Getting In-Control - Combining CobiT and ITIL for IT Governance and Process Excellence. Executive Summary: What is the business problem?



Similar documents
ITIL: What is it? How does ITIL link to COBIT and ISO 17799?

WHITE PAPER Hitachi Data Systems Optimizes Storage Management Through ITIL-Based Consulting Services

The ITIL Story. Pink Elephant. The contents of this document are protected by copyright and cannot be reproduced in any manner.

The ITIL Story White Paper

IBM and the IT Infrastructure Library.

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Information Technology Auditing for Non-IT Specialist

ITIL: What it is What it Can Do For You V2.1

Trustworthy Computing Spring 2006

Introduction: ITIL Version 3 and the ITIL Process Map V3

HDI Support Center Certification: A Pragmatic Approach to Verifying Core ITIL Process Maturity

ITIL Service Lifecycles and the Project Manager

Practical IT Service Management: Rapid ITIL Without Compromise

Applying ITIL v3 Best Practices


AN OVERVIEW OF INFORMATION SECURITY STANDARDS

Somewhere Today, A Project is Failing

The Value of ITIL to IT Audit

Metricus for ServiceNow

BADM 590 IT Governance, Information Trust, and Risk Management

ITIL AND COBIT EXPLAINED

The Future of Best Practices in IT Service Management - ITIL Version 3 Explained

ISO20000: What it is and how it relates to ITIL v3

Aligning CMMI & ITIL. Where Am I and Which Way Do I Go? cognence, inc.

IBM asset management solutions White paper. Using IBM Maximo Asset Management to manage all assets for hospitals and healthcare organizations.

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Effectively Using CobiT in IT Service Management

The IT Infrastructure Library (ITIL)

ITIL's IT Service Lifecycle - The Five New Silos of IT

Revised October 2013

Tutorial on Service Level Management in e- Infrastructures State of the Art and Future Challenges. The FedSMProject Thomas Schaaf & Owen Appleton

Tutorial: Towards better managed Grids. IT Service Management best practices based on ITIL

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

White Paper Case Study: How Collaboration Platforms Support the ITIL Best Practices Standard

Whitepaper: 7 Steps to Developing a Cloud Security Plan

MANAGING DIGITAL CONTINUITY

An IT executive with over 25 years in the field A few companies I have worked for:

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

IPMA 2006 ITIL in Practice The Alignability Process Model and HP OpenView Service Desk

IT Governance Dr. Michael Shaw Term Project

Procuring Penetration Testing Services

Incorporate CMMI with Corporate Governance Using Enterprise Software Change Management Solutions

Succeeding with Business Process Outsourcing

HP ITSM Assessment Services Helping you reach the levels of service your business requires

RESEARCH PAPERS FACULTY OF MATERIALS SCIENCE AND TECHNOLOGY IN TRNAVA SLOVAK UNIVERSITY OF TECHNOLOGY IN BRATISLAVA

Improve Your Business Through Best Practice IT Management. A White Paper Prepared for Kaseya September 2007

How To Manage A Patch Management Process

INFORMATION TECHNOLOGY FLASH REPORT

IT and Business Process Performance Management: Case Study of ITIL Implementation in Finance Service Industry

IT Service Management

Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization

BPTrends January 2005 etom and ITIL. etom and ITIL: Should you be Bi-lingual as an IT Outsourcing Service Provider? Jenny Huang

SURVEY RESULTS: ITIL BEST PRACTICES IN SAP ENVIRONMENTS. Version : 1.0 Date : June 2007 : Troy DuMoulin, Pink Elephant Ken Turbitt, BMC Software

Achieving Business Imperatives through IT Governance and Risk

IT Governance. Infocom India Presentation. Pathfinder Technology Solutions. December 6, 2006

February 8, Analysis of Consulting-Portal s 5th Annual ITSM Industry Survey

How To Save Money At The University Of California

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

INTERNATIONAL JOURNAL OF ENGINEERING SCIENCES & RESEARCH TECHNOLOGY

IT Service Management

Integrating CMMI with COBIT and ITIL

Can You Really Get ITIL Out of the Box?

Best Practice Methodologies for the Project Management Office (PMO)

Dynamic Data Center Compliance with Tripwire and Microsoft

The IBM data governance blueprint: Leveraging best practices and proven technologies

Certified Software Quality Assurance Professional VS-1085

iso20000templates.com

Gobierno de TI Enfrentando al Reto. IT Governance Facing the Challenge. Everett C. Johnson, CPA International President ISACA and ITGI

Combine ITIL and COBIT to Meet Business Challenges

ITIL Version 3.0 What It Means to You

The Importance of IT Controls to Sarbanes-Oxley Compliance

An InControl Technology White Paper

ORGANIZED FOR BUSINESS: BUILDING A CONTEMPORARY IT OPERATING MODEL

HOW COBIT CAN COMPLEMENT ITIL TO ACHIEVE BIT

Leveraging ITIL to Manage Your Virtual Environment. Laurent Mandorla, Manager Fredrik Hallgårde, Consultant BearingPoint, Inc.

Measuring IT Governance Maturity Evidences from using regulation framework in the Republic Croatia

ITIL V3 AND THE SERVICE LIFECYCLE PART I THE MISSING COMPONENT

White Paper: AlfaPeople ITSM This whitepaper discusses how ITIL 3.0 can benefit your business.

Backlog Management Index (BMI) Evaluation and Improvement An ITIL Approach

Why you need an Automated Asset Management Solution

Business Process Management The Key to ITIL Success

Frameworks for IT Management

fs viewpoint

sample exam ITMP.EN IT Management Principles (ITMP.EN) edition 2010 content introduction 3 exam 4 answer key 9 evaluation 16

IT Governance. What is it and how to audit it. 21 April 2009

10 Best-Selling Modules For Home Information Technology Professionals

Embracing CHANGE as a Competitive Advantage

Project Management and ITIL Transitions

Transcription:

Getting In-Control - Combining CobiT and ITIL for IT Governance and Process Excellence Executive Summary: Nearly all of us who are running an IT shop feel the need to gain or increase control, predictability, and efficiency. That s true whether we ve just come off achieving CMM level 3, or are still struggling with legacy IT management practices. Solving these problems from scratch can take daunting amounts of time and effort, and still leave you vulnerable to audit issues. CobiT and ITIL together are a powerful force for IT Operational efficiency and effectiveness. CobiT provides a framework for IT governance, aligning IT with business requirements. ITIL is a collection of best practices in Service Management, Security, Infrastructure Management, and Application Management. Together they can make the process improvement task much more achievable. Using CobiT and ITIL in combination links proven IT best practices (ITIL) to CobiT s regulatory and business requirements. CobiT s objectives define the Key Performance Indicators for each major IT process area, assuring both a well-run IT Organization and the ability to meet regulatory requirements. This paper describes CobiT and ITIL, why Alcyone Consulting combined them, and how your organization can benefit from this work for better IT effectiveness. What is the business problem? Before we introduce CobiT and ITIL, and the value of combining them, let s review the business problem that makes this a compelling discussion. The following describes a typical public company s IT organization and change drivers: Your auditors are telling you that your team is not doing something right and you have to change it now! The business is telling you that you don t understand their needs or are not responsive enough. The CEO is telling you that you have to make your IT organization more cost effective. On top of all this, you are being asked to make improvements while living within this year s operating budget. Leveraging either CobiT or ITIL will help you with the above objectives. The questions are: What are they? How do you know which to use - and when? ITIL is a Registered Trade Mark and a Community Trade Mark of the UK Office of Government Commerce. CobiT is a registered Trade Mark of The Information Systems Audit and Control Foundation, and the IT Governance Institute Alcyone Consulting 2005 1 / 6

What ARE these things? CobiT: Control Objectives IT CobiT was developed in the early 1990s by Information Systems Audit and Control Foundation (ISACF) with the goal of providing a set of best practices that are meaningful and useful to IT Staff, auditors, and customers. A major research effort delving into all relevant existing standards and best practices was undertaken to develop the CobiT objectives. The initial release of the Framework, Control Objectives and Audit Guidelines, was in 1996. Over the next four years two additional books were published: Implementation Toolset and Management Guidelines. These books contain maturity models, performance indicators and critical success factors. A quote from the introduction: The resulting control objectives have been developed for application to organization-wide information systems. The term generally applicable and accepted is explicitly used in the same sense as Generally Accepted Accounting Principles (GAAP). CobiT is organized into four domains: Planning and Organization, Acquisition and Implementation, Deployment and Support, and Monitoring. Each of the high-level control objectives in the above diagram are divided into detailed control objectives. COBIT identifies a broad set of 318 control points (e.g., Procurement Control) designed to provide reasonable assurance that certain objectives will be achieved. What it does not do, is describe a complete set of IT processes more on this to come. Alcyone Consulting 2005 2 / 6

CobiT was largely ignored by the marketplace until the Sarbanes-Oxley Act of 2002 (SOX). Once this act took effect in the United States, CobiT was able to show the direction for compliance was already in place. SOX requires that companies certify internal financial processes, and that auditors issue opinions regarding the completeness of those processes. In addition, SOX requires that companies understand and document internal controls around financial reporting. And that s exactly what implementing CobiT is able to deliver. ITIL: IT Infrastructure Library ITIL was developed in the late 1980s by the UK s Central Computer & Telecommunications Agency (in April 2001 the CCTA was renamed into Office of Government Commerce OGC). The OGC started the project in recognition of the fact that government organizations were becoming increasingly dependent on Information Technology. The objectives of the OGC in developing ITIL were to promote IT business effectiveness and to reduce costs while maintaining or improving IT services. The specific ITIL best practices were developed by involvement of leading industry experts, consultants and practitioners. It is the only holistic, non-proprietary best practice framework available in the technology marketplace. As a result, it has quickly become the global benchmark by which organizations measure the quality of IT service management. The Infrastructure Library went through a major re-write in the 1990s. There are eight books in publication today covering everything from implementing ITIL processes through application life cycle management and the core of ITIL IT operations processes. The following graphic represents the ITIL library in its current form: Source: Information Technology Infrastructure Library Within the eight domains, each book s processes can be reviewed, utilized, and implemented independently of the others. That said the overall provision of IT services can best be optimized by considering each process as part of the whole. The most popular (and first published) ITIL books are Service Support and Service Delivery. They describe the processes that are common to every IT service provider and must be Alcyone Consulting 2005 3 / 6

addressed to enhance the provision of quality IT services for its customers. These sets form the basis of the certifications granted by the Netherlands Examination Institute for IT (EXIN) and the Information Systems Examinations Board (ISEB). Many organizations have embraced the ITIL concept because it offers a systematic and professional approach to the management of IT service provision. There are many benefits to be reaped by adopting the guidance provided by ITIL. Chief of which is getting to the goal of control and predictability much more quickly than starting from scratch. When should you use one or the other? In general, CobiT is used for audit functions and ITIL is used for process improvement. We recommend that, instead of selecting between CobiT and ITIL, you combine both from the beginning in all process improvement activities. In the long run, you will eventually get there, so starting with an integrated approach is the most effective option. It will save you time and money and provide a process which meets stakeholder requirements earlier in the game. As a public company, your auditors will expect use of CobiT for SOX compliance. As a growing IT Organization, you will formalize your processes and procedures either based on ITIL or another framework which borrows heavily from ITIL (for example the Microsoft Operations Framework.) As described earlier, both ITIL and CobiT are excellent tools for the IT Organization to improve processes and align IT functions with business and regulatory requirements. In An informal survey of IT Organizations in the Chicago-land area shows that many are implementing SOX compliance in a process vacuum. The additional paperwork (or electronic equivalent) generated for compliance does not add value to the IT work flow - but rather detracts from product deployment and incident resolution activities, and comes off as additional regulatory burden bringing them to the table as one initiative instead of two separate initiatives, you gain from both a single work effort and an integrated IT process and compliance solution. CobiT and ITIL complement each other. For example, the COBIT framework identifies a Software Release Policy as a control point, but leaves it to the organization to define those processes and procedures associated with Software Release. ITIL describes the best practices associated with Software Release Management; the interfaces to other activities such as Infrastructure Deployment, Change Management and Configuration Management; and how to implement Software Release Management within the ITO. What is the industry saying? Gartner Group: CobiT and ITIL are not mutually exclusive and can be combined to provide a powerful IT governance, control and best-practice framework in IT service management. Enterprises that want to put their ITIL program into the context of a wider control and governance framework should use CobiT. (June 2002 / TG-16-1849) Alcyone Consulting 2005 4 / 6

Meta: It is critical, that organizations taking advantage of the COBIT framework have a set of defined IT processes/procedures and utilize COBIT as a control checklist against their defined IT processes/procedures. (Oct 2004 / Meta Practice #2263) Alcyone Process Framework for IT Effectiveness: At Alcyone Consulting, we have performed the upfront analysis and combined ITIL and CobiT to create an effective IT process framework that enables you to quickly and easily understand the impact of regulatory requirements on every aspect of your IT processes. Our framework also allows you to identify the impact a specific IT process has on your regulatory environment. The Alcyone process framework is based on a review of the complete set of ITIL books (not just Service Management.) After laying out the initial ITIL process families, we aligned all 318 detailed CobiT objectives to a specific process family. The detailed CobiT objectives which were yet unassigned we grouped into process families which fit harmoniously within the existing framework. This completed the Alcyone Process Framework for IT Effectiveness. As the Alcyone framework is based on existing standardized IT frameworks, you are not locked into a proprietary solution that depends upon one company to maintain. You are able to leverage the training and tools which exist for CobiT and ITIL in the marketplace today and in the future. Leveraging the Framework in your organization: We start our engagements by identifying all known IT processes, whether they have been documented or are yet-to-be-documented within your organization. We then map those processes into the appropriate process family. After this exercise, you will have a solid assessment of the completeness of your IT processes which prepares you for making the necessary improvements. Next we work with company executives, the legal department and auditors to identify the regulatory drivers for your business, which are then aligned to their appropriate CobiT objective. For SOX and HIPPA this is well understood, and auditors have already identified the specific CobiT objectives. Now we look at your organization s existing IT processes that are affected by your regulatory environment and answer these questions: Alcyone Consulting 2005 5 / 6

Do you have a process? Is the process documented? Does the process address the Key CobiT Objectives? Will your auditor agree that your process is sufficient? The answers to the above questions will give you a good idea of how well the IT processes protect your company and its stakeholders. The resulting information is typically eye-opening and can lead to projects geared to improving your IT Organization s effectiveness (not to mention the sleep of your company s officers). About Alcyone Consulting: Alcyone Consulting is an IT Consultancy providing IT Strategy and Governance services. Our principals have worked together for over a decade providing high quality IT solutions to a wide range of clients. Our practitioners are all former Big-5 consulting professionals with years of experience. The Alcyone Process Framework for IT Effectiveness comes out of a rich history of process activities, starting in the late 1980s with the introduction of Service Level and Operational Level Agreements, and then maturing into IT Support Organizations and the subsequent reporting metrics. In the early 1990s Alcyone practitioners created some of the initial development methodologies for the then-new client/server systems. By the mid 1990s we were performing Capability Maturity Model assessments for our own development organizations. Exposure to the ITIL concepts started in the late 1990s with growing an IT support organization from 14 Chicago based individuals to a global team of 80 supporting over 1200 users in seven locations in five countries. This specific framework comes from working on client engagements which required HIPPA and SOX compliance in addition to IT process improvements. At Alcyone Consulting we speak IT, CobiT, ITIL and Business. We leverage this to provide our clients with high quality solutions that maximize their Information Technology investment. For more information contact Mary Kay Laurent: 1.312.403.4150 mkglaurent@alcyonegroup.com Alcyone Consulting 2005 6 / 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information