BADM 590 IT Governance, Information Trust, and Risk Management

Transcription

1 BADM 590 IT Governance, Information Trust, and Risk Management Information Technology Infrastructure Library (ITIL) Spring 2007 By Po-Kun (Dennis), Tseng

2 Abstract: This report is focusing on ITIL framework, which is a set of guidelines for an IT department to control and measure their quality of IT operation. The principles of ITIL mainly deal with processes about IT Service Delivery and Support in order to reach the objectives of the organization. The content of this report includes three major parts which are, first of all, the advance of information security issues involved with SOX Act and other best practices such as COSO, CobiT, and ISO Secondly, the ITIL overview and its main processes and coverage, which will be coming up with the other two case studies, that are deriving from educational organization and other areas. Finally, the report will discuss the connection of ITIL with other key practices to see how they complement and link with ITIL.

3 Background: The bottom line of information security: Recently, most of the enterprises rely on using information technologies to fulfill their enormous data and transactions, such as an online banking service and an internal control process. By applying the sophisticated information technologies, those firms can simplify their business processes, raise their efficiency, and save their time and costs dramatically. With the continuous advance of information technologies and the commercial dependency, information security has started to play a key role in the real business world. This is why enterprises are on pins and needles since most companies are using the information technologies to assist with their tasks, the reliability and accountability of employing these technologies will become critical issues as well as how a company select a suitable IT control framework to maintain and measure its internal security level. IT security threats such as Spyware, Fishing web-side, or even employees could lead to incalculable damages. From 1992, the Committee of Sponsoring Organization (COSO) issued a report for enterprise internal control. Businesses have started to search a right and precise framework for fitting into the specific industry of the businesses. In addition in finding the best practice, the companies also faced more and more regulations from government and requirements from customers. There are some examples below: Financial controls SOX (2002)

4 Privacy Privacy Amendment Act (2001) Health information HIPAA (1996) Customer information GLBA (1999) Except for IT control framework, however, IT service management (ITIL) is also a key part of the whole IT security management area. As a result, this report will be focused on here and connection of ITIL with other frameworks. Sox (the Sarbanes-Oxley Act): In order to prevent financial problems such as Enron s bankruptcy and WorldCom s false accounting report, the US. Legislature had to pass the Sarbanes-Oxley Act (SOX) supervising public companies internal financial states in The first principle of SOX is that To improve quality and transparency in financial reporting and independent audits and accounting services for public companies, to create a Public Company Accounting Oversight Board, to enhance the standard setting process for accounting practices, to strengthen the independence of firms that audit public companies, to increase corporate responsibility and the usefulness of corporate financial disclosure, to protect the objectivity and independence of securities analysts, to improve Securities and Exchange Commission resources and oversight, and for other purposes. 1, which is the most important function for SOX. The overall Act, 1

5 however, has 11 titles and 66 sections. From title 1 to 6, the contents are mainly involved with establishing an independent Public Company Accounting Oversight Board, PCAOB, which deals with auditing and financial reports of public companies. From title 8 to 11, the purpose is to emphasize responsibilities of top managers. Otherwise, the section 302, Corporate Responsibility For Financial Reports, and 404, Management Assessment Of Internal Controls, required a suitable internal control framework. However, what is suitable for organizations acting in different industries and embracing different requirements? The most recognized standards are COSO, Cobit, ISO 17799, and ITIL. What are the Best Practices? COSO: In 1992, the Committee of Sponsoring Organization issued a report especially for enterprise internal control divided into 5 sections that are Monitoring, Information and Communication, Control Activities, Risk Assessment, and Control Environment. Until now, most of the accounting firms have already recognized COSO as an internal control framework. CobiT: Cobit emerged from the COSO practice. It was derived from the information systems audit and control associations (ISACA) and the IT governance institutes (ITIG) in Simply put, Cobit is the control objectives for information and related technologies. Hence, its

6 mission is to research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals, and assurance professionals. 2 As the result, CobiT will not offer how to do it but what to do, and it also not covers any software or tool for improving IT services. There are four domains for CobiT,(1) Plan and Organize, (2) Acquire and Implement, (3) Deliver and Support, (4) Monitor and Evaluate. ISO 17799: ISO 17799, published by the international Organization for Standardization in 2001, is international accepted information security management standard. ISO provide a series of management guidelines, which include three dimensions that are Confidentiality, Integrity, and Availability. As CobiT, ISO is also not a technical standard and product or technology driven; contrary, it covers only the management of information security controls. Otherwise, ISO covers almost all information fields not just about IT areas. ITIL (Information Technology Infrastructure Library): Internal and external IT Service and Support professionals are all taking ITIL as their judging criterion. Even Microsoft operations framework (MOF) frequently references ITIL and its corresponding language. 2

7 What is ITIL? ITIL is not a now term and in fact that it has been introduced over two decades. The development of ITIL originated from Central Computer and Telecommunication Agency (CCTA), called the Office of Government Commerce (OCG) now. It has been widely accepted by many organizations from different countries. (A example of how ITIL measure the maturity of organization refers to appendix )However, it has just been applied in the US. within 10 years. It appropriately details a multitude of processes, totally eight books, which explain how IT service should be managed. Book 1. Service Support Book 2. Service Delivery Book 3. Business Perspective Book 4. ICT infrastructure Book 5. Applications Management Book 6. Security Management Book 7. Planning & Implementation Book 8. Software Asset Management At the heart of ITIL is IT service management (ITSM), which includes two books, Service Support and Service Delivery. There are ten basic processes to be defined by the two books as following:

8 Service support Service Delivery Configuration Management Availability Management Incident Management Capacity Management Problem Management Service Continuity Management Change Management Financial Management Release Management Service Level Management There are no standards for these processes. How well this work is enough for the organizations to be up to their requirements. In general, ITIL plays a role in the organizations as a set of guideline, which can be customized to: (1) Assist in getting a handle on the big picture. (2) Help build order and structure where there may be chaos. (3) Reference theory as well as practical tips on what should be done, not how to do so. Where to apply ITIL? Some use it as specifically for only the content from the Service Delivery and Service Support books while others use it for all of ITIL. Basically, whole service management must refer to any components relating to IT service prerequisites and so it must take account of the whole ITIL fields and has not been confined in only just two major orientations or two books. This is the definition of Service Management and the principle of ITIL. Otherwise, the

9 prerequisites of improving customer service quality are another core area that ITIL must focus on. To satisfy customers requirements will be the fundamental to ITIL and below shows several key activities that are essential for building successful ITIL processes within this area: (1) Documenting, negotiating, and agreeing customer and business quality targets and responsibilities in Service Level Agreements (SLAs). (2) Regular assessment of customer opinion in customer feedback and customer satisfaction surveys. (3) IT personal regularly taking the customer journey and sampling the customer experience. (4) IT personnel taking the customer and business perspective and always trying to keep customer interaction as simple and enjoyable as possible. (5) Understanding the ICT infrastructure. 3 The inner of ITIL: Service Delivery: There are five components that include Service Level Management, Financial Management for IT Service, Capacity Management, IT Service Continuity, and Availability Management, which cover whole quality improving plans for IT services as exhibit

10 Exhibit 1: The Service Delivery Processes (Source: An Introductory Overview of ITIL, itsmf, April 2004, p.13 ) Service Level Management is the most important position of processes in ITIL. It provides clear service delivery standards and the major interface for each organization and user. The major components of SLM are the Service Catalogue, Service Level Agreements (SLAs), and Operational Level Agreements (OLAs). Especially Service Catalogues provides definitions of each service, which include the deliverables, limitations of services, and measurements of service delivery performance, within the IT organization. In order to define what level of service an organization needs, Capacity Management can be ran with business, service support, and financial units together to establish the annual IT

11 infrastructure growth plan. The processes of Financial Management for IT Service gets involved with three major financial aspects, which are budgeting, IT Accounting including audit reports, and Chargeback. Availability Management allows organizations to review business requirements that include availability, reliability, maintainability, serviceability, and security. In order to recover and to avoid incidents that could cause disruption of service, IT Service Continuity focuses on contributing an acceptable level of service disruption with an agreed schedule. As a result, businesses can minimize the service disruption and keep trace the risk of disruption. Service Support: One of the major disciplines in Service Management is to support these services that were established by the Service Delivery group. This includes: Help Desk or Service Desk, Incident Management, Problem Management, Configuration Management, Change Management, and Release Management. The relations of these units show in the exhibit 2. Exhibit 2: The Service Support Processes

12 (Source: An Introductory Overview of ITIL, itsmf, April 2004, p.16 ) The Service Desk is responsible for reporting all incidents and requests, services as a center of all units and users within an organization and provides an interface for other Service Support processes. Incident Management is in charge of solving and detecting all incidents and must reinstate the system to the normal service level of organizations as fast as possible. The objective of Problem Management is to reduce impacts and damages that result from Incident Management. Thus, Problem Management is used to work as an assister for Incident Management to solve the detected problems.

13 To manage changes effectively, Change Management has to ensure that all changes are accepted through proper testing, risk assessment, and scheduling. The main function of Configuration Management is to deal with all operating data relating to the operating factors of any IT infrastructure elements in the organization. Near to Change Management, Release Management has to govern and to update the newest launching software versions and enterprise applications. Planning & Implementation: The six work stages can perform the implementation tasks of IT Service Management as following: Exhibit 3: (Source: Implementing ITIL-Adapting Your IT Organization to the Coming Revolution in IT Service, Randy A. S., 2005, CH 3, p. 15) Visioning stage is to identify and confirm what should be covered by the implementation

14 of ITIL as well as the benefits of implementing ITIL. Through this stage, IT organizations can know where to put more efforts and to avoid unnecessary labor force wasted. The goal of assessment stage has three: find out the gaps between organizations, fill up these gaps, and establish the Win projects which is like a small project fulfill to accomplish a tactical task, such as implementing IT Service Catalog. After finishing the preparation, the planning stage will take place to design implementation plans and come up with the overall implementation program. Then, the foundation stage will commence to work on establishing the strategic goals and defining the working procedures and the responsibilities. In this stage, organizational, technological, and governance strategies will be all getting together. The objective of Initial Win stage is to offer immediate benefits by building 2-5 small projects for each ITSM process. The small projects all have specific functions that are visible and touchable in the organization. Finally, the Control stage will carry out the process designed in the foundation stage and start the life cycle regularly. However, the efforts of implementing ITIL will not be over 12 months. Case Study : University of Canterbuey in New Zealand The seasons for using ITIL:

15 (1) The IT service level of the University had been reduced by several incidents of miscommunication and misunderstanding. (2) Various units and support groups need standardization of internal control and re-alignment. (3) Rather than act as only a support function, ITIL can improve the IT service group s overall services quality and correspond to the university s core business value. Implementing process: (1) Identified requirements for change (2) Identified the scope of this project (3) Defined the objectives of this project (4) Established the project structure (5) Organized the project deliverables and benefits for the IT department The project organizational structure: (1) ITIL implementation project manager (2) Service management project team (ITSM) (3) Implementation teams for each specific process within ITIL framework (4) Steering group (5) Reference groups (6) Reporting lines Resource requirements:

16 (1) Human resources Facilities will be required to fully participate or partly participate in this project. (2) Helpdesk telephone system Since the project tries to increase ability of helpdesk to solve incidents at first point of contact, the resource requirements are still unidentified. (3) Software Benefits of using ITIL: ITIL provides an approach that helps enterprises deriving their core business process more reliable, valuable, and effective. Benefits can be produce such as: Improved productivity Service standardization Improved customer satisfaction Improved communication quality between IT service group and customers Reduced cost Improved the business process as clearly defined roles and responsibilities Saved reaction time for managers Avoided problems effectively

17 Benefits to the customer of IT services: Provide documented procedures for external users Enable the customer to reach business objectives Provide feedback and necessary changes from monitoring of service performance Case Study : Service-Oriented IT Management: Benefit, Cost, and Success Factors The six organizations appreciate that the benefits of using ITIL are not only increased service quality and reduced risks, but also helping with managerial and service efficiency. Standardization and optimizing of process, for instance, will greatly improve managerial efficiency because managers can guarantee that all support centers located around globe will be all consistent and systematic. Exhibit 4 shows that the comparison of per- and post- adopting ITIL in terms of three levels of business engineering: strategies, processes, and systems. After implementation of ITIL, the six organizations getting rid of problems including most are not uniform, not standardized, and without interfaces. Exhibit 4: Gives an overview of the initial situation and the new solution on the three levels of business engineering

18 (Source: Service-Oriented IT Management: Benefit, Cost and Success Factors, Alex, H., 2005, p.4) Mapping ITIL into other best practices: ITIL cannot work alone and we all known that if you can t measure it you can t control it, and if you can t control it you can t manage it.. This is why we must use CobiT to set up the IT control framework and then establish ITIL for IT service Management. In fact that

19 ITIL can address the 34 CobiT processes linking with Service Delivery and Support even though, regarding to the appendix, there are some overlaps, which actually enable you to integrate CobiT and ITIL. On the other side, organization can use the security processes and controls defined by ISO to complement weaknesses of ITIL as well since ISO is used for the entire information security section not just for IT-related issues. Especially, when an organization wants to specify issues that will have an impact for the whole organization s security, ISO will be highly helpful. Otherwise, obviously ITIL s Problem Management and Configuration Management do not correspond to ISO according to appendix. However, Change Management, for example, will be directly complemented by CobiT s Change Management and also in ISO s Operational Change Control. We can say that the guidance, indicators, and controls for the definition of service level agreements, availability management, and business continuity management providing by CobiT and ISO17799 enable one to totally supplement ITIL s service delivery processes referring to appendix. Conclusion: As previously mentioned, we notice that ITIL is well-developed on delivery and support

20 processes yet it is weak on security controls. Therefore, in order to create a round-the-clock information security environment, the best way is to integrate these frameworks and to take from the long to add to the short. Organizations may use ITIL as defined processes, use CobiT as metrics or benchmarks, and use IS as risk mitigation for security management. Besides, to be more efficient organizations, it is better not try to complete implementation of ITIL, CobiT, and ISO at the same time because the goals for each organization may be different based on cost, benefit, risk control, or regulatory compliance perspectives. References: 1. ISACA: Serving IT Governance Professionals. (2006) How does ITIL link to COBIT and ISO Article available online at

21 2. H, Axel., T, Gerrit., and B, Walter.(2005). Service-oriented IT Management: Benefit, Cost, and Success Factors Article available online at 3. A, Randy.(2005). Implementing ITIL p John, W. (2005). Combining ITIL with COBIT and Article available online at 0Cobit%20and% pdf 6. Alex, H. (2005). Service-Oriented IT Management: Benefit, Cost and Success Factors. Article available online at 7. itsmf,( April 2004) An Introductory Overview of ITIL. Article available online at 8. D, Hamish.(2002). Proposal to Implement the Information Technology Infrastructure Library Framework for IT Service Management. Article available online at %20ITIL.pdf Appendix ITIL Maturity Measures

22 Appendix ITIL Service support vs. CobiT: Integration of ITIL and COBIT

23 ITIL Service Delivery vs. CobiT: Appendix Integration of ITIL and ISO ITIL Service Support vs. ISO 17799

24 ITIL Service Delivery vs. ISO 17799