IT Governance Institute as a standard for IT security and control practices.
Provides a reference framework for IT, security, auditing managers and users.
It helps companies deploy effective governance over systems
and networks.
C OBI T's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes.
These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.

Organizes IT into 4 primary domains
Divides these domains into 34 processes and provides a high level control objective for each
Focuses on fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of 318 detailed control objectives and supporting control practices
Effectiveness
Efficiency
Availability
Integrity
Confidentiality
Reliability
Compliance
Planning & Organization
Acquisition & Implementation
Delivery & Support
Monitoring
Key Aspects of the CobiT Framework

Key C OBI T Terminology Domains Processes Control Objectives CobiT Terms / Concepts Summary Description
Planning & Organization (PO) – Management Oversight, Governance, Policy, Strategy, Metrics, Risk Management, Investment, Quality
Acquisition & Implementation (AI) – Acquire, Development, Implementation, Manage, SDLC, PMM, Change Management
Delivery & Support (DS) – Change Management, Operations, Security
Monitoring (MO) – Compliance, Management Monitoring, Auditing
Drill down of key processes within each domain
Key IT processes akin to key business processes within a business cycle
Key Control Objectives or Control Statements that assist management in meeting business objectives and the risks to business information
Suggested control activities are identified by objective
Potential high-level audit steps are identified for activities
This is also referred to as Activities or Tasks – IT activities or tasks that make up the processes

Key C OBI T Terminology Where most organizations start What most compliance regulations require
CobiT Terms / Concepts Summary Description Business Requirements for Information
Quality: Effectiveness, Efficiency
Fiduciary: Compliance, Reliability of Information
Security: Confidentiality, Integrity, Availability
Critical Success Factors
Define most import issues and actions for management
Get processes under control
Key Goal Indicators
Measures that define after the fact success in achieving business requirements
Monitor achievement of IT process goals
Key Performance Indicators
Indicators defined how well IT processes are performing
Monitor performance within IT processes
Maturity Model
Maturity of processes (controls) – 0-5
0 = Non-existent
1 = Initial
2 = Repeatable
3 = Defined
4 = Managed
5 = Optimized

C OBI T with other Frameworks

What other organizations are saying
"C OBI T's real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities."
"It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this."
"C OBI T has proven to be an excellent tool for measuring and assessing our IT controls." Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels.
Source: NetworkWorldFusion “IT frameworks demystified”, 02/21/08

What other organizations are saying
“ ITIL is absolutely the best framework available for IT operation. There are no competitors.”
- Ben Worthen, CIO Magazine
“ We now have the ability to assess how we are performing at any point in time. We’ve identified where we had bottlenecks, and now the total number of problems is going down. And we have evidence to show people that we are improving.”
-Suresh Kumar, CIO, Pershing
“ ITIL is common sense. It’s what many successful organizations already do…ITIL forges a bond between IT, management and external customers…”
-Bruce Boardman, 2005
“ ITIL is like an elephant, you can eat the whole thing one bite at a time or in phases”
-Stephen Bajada, CIO, Magazine

IT Service Management & ITIL Defined
ITIL is the “de-facto industry best practice” for IT Service Management
Non-proprietary and based upon proven practitioner experiences
International user support (IT Service Management Forum - itSMF)
ITIL was developed by the UK Office of Government Commerce (OGC)
Developed in the late 1980s and continuously updated since
ISO 20000 – Formal, international standard for IT Service Management certification, based upon ITIL best practices (formerly BS 15000)
ITIL is a comprehensive and consistent set of industry “best practices” for IT Service Management organized in an integrated, process-based framework in order to add VALUE to customers

What is ITIL®?
ITIL®, I nformation T echnology I nfrastructure L ibrary is the most widely accepted approach to IT service management in the world
ITIL® is also supported by a comprehensive qualifications scheme, accredited training organizations, and implementations and assessment tools

What Is ITSM?
ITSM is an acronym for IT Service Management

Source: The Art of Service Quality Flexibility Cost Management How / What ? Why! ITIL Framework Service Management Objective Tree effective efficient organization effective efficient IT service provision

What are the Benefits of ITIL?
Reduced Costs
Improved IT Services through the use of Proven Best Practices
Customer Service Satisfaction
IT Value through Business, IT Operational, and Goal Alignment
Improved Productivity, Skills, and Experience
Improved delivery of third party services through the specification of ITIL®
Documented Common Sense

Where Does ITIL Fit? Focuses on Process (Not Technology)
You don't implement ITIL:
You use it to help create organizational change
ITIL doesn't offer guidance on how to actually apply the best practices it catalogs
each organization must design its own processes based on ITIL
To run IT like a business, you need to understand the key services that go into it
ITIL makes that work visible. It allows you to measure what is important, so you can emphasize the things that add value and take out the things that don't

ITIL v3 – The Service Lifecycle Source: ITIL Refresh Project Service Design Service ITIL Service Strategies Service Operation Service Design Continual Service Improvement Service Transition Complimentary Guidance Quick Wins Governance Methods Case Studies Value-added Products Templates Qualifications Study Aids

COBIT & ITIL: CSF’s Align!
Sustained executive and management support
Transformation must be institutionalized
Plan and drive organizational change
Don’t “boil the ocean” – utilize a prioritized and phased implementation approach
Listen, understand, communicate, communicate and communicate

Key Success Indicators
Customer Satisfaction
Process Maturity & Adoption
Performance Benchmarks
Quality Certifications
Compliance with Regulatory & Audit Requirements
Employee Development & Competence

Maturity Level Definitions
They provide a “short hand” method for describing key attributes of a control or a process
Maturity levels can be used to describe the attributes of our current controls or our current processes
They can also be used to describe the target level or attributes of our controls or processes
Controls maturity levels are different than an overall process maturity level definition
Controls maturity levels are different (but similar) than the current ITIL and CMMI maturity level definitions

Process MM: Gartner View Getronics Confidential Page Source: Gartner (November 2005)
IT Management Process Maturity Model
Based on 0.00 – 4.00 Best Practice Maturity Scale
CMMI uses a 5 point scale:
1: Initial
2: Repeatable
3: Defined
4: Managed
5: Optimized

Lessons Learned: Other Companies
COBIT
COBIT is a reference, a set of best practices, not an “out of the box” solution
Enterprises still to need to analyze its control requirements and customize based on:
Value drivers
Risk profile
IT infrastructure, organization
and project portfolio
Understand that Control Maturity (COBIT) and Process maturity (ITIL) is different.
Leverage other frameworks for security area (NIST, ISO 17799, etc)
ROI is still difficult to quantify
ITIL
ITIL is Guidance,not an “out of the box” solution
Enterprises still to need to analyze its process requirements and customize/make “fit for purpose” based on:
Value drivers
IT infrastructure, organization
Risk and Project Portfolio
Understand that process maturity (ITIL, CMMI, etc) and control maturity (COBIT) is different.
Leverage other frameworks for security area (NIST, ISO 17799, etc)
ROI is still difficult to quantify

C OBI T with other frameworks for SOX SOX Guidelines COBIT ITIL CMMi
IT Control Environment
Define a strategic IT plan
Define the IT Organization and Relationships
Communicate Management Aims and Direction
Ensure Compliance with External Requirements
Assess Risks
Monitoring
N/A N/A
Program Changes (Change Management)
Manage Projects
Manage Changes
Manage Quality
Change Management
Release Management
Requirements Management
Requirements Development
Project Planning
Process & Product Quality Assurance
Verification & Validation
Program Development (SDLC)
Manage Projects
Manage Quality
Install and Accredit Systems
Change Management
Release Management
Requirements Management
Requirements Development
Project Planning
Process & Product Quality Assurance
Verification & Validation
Computer Operations
Manage Problems and Incidents
Manage Operations
Manage Data
Incident Management
Problem Management
N/A
Access to programs and data (Security)
Ensure Systems Security
Manage Data
Manage Facilities
Manage Configuration
Configuration Management

C OBI T with other frameworks – Non SOX Objectives Other IT Process Areas COBIT ITIL CMMi
Asset Management
Manage Configuration
N/A
Quality Management
Manage Quality
Service Level Management
Process and Product Quality Assurance
DRP & BCP
Ensure Continuous Service
Continuity Management
Availability Management
N/A
Service Levels
Define and Manage Service Levels
Continuity Management
Capacity Management
N/A
Performance and Capacity Planning
Manage Performance and Capacity
Capacity Management
N/A
Help Desk and Customer Support
Educate and Train Users
Assist and Advise Customers
Service Desk
Organizational Training
Control IT Costs
Manage the Information Technology Investment
Manage Human Resources
Identify and Allocate Costs
IT Service Financial Management
Supplier Agreement Management
Others
Define the Information Architecture
Determine the Technological Direction
Identify Automated Solutions
Develop and Maintain Procedures
N/A
Technical Solution
Product Integration

C OBI T In Practice: An Example
DS 5 – Ensure Systems Security
DS5.1 Manage Security Measures
DS5.2 Identification, Authentication and Access
DS5.3 Security of Online Access to Data
DS5.4 User Account Management
DS5.5 Management Review of User Accounts
DS5.6 User Control of User Accounts
DS5.7 Security Surveillance
DS5.8 Data Classification
DS5.9 Central Identification and Access Rights Management
DS5.10 Violation and Security Activity Reports
DS5.11 Incident Handling

DS 5.5 Management Review of User Accounts
Control Objective
Management should have a control process in place to review and confirm access rights periodically.
Risk (why)
Without periodic review of user account access a user could have access to systems or data that he or she no longer needs or should not have access to.
Control Activities (who, what, when)
On a quarterly basis data owners review the Top Security Transaction Code Reports to verify that only authorized users can create, read, update and/or delete the information that they own.
Supporting Evidence
Confirmations are stored within a Lotus Notes database. Exceptions result in a help desk ticket being created.

ITIL Access Management: Guidance
Provides Guidance on IT Access Management Processes
Found in the Service Operations Phase of the ITIL V3 Lifecycle
Additional source for process guidance, benefits, etc.

C OBI T In Practice: An Example #2
AI 6 – Manage Change
AI6.1 Change Request Initiation and Control
AI6.2 Impact Assessment
AI6.3 Control of Changes
AI6.4 Emergency Changes
AI6.5 Documentation and Procedures
AI6.6 Authorized Maintenance
AI6.7 Software Release Policy
AI6.8 Distribution of Software

AI 6.3 Control of Changes
Control Objective
Requests for changes, application maintenance and supplier maintenance are standardized and are subject to formal change / release management procedures.
Risk (why)
Without a change management methodology, application changes could be implemented without proper testing or approval and could result in unscheduled downtime which disrupts business processes.
Control Activities (who, what, when)
A change management system is utilized to track all change requests. Change requests are entered by the change manager and reviewed by the change control board twice a week.
Before promotion to production, each change is tested using an appropriate testing strategy given the size and nature of the change. Testing may include end user testing when appropriate and the test results must be reviewed and approved by an appropriate manager.
Once changes have been reviewed, tested and accepted, the production environment is updated to include the accepted changes.
Supporting Evidence
Documentation is maintained within the change management system XYZ.

Change Management: Process Guidance
ITIL Provides guidance on how to implement Change Mangement in your IT Organization
Provides guidance on how to assess impact and risk
Found in the Service Transition Phase of the Lifecycle

Making Changes on an Organizational Level Workshop Exercise

Organizational Change – The Influence
Fact #1:
People will not align with ‘bad aims’ and are less inclined if the organization does not align with their belief systems
Most staff will simply nod and smile demurely as if in servile acceptance
And then nothing happens
The people can't be bothered
WHAT DO WE DO?
Re-assess and re-align your organization's aims, beliefs, integrity - all of it - with your people's
Then they might begin to be interested in helping with new skills and change, etc.

Organizational Change – The Influence
Fact #2:
People can't just drop everything and 'change', or learn new skills, just because you say so
Perception: Even if they want to change and learn new skills, they have a whole range of issues that keep them fully occupied
What they might be thinking…:
"So you want me to attend this training course, so you can earn more (etc, etc), and when I come back from two days away in some rotten hotel my personal pile of meaningless jobs will just have magically disappeared will it? And when I come to try to implement these new skills and make all these new things happen, everyone will be completely in step will they? Pull the other one.. Again, no can do.."

Organizational Change: The Influence
WHAT DO WE DO?
Consult with people!
Save yourself from incorrect Assumptions
Consulting with people does not mean that you hand over the organization to them - they wouldn't want the corporation if you paid them anyway
No, consulting with people gives you and them a chance to understand the implications and feasibility of what you think needs doing
Consulting with people, and helping them to see things from both sides generally throws up some very good ideas for doing things better than you could have dreamt of by yourself!
It helps you to see from both sides too!

Organizational Change: The Influence
Fact #3:
Organizations commonly say they don't have time to re-assess and re-align their aims and values, etc., or don't have time to consult with people properly, because the organization is on the edge of a crisis
Organizations get into crisis because they ignore facts one and two
In general, ignoring these facts again will only deepen the “crisis”

Organizational Change – the Influencers
What Do We Do?
Take Advantage of “Crisis”
Crisis is the best reason to re-align your aims and consult with people
Crisis is wake-up and change the organization and its purpose - not change the people
When an organization is in crisis, the people are almost always okay - it'll be the organizational purpose and aims that are not

Organizational Change – Summary
You cannot just “Tell” and “Command” Change within the organization
Look at Organizational Goals and Objectives
What does your organization actually seek to do?
Whom does your organization benefit?
And whom does it exploit?
Who are the winners, and who are the losers?
Does your organization have real integrity?
COMMUNICATE COMMUNICATE COMMUNICATE
Communicate does not equal Consensus – but it does foster trust and change!

More Information
www.isaca.org
www.itsmf.com
www.itgi.org
www.acend.com

Why is ITIL® training important?
Your company will improve business with ITIL® processes that you learn in the training
Working Together
Lowering Costs
Optimizing Performance
Ensuring Compliance
Improving IT Service Strategy, Design, Transition, Operation and Continual Service Improvement

Why is ITIL® training important?
ITIL® certification will allow you to understand the common language of ITIL®, understood by IT professionals worldwide, and will increase your standing within the IT community
ITIL® gives you an adaptive and flexible framework for managing IT services and encourages you to use common sense rather than follow a rigid set of rules

Certification Scheme

Course Offerings (Accredited Training Powered by Ahead-Technologies Courseware )
ITIL® Service Management (Foundations) – 2 Credits
Prerequisite: None
Duration: 2.5 ILT days
Attendance: Anyone working in IT
ITIL® Practitioner Series (5 courses available) – Total 12 Credits
Prerequisite: Foundation Certification in IT Service Management
Duration: 3 ILT days for each course
Attendance: Middle Managers & Team Leaders
Manager’s Certificate in IT Service Management – 17 Credits
Prerequisite: Foundation Certification in IT Service Management & approved criteria
Duration: 12 ILT days
Attendance: Those that are managing, implementing, & advising on ITIL® processes, through project or day-to-day management, who have 5 years experience with IT Service Management.

Why is COBIT® training important?
Your company will improve business and overall business to IT Alignment with IT Governance Objectives that you learn in the training
Working Together
Optimizing Performance
Ensuring appropriate controls and compliance
Benefit from completing the Internationally Recognized COBIT® Foundations Exam

CobiT And ITIL Breakfast Seminar

by Acend Corporate Learning on Mar 05, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 24

Statistics

CobiT And ITIL Breakfast Seminar — Presentation Transcript