Using COBIT and ITIL Robert E Stroud CGEIT International Vice President, ISACA VP Service Management & Governance Service Management, Governance & Cloud Computing Evangelist CA Technologies

Using COBIT and ITIL

Robert E Stroud CGEIT, International Vice President, ISACA

VP Service Management & Governance

Service Management, Governance & Cloud Computing Evangelist CA Technologies

robert e stroud (CGEIT)

— Vice President, Service Management; Service Management and Governance Evangelist

— 27 years Industry Experience

— 15+ years Banking Industry

— ITSM

− Treasurer, itSMF International Executive Board

− Director Audit, Standards and Compliance

− Former Director, itSMF USA

− Member ITIL V3 Advisory Group (IAG)

− Mentor ITIL V3 Service Transition

− Contributor ITIL Business Perspectives Volume II

− Author ITIL\COBIT\ISO17799 Management Overview

— IT Governance

− International Vice President ISACA\ITGI

− Chair COBIT Steering Committee

− IT Governance Committee

− Contributor to COBIT and VAL IT

− Contributor to Basel II Guidance

— BLOG: www.ca.com/blogs/stroud

Copyright © 2010 CA - Robert E Stroud – [email protected] - BLOG: www.ca.com/blogs/stroud

trademark notice

ITIL® is a registered trademark and a registered community trademark of the UK Office of Government Commerce (OGC) and is registered in the U.S. Patent and Trademark Office.

COBIT® is a registered trademark of ISACA

DISCLAIMER

Neither CA nor its speaker warrants or guarantees the concepts or the accuracy of the information provided herein.

No part of this publication may be reproduced in any form by print, photo print, microfilm or any other means without written permission by CA.

risk & compliance lifecycle

[Figure: maturity (vertical axis) plotted against time (horizontal axis), rising through four phases]

Phases, in order of increasing maturity:
— Blissful Unawareness Phase
— Reactive Fragmented Implementation Phase
— Consolidation Phase
— Operational Excellence Phase

Characteristic activities along the curve:
— Ad hoc, “must-do” activities only
— Create inventory of governance, risk, and compliance initiatives
— Rush projects to react to mandate
— Start on a unified GRC approach
— Continuous process improvement

benchmark data

Best Outcomes (12%): 1 in 10 Organizations
Best Outcomes (19%): 2 in 10 Organizations

| Operating Results | Worst | Normative | Best |
|---|---|---|---|
| Top-line Financial Results | -12% | 0% | +8% |
| Loss/Theft of Customer Data | More than 16 | 3 to 16 | Less than 3 |
| Hours of Downtime due to IT | More than 60 | 4 to 60 | Less than 4 |
| IT Audit deficiencies | More than 16 | 3 to 16 | Less than 3 |

N: 3,280. Source: IT Policy Compliance Group, 2009

sustainable operations

[Figure: 2x2 grid of value of IT capabilities to the business (low/high) against control over IT capabilities (low/high), with the IT service positioned on both axes]

Implementation of the IT improvement strategy:
• Quality
• Domain
• Effort
• Output & effect
• Feedback

Ongoing use and management of the IT infrastructure:
• Business Added Value
• Quality
• Change
• Capacity
• Cost
• Control

risk posture

[Figure: risk matrix of Impact (L/M/H) against Likelihood (L/M/H), with arrows labelled “Mitigating controls” pointing from the high-impact, high-likelihood corner toward the low end of both axes]

8 February 2009 Quelling the Perfect Storm within IT Copyright © 2009 CA

COBIT

operational compliance

> Governance Framework

> Certifiable

> Defensible position with audit community (internal & external)

> Predictable Risk Model

> Operational Excellence

[Figure: practice frameworks and standards positioned under COBIT: TOGAF; Development Methodology; ITIL; Portfolio Mgmt.; Enterprise Development; Service & Support; Corporate Governance of IT (ISO 38500); Corporate Governance of IT (ISO 27000); Service Management (ISO 20000); Compliance]

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

Source: Board Briefing on IT Governance, 2nd Edition. © 2003 ITGI. All rights reserved.

IT governance

governance solves

— Meets the increasing risks (security, compliance, projects etc.)

— Ensures continuity of critical business processes that depend on information and systems

— Integrates organizational objectives with the growing dependence on service providers, third parties and cloud computing

— IT is enabling organizations to rapidly innovate and transform business practices to create new opportunities and reduce cost

— Ensures continuity of IT knowledge, which is essential to sustain and grow the business.

enterprise governance of IT domains

—Strategic Alignment

—Value Delivery

—Resource Management

—Risk Management

—Performance Measurement

[Figure: the five IT Governance Domains (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement) arranged in a cycle]

Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.

COBIT™ - the roadmap

—Globally accepted set of tools and good practices that ensures IT is working effectively

—Provides common language to communicate goals, objectives, expected results

—Based on industry standards and good practices in:

−Strategic alignment of IT with business goals

−Value delivery of services and new projects

−Risk management

−Resource management

−Performance measurement

COBIT Framework

[Figure: the COBIT framework cube: Business Goals drive Governance Drivers; Information Criteria and IT Resources are applied across the four process domains]

Information Criteria:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT Resources:
• Applications
• Information
• Infrastructure
• People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims & direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage risks
PO10 Manage projects

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire & maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

MONITOR AND EVALUATE
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.

who is doing what? RACI

Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.

measurement of processes

Source: COBIT 4.1. © 1996-2007 ITGI. All rights reserved.

maturity model

[Figure: as-is assessment; each maturity attribute is rated on the Overall Process Maturity scale of 1 to 5]

Maturity Attributes:
— Awareness and Communication
— Policies, Standards and Procedures
— Tools and Automation
— Skills and Expertise
— Responsibility and Accountability
— Goal Setting and Measurement

Overall Process Maturity: 1 to 5

maturity model

[Figure: as-is rating beside the to-be target for each maturity attribute; the gap between them gives the improvement measures, on the Overall Process Maturity scale of 1 to 5]

Maturity Attributes:
— Awareness and Communication
— Policies, Standards and Procedures
— Tools and Automation
— Skills and Expertise
— Responsibility and Accountability
— Goal Setting and Measurement

Overall Process Maturity: 1 to 5

ITIL processes

SERVICE STRATEGY
• Financial Management
• Return on Investment
• Service Portfolio Mgmnt
• Demand Management

SERVICE DESIGN
• Service Catalogue Management
• Service Level Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

SERVICE TRANSITION
• Transition Planning and Support
• Change Management
• Service Asset & Configuration Management
• Release & Deployment Management
• Service Validation
• Evaluation
• Knowledge Management

SERVICE OPERATION
• Event Management
• Incident Management
• Request Fulfilment
• Problem Management
• Access Management

CONTINUAL SERVICE IMPROVEMENT
• 7-Step Improvement Process

relationship between COBIT & ITIL

—COBIT is an IT Governance and Control framework and focuses on WHAT should be addressed to ensure good governance of all IT related processes, including service management processes.

—COBIT provides guidance, framework and tools on achieving desired levels of conformance and performance of IT Processes required to satisfy business needs.

— ITIL provides best practices describing HOW to plan, design and implement effective service management processes.

—By leveraging COBIT guidance, an enterprise can ensure that its service management effort is aligned with its overall business, governance and internal control requirements.

using frameworks together

[Figure: COBIT as the governance layer over three practice frameworks]

Governance: COBIT
IT Operational Processes: ITIL
Application Development Processes: CMMI
Project & Portfolio Management: PMBOK

Establish the work → Align with roles (RACI: Responsible, Accountable, Consulted and Informed) → Measurement

Slide 20: Governance for your ITSM Environment © 2008-2010 CA, Inc. All rights reserved.

the COBIT user guide for service managers

— Explains importance of governance of the focused area

— Defines the need for good practices

— Provides an overview of the specific role

— Explains the relationship between COBIT and the best practices for the role

— Explains how to use COBIT and ITIL to support the governance of IT-enabled business services

— Provides a roadmap for getting started.

— Provides a table of key service manager activities based on ITIL V3 x-referenced to COBIT 4.1 and ISO20000

RACI for the service manager – DS1 manage service levels

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

generic role descriptions an aid to areas of responsibility

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

coverage of ITIL to COBIT processes

by Jimmy Heschl

[Figure: COBIT processes addressed by IT Infrastructure Library v3, charted per process number within each domain: Plan and Organise (1 to 10), Acquire and Implement (1 to 7), Deliver and Support (1 to 13), Monitor and Evaluate (1 to 4); coverage shown on a scale from none to full]

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

key processes in the lifecycle – example service operation

ITIL V3 Service Operation

| ITIL V3 | COBIT 4.1 |
|---|---|
| Event Management | DS3, DS8, DS13 |
| Incident Management | DS8 |
| Request Fulfilment | DS8 |
| Problem Management | DS10 |
| Access Management | DS5 |
| Operation Management | DS13 |

mapping IT goals to IT process

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

goals and metrics for DS1 – managing service levels

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

control practices (DS1)

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

mapping of COBIT DS1.1 to ITIL

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

achieve governance of IT services

CobiT® User Guide for Service Managers © 2009 IT Governance Institute. All rights reserved

linking COBIT, ITIL & governance of IT services

CobiT® User Guide for Service Managers ISBN 978-1-60420-071-3 © 2009 IT Governance Institute. All rights reserved

example financial management

4. Financial Management (Service Strategy – 5.1, 5.2)

| Service Manager Key Activities (based on ITIL v3) | ITIL V3 x-ref | COBIT 4.1 x-ref | ISO 20000 x-ref | Key Deliverables | RACI roles |
|---|---|---|---|---|---|
| FM1. Understand the business and IT culture and attitude towards financial management, and any regulatory or compliance requirements | 5.1.4.3 Plan | PO1.1 IT value management | 7.2, 7.3 | Service Business Case | BPO, SM, CFO, CIO; CIO |
| FM2. Identify all internal and external contacts that provide and/or receive IT financial information. Define financial reporting and analysis requirements. | 5.1.4.3 Plan | PO5.1 Financial management framework | 7.2, 7.3 | Financial management requirements | SM, CIO, CFO, BPO; CFO |
| FM3. Guide the financial reporting outputs to meet the business and IT needs. | 5.1.4.3 Analyse | PO5.4 Cost management | 6.4 | Financial Reports | SM, CIO; CIO, CFO, BPO; CFO, BPO |
| FM4. Maintain awareness of the value of the services and of the current costs and use this information when considering the business case for new services. | 5.1.4.3 Analyse | PO5.5 Benefit management; DS6.1 Definition of services | | | SM, BPO; BPO, CIO, CFO, SPM; CIO, CFO, SPM |
| FM5. Define together with the business and IT, financial measures of success. | 5.1.4.3 Measure | DS6.2 IT accounting | 6.4 | Cost allocations | SM, BPO; CIO, CFO, CFO |
| FM6. Ensure financial information about the service is presented clearly to business and IT management. | 5.1.4.3 Measure | DS6.3 Cost modelling and charging; DS6.4 Cost model maintenance | | Cost model | SM, CIO; CIO, CFO, BPO; CFO, BPO |

example: change management

[Figure: the ITIL v3 change management activity flow mapped to CobiT control objectives, the ISO 27002 control and the Val IT domains]

ITIL v3 activities:
Create RFC → Record the RFC → Review RFC → Assess and evaluate Change → Authorise Change → Plan updates → Co-ordinate change implementation → Review and close change record
Optional entry: Change Proposal → Authorise Change proposal
Throughout: Update change and configuration information in CMS

Change record status: requested → ready for evaluation → ready for decision → authorized → scheduled → implemented → closed

Outputs: Evaluation report; Work orders

CobiT control objectives:
— AI6.1 Change Standards and Procedures
— AI6.2 Impact Assessment, Prioritisation and Authorisation
— AI6.4 Change Status Tracking and Reporting
— AI6.5 Change Closure and Documentation

ISO 27002 control: 10.1.2 Change management

Val IT domains: Investment Management (IM); Portfolio Management (PM); Value Governance (VG)

detailed mapping (excerpt)

| COBIT Control Objective | Name | ITIL references | Coverage |
|---|---|---|---|
| PO1 | Define a Strategic IT Plan | SS 1 Introduction; SS 2 Service management as a practice; SS 3 Service Strategy principles; SS 3.5 Service Strategy fundamentals; SS 4 Service strategy … | A+ |
| PO1.1 | IT Value Management | SS 2.2 What are services?; SS 3.1 Value creation; SS 3.4 Service structures; SS 4.4 Prepare for execution; SS 5.1 Financial Management; SS 5.2 Return on Investment; SS 5.3 Service Portfolio Management | C |
| PO1.2 | Business-IT Alignment | SS 2.1 What is service management; SS 2.3 The business process; SS 2.4 Principles of service management | C |
| PO1.3 | Assessment of Current Capability and Performance | SS 4.4 Prepare for execution; CSI 5.2 Assessments | C |
| PO1.4 | IT Strategic Plan | SS 3.3 Service provider types; SS 3.5 Service Strategy fundamentals; SS 4.1 Define the market; SS 4.2 Develop the offerings; SS 4.3 Develop strategic assets … | C |
| PO1.5 | IT Tactical Plans | SS 4.4 Prepare for execution; SS 7.1 Implementation through the lifecycle; SS 7.2 Strategy and Design … | C |

next steps

—Purchase the COBIT User Guide for Service Managers

—Identify your target areas for implementation

—Implement

—Communicate the value

—Move onto the next implementation target

—ISACA guidance is available at www.isaca.org

[Figure: IT Governance Benefits, illustrated with dollar signs]

value of governance

—Reliable services

—Transparency

—Responsiveness of IT to business

—Management confidence

—Higher Return on Investment (ROI)

—Business and IT Integration

more information

Email: [email protected]

Web: www.ca.com/itil

Twitter: www.twitter.com\RobertEStroud

BLOG: www.ca.com/blogs/stroud

Governance for your ITSM Environment

Robert E Stroud

Blog: www.ca.com/blogs/stroud