IT frameworks ITIL, CMMi, Cobit, eSCM 23 06 2007 http://youssoufchotia.info [email_address] What you can do with this document ? http://creativecommons.org/licenses/by-nc/3.0/deed.fr

Needs Why are you here ? What are your needs ? Why will you be satisfied ?

Why are you here ?

What are your needs ?

Why will you be satisfied ?

IT as matured and start industrializing IT frameworks flourished but few is getting mainstreamed COBiT, ITIL, CMMi and eSCM actualy fit the best the CIO needs CobiT : IT gouvernance Cmmi : Software delivering ITIL : IT as service mgt eSCM : Because (out)sourcing issue is irreversible « quality » issues => new kind of jobs in IT

IT as matured and start industrializing

IT frameworks flourished but few is getting mainstreamed

COBiT, ITIL, CMMi and eSCM actualy fit the best the CIO needs

CobiT : IT gouvernance

Cmmi : Software delivering

ITIL : IT as service mgt

eSCM : Because (out)sourcing issue is irreversible

« quality » issues => new kind of jobs in IT

Agenda Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along under a leadership composed of average human beings. Peter Drucker 1 - Process mgt

No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along under a leadership composed of average human beings.

Peter Drucker

Between specialisation and adaptation Static environment Mass production => Real need to improve production process => Taylorism Company is divided in highly dedicated functions for specialised people Changing environment Change as a principle => permanently adapting objectives of the company Focus on a customer vision (internal or end-user) What is your entity/company delivering ?

Static environment

Mass production => Real need to improve production process => Taylorism

Company is divided in highly dedicated functions for specialised people

Changing environment

Change as a principle => permanently adapting objectives of the company

Focus on a customer vision (internal or end-user)

What is your entity/company delivering ?

Functions 5 main functions Research and development Production Marketing and sales Human ressources Financial mgt Corporate mgt is not enough to create a synergy between people with very different objectives

5 main functions

Research and development

Production

Marketing and sales

Human ressources

Financial mgt

Corporate mgt is not enough to create a synergy between people with very different objectives

Process examples Beyond the functions, what are the objectives ? External view : the customer What are the needs (explicit and implicit) ? What do we deliver ? Internal view : the organisation What is our added value ? Are we efficient in doing the product ? Process examples Neuf Telecom Devoteam

Beyond the functions, what are the objectives ?

External view : the customer

What are the needs (explicit and implicit) ?

What do we deliver ?

Internal view : the organisation

What is our added value ?

Are we efficient in doing the product ?

Process examples

Neuf Telecom

Devoteam

Process definitions Set of linked activities and controls done by humans or machines that creates value by transforming an input into a more valuable output

Set of linked activities and controls done by humans or machines that creates value by transforming an input into a more valuable output

Responsibilities Process mgt More interactions with different functions Defining everybody’s roles is even more important RACI R: Responsible -> Realise A: Accountable -> Approve C: Consulted I: Informed

Process mgt

More interactions with different functions

Defining everybody’s roles is even more important

RACI

R: Responsible -> Realise

A: Accountable -> Approve

C: Consulted

I: Informed

Objectives Specific Mesurable Acceptable Realisable With a Time objective Ex : We must improve our quality ! After the audit, we must lower the time of incident resolution by 30% in 3 monthes by affecting 2 people to this task S M A R T

Specific

Mesurable

Acceptable

Realisable

With a Time objective

Ex :

We must improve our quality !

After the audit, we must lower the time of incident resolution by 30% in 3 monthes by affecting 2 people to this task

Indicators You can’t improve what you can’t measure !

You can’t improve what you can’t measure !

How to deal with a process KGI Key goal indicator Indicators to measure the results of your process KPI Key performance indicator Indicators to measure interactions inside your process KPI KGI

2 - IT frameworks Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

History of IT organisations IT as a black box IT as a cost center IT as a profit center IT supporting business strategy IT driving innovation for the business

IT as a black box

IT as a cost center

IT as a profit center

IT supporting business strategy

IT driving innovation for the business

IT global trends IT needs industrialisation Reducing cost Improving security Reducing risks Becaming agile to support changing business strategy IT seen as a service IBM : 92 billion $ in 2006 : 40% by IBM global services ASP -> Application on demand -> SaaS Salesforce Service-now google mail : 50$ /user / year for 10Gb

IT needs industrialisation

Reducing cost

Improving security

Reducing risks

Becaming agile to support changing business strategy

IT seen as a service

IBM : 92 billion $ in 2006 : 40% by IBM global services

ASP -> Application on demand -> SaaS

Salesforce

Service-now

google mail : 50$ /user / year for 10Gb

Frameworks overview ISO27000 ISO14000 ISO20000 ISO9000 PRINCE2 PMP ABC ITIL COBiT eSCM Business IT CMMi Val IT Six sigma COPC-2000 IT scorecard Balance scorecard

The tetralogy IT tetralogy ITIL COBIT CMMi eSCM ITIL COBiT eSCM CMMi Wagner tetralogy The Rhinegold The Valkyrie Siegfried Twilight of the Gods

IT tetralogy

ITIL

COBIT

CMMi

eSCM

Wagner tetralogy

The Rhinegold

The Valkyrie

Siegfried

Twilight of the Gods

IT house Support process Solution CMMi Operation ITIL ISO20000 Governance COBiT PROJECT : PMI, Prince2 SOURCING : eSCM

Frameworks global trends Maturity approach Progressive steps to achieve the entire scope Deming’s « Plan Do Check Act » cycle Continual improvement Life cycle approach Adressing specific needs at different moments

Maturity approach

Progressive steps to achieve the entire scope

Deming’s « Plan Do Check Act » cycle

Continual improvement

Life cycle approach

Adressing specific needs at different moments

Maturity Level 1 : Initial (chaotic, ad hoc, heroic) the starting point for use of a new process. Level 2 : Repeatable (project management, process discipline) the process is used repeatedly Level 3 : Defined (institutionalized) the process is defined/confirmed as a standard business process. Level 4 : Managed (quantified) process management and measurement takes place. Level 5 : Optimised (process improvement) process management includes deliberate process optimization/improvement.

Level 1 : Initial (chaotic, ad hoc, heroic) the starting point for use of a new process.

Level 2 : Repeatable (project management, process discipline) the process is used repeatedly

Level 3 : Defined (institutionalized) the process is defined/confirmed as a standard business process.

Level 4 : Managed (quantified) process management and measurement takes place.

Level 5 : Optimised (process improvement) process management includes deliberate process optimization/improvement.

Frameworks overview : functions map Business IT Solution Operation COBiT ITIL CMMi eSCM

Frameworks overview : abstraction / diffusion All companies IT High abstraction COBiT ITIL CMMi eSCM Low abstraction Software company Big corporation

Frameworks history 1991 COBiT V1 1996 2002 2000 2005 2006 2007 2004 1994 COBiT V4 ITIL V1 ITIL V2 ITIL V3 CMM CMMi eSCM-CL eSCM-SP COBiT V3 ISO20000 CMMi 1.2

Defining a service 3 Technology SERVICE 1 Process 2 Organisation S P O T

3 - ITIL Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

2 - ITIL IT infrastructure library

IT infrastructure library

ITIL global map

Certification ITIL Certification Management Board OGC : Office of Government Commerce (UK) IT Service Management Forum EXIN (Netherlands) ISEB (UK ) Levels Foundation Certificate : the basics Practitioners Certificates : for a specific topic Managers Certificate

ITIL Certification Management Board

OGC : Office of Government Commerce (UK)

IT Service Management Forum

EXIN (Netherlands)

ISEB (UK )

Levels

Foundation Certificate : the basics

Practitioners Certificates : for a specific topic

Managers Certificate

Service support Concerning the accessibility of users to the appropriate services Service Desk Incident Management Problem Management Configuration Management Change Management Release Management

Concerning the accessibility of users to the appropriate services

Service Desk

Incident Management

Problem Management

Configuration Management

Change Management

Release Management

Service delivery Concerning proactive and forward-looking services for the business requirements Service Level Management Capacity Management IT Service Continuity Management Availability Management Financial Management

Concerning proactive and forward-looking services for the business requirements

Service Level Management

Capacity Management

IT Service Continuity Management

Availability Management

Financial Management

Mapping SS and SD

ITIL adoption Step1 : large and quick adoption Quickwins industrialisation Step2 : slow and focused adoption Maturity process assessment Justification and ROI to go beyond ITILV3

ITIL adoption : step 1 IT state Focused on itself : server, storage, network, … Silos centric , no process management ; No industrialized methods ITIL response Client centric Process oriented Industrialized methods Common language for the IT world

IT state

Focused on itself : server, storage, network, …

Silos centric , no process management ;

No industrialized methods

ITIL response

Client centric

Process oriented

Industrialized methods

Common language for the IT world

ITIL adoption : step 2 IT state Large adoption of service support process Starting maturity assement No more quick wins Why investing more on ITIL best practices ? ITIL V3 response Back to the ROI Alignement with business priorities and IT governance (COBIT)

IT state

Large adoption of service support process

Starting maturity assement

No more quick wins

Why investing more on ITIL best practices ?

ITIL V3 response

Back to the ROI

Alignement with business priorities and IT governance (COBIT)

ITIL V3 Service Strategies Service Design Service Transition Service Operation Continual Service Improvement 3 differences Strategies, life cycle and PDCA

Service Strategies

Service Design

Service Transition

Service Operation

Continual Service Improvement

3 differences

Strategies, life cycle and PDCA

ITIL V3 – 30/05/07

What’s new Security mgt more detailed (cf ISO27000 ) CLOSELY LINKED Access and security mgt Release and deploy mgt Service asset and configuration mgt Risk and testing mgt Request management Supplier and contrat mgt (cf eSCM) Knowledge mgt system Service catalogue mgt out of service level mgt …

Security mgt more detailed (cf ISO27000 )

CLOSELY LINKED

Access and security mgt

Release and deploy mgt

Service asset and configuration mgt

Risk and testing mgt

Request management

Supplier and contrat mgt (cf eSCM)

Knowledge mgt system

Service catalogue mgt out of service level mgt

…

4 - COBit Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

Definition Control Objectives for Information and related Technology IT governance IT audit Information System Audit & Control Association ( ISACA ) 1996 4 domains 34 high level objectives 318 control objectives categorized

Control Objectives for Information and related Technology

IT governance

IT audit

Information System Audit & Control Association ( ISACA ) 1996

4 domains

34 high level objectives

318 control objectives categorized

IT governance What the company wants Effectiveness Confidentiality Availability Efficiency Reliability Integrity Compliance What CIO can action People Information Applications Infrastructure Control between business needs and IT operations

What the company wants

Effectiveness

Confidentiality

Availability

Efficiency

Reliability

Integrity

Compliance

What CIO can action

People

Information

Applications

Infrastructure

Link the business to IT

Plan and Organize PO1 Define a Strategic IT Plan and direction PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organization and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality PO9 Assess and Manage IT Risks PO10 Manage Projects PO11 Manage Quality

PO1 Define a Strategic IT Plan and direction

PO2 Define the Information Architecture

PO3 Determine Technological Direction

PO4 Define the IT Processes, Organization and Relationships

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage IT Human Resources

PO8 Manage Quality

PO9 Assess and Manage IT Risks

PO10 Manage Projects

PO11 Manage Quality

Acquire and Implement AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Infrastructure AI4 Enable Operation and Use AI5 Procure IT Resources AI6 Manage Changes AI7 Install and Accredit Solutions and Changes

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Enable Operation and Use

AI5 Procure IT Resources

AI6 Manage Changes

AI7 Install and Accredit Solutions and Changes

Deliver and Support DS1 Define and Manage Service Levels DS2 Manage Third-party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration DS10 Manage Problems DS11 Manage Data DS12 Manage the Physical Environment DS13 Manage Operations

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

Monitor and Evaluate ME1 Monitor and Evaluate IT Processes ME2 Monitor and Evaluate Internal Control ME3 Ensure Regulatory Compliance ME4 Provide IT Governance

ME1 Monitor and Evaluate IT Processes

ME2 Monitor and Evaluate Internal Control

ME3 Ensure Regulatory Compliance

ME4 Provide IT Governance

IT audit Process audit using CobiT Understand how a process contributes to the business needs Assess effectiveness of the controls Test if controls are done consistently Assess the risk if objectives are not met

Process audit using CobiT

Understand how a process contributes to the business needs

Assess effectiveness of the controls

Test if controls are done consistently

Assess the risk if objectives are not met

CobiT quickstart Simple self assessment tool for small companies Basics controls 34 -> 32 process 318 -> 62 activities / detailed controls

Simple self assessment tool for small companies

Basics controls

34 -> 32 process

318 -> 62 activities / detailed controls

5 - CMMi Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

Definition Capability maturity model integrated Funded by the US Air Force Objective = evaluation of software subcontractors. Study at the Carnegie-Mellon Software Engineering Institute Model for managing software process published in 1989

Capability maturity model integrated

Funded by the US Air Force

Objective = evaluation of software subcontractors.

Study at the Carnegie-Mellon Software Engineering Institute

Model for managing software process published in 1989

Process area and capability levels

Process area

Goals for each of 22 process Generic goals and practices are a part of every process area. L2 Institutionalise a Managed Process GP 2.1 Establish an Organizational Policy GP 2.2 Plan the Process GP 2.3 Provide Resources GP 2.4 Assign Responsibility GP 2.5 Train People GP 2.6 Manage Configurations GP 2.7 Identify and Involve Relevant Stakeholders GP 2.8 Monitor and Control the Process GP 2.9 Objectively Evaluate Adherence GP 2.10 Review Status with Higher Level Management

Generic goals and practices are a part of every process area.

L2 Institutionalise a Managed Process

GP 2.1 Establish an Organizational Policy

GP 2.2 Plan the Process

GP 2.3 Provide Resources

GP 2.4 Assign Responsibility

GP 2.5 Train People

GP 2.6 Manage Configurations

GP 2.7 Identify and Involve Relevant Stakeholders

GP 2.8 Monitor and Control the Process

GP 2.9 Objectively Evaluate Adherence

GP 2.10 Review Status with Higher Level Management

Configuration Management (CM) CM : establish and maintain the integrity of work products using configuration identification, configuration control, configuration status accounting, and configuration audits. SG 1 Establish Baselines SP 1.1 Identify Configuration Items SP 1.2 Establish a Configuration Management System SP 1.3 Create or Release Baselines SG 2 Track and Control Changes SP 2.1 Track Change Requests SP 2.2 Control Configuration Items SG 3 Establish Integrity SP 3.1 Establish Configuration Management Records SP 3.2 Perform Configuration Audits

CM : establish and maintain the integrity of work products using configuration identification, configuration control, configuration status accounting, and configuration audits.

SG 1 Establish Baselines

SP 1.1 Identify Configuration Items

SP 1.2 Establish a Configuration Management System

SP 1.3 Create or Release Baselines

SG 2 Track and Control Changes

SP 2.1 Track Change Requests

SP 2.2 Control Configuration Items

SG 3 Establish Integrity

SP 3.1 Establish Configuration Management Records

SP 3.2 Perform Configuration Audits

Measurement and Analysis (MA) L2 Develop and sustain a measurement capability that is used to support management information needs. SG 1 Align Measurement and Analysis Activities SP 1.1 Establish Measurement Objectives SP 1.2 Specify Measures SP 1.3 Specify Data Collection and Storage Procedures SP 1.4 Specify Analysis Procedures SG 2 Provide Measurement Results SP 2.1 Collect Measurement Data SP 2.2 Analyze Measurement Data SP 2.3 Store Data and Results SP 2.4 Communicate Results

Develop and sustain a measurement capability that is used to support management information needs.

SG 1 Align Measurement and Analysis Activities

SP 1.1 Establish Measurement Objectives

SP 1.2 Specify Measures

SP 1.3 Specify Data Collection and Storage Procedures

SP 1.4 Specify Analysis Procedures

SG 2 Provide Measurement Results

SP 2.1 Collect Measurement Data

SP 2.2 Analyze Measurement Data

SP 2.3 Store Data and Results

SP 2.4 Communicate Results

Process and Product Quality Assurance L2 Provide staff and management with objective insight into processes and associated work products. SG 1 Objectively Evaluate Processes and Work Products SP 1.1 Objectively Evaluate Processes SP 1.2 Objectively Evaluate Work Products and Services SG 2 Provide Objective Insight SP 2.1 Communicate and Ensure Resolution of Noncompliance Issues SP 2.2 Establish Records

Provide staff and management with objective insight into processes and associated work products.

SG 1 Objectively Evaluate Processes and Work Products

SP 1.1 Objectively Evaluate Processes

SP 1.2 Objectively Evaluate Work Products and Services

SG 2 Provide Objective Insight

SP 2.1 Communicate and Ensure Resolution of Noncompliance Issues

SP 2.2 Establish Records

Project Planning (PP) L2 Establish and maintain plans that define project activities. SG 1 Establish Estimates SP 1.1 Estimate the Scope of the Project SP 1.2 Establish Estimates of Work Product and Task Attributes SP 1.3 Define Project Life Cycle SP 1.4 Determine Estimates of Effort and Cost SG 2 Develop a Project Plan SP 2.1 Establish the Budget and Schedule SP 2.2 Identify Project Risks SP 2.3 Plan for Data Management SP 2.4 Plan for Project Resources SP 2.5 Plan for Needed Knowledge and Skills SP 2.6 Plan Stakeholder Involvement SP 2.7 Establish the Project Plan SG 3 Obtain Commitment to the Plan SP 3.1 Review Plans that Affect the Project SP 3.2 Reconcile Work and Resource Levels SP 3.3 Obtain Plan Commitment

Establish and maintain plans that define project activities.

SG 1 Establish Estimates

SP 1.1 Estimate the Scope of the Project

SP 1.2 Establish Estimates of Work Product and Task Attributes

SP 1.3 Define Project Life Cycle

SP 1.4 Determine Estimates of Effort and Cost

SG 2 Develop a Project Plan

SP 2.1 Establish the Budget and Schedule

SP 2.2 Identify Project Risks

SP 2.3 Plan for Data Management

SP 2.4 Plan for Project Resources

SP 2.5 Plan for Needed Knowledge and Skills

SP 2.6 Plan Stakeholder Involvement

SP 2.7 Establish the Project Plan

SG 3 Obtain Commitment to the Plan

SP 3.1 Review Plans that Affect the Project

SP 3.2 Reconcile Work and Resource Levels

SP 3.3 Obtain Plan Commitment

Pros of CMMi L2 / L3 Creation of Software Specifications, stating what is going to be developed, combined with formal sign off, an executive sponsor and approval mechanism. This is NOT a living document, but additions are placed in a deferred or out of scope section for later incorporation into the next cycle of software development. A Technical Specification, stating how precisely the thing specified in the Software Specifications is to be developed will be used. This is a living document.

Creation of Software Specifications,

stating what is going to be developed, combined with formal sign off, an executive sponsor and approval mechanism. This is NOT a living document, but additions are placed in a deferred or out of scope section for later incorporation into the next cycle of software development.

A Technical Specification,

stating how precisely the thing specified in the Software Specifications is to be developed will be used. This is a living document.

Pros of CMMi L2 / L3 Peer Review of Code (Code Review) with metrics that allow developers to walk through an implementation, and to suggest improvements or changes. Note - This is problematic because the code has already been developed and a bad design can not be fixed by "tweaking", the Code Review gives complete code a formal approval mechanism. Version Control a very large number of organizations have no formal revision control mechanism or release mechanism in place. The idea that there is a "right way" to build software, that it is a scientific process involving engineering design and that groups of developers are not there to simply work on the problem

Peer Review of Code (Code Review)

with metrics that allow developers to walk through an implementation, and to suggest improvements or changes. Note - This is problematic because the code has already been developed and a bad design can not be fixed by "tweaking", the Code Review gives complete code a formal approval mechanism.

Version Control

a very large number of organizations have no formal revision control mechanism or release mechanism in place.

The idea that there is a "right way" to build software,

that it is a scientific process involving engineering design and that groups of developers are not there to simply work on the problem

Dangers Relying only on process with a top down vision Low creativity Low motivation Only procedures Lack of responsibilities

Relying only on process with a top down vision

Low creativity

Low motivation

Only procedures

Lack of responsibilities

CMMi facts 3 years to go from level 1 to level 3 L2 assessemnt of projects (same method) change of customer requirements Mgt Assessing all the consequences in the planning Indicators of produictivity, bugs, spec, … L3 assessement of all the entity

3 years to go from level 1 to level 3

L2 assessemnt of projects (same method)

change of customer requirements Mgt

Assessing all the consequences in the planning

Indicators of produictivity, bugs, spec, …

L3 assessement of all the entity

CMMi certified French IT provider (10 to 20) Atos, CapGemini, Steria, Unilog, SQLI CMMi 3 or 4 100 indian companies at CMMi 5

French IT provider (10 to 20)

Atos, CapGemini, Steria, Unilog, SQLI CMMi 3 or 4

100 indian companies at CMMi 5

6 - eSCM Process mgt IT frameworks ITIL COBiT CMMi eSCM

Process mgt

IT frameworks

ITIL

COBiT

CMMi

eSCM

Definition e Sourcing Capability Model eSCM SP : Service Provider Can our provider outsource reach my expectations and add value to my contract ? eSCM SC : Service Client Do I have the maturity to outsource ?

e Sourcing Capability Model

eSCM SP : Service Provider

Can our provider outsource reach my expectations and add value to my contract ?

eSCM SC : Service Client

Do I have the maturity to outsource ?

Why eSCM ? We can’t manage an outsourcing contrat only with contractual indicators … Not enough transparency !

eSCM model overview 3 dimensions to deal with Differents skills to assess at each step Different steps of the contract Initialisation, Operation, Ending Diffrent level of maturity 1 to 5

3 dimensions to deal with

Differents skills to assess at each step

Different steps of the contract

Initialisation, Operation, Ending

Diffrent level of maturity

1 to 5

Domains Generic skills Knowledge mgt HR mgt Performance mgt Relations mgt Technology mgt Risks mgt Specific skills Contract mgt Service design Service mgt Reversibility

Generic skills

Knowledge mgt

HR mgt

Performance mgt

Relations mgt

Technology mgt

Risks mgt

Specific skills

Contract mgt

Service design

Service mgt

Reversibility

CONCLUSION

From

To

 Questions ? Thank you