
TECHNICAL WHITE PAPER

BSM for COBIT 4.0


A Practical Path to Supporting COBIT
TABLE OF CONTENTS

EXECUTIVE SUMMARY
» About COBIT
» Business Service Management — A Practical Path to Supporting COBIT
BMC SOLUTIONS AND COBIT CONTROLS
» COBIT and IT Governance
» COBIT and ITIL
» PLAN AND ORGANIZE (PO)
  BMC Solution Fit
  BMC Solutions
» Acquire and Implement (AI)
  BMC Solution Fit
  BMC Solutions
» Deliver and Support (DS)
  BMC Solution Fit
  BMC Solutions
» Monitor and Evaluate (ME)
  BMC Solution Fit
  BMC Solutions
CONCLUSION
» BSM Makes Compliance a Result of Running I.T. Well

EXECUTIVE SUMMARY
ABOUT COBIT
Control Objectives for Information and related Technology (COBIT®) is an IT-focused governance and
control framework created by the IT Governance Institute (ITGI) and Information Systems Audit and Control
Association® (ISACA). COBIT was developed as an open standard, and provides good practices across a
domain and process framework. COBIT presents activities in a manageable and logical structure. COBIT is
being increasingly adopted globally as the governance and control model for implementing and demonstrating
effective IT governance. The first, second, and third editions/versions of COBIT were published in 1994, 1998, and
2000, respectively.

COBIT harmonizes well with established frameworks, such as the Software Engineering Institute’s Capability
Maturity Model, ISO 9000, ISO 17799 (standard security framework, now ISO 27001) and ITIL. In fact, 13 of the 34
high-level control objectives are derived directly from the ITIL Service Support and Service Delivery areas.

BUSINESS SERVICE MANAGEMENT — A PRACTICAL PATH TO SUPPORTING COBIT

BMC Software has been recognized by leading analysts for our comprehensive offering of solutions that help
IT organizations control their IT environment and meet compliance objectives. Just as ERP provided a platform
for effective business planning and operations, Business Service Management (BSM) provides a platform for
effective IT planning and operations.

BSM offers a common and consistent way for information to be shared across IT functions and departments.
BSM simplifies, standardizes, and automates IT processes through out-of-the-box best practice templates and
integrated workflows that include IT Governance, Risk and Compliance elements for multiple regulations and
frameworks, across multiple platforms. BMC BSM solutions enable IT to manage based on business priorities.

BSM solutions from BMC help IT organizations automate IT controls while complying with governmental
regulation, industry best practices and internal policies. With BSM solutions from BMC, IT organizations
can meet and exceed business objectives AND mitigate risks while delivering superior performance within
constraints.

Many BMC solutions align with the fulfillment of COBIT, but to maximize the impact upon COBIT controls, we
recommend that you focus first on building your foundational controls in the following key solution areas:

» Change and Configuration management
» Software Compliance management
» Security and Access Management
» Compliance Automation

With the foundation controls in place, you will be well positioned to address:

» Data Recovery Management, Application management, and general IT controls
» Infrastructure coverage — from mainframe to mobile, data center to desktop.
» Support of control frameworks (COBIT), best practices (ITIL), and standards (ISO 20000 and ISO 27000)

This document maps BMC solutions to COBIT control objectives outlined in the COBIT 4.0 guide. In many cases, text from the COBIT 4.0 document has been summarized in order to condense the information. Sections in boxes are direct
quotes from COBIT 4.0, “Source: COBIT 4.0. ©1996, 1998, 2000, IT Governance Institute. All rights reserved. Used by permission.” Visit www.isaca.org to get a free download of the complete COBIT document.

BMC SOLUTIONS AND COBIT CONTROLS
Overall, BMC solutions apply to 32 of the 34 COBIT control objectives. These solutions offer a broad range of
coverage in many important areas, and are organized into the following four main groups to best address COBIT
Controls.

PLAN AND ORGANIZE 8 of 10 control objectives

ACQUIRE AND IMPLEMENT 7 of 7 control objectives

DELIVER AND SUPPORT 13 of 13 control objectives

MONITOR AND EVALUATE 4 of 4 control objectives

Figure 1 BMC solutions and COBIT controls

COBIT AND IT GOVERNANCE


One way to define IT Governance is “management, measurement and reporting to facilitate good decision
making.” The COBIT framework provides a reference process model and common language for everyone in an
enterprise to view and manage IT activities. To govern IT effectively, it is important to appreciate the activities
and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan,
build, run and monitor. Within the COBIT framework, these domains are called:

» Plan and Organize (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
» Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
» Deliver and Support (DS)—Receives the solutions and makes them usable for end users
» Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed.

COBIT AND ITIL


BMC solutions help automate ITIL best practices and COBIT guidelines. Combined, ITIL and COBIT help you
increase the quality of business services that your IT organization delivers, while also lowering overall
costs. ITIL is a framework that addresses IT service management best practices, and COBIT addresses
the establishment of business goals, providing the processes to deliver toward those goals and measure
progress. By following these frameworks, your IT organization can provide fast, consistent, reliable
technology services that increase revenue, reduce costs, and demonstrate compliance with the Sarbanes-
Oxley Act (SOX), Basel II, and other regulatory standards. These frameworks help you achieve BSM by
managing IT based on business priorities.

PLAN AND ORGANIZE (PO)

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute
to the achievement of the business objectives. The realization of this strategic vision needs to be planned,
communicated, and managed for different perspectives. Furthermore, a proper organization and
technological infrastructure should be put in place.

This domain typically addresses the following management questions:

» Are IT and the business strategy aligned?
» Is the enterprise achieving optimum use of its resources?
» Does everyone in the organization understand the IT objectives?
» Are IT risks understood and being managed?
» Is the quality of IT systems appropriate for business needs?

According to COBIT 4.0:

Successful enterprises understand the risks and exploit the benefits of IT, and find ways to deal with:

» Aligning IT strategy with the business strategy
» Cascading IT strategy and goals down into the enterprise
» Providing organizational structures that facilitate the implementation of strategy and goals
» Creating constructive relationships and effective communications between the business and IT, and with external partners
» Measuring IT’s performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and
implementing a governance and control framework for IT to:

» Make a link to the business requirements
» Make performance against these requirements transparent
» Organize IT activities into a generally accepted process model
» Identify the major resources to be leveraged
» Define the management control objectives to be considered

Business orientation is the main theme of COBIT. It is designed to be employed not only by IT service providers,
users, and auditors, but also, and more importantly, as comprehensive guidance for management and business
process owners.

COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize,
Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional
responsibility areas of plan, build, run, and monitor.

BMC SOLUTION FIT
Plan and Organize control objectives are what we refer to as general IT management controls. These controls
result in many of the decisions and policies that are input into the IT service management system.

This section will examine all ten of the Plan and Organize control objectives, drilling deeper into the eight
objectives directly supported by BMC solutions:

» PO2 — Define the Information Architecture
» PO4 — Define the IT Processes, Organization, and Relationships
» PO5 — Manage the IT Investment
» PO6 — Communicate Management Aims and Direction
» PO7 — Manage IT Human Resources
» PO8 — Manage Quality
» PO9 — Assess and Manage IT Risks
» PO10 — Manage Projects.

BMC SOLUTIONS
» BMC Atrium Discovery
» BMC Atrium CMDB Suite
» BMC Atrium Orchestrator
» BMC BladeLogic Client Automation
» BMC BladeLogic Network Automation
» BMC BladeLogic Server Automation Suite
» BMC Remedy IT Service Management Suite
» BMC Remedy Identity Management Suite
» SailPoint IdentityIQ
» BMC IT Business Management Suite

ACQUIRE AND IMPLEMENT (AI)


This domain covers objectives that help realize the IT strategy. IT solutions need to be identified, developed,
acquired, implemented, and integrated into the business process. In addition, changes and maintenance of
existing systems are covered by this domain to make sure the solutions continue to meet business objectives.

This domain typically addresses the following management questions:

» Are new projects likely to deliver solutions that meet business needs?
» Are new projects likely to be delivered on time and within budget?
» Will the new systems work properly when implemented?
» Will changes be made without upsetting current business operations?

BMC SOLUTION FIT


This section will examine all seven of the Acquire and Implement control objectives directly supported by BMC
solutions:

» AI1 — Identify Automation Solutions
» AI2 — Acquire and Maintain Application Software
» AI3 — Acquire and Maintain Technology Infrastructure
» AI4 — Enable Operation and Use
» AI5 — Procure IT Resources
» AI6 — Manage Changes
» AI7 — Install and Accredit Solutions and Changes

BMC SOLUTIONS
» BMC Atrium CMDB Suite
» BMC Atrium Orchestrator
» BMC Event and Impact Management
» BMC BladeLogic Client Automation
» BMC BladeLogic Network Automation
» BMC BladeLogic Server Automation Suite
» BMC BladeLogic Application Automation
» BMC Remedy IT Service Management Suite
» BMC Remedy Identity Management Suite
» SailPoint Identity IQ
» BMC IT Business Management Suite

DELIVER AND SUPPORT (DS)


This domain is concerned with the actual delivery of required services, which includes not only service delivery,
but also management of security and continuity, service support for users, and management of data and the
operational facilities.

Typically addressed are the following management questions:

» Are IT services being delivered in line with business priorities?
» Are IT costs optimized?
» Is the workforce able to use the IT systems productively and safely?
» Are adequate confidentiality, integrity, and availability in place?

BMC SOLUTION FIT


This section will examine all thirteen of the Deliver and Support control objectives directly supported by BMC
solutions:

» DS1 — Define and Manage Service Levels
» DS2 — Manage Third-Party Services
» DS3 — Manage Performance and Capacity
» DS4 — Ensure Continuous Service
» DS5 — Ensure Systems Security
» DS6 — Identify and Allocate Costs
» DS7 — Educate and Train Users
» DS8 — Manage Service Desk and Incidents
» DS9 — Manage the Configuration
» DS10 — Manage Problems
» DS11 — Manage Data
» DS12 — Manage the Physical Environment
» DS13 — Manage Operations

BMC SOLUTIONS
» BMC Atrium CMDB Suite
» BMC Atrium Discovery
» BMC Atrium Orchestrator
» BMC Analytics for BSM
» BMC Dashboards for BSM
» BMC MainView
» BMC Control-M
» BMC Control-D
» BMC Data Management for z/OS
» BMC Database Recovery Management
» BMC ProactiveNet Performance Management
» BMC Event and Impact Management
» BMC Service Level Management
» BMC BladeLogic Client Automation
» BMC BladeLogic Networks
» BMC BladeLogic Decision Support for Network Automation
» BMC BladeLogic Server Automation Suite
» BMC BladeLogic Decision Support for Server Automation
» BMC BladeLogic Application Automation
» BMC Remedy IT Service Management Suite
» BMC Remedy Identity Management Suite
» SailPoint Identity IQ
» BMC IT Business Management Suite

MONITOR AND EVALUATE (ME)


This domain covers objectives that IT processes need for regular assessment of their quality and compliance
with control requirements. It addresses performance management, monitoring of internal control, regulatory
compliance, and providing governance.

This domain typically addresses the following management questions:

» Is IT’s performance measured to detect problems before it is too late?
» Does management ensure that internal controls are effective and efficient?
» Can IT performance be linked back to business goals?
» Are risk, control, compliance, and performance measured and reported?

BMC SOLUTION FIT


This section will examine all of the Monitor and Evaluate control objectives, which are all supported by BMC
solutions:

» ME1 — Monitor and Evaluate IT Performance
» ME2 — Monitor and Evaluate Internal Control
» ME3 — Ensure Regulatory Compliance
» ME4 — Provide IT Governance

BMC SOLUTIONS
» BMC Atrium CMDB Suite
» BMC Atrium Orchestrator
» BMC Analytics for BSM
» BMC Dashboards for BSM
» BMC MainView
» BMC Control-M
» BMC Control-D
» BMC ProactiveNet Performance Management
» BMC Event and Impact Management
» BMC Service Level Management
» BMC BladeLogic Client Automation
» BMC BladeLogic Networks
» BMC BladeLogic Decision Support for Network Automation
» BMC BladeLogic Server Automation Suite
» BMC BladeLogic Decision Support for Server Automation
» BMC BladeLogic Application Automation
» BMC Remedy IT Service Management Suite
» BMC Remedy Identity Management Suite
» SailPoint Identity IQ
» BMC IT Business Management Suite

CONCLUSION
BSM MAKES COMPLIANCE A RESULT OF RUNNING I.T. WELL
As your IT organization transitions to face the challenge of managing IT based on business priorities, you can
use COBIT controls and Business Service Management solutions from BMC to help meet the challenge. COBIT
provides the framework for setting business goals and objectives, and measuring the progress of how those
goals are accomplished. BSM solutions from BMC provide you with the most effective approach for managing IT
from the perspective of the business. All potential users can benefit from using the COBIT content as an overall
approach to managing and governing IT, orchestrated with more detailed standards.

When you introduce solutions that enhance implementation and maintenance of COBIT controls enterprise
wide, you can better meet business objectives and deliver higher quality business services — at lower costs to
your organization.

BMC offers solutions that enable you to control your IT environment and meet governance and compliance
objectives, as defined by COBIT. BSM solutions from BMC help you automate IT controls; comply with
government regulations, industry best practices, and internal policies; manage risk effectively; and improve
overall business performance. These solutions help you manage IT based on business priorities, and align IT
processes to business needs.

Business runs on IT. IT runs on BMC Software.
Business thrives when IT runs smarter, faster, and stronger. That’s why the most demanding IT organizations in
the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader
in Business Service Management, BMC offers a comprehensive approach and unified platform that helps IT
organizations cut cost, reduce risk, and drive business profit. For the four fiscal quarters ended March 31, 2010,
BMC revenue was approximately $1.91 billion. Visit www.bmc.com for more information.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be
registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other
countries. All other trademarks or registered trademarks are the property of their respective owners. ©2010 BMC Software, Inc. All rights reserved.
