
Case Study

Using CobiT and ITIL to Implement IT Governance
Robert E Stroud
Director, Strategy
Business Service Optimization
CA, Inc.
Robert.Stroud@ca.com
Abstract
- Many organizations have been looking to Best Practices
to assist them in aligning IT to the Business, whilst at
the same time achieving IT Governance.
- Using COBIT and ITIL, this session will deliver an
overview of how these best practices have been used
together by a major financial organization to deliver their
IT Governance requirements while meeting business
objectives.

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Trademark Notice
COBIT is a registered trademark of ISACA/ITGI - Information Systems Audit
and Control Association / IT Governance Institute
ITIL is a registered trademark of OGC - the Office of Government
Commerce.

DISCLAIMER
Neither CA nor its speaker warrants or guarantees the concepts or the
accuracy of information provided herein.
All rights reserved

No part of this publication may be reproduced in any form by print, photo
print, microfilm or any other means without written permission by CA.

Agenda
- IT Governance
- IT Infrastructure Library (ITIL)
- The fastest introduction to COBIT ever
- Mapping ITIL to COBIT or is it COBIT to ITIL
- The Role of ITIL and COBIT in addressing Compliance - a Case Study
- Summary
- Questions and Answers

IT Governance

Governance, a practical example

Governance
- IT must be managed and controlled from within itself as an
organizational entity with respect to the overall governance of a given
corporation.
- Governance manifests itself in the roles and responsibilities of its
staff resources through the definition of policies and processes it uses
to define its management and decision making of technology use,
and how the technology provides IT Services to the corporation to
which it belongs.
- Governance is considered present only if it can be measured and
controlled with the means in place to provide metrics of both post-fact
and pre-planning intelligence of, and for, the IT Services it provides.

What is IT Governance?
IT governance is the term used to describe how those
persons entrusted with governance of an entity will
consider IT in their supervision, monitoring, control and
direction of the entity. How IT is applied will have an
immense impact on whether the entity will attain its vision,
mission or strategic goals.

Why is IT Governance Important?
Why is IT more critical:
- Increasing risks (security, compliance, projects etc.)
- Critical business processes depend on information and
systems.
- Growing dependence on service providers.
- IT failures impact reputation.
- IT is dramatically changing organizations and business
practices to create new opportunities and reduce cost.
- IT knowledge is essential to sustain and grow the
business.

How Can IT Governance Help?
- Responsibilities:
- Ensures ownership by the Board
- Increases understanding of IT significance to the
business and the impact of potential risks
- IT is no longer just the CIO's responsibility; it is shared
by the whole of management
- Places the CIO's role in a clearer corporate perspective

IT Governance Benefits
[Figure: CobiT provides the common language & framework. Panels plotted over time: Aligned (business support), Secure / Controlled (IT risks), Better (service quality), Faster (service delivery time), Cheaper (cost), and stakeholder value.]

The Story So Far
- IT Governance is a key part of Corporate Governance,
and the way to ensure IT activities are aligned, managed
and measured to ensure business success
- IT Governance is important because IT is so critical to
business success, represents very significant
investments, and is complex and risky to manage
- COBIT provides the framework and resources to support
and enable IT Governance to be implemented
- ITIL is a rapidly adopted framework for IT Operations

IT Infrastructure Library (ITIL)

ITIL?
- Information Technology Infrastructure Library (ITIL)
- A set of books detailing best practices for IT Service
Management
- Originally developed by the UK government to improve IT
Service Management
- Now becoming more globally accepted as a basis for IT
Service Management

The Magnificent NINE!

[Figure: the ITIL publications, placed between "The Business" and "The Technology": Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; ICT Infrastructure Management; Security Management; Applications Management; Software Asset Management; The Business Perspective 2.]

But only 2 of the 9 get used!
Service Support
- Service Desk
- Incident Management
- Problem Management
- Configuration Management
- Change Management
- Release Management

Service Delivery
- Service Level Management
- Capacity Management
- Availability Management
- Service Continuity Management
- Financial Management

Benefits?
- Improved quality service provision
- Cost justifiable service quality
- Services that meet Business, Customer and User
demands
- Integrated centralized processes
- Everyone knows their role and knows their responsibilities
in service provision
- Learn from previous experience
- Demonstrable performance indicators
- Common Terminology

ITIL Benefits from practitioners
- By streamlining our processes we improved our efficiency
- We reduced the time to deliver base services by 80% with higher
quality
- Reduction in re-work
- Understand what is impacted from a business perspective when a
component fails
- We reduced the number of people required to do stuff

Issues from the field?
- No measurement model
- No standard processes
- Doesn't follow Plan Do Check Act model

The fastest introduction to COBIT... ever!

What is COBIT?
- Control OBjectives for Information and related Technology
- A framework for IT governance
- Bridges the gaps between business risks, control needs
and technical issues
- Documents good (best) practices
- Increasing Global 2000 adoption
- SOX increasing use..

COBIT Top Down Approach

- 4 Domains
- 34 Processes
- 220 Control Objectives

COBIT Activities/Tasks
[Figure: the COBIT domains (Planning and Organization, Acquisition and Implementation, Delivery and Support, Monitoring) set against the Plan, Do, Check, Act control cycle, with the outcomes Manage risks / Realize Benefits, Effective use of resources, Business/IT Alignment and Risk Management.]

COBIT Framework

- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

Plan and Organize (PO)
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims & direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage risks
PO10 Manage projects

Acquire and Implement (AI)
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire & maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

Deliver and Support (DS)
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

Monitor and Evaluate (ME)
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance

COBIT Publications

- Executive Summary
- Framework
- Implementation Tool Set
- Management Guidelines: Maturity Models, Critical Success Factors, Key Goal Indicators, Key Performance Indicators
- Detailed Control Objectives
- Audit Guidelines

Key COBIT Concepts
- Information Criteria
- Key Goal Indicators (KGI)
- IT Resources\RACI
- Key Performance Indicators (KPI)

Key Definitions
- Maturity model
- Maturity models are an instrument to analyse the current position, the
position relative to a defined standard
- Critical Success Factors
- Critical success factors define the most important management-oriented
implementation guidelines to achieve control over and within the IT
processes.
- Key Goal Indicators
- Key goal indicators define measures that tell management after the fact
whether an IT process has achieved its business requirements.
- Key Performance Indicators
- Key performance indicators are lead indicators that define measures of
how well the IT process is performing in enabling the goal to be reached.

COBIT Maturity Model
0 Non-existent
1 Initial/Ad-hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized

Mapping ITIL to COBIT or is it COBIT to ITIL

COBIT and ITIL complement each other

ITIL
- Best Practice
- Process
- Relationships

COBIT
- Controls Audit
- Requirements
- Maturity Scale

PROCESS/PROCEDURE & RESULTS

COBIT & ITIL Mapping
PO: Assess Risk
DS: Define & Manage Service Levels
DS: Manage 3rd Party Services
DS: Manage Performance & Capacity
DS: Ensure Continuous Service
DS: Identify & Allocate Costs
DS: Ensure System Security
AI: Manage Change
AI: Install & Accredit Systems
DS: Assist & Advise IT Customers
DS: Manage Problems & Incidents
DS: Manage Operations
DS: Manage Configuration
DS: Manage Facilities
DS: Manage Data
AI: Acquire & Maintain Technology Infrastructure
AI: Acquire & Maintain Application Software

ITIL Books to COBIT Control Objectives

Mapping to ITIL Service Support and Service Delivery

COBIT and ITIL used together
- Use the COBIT control objectives with the COBIT maturity
model and Key Performance Indicators to manage and
measure performance of your ITIL processes.

ITIL and COBIT together addressing Compliance - a Case Study

Changes for IT
It is NOT sufficient for you to be in
compliance, as you have to be able to
readily demonstrate (to prove) that you've
met the control objectives.

If you can't prove that you're doing it right,
the presumption is that you are not doing it
right and as such, you are deficient.

Case Study
- Large Bank founded almost 200 years ago
- Diversified provider of financial services
- Personal
- Commercial
- Corporate
- Institutional
- North America, Asia and Europe

Initially an ITIL implementation
[Figure: implementation timeline from May 2003 to Nov 2006, marked at May and Nov of each year, showing the phased rollout of: Incident; Problem; Service Mgmt Tool for Incident/Problem; Service Level Management; Financial Management; Change Management; Configuration Management; Capacity Management; IT Service Continuity Management; Release Management; Availability Management (New); Continuous Improvement.]

Process Management

Governance Team
- A small team of internal advisors accountable to the ITIL Executive
Team
- Ensure overall compliance and integration of the ITIL processes
- Ensure a coherent and comprehensive approach to design and
implementation of each process
- Balance program initiatives with service demands
- Monitor performance, KPI(s), Policy and programs
- Recommend changes to process, or services as needed
- Align policies, performance measures and process initiatives with
organization's strategic objectives

Governance

Process Design, Advocacy & Compliance

Process Dashboard & KPIs

Process Dashboard

DS9 Delivery & Support
Manage the Configuration
Control of the process of managing the configuration that satisfies the business
to account for all IT components, prevent unauthorized alterations, verify physical
existence and provide a basis for sound change management
- Key Goal Indicators
- Key Success Factors
- Key Performance Indicators
- Resources

DS9 Maturity Model
0 Non-Existent
1 Initial / Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed & Measurable
5 Optimized

COBIT/ITIL Mapping for DS9 Manage Configuration
COBIT DS9 Manage Configuration

Critical Success Factors
- Establish owners of all configuration elements & maintain inventory and change control
- Enforcement of release management policy
- Integration with procurement & change management process

Key Goal & Performance Indicators
- Reduction in number of variances between accounts and physical situations
- Usage index of information for proactive actions, including preventive maintenance & upgrade
- Quality index of information, age, changes applied, status and related problem criteria

ITIL Configuration Management

Critical Success Factors
- Control of IT assets
- Support, integration and interfacing to all ITSM processes

Key Performance Indicators
- % reduction in number of configuration items (CI) attributes errors found in CMDB
- % increase in the number of CIs successfully audited
- variances between accounts and physical situations
- Reduce % of change failures and improve incident resolution time using accurate configuration data
- % reduction in HW & SW costs

DS9 Critical Success Factors

- Owners are established for all configuration elements and
are responsible for maintaining the inventory and
controlling change
- Information is maintained and accessible, based on up-to-date
inventories, and naming conventions
- Integration with Procurement and Change Management

DS9 Information Criteria
- Primary:
- Effectiveness
- Efficiency
- Confidentiality and integrity
- Secondary:
- Availability
- Compliance
- Reliability

DS9 Key Goal Indicators
- % of IT Configuration identified
- % of IT Configuration accounted for
- Reduction in number of variances between accounts and physical
situations
- Quality index information, including the interrelationships, age,
changes applied, status and related problem criteria
- Usage index of information for proactive actions, including preventive
maintenance and upgrade criteria

DS9 Key Performance Indicators
- % of Configuration components [data] updated
automatically
- Frequency of physical verifications
- Frequency of exception analysis
- Time lag between modification to the configuration and
the update records
- Number of releases
- % of reactionary changes

DS9 Maturity Model
0 Non-existent
Management does not appreciate the need for a process to manage hardware or
software
1 Initial / Ad Hoc
Recognized need, basic inventories, no standard.
2 Repeatable but Intuitive
Implicit reliance on personal knowledge and expertise. Some tools. No
consistent working practices.
3 Defined Process
Accuracy is enforced, documented practices, consistent tools, some automation,
information used by other processes.
4 Managed and Measurable
Implicit reliance on personal knowledge and expertise. Some tools. No consistent
working practices.
5 Optimized
All components are managed, interrelationships exist, audit reports, authorized
software installation, asset tracking.

Example of Process Maturity

[Figure: chart of process maturity on the 0 to 5 scale for: AI2 Acquire/Maintain Software, AI3 Acquire/Maintain Tech Infra, DS1 Service Levels, DS10 Problems and Incidents, DS12 Manage Facilities, DS13 Manage Operations, DS6 Manage Change, DS9 Configuration, PO9 Assess Risk.]

Compliance Status at a glance

Summary

Summary
- IT Governance is important to most aspects of the
business not just the IT department
- The use of control frameworks (COBIT) provides the
guidelines to the controls needed to ensure good IT
Governance
- ITIL processes allow for automation and repeatability of
processes to deliver constantly
- Governance is not only mandatory, it adds competitive
edge to your organisation

IT Governance Benefits
[Figure: CobiT provides the common language & framework. Panels plotted over time: Aligned (business support), Secure / Controlled (IT risks), Better (service quality), Faster (service delivery time), Cheaper (cost), and stakeholder value.]
Ref: Price Waterhouse Coopers

Questions
