ITIL based IT management with live alerts and KPI s

Transcription

1 ITIL based IT management with live alerts and KPI s This whitepaper describes, as a sample, the deployment of Ba-PRO for IT management as implemented within Ba-PRO development b.v. IT governance (ITIL), Corporate governance, Segregations of Duties (SoD), KPI dash boarding, fraud management, real time risk management. Look no further, Ba-PRO offers the current generation, integrated solution. Control, process and risk documentation integrated with back office data providing continuous monitoring, alerts on control violations and risks, and management KPI s on all relevant processes. Improvement and clarity at your fingertips. What is GRC? Governance, Risk, and Compliance is the business integration of: Governance that manages the strategic directives a company wants to follow. Risk management that assesses the areas of exposure and potential impacts. Compliance that is the tactical action to mitigate risk. The integration of the distinct GRC aspects determines your ability to effectively and efficiently manage the processes within your organization to become successful. Some Ba-PRO benefits efficient control documentation (e.g. Coso based framework, IFRS, Cobit) or upload from point solutions like Axentis, Excel, Open Pages, Paisley, Word. continuous control monitoring (automatic alerts and KPI s) give you the up to date status of affairs. real time risk management (5000+ business rules included) fully integrated solution (control documentation, automatic monitoring, improvement process supported) most cost effective solution available to date Topics Software: Business Control, Sarbanes, ITIL, CMMI, Service management Real time alerts / risk management Note: The screenshots are taken from a live system using data from Mantis (Call-Incident- Problem Management Process), dotproject (Project planning) and Availability Management (Server logs) Home page of the Ba-PRO IT governance application - Dashboard o KPI on availability of demo server o KPI on IDS (intrusion detection system) of firewall o Score of planned vs. actual hours o KPI on reported incidents per person/module - Alert when o reported hours exceeds 5% of planned hours (dotproject) o priority 1 incidents stay open longer than 1 day o demo server is less than 99.5% available over a period of 4 weeks o number of reported incidents within 1 week exceeds x Page 1

2 a. alert to corporate Ba-PRO NL when in Ba-PRO RO the number of reported vs planned hours exceeds 5% or overtime exceeds 10 hours per week drill down to resource and which hours reported on which tasks Page 2

3 b. alert on severe incidents reported by customers or testing department stay unsolved (open) longer than 24 hours drill down to incident and customer -> alert to take action to CTO or customer support manager c. demo server is available less than 99.5% (uptime) over a period of 4 weeks (information extracted from log files of server) -> alert per to take action to COO d. number of incidents reported within one week exceed x (extracted from Mantis) drill down to module in ba-pro -> alert to CTO or developer All alerts are generated by business rules, executed on real life data from agents, linked to controls, linked to ITIL processes. Business Rules generate alerts that are assigned to employees with certain roles (Approver, editor, viewer, consultant) Page 3

4 A set of ITIL process descriptions with business functions, process flows and responsibilites according the RACI model exist. Process descriptions are attached in PDF from ITIL (descriptions) Page 4

5 The linkage between FW items can be best seen at BaPRO BV -> processes -> Service Support -> Problem Management -> Knowledge management Process Flows can be viewed (not edited) End user can drill down to the detail data causing the alert and drill up to the process descriptions and diagrams as well as see the responsible persons. Page 5

6 End user is alerted when no action is taken after specified time. Reports show: alerts with no actions and alerts with actions with the possibility to review the actions Ba-pro can be used as procedure management system (waterfall model in flash as attached document) Controls and linked business rules: Page 6

7 Drill down to rule: Data for Business Rules is gathered by agents. Additional: - ITIL PDF or CobIT-ITIL documents are attached in PDF and linked to the respective processes. Process flow charts are attached to each ITIL process. Page 7

8 Ba-PRO uses the application for internal document management (product, project documentation) Page 8

9 Appendix What is ITIL? What is COSO? What is CobiT? What is CMMI? What is ISO17799 All of above are best practice business frameworks, defining processes and (technical) procedures, risks, workorders and controls. All of them have a different level of detail and overlap. COSO (the committee of sponoring organizations of the treadway commission, initially founded in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative) is a best practice framework defining organization wide controls, with no special focus on IT. CobiT extends COSO with a set of IT controls going into more detail. ITIL is a set of best practice IT processes extends CobiT. The best practice development of IT processes has been initiated in the 70 s by the OGC in the UK with market leaders of all industries and provide a general guideline of IT processes that cover all areas. At the moment ITIL is being renewed with the ITIL 2.0 initiative that includes also project management. ISO17799 is a set of best practice IT Security controls for organizations to meet the standards for CobiT security. CMMI (Capability Maturity Model Integration, initiated by the Carnegie Mellon Software Engineering Institute) focuses on Software development processes and controls. Starting from software design to project planning and budgeting to execution, release management and maintenance and support, processes are defined. Maturity levels exist from ad-hoc processes (level 1) to institutionalized processes (level 3) to the highest level: process improvement (level 5). Page 9