6. Three Categories of Control Frameworks
according to the study of Nicho (Nicho, 2008)
• Business Oriented Controls:
– COSO (Committee of Sponsoring Organisations)
– SAS (Statement of Auditing Standards)
• IT Focused Controls:
– ITIL (The IT Infrastructure Library)
– ISO/IEC 17799:2000 ‘family’ (ISO 27001:2005,
ISO 27002:2005)
• Business-IT Alignment focused Controls:
– COBIT
7. ITIL: Foundation for Quality IT Service Management
• ITIL gives comprehensive best practices on how to plan, design,
and implement effective service management capabilities, and
describes the approaches, functions, roles and processes upon
which organisations may base their own practices.
• The Processes of Service Support are:
– Incident management
– Problem management
– Configuration management
– Change management
– Release management
8. • The key practices of Service Delivery are:
– Service Level management
– Financial management for IT services
– Capacity management
– IT Service continuity management
– Availability management
• In its third version, ITIL attempts to move from a process-
based framework to a more comprehensive structure
reflecting the life-cycle of IT services with complete
operational phases, namely design, transition and
operation; it also stresses the importance of IT strategy and
continual service improvement (Zhang, 2013).
9. COBIT
• Initially created by the Information Systems Audit and Control
Foundation (ISACF) in 1996 as part of the Committee of
Sponsoring Organisations of the Treadway Commission
(COSO) evaluation framework.
• COBIT 4.1 has 34 high-level processes that cover 222
control objectives categorised in four domains:
– Plan and Organise (PO)
– Acquire and Implement (AI)
– Deliver and Support (DS)
– Monitor and Evaluate (ME)
• Aims to bridge the gap between business control models
and IT control models.
12. Common COBIT Tools
• Performance Goals and Metrics: enabling IT
performance to be measured.
• Maturity Model: assisting in benchmarking and
decision-making for process improvements.
• RACI Chart: identifying who is Responsible,
Accountable, Consulted, or Informed for a specific IT
process.
13. Focuses of COBIT
• COBIT contributes to enterprise needs by
ensuring that:
– IT is aligned with the business.
– IT enables the business and maximizes its
benefits.
– IT resources are used responsibly.
– IT risks are managed appropriately.
14. Relations between COBIT, ITIL and
ISO 27000
• COBIT is a high-level reference framework in which
information security governance is well positioned.
COBIT focuses on what should be done as an IT
governance and control framework.
• ISO 17799 is a lower-level guideline for detailed
information security issues.
• ITIL is not as comprehensive as COBIT in terms of IT
governance; however, it gives detailed guidance on
how things should be done.
15. ITIL and COBIT
• ITIL is complementary to COBIT. The high-level control
objectives of COBIT can be implemented through the use of
ITIL. COBIT's control objectives tell what to do and ITIL
explains how to do it, i.e., which best-practice
processes realise these objectives.
21. COBIT
• COBIT offers a maturity model for IT governance, consisting of five
maturity levels:
– Ad Hoc: There are no standardised processes. Ad hoc approaches
are applied on a case-by-case basis.
– Repeatable: Management is aware of the issues. Performance
indicators are being developed; basic measurements have been
identified, as have assessment methods and techniques.
– Defined: The need to act is understood and accepted. Procedures
have been standardised, documented, and implemented. BSC
(Balanced Scorecard) ideas are being adopted by the organisation.
– Managed: Full understanding of issues at all levels has been
reached. Process excellence is built on a formal training curriculum.
IT is fully aligned with the business strategy.
– Optimised: Continuous improvement is the defining characteristic.
Processes have been refined to the level of external best practices
based on the results of continuous improvement with other
organisations.
22. IT Service Delivery and Support: ITIL
(IT Infrastructure Library)
• ITIL comprises a series of documents giving guidance on the
provision of good IT services, and on the facilities needed to support
IT.
• ITIL has a process-oriented approach to service management. It
provides codes of practice that help organisations to establish
quality management of their IT services and infrastructure.
• The core of ITIL consists of two broad groups of processes:
– Service Delivery, comprising service-level management,
availability management, financial management for IT services,
IT service continuity management, and capacity management;
– Service Support, covering problem management, incident
management, service desk, change management, release
management, and configuration management.
25. Capability Maturity Model (CMM and
CMMI)
• CMMI maturity models have 5 maturity levels (CMMI
Product Team, 2002):
– Initial (process is ad hoc and chaotic)
– Managed
– Defined
– Quantitatively Managed
– Optimising
26. Conclusions
• First, we position enterprise architecture relative
to a number of well-known standards and best
practices in general and IT management.
• Second, we outline the most important
frameworks and methods for enterprise
architecture currently in use, and describe a
number of relevant languages for modelling
organisations, business processes, applications,
and technology.
27. References
• Lankhorst, Marc: Enterprise Architecture at Work: Modelling,
Communication and Analysis
• Bernard, Scott A.: An Introduction to Enterprise Architecture,
Third Edition, AuthorHouse