ITIL AND COBIT EXPLAINED

AGENDA
- Overview of the frameworks
- Similarities and differences
- Details of the COBIT framework (based on version 4.1)
- Details of the ITIL framework, focused mainly on version 2
- Comparison of COBIT and ITIL v2 sections
- Maturity models
- Q&A

© Copyright of Elevate Consulting LLC, All Rights Reserved

POSITIONING THE FRAMEWORKS
[Figure: frameworks positioned by level of abstraction (low to high) and scope (specific point solutions to holistic approaches), with IT relevance as a further dimension. Frameworks shown: TCO, CMMI, ITIL, ISO 20000, CobiT, People CMM, Six Sigma, ISO 9000, scorecards and national quality awards (e.g., Baldrige).]
Legend:
- CMM = capability maturity model
- CobiT = Control Objectives for Information and Related Technology
- ITIL = IT Infrastructure Library
- TCO = total cost of ownership
- ISO 20000 = IT service management standard
- ISO 9000 = quality management standard
Point solutions are useful, but a broader, holistic approach to process and quality improvement is POWERFUL.

ITIL and COBIT can enable organizations to achieve key objectives:
- Establish proven best-practice IT service management processes to manage IT from a business perspective and achieve business goals, including compliance
- Put in place clear process goals, based on the organization's business goals, and provide a means of measuring progress against them
- Ensure effective IT governance and control at the process level, and enable IT to demonstrate that it meets or exceeds the requirements set by government or external regulations
The frameworks are highly complementary, and together provide greater value than either one alone: COBIT outlines WHAT you need to do to meet these challenges, and ITIL shows you HOW to get there.

WHY IS IT GOVERNANCE AND BEST-PRACTICE IMPLEMENTATION NEEDED?
The effective management of information, information systems, communications and IT services is of critical importance to the survival of most enterprises.
This criticality arises from:
- The pervasiveness of, and dependence on, information and the services and infrastructure that deliver it
- The increasing scale and cost of current and future technology-related investments
- The potential for technology to enable the transformation of enterprises and business practices

SOME FACTS
- ITIL is strong on HOW to carry out IT processes (service delivery and support), but its coverage of security and of systems development is limited
- COBIT is strong on IT controls and IT metrics; it concentrates on WHAT should be achieved for effective governance, management and control rather than on how to achieve it (e.g., it gives no process flows)
- There are no contradictions or real overlaps between the two; they complement each other
- Neither discusses specific technologies or configuration requirements (unlike, e.g., PCI DSS)

COBIT: CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY
- Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF) (1st Edition)
- The current primary publisher is the IT Governance Institute (ITGI), formed by the Information Systems Audit and Control Association (ISACA) in 1998 (2nd Edition)
- By 2000, ISACF and ITGI had become one entity, and the 3rd Edition was issued
- In 2005 the 4th Edition (COBIT 4.0) was issued; the 4.1 update followed in 2007
COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, the AICPA, the GAO and others.
These sources were used to formulate COBIT so that it would "be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization."

COBIT EDUCATION
The COBIT curriculum includes the following courses:
- COBIT Awareness Course (2 hours, self-paced e-learning)
- COBIT Foundation Course (8 hours, self-paced e-learning, or 14 hours, classroom)
- COBIT Foundation Exam (1 hour, online, 40 questions)
- IT Governance Implementation Course (14 hours, classroom)
- COBIT for Sarbanes-Oxley Compliance (5 hours, self-paced e-learning)

COBIT ONLINE: WWW.ISACA.ORG/COBITONLINE
- Provides full browsing capabilities and lets you download selected COBIT content as a Microsoft Word or Access template for subsequent use offline
- All or selected COBIT components can be accessed and filtered by several search criteria:
  • Framework
  • Control Objectives
  • Inputs/Outputs
  • RACI Charts
  • Goals and Metrics
  • Maturity Models
  • Control Practices
  • Assurance Steps

COBIT ON IT GOVERNANCE
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
COBIT FAMILY OF PRODUCTS
[Figure]

COBIT IT DOMAINS AND PROCESSES
[Figure]

COBIT COMPONENTS
- 4 domains:
  • Plan and Organise (PO)
  • Acquire and Implement (AI)
  • Deliver and Support (DS)
  • Monitor and Evaluate (ME)
- 34 IT processes, each with a high-level control objective
- 210 detailed control objectives (COBIT 4.1)

INTERRELATIONSHIPS OF COBIT COMPONENTS
[Figure]

HOW DO GOVERNANCE AND THE BUSINESS DRIVE IT?
[Figure series: business goals drive IT goals, which are mapped to the COBIT information criteria.]

COBIT FRAMEWORK NAVIGATION
[Figure, with a worked navigation example]

CHANGE MANAGEMENT: ITIL PROCESS FLOW SUMMARY
[Figure: requests for change (RFCs) flow into Change Management, which consults the Change Advisory Board and hands approved changes to Release Management; the CMDB records the affected configuration items.]
- Reasons for an RFC: fix a problem; changing business requirements; changing technology; continuous service improvement programme (SIP); external forces (e.g., competition, legislation)
- What a change may affect: hardware, software, documentation, infrastructure, training, engineering specifications, tactical planning, assessments
- Change Advisory Board membership: service management, technical experts, customers and users, other interested parties

ITIL: INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY

INTRODUCTION TO ITIL
During the late 1980s the Central Computer and Telecommunications Agency (CCTA) in the United Kingdom started work on what is now known as ITIL, the Information Technology Infrastructure Library. ITIL is a set of books that provides comprehensive and interrelated codes of practice for achieving the efficient support and delivery of high-quality, cost-effective IT services.
- Version 2 available in 2000
- Version 3 available in 2007

ITIL EDUCATION PATH
[Figure]

ITIL MYTH
As Jan van Bon (author and editor of many IT Service Management publications) notes: "There is a lot of confusion about ITIL, stemming from all kinds of misunderstandings about its nature. ITIL is a set of best practices. There is no claim that ITIL's best practices describe pure processes. That is what most of its users make of it, probably because they have such a great need for such a model."
CIO Magazine columnist Dean Meyer has also presented some cautionary views of ITIL, including five pitfalls such as "becoming a slave to outdated definitions" and "letting ITIL become religion." As he notes, "...it doesn't describe the complete range of processes needed to be world class. It's focused on ... managing ongoing services."

ITIL V2 AND V3
ITIL v2: seven books, with two main areas:
- Service Support
- Service Delivery
ITIL v3 moves from a process approach to a service lifecycle approach:
- Service Strategy: which types of services, for which customers and markets
- Service Design: identifies service requirements and devises new service offerings
- Service Transition: builds and deploys new or modified services
- Service Operation: carries out the operational tasks
- Continual Service Improvement: learns from the past to improve the effectiveness and efficiency of services and processes

WHAT IS THE DIFFERENCE BETWEEN VERSION 2 AND VERSION 3?
V3 articulates the relationship between IT and the business far more clearly than earlier versions of ITIL. Instead of focusing on processes as in V2, V3 takes a wider view of IT by considering the lifecycle of a service from its initial planning, which should be aligned to the business need, through to its final retirement. V3 focuses more on the treatment of strategic options, functions, roles and responsibilities, as well as continual improvement. The existing processes from earlier ITIL versions remain in V3 but have been improved and added to. ITIL V3 also looks more closely at alignment with other best practices and standards.
ITIL V2 AND V3 PROCESSES
[Figure]

COBIT CONTROL OBJECTIVES LINKED WITH ITIL V2
[Figure: for each COBIT domain (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate), the processes with a direct link to ITIL are marked.]

ONE-TO-ONE COMPARISON: COBIT 4.1 AND ITIL V2

Process | Description | ITIL v2 section | COBIT process
Financial Management | Provides cost-effective stewardship of the IT assets used in providing IT services | Service Delivery | PO5
Release Management | Ensures that all technical and non-technical aspects of a release are dealt with in a coordinated way | Service Support | AI4
Change Management | Ensures standardized methods and procedures are followed for the efficient, prompt and authorized handling of all IT changes | Service Support | AI6
Incident Management | Restores normal service operation as quickly as possible | Service Support | DS8
Configuration Management | Provides a logical model of the IT infrastructure by identifying, verifying, maintaining and controlling all versions of the configuration items (CIs) | Service Support | DS9
Problem Management | Identifies the root causes of errors in the IT infrastructure and prevents their recurrence | Service Support | DS10
Service Level Management | Maintains and improves IT service quality through a constant cycle of agreeing, monitoring and reporting on service level agreements | Service Delivery | DS1, and parts of DS2
Availability Management | Optimizes the capability of the IT infrastructure and supporting organization to deliver a cost-effective and sustained level of availability that satisfies business objectives | Service Delivery | DS3
Capacity Management | Ensures the capacity and performance aspects of the business requirements are provided in a timely and cost-effective manner | Service Delivery | DS3
IT Service Continuity Management | Ensures that the required IT services and facilities can be recovered within the agreed times | Service Delivery | DS4

MATURITY MODELING
Maturity modeling for management and control over IT processes is based on self-evaluation by the organization. COBIT defines a maturity model for each of its processes (and ITIL v2's Planning to Implement Service Management offers a comparable process maturity framework), providing an incremental measurement scale from 0, non-existent, through 5, optimized. Using the maturity model for each IT process, management can identify:
- The actual performance of the enterprise: where the enterprise is today
- The current status of the industry: the comparison
- The enterprise's target for improvement: where the enterprise wants to be
The maturity attributes list the characteristics of how IT processes are managed and describe how they evolve from a non-existent to an optimized process. These attributes can be used for more comprehensive assessment, gap analysis and improvement planning.

MATURITY LEVEL RANKING
[Figure]

MATURITY MODEL: WHERE DOES YOUR ORGANIZATION STAND?
[Figure: a five-level ladder with example practices at each level.
- Level 1, Initial/Ad Hoc (Initiation/Chaotic)
- Level 2, Repeatable/Intuitive (Awareness/Reactive)
- Level 3, Defined Process (Control/Proactive)
- Level 4, Managed and Measurable (Integration/Service): IT as a service provider
- Level 5, Optimization/Value: IT as a strategic business partner
At the low end the practices are ad hoc, undocumented and unpredictable (fighting fires, multiple help desks, user calls as the only notification, minimal IT operations); through the middle levels the organization inventories its assets, measures component and application availability, sets thresholds, analyzes trends, automates and alerts, and matures its problem, configuration, change and asset management; at the high end it defines services, classes and pricing, understands costs, guarantees SLAs, measures and reports service availability, integrates its processes, links IT and business metrics, and manages IT as a business.]

PROCESS MATURITY MODEL
[Figure]

IN SHORT: WHAT ARE SOME OF THE BENEFITS?
- Better alignment of the IT environment with the business focus and customer needs
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities based on process orientation
- General acceptability with third parties and regulators
- A common language spoken by IT (especially with ITIL)
- Integration of the processes
- Improved decision support through better management information

SO, HOW THEN DO WE IMPLEMENT A GOVERNANCE FRAMEWORK?

QUESTIONS & ANSWERS
THANK YOU!!!!
Contact Information:
Angela Polania, CPA, CISA
Elevate Consulting
5757 Blue Lagoon Drive, Suite 350, Miami, FL 33126
C. 305.975.5121
[email protected]
Elevate Consulting is a South Florida based firm specializing in IT compliance and governance; internal controls and IT auditing; ITIL assessments and implementations; and project management and IT project management.