Using cobit to integrate build and run

Lucid IT Presentation:- www.lucidit.com.au

Governing BUILD and RUN with COBIT

  1. Governing BUILD and RUN 11/17/2010. Harold Petersen, NUS ISS & Lucid IT Pte Ltd. Governing BUILD and RUN, 12 November 2010. www.iss.nus.edu.sg www.lucidit.com.sg
  2. OUR MISSION: Develop Infocomm Leaders, drive Innovation. OUR VISION: Provide Thought-Leadership in Innovation. ©2009 NUS. All Rights Reserved.
     COBIT in Action. Harold Petersen, Director, Lucid IT, November 2010. h.petersen@lucidit.com.sg www.lucidit.com.sg www.iss.nus.edu.sg
  3. Agenda
       • IT Governance
       • RUN, BUILD
       • Integrating governance of RUN and BUILD
       • Case studies: good, bad, ugly
       • Conclusion: Now let's get real
  4. IT Governance
     IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
     IT Governance specifies the decision rights and creates an accountability framework that encourages desirable use of IT - Weill and Ross (IT Governance, 2004)
     Control Framework
       • Corporate Objectives
       • Setting the "tone at the top"
       • Legislation, etc. (e.g. SOX, Privacy, Fin. Mgt)
       • Enterprise Governance Framework (e.g. COSO, AS8000)
       • IT Governance Framework (e.g. COBIT, ISO/IEC 38500)
       • IT Best Practice Frameworks (e.g. ITIL, CMMi, P3O, PRINCE2, ISO27002)
       • The Organisation's Management System
  5. Value…. '…the enterprise's IT sustains and extends the organisation's strategies and objectives…'
       • So what comprises 'good' IT?
       • And how to achieve and enforce it?
     ISO 38500: 'Extend', 'Sustain', 'Build the IT services', 'Run the IT services'
  6. Governance: the old-fashioned way
     [Diagram label: CobiT]
  7. CobiT
     Control Objectives for Information and related Technology (CobiT) provides an IT governance and control framework to ensure alignment of IT to organisational objectives
       • Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)
       • Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
       • Deliver and Support (DS): Receives the solutions and makes them usable for end users
       • Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed
     The CobiT v4 framework (Adapted from: IT Governance Institute)
     BUSINESS OBJECTIVES, GOVERNANCE OBJECTIVES
     INFORMATION: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
     IT RESOURCES: Applications, Information, Infrastructure, People
     Domains and Processes:
       • PO1 Define a strategic IT plan.
       • PO2 Define the information architecture.
       • PO3 Determine technological direction.
       • PO4 Define the IT processes, organisation and relationships.
       • PO5 Manage the IT investment.
       • PO6 Communicate management aims and direction.
       • PO7 Manage IT human resources.
       • PO8 Manage quality.
       • PO9 Assess and manage IT risks.
       • PO10 Manage projects.
       • AI1 Identify automated solutions.
       • AI2 Acquire and maintain application software.
       • AI3 Acquire and maintain technology infrastructure.
       • AI4 Enable operation and use.
       • AI5 Procure IT resources.
       • AI6 Manage changes.
       • AI7 Install and accredit solutions and changes.
       • DS1 Define and manage service levels.
       • DS2 Manage third-party services.
       • DS3 Manage performance and capacity.
       • DS4 Ensure continuous service.
       • DS5 Ensure systems security.
       • DS6 Identify and allocate costs.
       • DS7 Educate and train users.
       • DS8 Manage service desk and incidents.
       • DS9 Manage the configuration.
       • DS10 Manage problems.
       • DS11 Manage data.
       • DS12 Manage the physical environment.
       • DS13 Manage operations.
       • ME1 Monitor and evaluate IT performance.
       • ME2 Monitor and evaluate internal control.
       • ME3 Ensure regulatory compliance.
       • ME4 Provide IT governance.
  8. Agenda
       • IT Governance
       • RUN, BUILD
       • Integrating governance of RUN and BUILD
       • Case studies: good, bad, ugly
       • Conclusion: Now let's get real
     PLAN, (part of) BUILD, RUN and IMPROVE: The ITIL Service Lifecycle
  9. [Diagram labels: COSO, CobiT, ITIL]
     Detailed CobiT - ITIL Mapping 1/2 (CobiT Process - ITIL Lifecycle and/or Process)
     PLAN AND ORGANISE
       • PO1 Define a Strategic Plan - Service Strategy
       • PO2 Define the Information Architecture - Service Design
       • PO3 Determine Technological Direction - Service Strategy
       • PO4 Define the IT Processes, Org & relation's - All lifecycle phases
       • PO5 Manage the IT Investment - Service Portfolio Management
       • PO9 Assess and manage IT risks - IT Service Continuity Management
     ACQUIRE AND IMPLEMENT
       • AI4 Enable Operation and Use - Release Management
       • AI5 Procure IT Resources - Supplier Management
       • AI6 Manage Changes - Change Management
       • AI7 Install and Accredit Solutions and Changes - Change and Release Management
  10. Detailed CobiT - ITIL Mapping (CobiT Process - ITIL Process)
      DELIVER AND SUPPORT
        • DS1 Define and Manage Service Levels - Service Level Management
        • DS2 Manage Third-party Services - Supplier Management
        • DS3 Manage Performance and Capacity - Capacity and Availability Management
        • DS4 Ensure Continuous Service - IT Service Continuity and Availability Management
        • DS6 Identify and Allocate Costs - Financial Management of IT Service
        • DS7 Educate & Train Users - Continual Service Improvement, Service Desk
        • DS8 Manage Service Desk and Incidents - Service Desk and Incident Management
        • DS9 Manage the Configuration - Configuration Management
        • DS10 Manage Problems - Problem Management
        • DS13 Manage Operations - Service Operations
      MONITOR AND EVALUATE
        • ME1 Monitor & evaluate - Continual Service Improvement
      PLAN & BUILD: P3O
        • P3: Portfolio Management, Programme Management, Project Management
        • O: Office
      P3O® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. The P3O Swirl logo® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. This is a Value Added product which is outside the scope of HMSO Core Licence. Sections of the P3O® Reference Manual have been reproduced under licence from OGC. © Lucid IT Pty Ltd, 2010 - All rights reserved
  11. Example portfolio (SPMI Regional Symposium 2010)
      Example Prioritisation
      [Chart: Project Prioritisation Matrix. Axes: Alignment with Strategy against Complexity. Regions: "Low Hanging Fruit", "Hard-earned Value", "Join the Queue", "Dogs", "No Go zone".]
      Size of 'bubble' in this model indicates the size of the Investment. This could be tailored to NPV, IRR, etc.
  12. Example: ITIL/ITSM Implementation Programme
      [Diagram, plotted against Time. Labels: Programme Management; Structural Alignment; Organisational/Cultural Change; Strategy; Design; Transition; Operations; Event Management; Problem Management; SD/Incident Management; Request Fulfillment; Release and Deployment Management; Change Management; Service Asset and Configuration Management; Knowledge Management; Service Catalogue Management; Service Level Management; Availability Management; Capacity Management; Tools Implementation & Alignment.]
      PRINCE2
        • Introduction
        • Principles
        • Themes
        • Processes
        • Tailoring
        • Appendices
        • Glossary
        • Index
      © Crown copyright 2009. Reproduced under licence from OGC
  13. The PRINCE2 Journey
      [Diagram. Stages: Pre-project, Initiation stage, Subsequent delivery stage(s), Final delivery stage. Levels: Directing (Mandate, Directing a Project), Managing (SU, IP, SB, CP, Controlling a Stage), Delivering (Managing Product Delivery).]
      Key: SU = Starting up a Project, IP = Initiating a Project, SB = Managing a Stage Boundary, CP = Closing a Project
      Based on OGC PRINCE2® material. Reproduced under licence from OGC
      CobiT and PRINCE2: High Level Mapping of Prince2 with CobiT (COBIT 4.0 Processes and Domains, processes 1 to 13)
        • Plan and Organise (1 to 10): - - - + + - - + + +
        • Acquire and Implement (1 to 7): + + - - - - -
        • Deliver and Support (1 to 13): - - - - - - - - - - - - -
        • Monitor and Evaluate (1 to 4): + - - -
      Index: (+) Frequently addresses, (-) Not or rarely addressed, ( ) A COBIT IT process does not exist
  14. Example High Level P3O Model
      [Diagram: Organisation Portfolio Office (permanent); Centre of Excellence (Standards, Skills/training, Assurance, Knowledge Mgmt); two Hub Portfolio / Programme Offices (permanent); Programme Office (temporary); Project Office (temporary).]
      © Crown copyright 2008. Reproduced under licence from OGC
      [Diagram labels: BSC, CobiT, ITIL, COSO, MSP, Prince2, PMO, pmBOK]
  15. Agenda
        • IT Governance
        • RUN, BUILD
        • Integrating governance of RUN and BUILD
        • Case studies: good, bad, ugly
        • Conclusion: Now let's get real
      Methodology Map
        • Customers: "Plan" IT Services, "Build" IT Services, "Operate" IT Services
        • ISO38500 (Framework of Principles, Guiding Principles): Evaluate, Direct, Monitor
        • COBIT ("WHAT"): Plan and Organise, Acquire And Implement, Deliver And Support, Monitor and Evaluate
        • ITIL ("HOW"): Service Strategy, Service Design, Service Transition, Service Operation, Continuous Service Improvement
        • Specific Best Practices ("DETAILED HOW"): Val IT, BSC, PMBoK, ISO27001, TOGAF, PRINCE2, ISO20000, MSP, SDLC, SAM, P3O, SPICE ISO15504
  16. Integration Dashboard
      PRINCE2 PMBOK COSO 17799 Mappings CMM ITIL ISO COBIT Process PO1 + + - - - + Summary PO2 PO3 - - + + + + - - - - - + PO4 + + + + - + PO5 - + - + - + PO6 + - + - - + PO7 + - + - - - PO8 + - - + - + PO9 + + + + + + PO10 - - - + + + AI1 - - + + - + AI2 + - + + + + AI3 + - + - - + AI4 + + - - - + AI5 + + - - + - AI6 + + + - - + AI7 + + + - + + DS1 + + - - - - DS2 + + + - - + DS3 - + - - - - DS4 - + + - - - DS5 + + + - - - DS6 - + - - - + DS7 + + - - - + DS8 + + + - - - DS9 + + + - - + DS10 + + - - - + DS11 + - + - - + DS12 + - + - - - DS13 + + + - - - ME1 + + - + + + ME2 + - + - - - ME3 + - + - - - ME4 + - - - - +
  17. Agenda
        • IT Governance
        • RUN, BUILD
        • Integrating governance of RUN and BUILD
        • Case studies: good, bad, ugly
        • Conclusion: Now let's get real
      ITIL and IT Service Management - Dimensions to consider when implementing it -
      Effective implementation of IT Service Management involves a combination of:
        • Organisational Alignment
        • Effective IT Leadership & Governance
        • People (skills, motivation, training, culture)
        • Processes – ITIL and PMO best practices
        • Technology (Applications, infrastructure, tools)
        • Quality framework for continuous improvement
  18. Case 1 (Good): Holistic Implementation framework
      [Diagram labels: Governance, Plan, Vision, Drivers, Business Objectives, Business Case, Assessment, (Roadmap), Go/No Go, Build, Process Design, Implementation, Transition, Implement, Go Live Planning, Maturity Assessment, Maturity Target, Communication and Training, Optimise, Maintain, Service Improvement]
      [Chart: CobiT processes on a 0.0 to 5.0 scale, grouped by CobiT Domain: PLAN AND ORGANISE (PO1 to PO10), ACQUIRE AND IMPLEMENT (AI1 to AI7), DELIVER AND SUPPORT (DS1 to DS13), MONITOR AND EVALUATE (ME1 to ME4)]
  19. Real improvement: an 'alive' process
      From a change mgt tool workflow like this:
      [Swimlane diagram of an RFC workflow]
        • Change Originator: Report Intention, Submit RFC form, Close
        • Stakeholders (Operations, Applications, Security, SLA): Stakeholder Review & Sign off RFC form
        • Change Manager: Approve RFC (Minor), Authorise & schedule Implementation, Review & accept closure
        • CAB: Approve RFC (Major & Significant), Authorise & schedule Implementation, Review & accept Closure
        • Change Builders & Implementers: Build & Test Change, Implement Change
        • Stakeholders (Operations, Applications, Security, SLA): Stakeholder Review & Sign off
  20. To something like: [image]
      Example KPIs: costs/benefits. Costs SGDccc
  21. [Chart: Post Implementation Maturity. CobiT processes on a 0.0 to 5.0 scale, grouped as PLAN AND ORGANISE (PO1 to PO10), ACQUIRE AND IMPLEMENT (AI1 to AI7), DELIVER AND SUPPORT (DS1 to DS13), MONITOR AND EVALUATE (ME1 to ME4). Legend: Importance Low, Medium, High.]
      The 'journey'
      [Chart: Stages of Acceptance, Mood/Energy against Time: Denial, Anger, Negotiation, Acceptance of the Inevitable, Exploration of Possibilities, Integration. Source: Kubler-Ross]
  22. Case 2 (Bad): A vision, but no sense of reality
        • Current state assessment: alarming current state!
        • Months of business case development for a large ITIL programme (zero subsequent BC progress control)
        • Decision to develop their own tool
        • Managers, back-office staff and consultants prepare ITIL processes, but no involvement of the ones who are supposed to execute them
        • Once business case approved, management focuses on other things, programme abandoned
      Impact: Huge cost, Zero results, Resentment
      Conclusion: Lack of true senior management steering & commitment beyond initial initiative, No understanding of the people aspects
      © GamingWorks. Reproduced with kind permission of GamingWorks
  23. Case 3 (Ugly): Academic processes & tools
        • Academic ITIL 'champions', not seasoned implementers that understand organisational change
        • Academic current state assessment, full of 'motherhood statements'
        • Very detailed process documents that no-one reads
        • Trying to automate each and every step in a tool workflow and over focus on all tool bells and whistles
      Impact: People 'get lost' in the tool, No understanding of processes, Resentment, People pretend to comply, KPI reports irrelevant and a waste of time
      Conclusion: Academic approach, Focus on 'cheap' solution, hiring certified people who however do not have the management and organisational change skills, tool vendor staff just follow academic functional specifications and build the solution, senior management doesn't realise what they would need to control and improve
      © GamingWorks. Reproduced with kind permission of GamingWorks
  24. Tool workflow design for Change Management
      This cover to be removed in presentation mode, but not Included in handouts as it potentially contains confidential info
      © GamingWorks. Reproduced with kind permission of GamingWorks
  25. Case 4: P3O assessment. Will they have the Will?
      P3M3® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. The P3M3 Swirl logo® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. This is a Value Added product which is outside the scope of HMSO Core Licence. Sections of the P3O® Reference Manual have been reproduced under licence from OGC. © Lucid IT Pty Ltd, 2010 - All rights reserved
      Some quotes:
        • "Some really good Project Managers"
        • "We tried portfolio prioritisation and tossed it"
        • "Poor planning is at the core of the issues"
        • "I exceeded budget: no questions were asked"
        • "There's a difference between what we thought we were buying and what we actually got"
        • "Real issues are usually not put on the table until late"
        • "Operations are under the hammer"
        • "There is no reliable data to feed portfolio controls"
        • "Projects appear on our doorstep"
        • "The PMO is important to us"
        • "Reluctance to manage expectations and to challenge the boss"
        • "Over ambitious or under resourced"
  26. PMO mapping onto P3O model
      [Diagram: the P3O model (Organisation Portfolio Office (permanent); Centre of Excellence with Standards, Skills/training, Assurance, Knowledge Mgmt; Hub Portfolio / Programme Offices (permanent); Programme Office (temporary); Project Office (temporary)) annotated with 'PMO' 1, 'PMO' 2, N/A (Informal), (Operations) and BU Portfolios.]
      © Crown copyright 2008. Reproduced under licence from OGC
      Portfolio Management
      [Radar chart: Target Maturity on a 0 to 5 scale. Axes: Management Control, Benefits Management, Financial Management, Risk Management, Stakeholder Management, Organisational Governance, Resource Management.]
  27. Project Management: PRINCE2 Themes
      [Radar chart: Target Maturity on a 0 to 5 scale. Axes: Business Case, Project Organisation, Plans, Quality, Change, Risk Management, Progress.]
      Project Management: PRINCE2 Processes
      [Radar chart: Target Maturity on a 0 to 5 scale. Axes: Starting Up a Project, Initiating a Project, Controlling a Stage, Managing Product…, Managing Stage…, Closing a Project, Directing a Project.]
