Integrating CMMI with COBIT and ITIL
Dr. Bill Curtis, Chief Process Officer
2005

Agenda
1) The IT Space
2) CMMI and COBIT
3) CMMI and ITIL

CMM and CMMI are registered with the US Patent and Trademark Office. COBIT is a registered trademark of ISACA. ITIL is a registered trademark of the UK Office of Government Commerce.
Section 1: The IT Space

The IT Space
- IT Strategy
- Data and Operations Center
- Service Desk
- Application Development
- IT-Enabled Services

The Standards
(table columns: Standard, Parent Org., Industry Sponsor Group)
Gartner's Review of Models

Application Management
- Application domain: Application Development (Plan, Define, Design, Build) and Service Management (Deploy, Operate, Support, Optimize)
Source: ITIL: Application Management (2002, p.7)
Section 2: CMMI and COBIT

COBIT: Control OBjectives for Information and related Technology
- 3rd edition, July 2000
- Sponsorship: open standard of the IT Governance Institute; published by ISACA, the Information Systems Audit and Control Association & Foundation (Certified Information Systems Auditor certification, 23,000+ auditors)
- Focus: IT governance. How does executive management fulfill its responsibilities with respect to IT? Audit of IT operations.
Source: COBIT Management Guidelines (2000)

Approach to Using COBIT
- Manage IT-related business risks:
  - base use on business objectives in the COBIT Framework
  - select IT processes and controls appropriate for the organization from the COBIT Control Objectives
  - operate from the organization's business plan
  - assess procedures and results with the COBIT Audit Guidelines
  - assess the status of the organization, identify critical success factors, and measure performance with the COBIT Management Guidelines
- To develop a sound set of processes:
  - choose Control Objectives that fit the business objectives
  - identify industry models that provide guidance for supporting processes (CMMI, People CMM, ITIL, ...)
COBIT Architecture
- 34 Information Technology control objectives (IT processes):
  - 11 planning and organization
  - 6 acquisition and implementation
  - 13 delivery and support
  - 4 monitoring
- 318 detailed control objectives & audit guidelines: 3-30 detailed control objectives per process
- Each IT process is supported by:
  - 8-10 Critical Success Factors
  - 5-7 Key Goal Indicators
  - 6-8 Key Performance Indicators
Source: COBIT Management Guidelines (2000)

Evaluating COBIT Processes
- Critical Success Factors: management's key issues to control and actions to take; focused on implementing and controlling the right processes
- Key Goal Indicators: indicators of whether an IT process has achieved its goals; focused on monitoring achievement of goals
- Key Performance Indicators: measures of how well an IT process is performing; focused on monitoring performance to predict goal achievement
Source: COBIT Management Guidelines (2000)
Architectural Comparison (COBIT element -> CMMI element)
- Control objectives -> Process Areas
- Detailed control objectives -> Practices
- Critical success factors -> Practice level goals
- Key goal indicators -> Measures in Directing Implementation
- Key performance indicators -> Measures in Directing Implementation
The architectural comparison is suggestive of relationships, but the mapping between these elements is not exact. Font sizes on the slide indicate the relative scope of each element between models.

COBIT's Maturity Model
- Level 5 Optimised: processes refined to the level of best practice; automation integrates workflow
- Level 4 Managed: process compliance monitored & measured; constant improvement, some automation
- Level 3 Defined: standard, documented procedures based on existing practice, with no process assurance
- Level 2 Repeatable: similar procedures followed by people performing the same task, but no training
- Level 1 Initial: ad hoc processes developed case by case; recognition of issues to be addressed
- Level 0 Non-existent: complete lack of recognizable processes; no recognition of issues to be addressed
Source: COBIT Management Guidelines (2000)
Maturity Model Types
Two dimensions: the level to which best practices are characterized (Descriptive vs. Prescriptive) and the focus of the transformation (Single process vs. Organizational).
- Prescriptive, single process: models that assign a specific set of process attributes to each maturity level and require that, for a process to be rated at a specific level, all the attributes at that level and all lower levels must be implemented for that process. Processes are appraised independently and can be rated at different levels.
- Descriptive, single process: models that provide a simple scale for assigning a level of maturity to a single process based on a generalized characterization of its behavior or results, without requiring that any specific attributes be implemented. Processes are appraised independently and can be rated at different levels.
- Prescriptive, organizational: models that assign a specific set of process areas to each maturity level and require that, for an organization to be rated at a specific level, all process areas at that level and all lower levels must be implemented. Each process area usually contains a collection of practices for implementing that process.
- Descriptive, organizational: models that provide a simple scale for appraising the attributes of an organization and assign it to a level of maturity based on a generalized characterization of its behavior or results, without requiring that specific processes be implemented.

Maturity Model Types: examples
- Continuous (single-process transformation): COBIT, ITIL Maturity Model, Crosby Quality Maturity Grid
- Staged (organizational transformation): ITIL Organizational Growth model, People CMM
- CMMI has both a continuous and a staged representation.
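The difference between the two prescriptive model types on this slide is easiest to see as a scoring rule. The Python below is an added example, not part of the presentation or of CMMI, COBIT or ITIL; the process names, level assignments and practices are constructed sample data. It rates each process independently (the continuous, single-process rule) and then rates the organization as a whole (the staged rule, where one unimplemented practice in a lower-level process area caps the organizational level).

```python
# Added example (not from the presentation): scoring rules for the two
# prescriptive maturity-model types. All process names and practices are
# constructed sample data, not taken from CMMI, COBIT or ITIL.
from dataclasses import dataclass

TOP_LEVEL = 5


@dataclass(frozen=True)
class Process:
    name: str
    # Staged view: the maturity level this process area is assigned to.
    level: int
    # Prescriptive view: {level: {practice: implemented?}}.
    practices: dict


def continuous_rating(proc: Process) -> int:
    """Single-process, prescriptive ("continuous") rating.

    The process earns level L only if every practice required at L and at
    every lower level is implemented. Returns 0 when even level 1 is missing.
    """
    rating = 0
    for level in range(1, TOP_LEVEL + 1):
        required = proc.practices.get(level)
        # A level with no defined practices cannot be claimed.
        if not required or not all(required.values()):
            break
        rating = level
    return rating


def capability_profile(processes) -> dict:
    """Continuous models rate each process on its own: a profile, not one number."""
    return {p.name: continuous_rating(p) for p in processes}


def fully_implemented(proc: Process) -> bool:
    """Staged models require every practice of a process area, whatever its level."""
    return all(done for level_practices in proc.practices.values()
               for done in level_practices.values())


def staged_rating(processes) -> int:
    """Organizational, prescriptive ("staged") rating.

    The organization earns level L only if every process area assigned to L
    and to every lower level is fully implemented. Level 1 is the floor.
    """
    rating = 1
    for level in range(2, TOP_LEVEL + 1):
        areas = [p for p in processes if p.level == level]
        # No areas defined at this level, or any area incomplete: stop here.
        if not areas or not all(fully_implemented(p) for p in areas):
            break
        rating = level
    return rating


def implement(processes, name, level, practice):
    """Return a copy of the appraisal with one practice marked implemented."""
    updated = []
    for p in processes:
        if p.name == name:
            practices = {lv: dict(ps) for lv, ps in p.practices.items()}
            practices[level][practice] = True
            p = Process(p.name, p.level, practices)
        updated.append(p)
    return updated


# Constructed appraisal data for a small organization (sample values only).
SAMPLE = [
    Process("Configuration management", 2, {
        1: {"identify configuration items": True},
        2: {"establish baselines": True, "track change requests": True},
        3: {"follow organizational standard process": True},
    }),
    Process("Requirements management", 2, {
        1: {"obtain understanding of requirements": True},
        2: {"manage requirements changes": True,
            "maintain bidirectional traceability": False},
    }),
    Process("Process quality assurance", 2, {
        1: {"evaluate work products": True},
        2: {"track and resolve noncompliance": True},
    }),
    Process("Risk management", 3, {
        1: {"identify risks": True},
        2: {"analyze risks": True},
        3: {"implement mitigation plans": True},
    }),
]


if __name__ == "__main__":
    print("capability profile:", capability_profile(SAMPLE))
    print("staged level:", staged_rating(SAMPLE))
    fixed = implement(SAMPLE, "Requirements management", 2,
                      "maintain bidirectional traceability")
    print("staged level after fixing traceability:", staged_rating(fixed))
```

With the sample data the continuous profile shows configuration management at level 3 and risk management at level 3, yet the staged rating is level 1: one missing traceability practice in a level-2 process area blocks the whole organization. Implementing that single practice lifts the staged rating to 3, which is the "all process areas at that level and all lower levels" rule stated on the slide.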
COBIT Maturity Evaluations
Maturity comparisons for each IT process (the slide charts process AI7 as an example) on the scale Non-existent, Initial, Repeatable, Defined, Managed, Optimised:
- status of the organization's current process (company status)
- status of the best-in-class industry process (industry status)
- status of current industry standard guidelines (industry guidelines)
- strategic objective for organizational improvement (company objective)
Source: COBIT Management Guidelines (2000)

COBIT-MM vs. CMMs
- Not mapped to CMM's view of maturity:
  - Level 2 uses local procedures
  - Level 3 compliance is not left to individuals
  - Level 4 measurement is focused on compliance, not stability or predictability
  - weak focus on continual improvement
- COBIT-MM is evolving and will include an assessment method
- COBIT uses the continuous approach: process focus, not organizational focus; no roadmap for implementation
- Confuses process maturity and auditability
Planning & Organization 1
COBIT process -> Process Maturity Framework referent (CMMI level and process area, or People CMM process area)
- PO1 Define a strategic IT plan: align IT opportunities with business requirements and ensure accomplishment -> no clear referent (Level 3 issue)
- PO2 Define the information architecture: optimize the organization and integration of information systems -> no clear referent (Level 3 issue)
- PO3 Determine technological direction: exploit current and emerging technology to achieve business strategy -> no clear referent (Level 3 issue)
- PO4 Define the IT organization and relationships: deliver the right IT services -> L3 OEI (Level 3 issue)
Source: COBIT Management Guidelines (2000)

Planning & Organization 2
COBIT process -> Process Maturity Framework referent
- PO5 Manage the IT investment: ensure funding and control of financial resources -> no clear referent (Level 3 issue)
- PO6 Communicate management aims and directions: ensure user awareness of directions -> GP2.1 Policy (Level 2 issue)
- PO7 Manage human resources: sustain a motivated, competent workforce and ensure individual contributions -> People CMM OT (Level 3 issue)
- PO8 Ensure compliance with external requirements: meet legal, regulatory, and contractual obligations -> L2 REQM, PPQA; L3 RD, VAL
Source: COBIT Management Guidelines (2000)
Planning & Organization 3
COBIT process -> Process Maturity Framework referent
- PO9 Assess risks: support management decisions and reduce threats -> L2 PP; L3 RSKM
- PO10 Manage projects: set priorities and deliver on time and within budget -> L2 REQM, PP, PMC; L3 IPM, RSKM
- PO11 Manage quality: meet IT customer requirements -> L2 REQM; L3 RD, TS, VER, VAL
Source: COBIT Management Guidelines (2000)

Acquisition & Implementation 1
COBIT process -> Process Maturity Framework referent
- AI1 Identify automated solutions: ensure an effective, efficient approach to satisfy user requirements -> L2 REQM, SAM; L3 RD, TS, RM, DAR, ISM
- AI2 Acquire and maintain application software: provide automated functions to support business processes -> L2 SAM; L3 RD, TS, VA, IPM, ISM
- AI3 Acquire and maintain technology infrastructure: provide appropriate platforms to support business applications -> L2 CM; L3 RD, TS
- AI4 Develop and maintain procedures: ensure proper use of applications and technical solutions deployed -> L3 RD, TS
Source: COBIT Management Guidelines (2000)
Acquisition & Implementation 2
COBIT process -> Process Maturity Framework referent
- AI5 Install and accredit systems: confirm that the solution is fit for its intended purpose -> L3 VER, VAL
- AI6 Manage changes: minimize disruption, unauthorized changes, and errors -> L2 REQM, CM
Source: COBIT Management Guidelines (2000)

Delivery and Support 1
COBIT process -> Process Maturity Framework referent
- DS1 Define and manage service levels: establish a common understanding of the level of service required -> L2 REQM, PP, PMC; L3 IPM
- DS2 Manage third party services: ensure that third party responsibilities are defined and met -> L2 SAM; L3 ISM
- DS3 Manage performance and capacity: ensure that adequate capacity is available and used to best effect -> L3 RD, TS
- DS4 Ensure continuous service: make IT services available and minimize business impact in case of disruption -> no clear referent (Level 2 & 3 issue)
Source: COBIT Management Guidelines (2000)
Delivery and Support 2
COBIT process -> Process Maturity Framework referent
- DS5 Ensure system security: safeguard information against unauthorized use, disclosure, modification, damage, or loss -> no clear referent (Level 2 & 3 issue)
- DS6 Identify and allocate costs: ensure awareness of costs attributable to IT services -> no clear referent (Level 3 issue)
- DS7 Educate and train users: ensure users make effective use of technology and are aware of responsibilities -> People CMM L3 OT
- DS8 Assist and advise customers: ensure problems experienced by users are resolved -> no clear referent (Level 3 issue)
Source: COBIT Management Guidelines (2000)

Delivery and Support 3
COBIT process -> Process Maturity Framework referent
- DS9 Manage the configuration: prevent unauthorized alteration, verify existence, provide change mgt. -> L2 CM
- DS10 Manage problems and incidents: ensure problems and incidents are resolved and causes investigated -> no clear referent (Level 3 issue)
- DS11 Manage data: ensure data remains complete, accurate, and valid during input, update, and storage -> L2 PP, PMC
- DS12 Manage facilities: provide a physical environment that protects people and equipment against hazards -> People CMM WE
Source: COBIT Management Guidelines (2000)
Delivery and Support 4
COBIT process -> Process Maturity Framework referent
- DS13 Manage operations: ensure IT support functions are performed regularly in an orderly fashion -> no clear referent (Level 3 issue)
Source: COBIT Management Guidelines (2000)

Monitoring 1
COBIT process -> Process Maturity Framework referent
- M1 Monitor the processes: ensure achievement of performance objectives set for IT processes -> L2 PMC
- M2 Assess internal control adequacy: ensure achievement of internal control objectives for IT processes -> L2 PMC; L3 IPM
- M3 Obtain independent assurance: increase confidence and trust among IT, customers, and suppliers -> L2 PPQA
- M4 Provide for an independent audit: ensure proper use of applications and technical solutions deployed -> L2 PPQA
Source: COBIT Management Guidelines (2000)
CMMI-COBIT Coverage
- Planning and Organization: CMMI provides light support for achieving organization-wide objectives, but better support for objectives with a greater project focus such as requirements, risks, quality, and project mgt.
- Acquisition and Implementation: CMMI provides excellent coverage for achieving acquisition and implementation objectives.
- Delivery and Support: CMMI's management processes can be translated to support the management of service levels, third parties, capacity, problems, and data; however, continuous operation and user support services are not well covered in CMMI.
- Monitoring: CMMI provides for monitoring functions at the project level, but does not involve audit controls at the organizational level.

CMMI-COBIT Summary
- CMMI and COBIT have different objectives: COBIT focuses on governance of all IT functions; CMMI focuses on improving application development processes.
- CMMI and COBIT are complementary:
  - Use COBIT to appraise overall management of IT
  - Use CMMI to appraise the maturity of application development
  - Use CMMI to guide the implementation of control processes for: acquisition and implementation processes; project management processes; some delivery and support processes
Section 3: CMMI and ITIL

ITIL: Information Technology Infrastructure Library
- Guide for cost-effective use of UK public sector IT resources
- Requirements for IT service management
- Collection of best practices in IT
- Vendor independent
- Supporting organizations: UK Office of Government Commerce; published by The Stationery Office (London); itSMF, the IT Service Management Forum (intro book); EXIN and ISEB professional certifications in ITIL

ITIL & BS 15000
- BS 15000-1 Specification: aspiration
- BS 15000-2 Code of Practice: guidance
- PD 0005 ITIL Overview: how-to
- Internal processes and procedures: as-is
Source: PD 0015 (2000)
ITIL Publication Framework
Spanning The Business to The Technology:
- Planning to Implement Service Management
- The Business Perspective
- Service Management: Service Delivery, Service Support
- Application Management
- ICT Infrastructure Management
- Security Management
Source: ITIL: Planning to Implement Service Management (2002, p.4)

ITIL Topic Areas 1
- Service Delivery: Service level management; Financial management for IT services; Capacity management; IT service continuity management; Availability management
- Service Support: Service desk; Incident management; Problem management; Change management; Release management; Configuration management
ITIL Topic Areas 2
- ICT Infrastructure Management: Design and planning; Deployment; Operations; Technical support
- Applications Management: Managing business value; Aligning delivery strategy with business drivers; Application management lifecycle; Organizing roles and functions; Control methods and techniques

ITIL Topic Areas 3
- Planning to Implement Service Mgt
- Security Management
- Software Asset Management
- The Business Perspective
ITIL-Related Models
- HP ITSM Reference Model
- IBM IT Process Model
- Microsoft MOF
- etc., etc., etc.

The ITIL Processes (ITIL process -> CMMI process area)
ITIL processes on the slide: Configuration Management, Change Management, Release Management, Incident Management, Problem Management, Service Desk, Service Level Management, Capacity Management, Financial Mgt. for IT Services, Customer Relationship Management, ICT Infrastructure Management, Application Management, Security Management, Environmental Management, Infrastructure, Project Management.
CMMI process-area column as listed on the slide:
- Configuration Management (for configuration, change, and release management)
- Verification; Causal Analysis & Res.
- RM, TS, PI, VE, VA, ISM
- Project Management: PP, PMC, SAM, ISM
Source: ITIL: Service Support (2002, p.11-16)
Application Mgt. Lifecycle
- Application development domain: Requirements -> Design -> Build
- Service management domain: Deploy -> Operate -> Optimize
Source: ITIL: Application Management (2002, p.7)

ITIL-AM: Requirements
ITIL Application Management:
- Functional requirements
- Non-functional requirements
- Usability requirements
- Change cases
- Testing requirements
- Requirements management checklist
- Organization of the requirements team
CMMI:
- RM, Manage requirements: obtain understanding of requirements; obtain commitment to requirements; manage requirements changes; maintain bi-directional traceability; identify inconsistencies between project work and requirements
- RD, Develop customer requirements: elicit needs; develop the customer requirements
- RD, Develop product requirements: establish product & product-component reqts.; allocate product-component reqts.; identify interface requirements
- RD, Analyze and validate requirements: establish operational concepts & scenarios; establish definition of required functionality; analyze requirements; analyze requirements to achieve balance; validate reqts. with comprehensive models
Source: ITIL: Application Management (2002), CMMI (2003)
ITIL-AM: Design
ITIL Application Management:
- Design for non-functional requirements/manageability
- Risk-driven scheduling
- Managing tradeoffs
- Application-independent design guidelines and application frameworks
- Design management checklist
- Problems with design guidelines
- Testing the requirements
- Organization of the design team
CMMI:
- TS, Select product component solutions: develop detailed alternatives and selection criteria; evolve operational concepts & scenarios; select product component solutions
- TS, Develop the design: design the product or product component solution; establish a technical data package; design interfaces using criteria; perform make, buy, or reuse analyses
- TS, Implement the product design: implement the design; develop product support documentation
Source: ITIL: Application Management (2002), CMMI (2003)

ITIL-AM: Build 1
ITIL Application Management:
- Consistent coding conventions
- Application-independent building guidelines
- Operability testing
- Build management checklist
- Organization of the build team
CMMI:
- PI, Prepare for product integration: determine integration sequence; establish the integration environment; establish integration procedures and criteria
- PI, Ensure interface compatibility: review interface description for completeness; manage interfaces
- PI, Assemble product components and deliver the product: confirm readiness for integration; assemble product components; evaluate assembled components; package and deliver the product or component
Source: ITIL: Application Management (2002), CMMI (2003)
ITIL-AM: Build 2
ITIL Application Management:
- Consistent coding conventions
- Application-independent building guidelines
- Operability testing
- Build management checklist
- Organization of the build team
CMMI:
- VE, Prepare for verification: select work products for verification; establish the verification environment; establish verification procedures and criteria
- VE, Perform peer reviews: prepare for peer reviews; conduct peer reviews; analyze peer review data
- VE, Verify selected work products: perform verification; analyze verification results and identify corrective action
Source: ITIL: Application Management (2002), CMMI (2003)

ITIL-AM: Deploy
ITIL Application Management:
- Planning the deployment
- Approving the deployment
- Distributing applications
- Pilot deployments
- Deployment management checklists
- Organization of the deployment team
Source: ITIL: Application Management (2002)
ITIL-AM: Operate
ITIL Application Management:
- Day-to-day maintenance activities to maintain service levels
- Application state
- Benefits of an application
- Operations management checklist
- Organization of the operations team
Source: ITIL: Application Management (2002)

ITIL-AM: Optimize
ITIL Application Management:
- Application review process
- Optimization management checklist
- Organization of the optimization team
Source: ITIL: Application Management (2002)
Service Delivery Processes
Diagram elements: Availability Management, Service Level Management, Capacity Management, Financial Management, Continuity Management; flows labelled Requirements; Targets, Achievements; Alerts & exceptions, Changes.
Source: ITIL: Planning to Implement Service Management (2002, p.7)

ITIL-SD: Service Level Mgt.
ITIL Service Delivery:
- Planning service delivery
- Service catalogue
- Service level requirements
- Service level agreement
- Operational level agreements
- Monitor and report service delivery
- Service improvement program
CMMI referents, in the order listed on the slide: PP; REQM, RD; PP SG 3; PP SG 3; PMC; OPF, OID
Source: ITIL: Service Delivery (2001)
ITIL-SD: Financial Mgt.
ITIL Service Delivery:
- Budgeting
- IT accounting system
- IT charging system
- Planning IT financial mgt
- Implementing IT financial mgt
- Financial operation and reporting
- Managing variances
Source: ITIL: Service Delivery (2001)

ITIL-SD: Capacity Mgt.
ITIL Service Delivery:
- Business capacity management
- Service capacity management
- Resource capacity management
- Monitoring
- Analysis
- Tuning
- Implementation
- Demand management
- Modeling
- Application sizing
- Capacity planning
CMMI referents, in the order listed on the slide: PMC SG1; OPP; OPP, OID; QPM
Source: ITIL: Service Delivery (2001)
ITIL-SD: Continuity Mgt. 1
ITIL Service Delivery:
- Initiate business continuity mgt.
- Business impact analysis
- Risk assessment
- Business continuity strategy
- Org. and implementation planning
- Implement standby arrangements
- Develop recovery plans
- Implement risk reduction measures
- Develop procedures
- Initial testing
CMMI referents, in the order listed on the slide: RSKM; PP; PP; RSKM; OPD, TS; VER
Source: ITIL: Service Delivery (2001)

ITIL-SD: Continuity Mgt. 2
ITIL Service Delivery:
- Education and awareness
- Review and audit
- Tuning
- Change management
- Training
- Assurance
CMMI referents, in the order listed on the slide: OT; VER, PPQA; CM; OT; VAL, PPQA
Source: ITIL: Service Delivery (2001)
ITIL-SD: Availability Mgt.
ITIL Service Delivery -> CMMI
- Availability requirements -> REQM, RD
- Failure impact analysis -> CAR
- Availability targets -> REQM
- Availability measures and reporting -> MA
- Monitoring and trend analysis -> PMC SG1
- Availability problem detection -> PMC SG2
- Availability problem prevention -> PMC SG2
- Availability planning -> PP
Source: ITIL: Service Delivery (2001)

Service Support Processes
Diagram elements: Incident Management (incidents), Problem Management, Change Management (changes), Release Management (releases), Configuration Management (repository).
Source: ITIL: Planning to Implement Service Management (2002, p.6)
ITIL-SS: Incident Mgt.
ITIL Service Support:
- Incident detection and recording
- Classification and initial support
- Investigation and diagnosis
- Resolution and recovery
- Incident closure
- Ownership, monitoring, tracking, and communication
Source: ITIL: Service Support (2000)

ITIL-SS: Problem Mgt.
ITIL Service Support:
- Problem identification and recording
- Problem classification
- Problem investigation and diagnosis
- Error identification and recording
- Error assessment
- Error resolution recording
- Error closure
- Problem/error resolution recording
CMMI referents, in the order listed on the slide: CAR SP1.1; VER SP3.2, CAR SP1.2; VER SP3.2; VER SP3.2; VER SP3.2; VER SP3.2
Source: ITIL: Service Support (2000)
ITIL-SS: Configuration Mgt.
ITIL Service Support -> CMMI
- Configuration management planning -> CM GP2.2
- Configuration identification -> CM SP1.1
- Control of configuration items -> CM SP1.2, SP2.2
- Configuration status accounting -> CM SP3.1
- Configuration verification and audit -> CM SP3.2
- CMDB backups, archives, and housekeeping -> CM SP1.2
- Configuration management service
Source: ITIL: Service Support (2000)

ITIL-SS: Change Mgt. 1
ITIL Service Support -> CMMI
- Planning the implementing of operational processes -> CM GP2.2
- Change logging and filtering -> CM SP2.1
- Allocation of priorities -> CM SP2.1
- Change categorization -> CM SP2.1
- Change Advisory Board meetings -> CM SP2.2
- Impact and resource assessment -> CM SP2.1
- Change approval -> CM SP2.2
- Change scheduling -> CM SP2.2
- Change building, testing, and implementation -> CM SP2.2
Source: ITIL: Service Support (2000)
ITIL-SS: Change Mgt. 2
ITIL Service Support -> CMMI
- Urgent change scheduling -> CM SP2.2
- Urgent change building, testing, and implementation -> CM SP2.2
- Change review -> CM SP2.2
- Reviewing the change management process for efficiency & effectiveness -> CM GP2.8, GP2.9, GP2.10
- Roles and responsibilities -> CM GP2.4
Source: ITIL: Service Support (2000)

ITIL-SS: Release Mgt.
ITIL Service Support:
- Release planning
- Designing, building, and configuring a release
- Release acceptance
- Rollout planning
- Communication, preparation, and training
- Distribution and installation
CMMI referents, in the order listed on the slide: CM GP2.2; CM SP1.3; VE SP3.1; CM GP2.2
Source: ITIL: Service Support (2000)
ICT Infrastructure Mgt.
- Design and planning
- Deployment
- Operation
- Technical support
Source: ITIL: ICT Infrastructure Management (2002, p.9)

ITIL-ICT: Design & Planning
ITIL ICT Infrastructure Mgt.:
- Strategic management
- Review current position
- Define desired state
- Design and implement a plan
- Review progress of the plan
Source: ITIL: ICT Infrastructure Management (2002)
ITIL-ICT: Deployment
ITIL ICT Infrastructure Mgt.:
- Design phase
- Working environments
- Build phase
- Acceptance testing
- Rollout phase
- Handover
CMMI referents, in the order listed on the slide: TS; IPM; TS; VER
Source: ITIL: ICT Infrastructure Management (2002)

ITIL-ICT: Operation
ITIL ICT Infrastructure Mgt.:
- Manage ICT infrastructure events
- Operational control and management
- Workload, output, resilience testing management, & schedules
- Storage mgt., backup, & recovery
- ICT operational security
- Manage support operating processes
- Proactive operational mgt. processes
Source: ITIL: ICT Infrastructure Management (2002)
ITIL-ICT: Technical Support
ITIL ICT Infrastructure Mgt. -> CMMI
- Research and development
- Supplier management -> SAM, ISM
- Document management -> PP SG 2
Source: ITIL: ICT Infrastructure Management (2002)

BS 15000 Processes
- Service Delivery Processes: Capacity Management; Service Continuity and Availability Management; Service Level Management; Service Reporting; Information Security Management; Budgeting and Accounting for IT Services
- Control Processes: Configuration Management; Change Management
- Release Process: Release Management
- Resolution Processes: Incident Management; Problem Management
- Relationship Processes: Business Relationship Management; Supplier Management
Source: BS 15000-2: Service Management (2003)
Maturity of IT Organizations: Organization Growth Model
Stages, from low to high influence on the business:
- Stage 1 Technology
- Stage 2 Product/Service
- Stage 3 Customer focus
- Stage 4 Business focus
- Stage 5 Value chain
Source: ITIL: Planning to Implement Service Management (2002, p.27)

ITIL's Maturity Model
- Level 1 Initial: little process management activity; loosely defined processes and procedures, totally reactive, irregular unplanned activities
- Level 2 Repeatable: process activities are uncoordinated, without direction, focused on process effectiveness; defined processes and procedures, largely reactive
- Level 3 Defined: documented process with process owner, but no formal recognition of its role in IT; clearly defined and occasionally proactive
- Level 4 Managed: process fully accepted in IT, with targets based on business goals; proactive and integrated with other IT service management processes
- Level 5 Optimized: process has strategic objectives that are institutionalized; self-contained improvements creating a pre-emptive capability
Source: ITIL: Planning to Implement Service Management (2002, p.187-190)
Key Business Drivers: IT-Business Alignment
Business objectives should be reflected in all levels of IT.
- Business Function -> Service Level Requirements / SLAs -> IT Service
- IT Service -> Operational Level Requirements / OLAs -> IT System

Strategic Alignment Objectives Model (SOAM)
- Process Requirements -> IT Processes
- Skill Requirements -> IT People
- Technology Requirements -> Technology: Application Characteristics -> Applications; Data Characteristics -> Data; Infrastructure Characteristics -> Infrastructure
Source: ITIL: Application Management (2002, p.14)

Rethinking Issues by Level
Project-level configuration management issues in CMMI space may become organizational issues in IT.
CM object -> Content -> Control
- System -> components, documentation, tools, environment, etc. -> under local control (project)
- IT Service -> components (system components, service processes, forms, training, etc.) -> not under local control (different functional units)
Level -> New issue
- Level 2 (project); Level 2 (local unit); Level 3 (service-wide) -> transaction integrity
Using CMMI and ITIL
- CMMI and ITIL best apply to different parts of the IT organization:
  - Use CMMI in application development
  - Use CMMI in ICT Infrastructure projects
  - Use ITIL in IT operations and services
- The problem: service-level application management activities
  - Option 1: treat each modification/enhancement as a CMMI project (may require translation)
  - Option 2: treat the service level agreement as a CMMI project (requires translation)
  - Option 3: treat the service level agreement as an ITIL service

Summary
CMMI, COBIT, and ITIL (BS 15000) provide complementary models for different IT functions:
- Use CMMI and ITIL to implement practices that support COBIT control objectives
- Apply CMMI or ITIL to appropriate parts of the IT organization
- Select appraisal/certification methods based on appropriateness of fit to the IT processes to be assessed
- Draw from all standards when designing and implementing processes to ensure a more complete and robust implementation
Relevant Websites
- www.itgi.org: IT Governance Institute
- www.isaca.org: Information Systems Audit and Control Assoc.
- www.itil.co.uk: UK Office of Government Commerce
- www.itsmf.com: IT Service Management Forum
- www.sei.cmu.edu: Software Engineering Institute
- www.ndia.org: National Defense Industrial Assoc.

Dr. Bill Curtis
Bill Curtis is the Chief Process Officer of Borland Software Corp. Prior to its acquisition by Borland, he was the Co-founder and Chief Scientist of TeraQuest in Austin, Texas. He is a former Director of the Software Process Program in the Software Engineering Institute at Carnegie Mellon University. He is a co-author of the Capability Maturity Model for Software, and is the principal architect of the People CMM. Prior to joining the SEI, Dr. Curtis directed research on advanced user interface technologies and the software design process at MCC, developed a global software productivity and quality measurement system at ITT's Programming Technology Center, evaluated software development methods in GE Space Division, and taught statistics at the University of Washington.
P.O. Box 126079, 9108 Benview Court, Fort Worth, Texas 76126-0079
1-817-228-2994
curtis@borland.com