
Business Name:

Address:
Business Contact Name:
Email
Phone #
Instructions

This self-assessment is designed to help you identify the outcomes that are necessary in 25 key domains to
achieve the desired capability of your IT operational model transformation in support of a journey to cloud implementation.
On the following page you will find 25 domains of questions in four main categories, with descriptions of the capability at
each level of the maturity model.
How to complete the assessment
1. Define your Business and IT Goals (on this page)
2. Define the Cloud Value proposition desired state description & time frame for implementation
3. Define Cloud Service Capability desired state description & time frame for implementation
4. Complete the analysis page and evaluate each question and:
• Rank your current state in the current state column
• Rank your future state requirement in the future state column based on the capability you wish to achieve in your IT
operational model transformation/cloud implementation and your business and IT goals
• Identify which business goals and IT goals are contributed to by the transformation of the question
• Rank the contribution to the desired cloud capability: Value Proposition Rating (rate each in importance using numbers 1
to 5; 1 = most important, 5 = least important)
• Identify the urgency to achieve the transformation (1-5): Urgency Rating (rate each in importance using numbers 1 to 5;
1 = least important, 5 = most important). Consider this as a timeframe measure:
     5 = 6 months
     4 = 12 months
     3 = 18 months
     2 = 24 months
     1 = Greater than 24 months
Your results will be tabulated and presented in a radar chart at the bottom of the page. These results can then help you
identify the projects that should be done to achieve your desired capability. The current questionnaire ratings are
placeholders and need to be erased before you add your information.

Business Goals

Business IT Goals
Acronyms

Acronym Full Name


AI Artificial Intelligence
API Application Programming Interface
APM Application Performance Management
ATIS Alliance for Telecommunications Industry Solutions
BCP Business Continuity Plan
CAPA Corrective and Preventative Actions
CAPEX Capital Expenditure
CDMI Cloud Data Management Interface
CEN Comité Européen de Normalisation
CENELEC Comité Européen de Normalisation Electrotechnique
CERT Computer Emergency Response Team
CIMI Cloud Infrastructure Management Interface
CMDB Configuration Management Database
CMS Configuration Management System
COE Centers of Excellence
CSA Cloud Security Alliance
CSC Cloud Standards Coordination
CSCC Cloud Standards Customer Council
CSMIC Cloud Services Measurement Initiative Consortium
CSP Cloud Service Provider
DHCP Dynamic Host Configuration Protocol
DL Deep Learning
DMTF Distributed Management Task Force
ELT Extract Load Transform
ENISA European Union Agency for Network and Information Security
ERP Enterprise Resource Planning
ESB Enterprise Service Bus
ETL Extract Transform Load
ETSI European Telecommunications Standards Institute
FaaS Function as a Service
FOSS Free Open Source Software
FSA Financial Supervisory Authority
GICTF Global Inter-Cloud Technology Forum
HA High Availability
HLUC High-Level Use Case
IaaS Infrastructure as a Service
IAC Infrastructure as Code
IAM Identity and Access Management
IEC International Electrical Commission
IEEE Institute for Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IIS Internet Information Services
ILM Information Lifecycle Management
IOP Interoperability
IoT Internet of Things
IPaaS Integration Platform as a Service
IPAM IP Address Management
ISO International Organization for Standardization
ITIL IT Infrastructure Library
ITSM IT Service Management
ITU International Telecommunication Union
ITU-T ITU Telecommunication Standardization Sector
JIT Just-In-Time Compilation
KPI Key Performance Indicator
LOB Lines of Business
MCC Mobile Cloud Computing
MDM Mobile Device Management
ML Machine Learning
MoU Memorandums of Understanding
NFV Network Functions Virtualization
NIST National Institute of Standards and Technology
NOC Network Operations Center
OASIS Organization for the Advancement of Structured Information Standards
OCCI Open Cloud Computing Interface
ODCA Open Data Center Alliance
OGF Open Grid Forum
OLA Operational Level Agreement
OPEX Operational Expenditure
OSI Open Systems Interconnection
OSS/BSS Operations Support System/Business Support System
OSS/BSS Operational Support System / Business Support System
PaaS Platform as a Service
QoS Quality of Service
QuEST Quality Excellence for Suppliers of Telecommunications
RPO Recovery Point Objective
RTO Recovery Time Objective
SaaS Software as a Service
SAML Security Assertion Markup Language
SDN Software Defined Network
SDO Standards Development Organization
SIEM Security Incident and Event Management/Monitoring
SLA Service Level Agreement
SLO Service Level Objective
SNIA Storage Networking Industry Association
SOA Service Orientated Architecture
SOX Sarbanes-Oxley Act
SSO Single Sign-On
STaaS Storage as a Service
TGx Task Group 1 to 3 of CSC
TIA Telecommunications Industry Association
TMF TeleManagement Forum
TOG The Open Group
VM Virtual Machine
VPN Virtual Private Network
WAN Wide Area Network
XaaS "X" as a Service
Process for Using this Excel to perform a CMM based Analysis and build a Hybrid IT Roadmap
For detail see ODCA CMM v3.0 Usage Model
Step
1.    Define analysis scope: The first step in defining an analysis scope is
defining the use cases that have to be enabled for the enterprise. Some
example use cases are discussed in this CMM document.

2.    Identify stakeholders: Based on the identified Use Cases, the next step
would be to identify interested, impacted and participating parties for each
domain, pertinent to the important Use Case.

3. Perform assessment: The following step is to assess the environment
based on the defined Use Case for each domain relevant to that Use Case.
This will be in context of people, process and technology. The CMM Excel-based
domain questions and outcomes provide a good foundation for this
analysis. An initial pass of all 25 domains can be done by a management
team by answering the key questions, but the in-depth questions will need to
be answered by subject-matter experts. The key questions are highlighted
in yellow on the spreadsheet.

4. Identify Barriers: When planning a roadmap to enable Hybrid IT, the
experienced analyst also considers which barriers they will have to overcome.
There are a few common ones in this area, which should be considered per
domain, during the analysis:
1.       Do Cloud Skills Exist
2.       Are there unique applications in the environment that inhibit
cloud use
3.       Is there a perception of "entitlement"
4.       Are there Union driven Job Classifications
5.       Does leadership provide a Mandate to move to Cloud
6.       Is there a compensation scheme supporting Cloud Adoption
For each of these, a solution will need to be found, considering the leveraging
of hierarchy, culture, structure, and business strategy.

5. Consolidate results: Review the results of the analysis in context with what
is a probable desired state, and consider the real impacts and priorities of
any gaps / changes required per domain. Also consider which frameworks,
standards, tools or methods would best be applied to help close the defined
gaps for each domain.
6. Identify gaps between current and target maturity levels, and develop
closure actions: Based on the result of the analysis per selected domain, create
a practical implementation plan of change actions (from the previous step) that
groups and synchronizes any changes and actions into logical bundles. This
should result in a project plan of some sort.

7. Create report incl. assessment results, suggested roadmap and actions:
Create a management level report which identifies the key gaps and the
impacts of these on the organizational objectives, as well as the proposed
closure actions, proposed timelines, and the amount of estimated effort
required to perform these actions. Also identify a set of proposed measures
(in context of Business Objectives / defined Use Case) to quantify progress
through the changes,

Activities
Define the target scope, including for example:
·   overall intended scope and objectives for cloud services
·   specific target use cases required, & the enabling cloud service models
·   select the domains relevant to each use case
·   identify the target CMM levels (per use case)
·   specify the timeline and milestones per use case / quality gates
·   basic conditions and project risks
Identify relevant stakeholders and personnel to interview

Agree interview schedule

Conduct interviews

Review existing documentation, processes, methods, strategies and
problems.

Consolidate Barriers

Consolidate result documentation

Reconcile draft results with stakeholders and interviewees (if required)


Identify potential gaps between assessment results and targeted
Maturity level

Develop closure requirements / actions between current and target
maturity levels per domain.

High level resource estimation and action timing

Create report including:

·   Assessment results

·   Roadmap of actions

·   Gap closure plan between current and target Maturity Levels

·   Draft Project charter


·   Barrier elimination projects
Result
Analysis charter: A clear mandate, scope statement including target Use Case/s to enable, and the
timeline in which those Use Cases should be delivered, and list of overall objectives that the analysis
should address.

Interview schedule: Based on the selected Use Case/s, relevant Domains are selected, and the
appropriate stakeholders for each domain can be identified. This schedule should list the stakeholders
to be interviewed, as well as listing what information needs to be obtained from each one.

Resulting Preparation: The following documents would normally be created in preparation for the
analysis:
1.       A list of questions and possible outcomes per domain, specifically appropriate to the
selected Use Case/s, compiled into a single “audit” document
2.       A short slide overview to introduce the stakeholders to the audit, providing objectives for
the audit, timeline, and setting feedback expectations

3.       A statement of the desired target state per domain, based on executive management
inputs, against which current state will be audited

Resulting documentation: Produce a Pareto chart of barriers and identify the most common barriers
that will need to be eliminated

Resulting documentation: The following documents would normally be outputs of the analysis:

1.       Statement of Current State of the selected domains, and any key problems identified
that may prevent achievement of the selected Use Case/s and enterprise objectives
Roadmap for maturity level achievement / Hybrid IT establishment:

Define a set of steps needed to move each domain from current state to target state, including
suggested reference models, recommended frameworks and standards, as well as actions needed in the
process and people layers per domain.
Produce a logical grouping of actions across the involved domains to increase project efficiency, simplify
the tasks overall, and maximize sharing/single efforts at once between domains.
Resulting Report: The following documents are suggested outputs of the analysis and Hybrid IT
Roadmap:

1.       Written gap Analysis between Current and Target State, per domain, including impacts of
the gap, and recommended frameworks/standards/models to incorporate to close the gaps,
with a benefit summary of each. (This represents the Roadmap to Hybrid IT enablement at the
required levels)

2.       A draft project plan for closing the gaps, with timing and logical grouping of activities

3.       An executive management overview presentation showing what needs to change and
what the resource requirements may be to achieve it in the desired timeline, mapped to the
overall resulting benefits.
Radar Chart

Domain Today 2 Years


1. Finance 0.0 0.0
2. Enterprise Strategy 0.0 0.0
3. Structure 0.0 0.0
4. Culture 0.0 0.0
5. Skills 0.0 0.0
6. Compliance 0.0 0.0
7. Governance & Controls 0.0 0.0
8. Business Process 0.0 0.0
9. Procurement 0.0 0.0
10. Commercial 0.0 0.0
11. Portfolio Mgnt 0.0 0.0
12. Projects 0.0 0.0
13. Operations (IT) Processes 0.0 0.0
14. Management Tools 0.0 0.0
15. Security 0.0 0.0
16. Information Lifecycle Management 0.0 0.0
17. DevOps 0.0 0.0
18. PaaS 0.0 0.0
19. IPaaS 0.0 0.0
20. IT Architecture 0.0 0.0
21. Applications 0.0 0.0
22. SaaS 0.0 0.0
23. Data 0.0 0.0
24. IaaS 0.0 0.0
25. STaaS 0.0 0.0
26. Network 0.0 0.0
27. AI 0.0 0.0
28. IoT 0.0 0.0
29. Mobility 0.0 0.0
30. API's 0.0 0.0
31. ConfigMgt 0.0 0.0
[Radar chart: one axis per domain, 1. Finance through 31. ConfigMgt; radial scale marked 0, 0.5 and 1]
Domain Descriptions

Finance Domain
Considers the financial management, control and budget processes necessary to enable cloud services when moving from CAPEX to OPEX models

Enterprise Strategy Domain
Contains capabilities such as:
·   Business motivation,
·   Expected benefits,
·   Guiding principles,
·   Expected costs, and funding models.
·   Capabilities such as service selection and service-level agreements (SLAs) also gain relevance in cloud initiatives

Culture Domain
Contains the mindset and behavior pattern that:
·   Supports the business with choice (says yes not no), and facilitates innovation, and demonstrates flexibility,
·   Transformed from being a supplier to being a business partner.
·   Nurtures innovative practices through self-service and automation.
·   No technology silos,
·   Is committed to being efficient, fast and service oriented where a service is measured from a customer's point of view not IT’s

Structure Domain
Contains capabilities related to:
·   Development of organizational competency (work) around cloud computing,
·   Organizational structure and new tasks

Governance & Controls Domain
This area considers the process and technology updates that should be integrated into an existing environment, to deal with and control cloud and any ext

Skills Domain
Contains capabilities related to:
·   Competency in cloud implementation Skills
·   Business process knowledge,
·   Emerging standards & technology knowledge such as open source, OpenStack, Cloud Foundry and cloud native application development,
·   DevOps methods of Continuous Integration and Deployment,
·   Big data technology, and data lake architecture, Six Sigma, ITIL v3 and IT4IT Operational models

Compliance Domain
Compliance in general means to fulfill laws and regulatory requirements, specifications and standards as well as specific demands imposed by other extern
Examples from the perspective of a certain enterprise:
Law: publish yearly financial statement
Regulatory: Validate Computer System when manufacturing medical devices
Specifications and Standards: transmitting unit in Wi-Fi devices needs to use certain frequencies incl. a maximum deviation
Specific demands of external party: a customer expects a certain interface for data exchange with e.g. ERP system
Internal stakeholder: a foreign subsidiary requires a process or IT system to be designed in a certain manner

Business Process Domain
Contains capabilities related to:
·   How the business processes are structured and designed
·   What processes are deemed support/shared and which are unique to the business unit

Procurement Domain
Contains capabilities related to:
·   The Procurement Processes are cloud aware,
·   The Procurement Tooling is cloud aware,
·   Training and Development performed for supporting organizations,
·   Sourcing & contracting have been updated to accommodate cloud,
·   A Cloud Service Catalogue exists,
·   Reporting is updated to monitor and measure cloud services

Commercial Domain
Contains capabilities related to:
·   Cloud Contract templates,
·   Processes updated to accommodate cloud service delivery,
·   Key performance indicators exist for cloud based services,
·   Partner & Client Interactions updated for Cloud service delivery, and
·   Costs of a service billed to the consumer of the service.

Portfolio Management Domain
Contains capabilities related to:
·   Consistent methodology for product and service development at both business and enabling technology layers
·   Project Initiation updated to enable innovation and “cloud first” thinking,
·   Standardized online documentation for services and products, which enables effective selection and matching of enabling and underpinning offerings

Projects Domain
Projects are enabled by means of defined processes, blueprints, skills, and governance frameworks. This domain considers some of the key cloud enablers

Technical Base Domain
Standard questions to be applied in conjunction with all technical domains.

IT Applications Domain
Contains modernized and optimized applications ecosystem that:
·   Are service oriented, API accessible, fully aligned to business needs and cost effective
·   Able to be migrated to a Hybrid cloud delivery model.
·   Contains hybrid cloud application design mechanisms
·   Supports cloud native application design.
·   Utilizes RESTful API, microservices, container models of application design

Architecture Domain
Contains capabilities related to:
·   The definitions of the overall architecture and guidelines for various practitioners to ensure adherence to the architecture.
·   Capabilities fundamental to cloud architectures such as:
o   Resource pooling,
o   Interoperability, and
o   Self-service
·   Enterprise architecture program defined:
o   Policies,
o   Principles and
o   Architecture domains
o   Technology standards & roadmaps enforced. Cloud Native Patterns and Code samples

Management Tools Domain
Contains capabilities of tools that:
·   Manage & monitor all technology,
·   Enable ITIL V3 Processes, IT4IT Value chain models, End to end service monitoring.
·   Provide Integrated portfolio management system,
·   Enterprise architecture system.
·   Service catalogue with workflow,
·   Integrated test management and software development environment,
·   IT asset management,
·   IT Automation and Cloud service provisioning

Operations (IT) Processes Domain
Contains capabilities related to:
·   Enables 24x7, business continuity, data center fail-over and
·   ITIL Version 3, Service Strategy, Design, Operations, and continuous improvement processes.
·   Asset Management, Workforce Management and Service design, build and test development processes.
·   Integrated IT Value chain (Open Group IT4IT model). That service life cycle is captured in the four IT Value Streams:
o   Plan (Strategy to Portfolio)
o   Build (Requirement to Deploy)
o   Deliver (Request to Fulfill)
o   Run (Detect to Correct)

DevOps Domain
DevOps is a framework that allows development, quality assurance, and operations to meet customer needs. It contains capabilities related to:
·   Integrating Development and Operations teams to facilitate communication, collaboration, and integration to manage today’s rapidly changing busin
·   It enables Developers to provision, change and manage their development environments without IT operations involvement
·   It enables Developers to promote to production cloud native applications without IT Operations involvement
·   It enables both conventional application development acceleration and cloud native application development techniques

Security Domain
Contains capabilities to enable:
·   Single sign on access,
·   Role based identity management
·   Real time per transaction authentication for SaaS Integration.
·   Detection and auto response mechanism to all threats at any level of the OSI model

IaaS Domain
Contains capabilities related to:
·   Provision processing, storage, networks, and other fundamental computing resources
·   Enabling a consumer to be able to deploy and run arbitrary software, which can include operating systems and applications.
·   The subscriber does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applica
·   The subscriber may also have possibly limited control of select networking components (such as host firewalls).

PaaS Domain
Contains capabilities related to:
·   Deploy onto the cloud infrastructure subscriber-created or acquired applications created using programming languages, libraries, services, and tools s
·   The subscriber does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has con
the application-hosting environment
·   The provider provides platform services such as Apache Tomcat, JBoss, .NET, Cloud Foundry to develop applications
·   The provider provides database as service, such as Oracle, Microsoft SQL, Cassandra, Mongo, Maria, Vertica etc.

STaaS Domain
Contains capabilities related to:
Storage as a service (STaaS) is a cloud service that provides a platform to support users, applications, and data projects with Storage
·   Storage services include Elastic:
o   Object storage
o   Block storage
o   File storage
·   Off-premises "Dropbox" services
·   One location for all data across the enterprise using a global file system
·   Ability to sync files across any device, PC, server
·   Data Encryption at rest and in transit

SaaS Domain
Contains capabilities related to:
·   The Servicer (software) provider’s applications running on a Service provider’s infrastructure.
·   The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based ema
·   Applications are integrated with internal applications and data stores

IPaaS Domain
Contains capabilities related to:
·   Integration platform as a service (iPaaS) is a cloud service that provides a platform to support application, data and process integration projects, usua
premises systems.
·   iPaaS delivers some combination of capabilities that are typically found in enterprise service buses (ESBs), data integration tools, B2B gateways, mana
·   IT departments, line of business developers, mobile application development teams, application teams and even business users (aka "citizen integrat
integration interfaces (or "integration flows") in the cloud.

Information Lifecycle Management Domain
Contains capabilities to enable:
·   Capture, manage, retain, retrieve and deliver information according to its business relevance and specific industries
·   Information Management Lifecycle process enforcement from creation to disposal
·   Record retention policy enforcement
·   Backup and archiving policy enforcement
·   Efficient use of hierarchical storage technology
·   An enterprise to go beyond storage management to information management by application, data classification, and business function.
·   Backup services for applications, services and PCs
·   Data Archiving services
·   Deduplication services

Data Domain
Contains the capability of:
·   Information stored in data lake architecture or a storage as a service model that is a highly scalable, high performance, easily accessible, cost effective
·   Enables data virtualization of structured and unstructured data
·   Promotes a shift from ETL (Extract, Transform, Load) to ELT (Extract Load Transform) of data.
·   Enables Insight and Foresight reporting based on aggregated unstructured and structured data versus conventional Hindsight reporting based on stru

Network Domain
Contains the capability of:
·   Designing and operating a network to support cloud connectivity with the enterprise

AI Domain
Contains the capability of:
·   The ability to apply Artificial Intelligence (AI) and Machine Learning (ML) to disciplines of Cloud Operations, Hybrid IT, and cloud-native Software Deve
o   Enabling greater effectiveness and efficiency in managing on-premises and off-premises cloud environments
o   Mitigating risk in cloud environments
o   Using AI for detecting atypical patterns of behavior and performance in Cloud infrastructure, its operators, and external threats
o   Improving decision making as it relates to IT/Operations management and procurement
o   Making AI/ML/DL training/learning platforms available as a service (AIaaS / MLaaS / DLaaS)

IOT Domain
Contains the capability of:
·   IOT use, skills and implementation in an organization
·   Being able to map and report business objectives against specific metrics
·   Having services defined in the IOT space

Mobility Domain

API Domain
Contains the capability of:
·   How the organization consumes and uses APIs,
·   How API management focuses on the planning, design, implementation, publication, operation, consumption, maintenance, and retirement
·   Associated API services.
The overall goal is to make use of APIs easy, cost effective, secure, and sustainable to allow organizations to drive value from the APIs they use

Config Mgt Domain
Contains the capability of:
·   Ensuring use of the cloud aligns with the organization's Configuration Management process while still enabling the organization to realize the benefit
Use Cases

Describe what you want to achieve by implementing this solution. Some categories of business value are:
• Improve efficient use of Infrastructure resources,
• Increase velocity of Infrastructure, platform and application provisioning time,
• Support flexible and rapid capacity supply,
• Improve overall quality of service
Describes business enablement capability you wish to support such as the Democratization of IT

Common use cases


1. The ability to rapidly provision infrastructure as a service and platform as a service from a private, public or commu
cloud for development and test systems
2. The ability to integrate software as a service with back office systems
3. The ability to provide on-premises data residency for software as a service implementations
4. The ability to deliver datastores as a service (relational, object, KV, graph, etc.) from a private, public or community
cloud for development and test applications
5. The ability to deliver middleware and similar platforms (e.g. JBoss, .NET, Apache, Tomcat, Citrix, IIS) from a private
public or community cloud for development and test applications
6. The ability to begin experimenting with cloud native applications (i.e. running on OpenStack and Cloud Foundry)
7. The ability to rapidly provision infrastructure as a service and platform as a service from a private, public or commun
cloud for production applications with full operations support and integration with service and operational
management systems and processes
8. The ability to deliver datastores as a service (relational, object, KV, graph, etc.) from a private, public or community
cloud for production applications with full production support and integration with service and operational
management systems and processes
9. The ability to deliver middleware and similar platforms (e.g. JBoss, .NET, Apache, Tomcat, Citrix, IIS) from a private,
public or community cloud for production applications with full operations support and integration with service and
operational management systems and processes
10. The ability to migrate production workloads from a private, public or community cloud to a separate private, public
community cloud provider, on demand (SLA driven, peak load times, financial drivers, etc.)
11. The ability to develop and deploy production-ready cloud native applications (i.e. running on OpenStack and Cloud
Foundry)
12. The ability to dynamically manage production workloads with a combination of traditional and cloud native applicati
associated middleware and infrastructure, providing geographic redundancy while maintaining SLAs for a peak busi
event; utilizing internal on-premises, two or more public or community cloud providers

Customer Specific Use cases


6 months 12 months 18 months 24 months
Cloud Service Capability Desired State Description

Check off the service portfolio and capability you wish to support by your cloud
implementation

Infrastructure as a Service
Physical Server Provisioning (bare metal)
RHEL 6.3 Application Server (Virtual Machine with Vanilla OS)
Windows 2008 R2 SP1 Application Server
Windows 2012 & Windows 2012 R2 (Virtual Machine with Vanilla OS)
OpenStack Distro (Helion OpenStack)
Create/delete & configure load balancers
Object Storage
Block Storage
File Storage
Hypervisor Support
VMware ESX
KVM
Hyper-V
Integration Platform as a Service
Informatica
Dell Boomi
Mulesoft
SAP
SnapLogic
IBM
Platform as a Service
IIS 8.0 on WIN2012 R2
Apache 2.2 on RHEL 6.0
Tomcat
JBoss
Windows Azure
Amazon Web Services
Cloud Foundry (Helion Development Platform)
Docker container
Database as a Service
Oracle
MS-SQL
Cassandra
MongoDB
Maria
Software as a Service
Salesforce.com
Force.com
Workday
Etc.
Storage as a Service
Elastic Object storage
Elastic Block storage
Elastic File storage
Off-premises "Dropbox" services
One location for all data across the enterprise using a global file system
Ability to sync files across any device, PC, server
Backup services for applications, services and PCs
Data Archiving services
Deduplication services
Record Retention Management services
Data Encryption at rest and in transit
Application Ecosystem Provisioning
Ability to provision complete 3-tier application/infrastructure/platform/database/network in
one provisioning activity
Management Services
Replication service

Server Management: Service Request/Ordering, Power features (reboot, reset, shutdown,
off, on), Snapshot, Restore snapshot (restore data and state of the last snapshot), Edit server -
edit CPU, MEM, disk configuration, Rebuild Server - rebuild OS, wipes all data, Contract
Mgmt.
Application monitoring
Backup Services
Cloud Native application Development
Openstack Management tools (Chef, Heat, Puppet)
Columns: On-premises (Development, Integrated Test, Production); Off-premises (Development, Integrated Test, Production); Timeframe (6 months, 12 months, 18 months, 24 months)
Barriers

Identify Barriers:
When planning a roadmap to enable Hybrid IT, the experienced analyst also considers which barriers they will have to overcom
few common ones in this area, which should be considered per domain, during the analysis:
1. Do Cloud Skills Exist
2. Are there unique applications in the environment that inhibit cloud use
3. Is there a perception of "entitlement"
4. Are there Union driven Job Classifications
5. Does leadership provide a Mandate to move to Cloud
6. Is there a compensation scheme supporting Cloud Adoption

Consolidate Barriers:
The process of consolidating barriers into a Pareto chart requires the assessor to make a judgment call on the unstructured co
collected into categories. Here is a list of common categories of barriers. This is a starting point. You may find very unique cate
enterprise when doing the assessment
1. Process design, ownership (accountability), or handoff (inter-process accountability) problem
2. Management or Measurement system problem
3. Policy, rule, value or belief conflict
4. Job description, skills or organizational problem
5. Information system: Application System is inadequate, or nonexistent
6. Information System: Data is not collected or available
7. Information system: Infrastructure is inadequate, or nonexistent
8. Information system: Service or Service Levels inadequate, or nonexistent
9. Physical layout or location problem
10. Service Delivery technology problem
11. Corporate culture issue
12. IT Governance
13. Lack of leadership problem

Resulting documentation:
Produce a Pareto chart of barriers and identify the most common barriers that will need to be eliminated.
For each of these, a solution/project will need to be included in the Hybrid IT transformation plan considering the leveraging o
culture, structure, and business strategy.
Cost /Benefit Summary Page

Content acknowledgement: several of the categories of benefits and costs are taken from the ISACA whitepaper: Calculating Cloud ROI from the Customer Perspective
Benefits
Tangible Description
1
Capex Cost reduction: Computing cost is shifted from a capital
expenditure to an operational cost because the cloud provider
supplies the underlying infrastructure as part of the service bundle.
In addition, the cloud promises a cost reduction in the following
areas:
• Hardware costs
• Application software (SaaS only)
• Licensing purchase and maintenance
• Technical support and user support
• Hosting (physical building, power, cooling, etc.)
2 Opex Cost Reduction/Transformation: Reduction in Maintenance,
administration and support costs
• Labor—IT system administration hours/headcount MAC
• Maintenance (upgrades, updates, patches, etc. Provisioning.)
• Labor- Provision labour for infrastructure
• Labor- Provision labour for platform
• Labor- Provision labour for patch management
3
Enhanced productivity (change of maintenance to innovation
ratio):  User mobility and ubiquitous access can increase
productivity. Collaborative applications increase productivity and
reduce rework however you need labour to accomplish this.  By
moving to cloud approach the Maintenance to Innovation ratio of
labour changes and more time is available for innovation projects
4
Optimized resource utilization: Enterprises use only the computing
resources they need, thus reducing system idle time waste.
Supports seasonal or peak/event capacity demand
5
Improved security/compliance: Public Cloud providers may offer
robust security controls as a market differentiation. However it
depends on the security service level that is purchased from the
cloud provider
6
Access to skills and capabilities: Public cloud customers benefit from
top-notch skills and capabilities while avoiding employment costs
(recruiting, salary, benefits, training, etc.).
7
Access to the best applications: Application providers are now bringing
the best features to the cloud versions of applications first. Some
applications are only available as SaaS
8
Access to complex applications such as Big Data tools: that would
require extensive infrastructure and application and skilled labour
costs
9 Scalability: On-demand provisioning of computing resources
eliminates some of the cost of capacity planning.
10 Agility: Agility contributes to cost reduction and productivity
enhancement due to faster provisioning of systems:
• Faster application deployment (SaaS)
• Faster application development/testing (PaaS)
11
Customer satisfaction: Effective utilization of cloud applications can
increase collaboration between the enterprise and its customers or
reduce response time to customer inquiries.
12
Reliability: Cloud providers have redundant sites that can address
business continuity and disaster recovery in a more efficient
manner.
13 Availability: Cloud Providers can now guarantee 7x24 availability
14
Performance: Better performance and up-time can result from
continuous and consistent operations monitoring by the cloud
provider. Public cloud can also guarantee response time of a service
15 IT Transformation: Ability to improve key IT KPIs by better than 30%
Intangible
1
Avoidance of missed business opportunities (how many
opportunities were missed because there is no labour to build
system)
2 A cloud application (SaaS) may be the critical element to land a
new business or expand into new markets.
3 Ability to focus on core business: IT resources can be allocated to
support core business functions not just IT work.
4
Employee satisfaction/innovation: Mobility and faster
performance can improve employee satisfaction and boost
innovation.
5
Collaboration: Real-time collaboration can increase quality and
innovation if a cloud service is implemented that facilitates cross-BU
collaboration
6 Risk transfer : Some risk can be transferred to the CSP (e.g.,
7 Strategic Alignment: ability to contribute to corporate goals
8 Company Capability: ability to improve capability of company
9 Legal/audit: ability to improve audit compliance or reduce time to
demonstrate
10 Technical alignment: to Company strategy
Total Benefits

Costs
Upfront costs (Public or Private Cloud)
1
Technical readiness: Some investment in bandwidth may be
necessary to accommodate the new demand for network/Internet
access. Other
2 Infrastructure components: may need to be upgraded to integrate
with cloud services.
3 Security Gateway: may need to be integrated to support SaaS
Integrated Data stores: may be required if data residency policy
requires that data cannot leave a company's data centre
4 Implementation Professional services: may be needed for
managing the transition to the cloud.
5
Integration Professional services: may be needed for Application
Transformation, integrating in-house and Private and Public cloud
services into a hybrid IT services model.
6 Configuration/customization: This applies to customer-based
configuration for SaaS applications.
7
Training: IT resources may require training to manage cloud vendors
and services. Users may need training on new applications.
8
Organizational change: Processes may require some reengineering
to accommodate cloud-specific needs (e.g., change management,
resource utilization monitoring, user access provisioning, internal
audit).
Public Cloud Recurring costs
1
Public Cloud Subscription fees: These will comprise agreed-on
periodic fees (monthly, quarterly, yearly) for the use of cloud
services. It also includes usage fees
• Compute
• Storage
• Network
• Data transfer costs
• Software
• Support & Maintenance cost
2
Change management: These may comprise the cost associated with
the change management process and any cost incurred when
requesting system changes.
3
Vendor management: These are costs associated with monitoring
CSP activities, contract management, service level agreements
(SLAs) monitoring and enforcement, or any other activity geared to
manage service delivery and evaluation.
4
Cloud coordination: For enterprises running more than one cloud
service, a cloud coordination group is necessary to ensure
integration and consistency.
5
End-user support and administration: Some of these costs will be
part of the subscription fee while some may be retained by the
enterprise.
6
Downsize/upsize: Unless otherwise specified in the contract, some
vendors may charge for downsizing or upsizing computing
resources.
Public Cloud Termination Cost
1
Revert to on-premises or transfer to a different provider: The
enterprise may need to revert to an in-house model when/if new
regulations or economic problems render the cloud impractical.
Some of the possible costs are:
• Extracting data from the cloud and validating their accuracy and
completeness
• Cost to sanitize or shred data from cloud storage and processing
hardware
• Configuration and provisioning in-house systems to replace cloud
services
• Penalties for early termination
• Reallocation or recruitment of IT resources to support services
being reverted
• Reallocation or procurement of physical resources to host services
being reverted
IT Operating Model Transformational Costs
1 Finance
2 Enterprise Strategy
3 Structure
4 Culture
5 Skills
6 Compliance
7 Governance & Controls
8 Business Process
9 Procurement
10 Commercial
11 Portfolio Mgnt
12 Projects
13 Operations (IT) processes
14 Management Tools
15 Security
16 Information Lifecycle Management
17 DevOps
18 PaaS
19 IPaaS
20 IT Architecture
21 Applications
22 SaaS
23 Data
24 IaaS
25 STaaS
Total Costs
en from the ISACA  whitepaper: Calculating Cloud ROI from the Customer Perspective

Relevant
Relevant

Dollars Saved
Dollars Spent
Reasoning
Reasoning
Indirect Benefits score

Reasoning
Indirect Benefits
Finance Domain
Contains capabilities such as:
Financial management,
Control and budget processes necessary to enable cloud services when moving from CAPEX to OPEX models
Is this domain relevant? Yes/ No

Control Question: Is cloud awareness Training and Development performed for supporting enterprises
CMM 0 (None): No cloud awareness training done

People

Control Question: Has the organizational structure been updated to enable Cloud based Service delivery
CMM 0 (None): Non cloud-aware structure exists

Control Question: Are the costs of a service billed to the consumer of the service?
CMM 0 (None): Each unit has independent budget for IT. There is no usage based billing process for the IT Costs to the business

Control Question: Do Key Performance Indicators exist for cloud based services?
CMM 0 (None): No cloud related KPI's exist

Control Question: Is there an Incentive Scheme for creative Cloud adoption?
CMM 0 (None): There is no incentive scheme in place

Processes

Control Question: Is Project Funding biased towards cloud enablement projects
CMM 0 (None): Funding criteria do not consider cloud

Control Question: Is there a formal migration of IT investment from CAPEX over to OPEX to bring IT costs in line with production revenue
CMM 0 (None): There is no active management of a migration towards OPEX

Control Question: Is Financial Reporting and Monitoring in place to monitor and measure cloud services
CMM 0 (None): Financial reporting ignores cloud

Technology

CMM 1 (initial, ad-hoc): Finance team understand the generic commercial models for cloud services
CMM 2 (repeatable, opportunistic): Finance team are trained about cloud, and the specific commercial models that the business is applying, as well as the benefits it seeks from these investments

CMM 1 (initial, ad-hoc): Whoever encounters a cloud investment deals with it in their own way
CMM 2 (repeatable, opportunistic): Responsibility for cloud investments is clearly assigned to the appropriate role players, as defined points of contact according to a structured process

CMM 1 (initial, ad-hoc): IT Costs are handled by a common IT budget, kept within IT. Some projects are paid for by business on a non-usage based level
CMM 2 (repeatable, opportunistic): Yes, costs are billed to the main departments (Production, Management, R&D, …), but only 1 -2 times a year, on a pre calculated long term pricing model (maybe fixed for 2 years)

CMM 1 (initial, ad-hoc): Success of cloud services is evaluated by different roles on an ad-hoc basis. There is no common definition of success from a financial perspective.
CMM 2 (repeatable, opportunistic): Financial KPI's are used to measure the success of the implementations against specific financial objectives for cloud based services

CMM 1 (initial, ad-hoc): General innovation framework exists, but does not address cloud concepts or incentivisation specifically - no formal budget item exists
CMM 2 (repeatable, opportunistic): Ideas are mailed to and evaluated by "the experts", without formal management support. Employees receive individual responses to their idea, and each manager may determine financial incentives independently for this

CMM 1 (initial, ad-hoc): Each project is independently funded according to its needs
CMM 2 (repeatable, opportunistic): A defined budget exists for the enablement of the enterprise for using cloud services, and projects draw from this according to their use of cloud

CMM 1 (initial, ad-hoc): Constant drives exist for overall cost reduction
CMM 2 (repeatable, opportunistic): Focus is defined on selected cost reduction areas, and objectives are defined for specific elements which often lead to moving to pay-per-use services

CMM 1 (initial, ad-hoc): CAPEX investments are collected, analyzed, and processed according to defined cycles. OPEX expenditure invoices are received at the end of the month, captured into the system and assigned to IT costs.
CMM 2 (repeatable, opportunistic): Defined interfaces for data supply and financial reports exist, for cloud providers to integrate to and supply data

CMM 3 (defined, systematic): Team is incentivized based on cloud strategy achievement
CMM 4 (managed & measurable): Real-time authorization and approval KPI's are defined and contracted with the involved employee

CMM 3 (defined, systematic): Real-time authorization and approval capability and roles are defined and operational. Cloud related KPI's are identified per role
CMM 4 (managed & measurable): Teams are measured by KPI's. Active planning exists against anomalies and deviations, and status is reviewed regularly

CMM 3 (defined, systematic): IT Costs are billed on a generalized level based on the Use. There is a capability for the consumer to check ordered Services and their corresponding costs. The costs are billed to the consumers cost center once a month
CMM 4 (managed & measurable): IT Costs are billed per use to the business and the business has a constant view on the actual costs which are constantly monitored. Unused resources are optimized or returned to the available resource pool

CMM 3 (defined, systematic): Financial KPI's are used to measure the strategic enterprise wide migration of identified services to identified cloud environments
CMM 4 (managed & measurable): All cloud based investments are tracked according to financial KPI pre-planning, and deviations are analyzed and corrected

CMM 3 (defined, systematic): An idea management process exists which is orientated towards cloud, with a defined and communicated incentive scheme for employees. Achievement of enterprise cloud adoption objectives form part of the measurement.
CMM 4 (managed & measurable): An incentive scheme exists and employee measurement and compensation (where appropriate) aligns to the implementation and success of the idea or objective.

CMM 3 (defined, systematic): Cloud service deployments leverage the "approx. 80%" of existing cloud based building blocks, and most new cost is directed towards "approx. 20%" for new capability
CMM 4 (managed & measurable): Well defined R&D budgets leverage existing cloud elements, thereby optimizing cloud projects to only focus on the new development, at people, process and technology levels, consistent with the business objectives and cloud KPI values to the enterprise

CMM 3 (defined, systematic): All costs are shown relative to each revenue item, as a percentage of its production costs, with target reductions
CMM 4 (managed & measurable): No "spare capacity" investments are made in IT infrastructure any more - all capacity is applied and paid for only when it is needed

CMM 3 (defined, systematic): Standardized supplier contracts enable JIT ordering, financial authorization, and service delivery, from pre-selected suppliers, with defined financial reporting and source data available according to pre-determined financial parameters, in real time
CMM 4 (managed & measurable): Clear standard online contract and supply management is integrated with supplier systems, to ensure that the cloud service never runs out of capacity, by pre-warning authorized users about financial thresholds automatically and pro-actively
CMM 5 (optimized): The team understand the key financial trends they should watch for and manage relating to cloud consumption and landscape sprawl
Benefit Analysis: Reduced errors and repeat task time (reduced costs for duplicated work)

CMM 5 (optimized): The financial organizational structure is able to bring tangible business benefits - and the operating model is an integral part of the culture, with defined KPI achievement as the norm
Benefit Analysis: Processes run effectively according to business needs, enabling and advising/supporting the business in real-time to achieve its objectives

CMM 5 (optimized): There is a constant process which monitors the billing. Growing costs are proactively monitored and are constantly discussed with the consumer. There is a process which terminates unused Services, as well as service selection based on technical and cost optimization
Benefit Analysis: Allocation of costs to actual areas of consumption, and thereby to the products of the business more accurately, enabling better competitiveness per product

CMM 5 (optimized): The KPI definitions are reviewed regularly, and include confidentiality and security dimensions for Finance-related topics
Benefit Analysis: Defined criteria enable employees to focus their work = better use of their time

CMM 5 (optimized): The process is evaluated on a regular base and re-aligned to the organizational needs.
Benefit Analysis: Incentivized employees will follow through to ensure the defined objectives are realized, through business optimization or revenue enhancement

CMM 5 (optimized): Project budgets are approved or declined based on their alignment to the enterprise strategy and value proposition to achieving the company's strategic cloud objectives and associated KPI's
Benefit Analysis: By selecting projects based on their adoption of cloud services as aligned to the Enterprise Strategy, the business can incentivize and direct investments more quickly to enable early benefit realization from investments in change

CMM 5 (optimized): Consolidation of IT assets is ongoing with respect to financial investment in renewals and lifecycle management
Benefit Analysis: The closer the real costs per product or service are to reality, the more competitive or innovative a business can be in how they deal with opportunities, threats and weaknesses in each product

CMM 5 (optimized): Integrated reporting and data sharing of relevant data is enabled between pre-selected contracted suppliers and the cloud provider, to ensure that pre-warning of Procurement events is possible, and that service quality can be monitored and managed pro-actively
Benefit Analysis: Errors can be caught before they become costly to recover from by attracting management and specialist resource time
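Stakeholders, Current State, Future State, Barriers
HR & Training: Current State 0, Future State 0
Finance & Procurement Management: Current State 0, Future State 0
Finance and Administration teams: Current State 0, Future State 0
IT Executive Management: Current State 0, Future State 0
IT Management: Current State 0, Future State 0
IT Executive Management: Current State 0, Future State 0
Financial Admin & Procurement: Current State 0, Future State 0
Administration Teams: Current State 0, Future State 0
Total: Current State 0, Future State 0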
Enterprise Strategy Domain

Contains capabilities such as:
• Business motivation,
• Expected benefits,
• Guiding principles,
• Expected costs, and funding models.
• Capabilities such as service selection and service-level agreements (SLAs) also gain relevance in cloud initiatives
Is this domain relevant? Yes/ No

Control Question: Have the Executive Management / Management been educated about Cloud Services, and the role they can play in the business landscape
CMM 0 (None): No education done

People

Control Question: Does a formal enterprise level strategy exist positioning the use of cloud based services?
CMM 0 (None): No strategy defined

Control Question: Is there a Cloud Adoption Framework
CMM 0 (None): No formal plan exists

Processes

Control Question: Is Organizational Change planned, in order to enable cloud effectiveness?
CMM 0 (None): No planning exists for organizational change

Control Question: Who judges / defines the success of cloud services?
CMM 0 (None): There is no evaluation - whoever use cloud, use it at their own discretion

Control Question: Is the business strategy available online, to enable daily real-time decision making based on it
CMM 0 (None): No formal guide is commonly documented for the enterprise, and how its services must evolve

Technology

CMM 1 (initial, ad-hoc): Different views exist - the employees are not aligned to each other, and key cornerstones of cloud services have not been identified
CMM 2 (repeatable, opportunistic): All employees are aligned to a common understanding and view of cloud services, and their applicability within the enterprise

CMM 1 (initial, ad-hoc): Different units apply different strategies
CMM 2 (repeatable, opportunistic): Yes, a common shared strategy exists across the enterprise, but with ad-hoc adoption

CMM 1 (initial, ad-hoc): The current application landscape has been analyzed for possible cloud migration.
CMM 2 (repeatable, opportunistic): Classification framework exists for all Business Applications & Data, with all applications which could be considered for cloud, classified as such

CMM 1 (initial, ad-hoc): Impacts of cloud service delivery on some affected teams have been identified
CMM 2 (repeatable, opportunistic): Planning and design of structure updates is done for selected departments, to improve cloud adoption

CMM 1 (initial, ad-hoc): Success of cloud services is evaluated by different users. There is no common definition of success.
CMM 2 (repeatable, opportunistic): KPI's may be defined to measure the success of the cloud strategy

CMM 1 (initial, ad-hoc): Strategy exists as Shelf ware with some management, dusted off every 2 or 3 years and updated
CMM 2 (repeatable, opportunistic): The strategy is published on Intranet, for general visibility, but not used as a daily decision making tool.

CMM 3 (defined, systematic): All employees understand the key steps and enablers that the enterprise needs to address in order to effectively use cloud services, and the benefits they could bring
CMM 4 (managed & measurable): All employees understand their role in context of cloud services, and how they need to change approaches and cultures within the enterprise, to maximize cloud service benefit achievement within the parameters of Confidentiality and Security

CMM 3 (defined, systematic): Cloud strategy is well communicated throughout the enterprise and signed off by all key stakeholders
CMM 4 (managed & measurable): The cloud strategy guides all new system deployments and technology renewals as "the rule". The coverage is measured by means of tracked KPI's.

CMM 3 (defined, systematic): A cloud service adoption plan exists, with Milestones defined, planning, and budget - representing a "cloud first" mandate.
CMM 4 (managed & measurable): The use and success of the cloud adoption framework is managed by means of KPI's

CMM 3 (defined, systematic): Structured implementation plan exists for an updated enterprise that is more relevant to the market
CMM 4 (managed & measurable): All partners are integrated into the organizational plan, with roles & responsibilities defined bi-laterally

CMM 3 (defined, systematic): KPI's are agreed to measure the success of the cloud strategy
CMM 4 (managed & measurable): The KPI's are constantly measured, and the results are reviewed.

CMM 3 (defined, systematic): Strategy Published on Intranet and integrated into performance management of enterprise to support daily decision making
CMM 4 (managed & measurable): Tracking is done of the strategy and enterprise objectives as they are achieved, and linked into HR and management reporting systems, determining how divisions are rewarded
CMM 5 (optimized): Diversity of various employees are regularly harnessed into think-tanks for improving the effectiveness and use of Cloud Services in the enterprise. An executive management champions the use of cloud services and owns KPI's and SLA's for the business

CMM 5 (optimized): The cloud strategy enables the growth and optimization of business outcomes across the Enterprise. The strategy is revised on a regular basis, according to a defined timeframe.

CMM 5 (optimized): New opportunities offered by cloud services are evaluated and included in the Cloud Adoption Framework on a regular basis.

CMM 5 (optimized): Organizational culture includes high performance aspect, to take advantage of technology opportunities in all initiatives

CMM 5 (optimized): The definition of the KPI's are checked and reviewed regularly against business outcomes to determine the success of cloud services

CMM 5 (optimized): Regular version updates are applied to the online strategy (e.g. Agile delivery), based on important influencers (e.g. Porters' 5 Forces model)

Benefit Analysis: One common vision and set of objectives enables a common mandate, common understanding between all teams, and reduces diverse approaches which may be mis-aligned. This helps to reduce "recovery" costs later, and becomes a "guide" for management decisions
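Stakeholders, Current State, Future State, Barriers
Managers (Exec, IT, and Business): Current State 0, Future State 0
CxO: Current State 0, Future State 0
Enterprise Architecture: Current State 0, Future State 0
HR & Managers: Current State 0, Future State 0
Managers: Current State 0, Future State 0
Managers (Exec, IT, and Business): Current State 0, Future State 0
Total: Current State 0, Future State 0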
Structure

Contains capabilities related to;
• Development of organizational competency (work) around cloud computing,
• organizational structure and new tasks
Is this domain relevant? Yes/ No

Control Question: Is formal Cloud Training evident?
CMM 0 (None): No training exists

People

Control Question: Has the Business and IT organizational structure been updated to enable Cloud based Service delivery and planning
CMM 0 (None): Structures don't consider cloud service delivery

Control Question: Is the role and definition of Internal IT and its function updated to address cloud and partner based service provision?
CMM 0 (None): IT functions and roles do not consider cloud based service delivery

Processes

Control Question: Are business processes modified to leverage the use of Cloud Services
CMM 0 (None): Processes do not consider differences between cloud and traditional IT

Control Question: Has the internal IT co-ordination and process management system been aligned to an updated cloud orientated unit structure
CMM 0 (None): No systems exist

Technology
CMM 1 (initial, ad-hoc): Incidental, Training in new topics and unit needs is done by individual employees with personal commitment or interest
CMM 2 (repeatable, opportunistic): Training by external parties on new topics aligned to a defined structure is discussed in teams, with some organizational support.
CMM 3 (defined, systematic): A training and development plan exists and is implemented, defined per structure element and associated business unit. KPI's exist for relevant business objective achievement

CMM 1 (initial, ad-hoc): Current structure deals with ad-hoc adoption
CMM 2 (repeatable, opportunistic): A Structure to enable cloud service models is defined and partially implemented, ongoing as projects occur
CMM 3 (defined, systematic): Teams have been created in the IT function area to deal with cloud services, incl business and technical functions.
A Business Analyst role exists to consult with Developers and Business on Cloud
Cloud KPI's per team are identified

CMM 1 (initial, ad-hoc): IT Continues handling internal IT and internal data center / outsourcing topics. No cloud specific processes exist
CMM 2 (repeatable, opportunistic): IT and Business collaborate on an ad-hoc basis in selected projects relating to cloud, with roles and processes having been defined for key cloud related functions
CMM 3 (defined, systematic): Clear positioning exists of IT as a Cloud Provider, Facilitator, Consultant and/or Broker, with updated roles and processes implemented

CMM 1 (initial, ad-hoc): No formalized Business processes for cloud services, each business unit operates as a silo leveraging their own cloud solutions.
Cloud use is optional
CMM 2 (repeatable, opportunistic): Formalized Business processes exist including cloud based process steps, but each business unit operates in a silo. Each silo adds a new process structure to address
• Cloud based Service delivery management
• Cloud Procurement
• Cloud Risk management
Cloud use is recommended
CMM 3 (defined, systematic): Formalized Business processes exist across business units for common process, Each silo adds new process and structures to address
• Cloud Service delivery management
• Cloud Procurement
• Cloud Risk management
• Internal audit
• Finance
• IT services
• Project management and delivery
• Security (including information security)

CMM 1 (initial, ad-hoc): Systems use the shortest possible method, not aligned to structure or roles, but can be bypassed
CMM 2 (repeatable, opportunistic): The system recognizes business units and roles, and is often used, but does not operate in real-time
CMM 3 (defined, systematic): The service request process caters for structure, roles and workflow according to defined processes - there is no bypassing it, and it operates in real-time
CMM 4 CMM 5
Benefit Analysis
(managed & measurable) (optimized)

The use and success of enterprise A training concept exists to


based training and a development complement the structure
plan for each organizational unit updates and changes, which is
and function is supported with constantly updated to align to the
identified relevant product changes of the cloud strategy of
certifications, and other the enterprise.
knowledge tests. KPI's are applied The operating model is an integral
to measure business objective part of the culture, with defined
achievement, and individual KPI's.
recognition of those Duplication of functions and roles
achievements is avoided in the organisation
through use of publicised shared
functions which have a common
definition

Business unit structures are The organizational structure


updated to support cloud service brings tangible business benefits
use. Active planning is by having clear roles and
performed to close gaps in the structures identified across the
overall structure, and reviewed business units, in context of the
regularly business objectives, with regular
reviews and updates as needed

Defined IT roles Consult with IT Acts as a bridge between


appointed Business external providers, internal All enterprise units operate as
representatives on appropriate providers, and manages service one, towards achieving the
cloud platforms for their needs definitions, taking care of the business objectives, with sub-
Security and requirements elements of the objectives
between the participating entities apportioned appropriately to the
relevant structures

Composable process  model Composable process model


formalized for common cloud formalized for all business
process work: processes designed to be
• Cloud Service delivery supported by a democratized IT
management delivery model.
• Cloud Procurement Shared process elements are well
• Cloud Risk management defined, with input and output
• Internal audit data requirements, to improve
• Finance integration and re-use
• IT services opportunity
• Project management and
delivery
• Security (including information
security)
Cloud use is mandated (i.e. Cloud
First)

An exception handling process Statistics are drawn, and


exists for non-standard effectiveness of the system is
requests(i.e. Cloud First logic)- all regularly analyzed, with
activity is handled via real-time improvements being released
systems aligned to organizational updates.
Stakeholders Current State Future State Barriers

IT Department, General
Management

0 0
enterprise Strategy, HR
Department

0 0
IT Management

0 0
Process Management
Architecture
IT Management

0 0
Enterprise IT

0 0
Total 0 0
Culture

Contains the mindset and behavior pattern that:
• Supports the business with choice (says yes not no), and facilitates innovation, and demonstrates flexibility,
• Transformed from being a supplier to being a business partner.
• Nurtures innovative practices through self-service and automation.
• No technology silos,
• Is committed to being efficient, fast and service oriented, where a service is measured from a customer's point of view, not IT's
Is this domain relevant? Yes/ No

Control Question: How do the IT employees think, what is of value to them?
CMM 0 (None): Management emphasizes importance of legacy system's operations

People

Control Question: How does management drive innovation within the area of cloud consumption as well as delivery and encourage employees to challenge how (well) things are done?
CMM 0 (None): Management strives to preserve status quo in order to keep legacy systems up and running as expected from business departments

Control Question: How does management value skills and their development?
CMM 0 (None): No specific, visible appreciation of skills related to cloud

Control Question: How is the compensation scheme (including rewards and incentives) designed to drive achievement of group, division and performance targets related to cloud?
CMM 0 (None): Enterprise's compensation scheme does not contain components that relate to cloud

Process

Control Question: How does management involve employees in the development and communication of strategies, concepts and policies related to Cloud?
CMM 0 (None): No Cloud Strategy or policies related to cloud evident

Control Question: How does the enterprise make use of tools to involve and get feedback from employees as well as external business partners / stakeholders?
CMM 0 (None): Enterprise does not seek feedback from employees

Technology
CMM 1 (initial, ad-hoc) | CMM 2 (repeatable, opportunistic) | CMM 3 (defined, systematic)

CMM 1: Departmental silos and competency heroes; no connected thinking or common understanding of values and priorities
CMM 2: Expert (specialist trained) teams exist. Employees think department-centrically and mainly within their own technology domain. Employees strongly value and pursue departmental goals without considering interdependencies and side-effects.
CMM 3: Service and system integration focused. Provides Competitive offerings (based on "cloud first"), is a service broker. Silos in IT almost eliminated / not existing. Efficient and accountable for Service measured at the customer point of view

Employee rarely communicates Employee sometimes Employee can communicate ideas
ideas for improvement communicates ideas for for improvement via a basic, non-
Ideas are rejected regularly by improvement formalized process (e.g.
management Ideas make it to realization on presentation during meetings or
rare occasions, only via email), no tool support
a lot of energy and time is available
required to convince stakeholders Idea rating is conducted not
and force through individual formalized and not
changes comprehensible
management does not encourage Usually, a lot of energy is required
employee to think about possible to force through individual
improvements changes
Employee is not encouraged to
think outside the box

CMM 1: Technology-area specific appreciation of specific skills by e.g. assignment of prominent roles (Project Leader etc.)
CMM 2: Management is open for targeted development of skills, but training measure has to occur within a current cloud initiative and to promise a strong RoI
CMM 3: Skills related to cloud are valued because management is aware of the business benefit generated by cloud services; Management selectively supports development of skills by trainings requested by employee

CMM 1: For senior management compensation scheme does contain KPIs that are affected by cloud implementation to a limited extent
CMM 2: On individual agreement, specific compensation components related to cloud are available; Compensation scheme encourages employee to hold their knowledge up to date and to continually look out for improvement opportunities within their technical domain
CMM 3: From compensation scheme employee understand that moving to cloud technology strengthens the enterprises' competitiveness, opens up career perspectives and increases compensation; Incentives and rewards are available for those who achieve outstanding results, innovation and business value

IT Management has a vague idea Management involves hand- Management invites experts to
of cloud and what to achieve with selected employee into participate in formalized
it, communicating it verbally and development of strategies, development of strategies,
occasionally, only concepts and policies concepts and policies
Management sets clear barriers process is setting off from the IT
regarding focus areas, strategy / operations
participation and contribution of requirements
employee responsibilities during the
Communication is informal and development process are defined
only visible to those who are for development, a timeline is set
involved Cloud strategy and policies are
communicated on a regular basis
via workshops, training and other
occasions
Enterprise uses paper-based Enterprise uses emails containing Enterprise uses tool-based
feedback processes questions and 'free text-answers' surveys with a clear structure and
No formalized feedback process timeframe
established Formalized feedback process
established
Results are communicated
CMM 4 (managed & measurable) | CMM 5 (optimized)

CMM 4: Customer / business partner centric and marketing aware behavior. IT employee provides innovation counseling and advisory services; Committed sparring partner for customer and / or business partner; Perceived as innovation driver; The people understand what needs to be protected and the enterprises security and privacy requirements
CMM 5: Business/commercial centric perspective; Always willing to develop 'best solution for the enterprise business' and focused on holistic service delivery for end user; Employees dealing with cloud technology are seen as consultants and catalysts for innovations driven by the business; Cloud technology is seen as a creative innovation driver and future technology

CMM 4: Ideas are communicated via a known and tool-based process through an established innovation initiative / board; Ideas are assessed and rated transparently, the result is communicated to employee; Rewards for best ideas are available; Initiator is involved into (steering of) realization; Employee is encouraged to proactively think outside the box and look for innovative solutions and concepts
CMM 5: Management strongly encourages employee to think 'cloud first'; IT management is constantly looking for (new) ways to improve service delivery related to cloud; Ideas are communicated via a known and tool-based process through an established innovation initiative / board; an idea-database for browsing, inspiration and a blog for connecting with others are available; Working groups are established for idea generation and development; Ideas are assessed and rated, the result is communicated to employee; Rewards are available for best ideas; Employee is encouraged to proactively think outside the box and look for innovative solutions; Partners and other Third Parties are involved into the innovation process using concepts / approaches like Open Innovation etc.; Change is change generated by all levels of employee (bottom-up and top-down)

CMM 4: Management emphasizes value of cloud technology for business success and visibly appreciates technical and managerial skills related to cloud; Management drives development of skills by encouraging employee to participate in e.g. trainings and conferences and internal knowledge sharing
CMM 5: Cloud Experts are widely known and respected throughout the enterprise, highly esteemed and involved in every initiative connected to cloud; Experienced employee is strongly encouraged to share knowledge in non-Profit-enterprises and drive industry acceptance

CMM 4: Management places increased value on rewards and incentives for those who think and act in innovative patterns; Enterprise maintains a reward system that encourages employee to increase their cloud-skills and transparently rewards technical acumen and idea creation; KPIs are defined and used to measure employee's contribution to innovation as well as cloud consumption and delivery
CMM 5: Compensation scheme is clearly driving innovation by the consumption and delivery of cloud services. To a certain extent, compensation is measured against KPIs related to cloud; KPIs reflect different domains such as effectivity, efficiency etc. in regard to business and technology; KPIs are transparent to and influenceable by those whose compensation is based on these

CMM 4: Management delegates responsibility to team leads incl. clear definition of responsibilities and timeframes, monitors development process and reviews results; employee is continuously encouraged to develop strategies, concepts and policies; employee knows where strategies, concepts and policies are published (e.g. dedicated intranet section); employee is trained regularly on strategies, concepts and policies and exchanges horizontally, also
CMM 5: Management established a continuous improvement process and employee is encouraged to contribute; employee knows where strategies, concepts and policies are published (e.g. dedicated intranet section); employee are trained regularly on strategies, concepts and policies incl. technology and frameworks preferred by the enterprise; employee vertically and horizontally exchanges experience with strategies, concepts and policies on a regular and institutionalized basis

CMM 4: Enterprise uses tool-based surveys adaptable to role, department etc. of the employee; Formalized feedback process established; Results are communicated and measures for improvement are developed; Enterprise established an open feedback culture on every hierarchy level
CMM 5: Enterprise uses tool-based surveys adaptable to role, department etc. of the employee; Feedback is asked for and processed continuously; Enterprise established an open feedback culture on every hierarchy level; Results are communicated and measures for improvement are developed with involvement of employee and tracked for benefit realization
Benefit Analysis: A culture which is managed to drive the organisation forwards in context of its strategy, enable teams and employee to maximise their performance. They are also able to focus their energy and creativity into areas defined under the Enterprise Strategy, with an enabling mandate. Encouraging teams and employee to look for opportunities for the business also enables the business itself to become more competitive.

Stakeholders | Current State | Future State | Barriers
Executive Management, HR, Team management | 0 | 0 |
Executive Management and Line Managers | 0 | 0 |
Line Management, HR | 0 | 0 |
Finance, Compensation Management, Line Management | 0 | 0 |
Executive management, Line Management, Communications | 0 | 0 |
HR, Communications, Line Management | 0 | 0 |
Total | 0 | 0 |
Skills

Contains capabilities related to:
• Competency in cloud implementation Skills
• Business process knowledge,
• Emerging standards & technology knowledge such as open source, OpenStack, Cloud Foundry and cloud native application development,
• DevOps methods of Continuous Integration and Deployment,
• Big data technology, and data lake architecture, Six Sigma, ITIL v3 and IT4IT Operational models
Is this domain relevant? Yes/ No
Control Question | CMM 0 (None)

People

Control Question: What are the skills and values that your IT enterprise is compensated for
CMM 0: No cloud aspects included

Control Question: Do employee have the right "soft skills" needed to ensure cloud development and adoption can be successful? (e.g. ITaaS, Brokerage, Service Management, ITIL, Business Acumen, etc.)
CMM 0: No training or awareness in evidence

Control Question: Are employees technically skilled in the appropriate areas within the various Cloud-related functions? (e.g. private cloud Architecture, off-premises Product Management, Vendor Management, Hybrid Cloud Integration, Cloud Native, etc.)
CMM 0: No cloud training has been performed

Control Question: Do employee have a mechanism to help improve skill development opportunities?
CMM 0: No mechanisms are in place to support cloud skill development

Control Question: Do employee get a chance to cross-train by interacting with other areas or by having exposure via projects in order to develop new skills?
CMM 0: no formal exposure mechanism is established

Control Question: Is there an appropriate skill set (technical and "soft") defined to support all relevant roles within each Cloud-related function?
CMM 0: No support function exists

Control Question: Is skill development part of career development and performance evaluation plans?
CMM 0: Cloud does not feature in any career development or performance evaluation planning

Control Question: Is there a process defined to ensure new hires' skills are assessed appropriately?
CMM 0: No consideration of cloud and cloud skills is incorporated into the process

Processes

Control Question: Is there a skills competencies matrix defined and available to employee?
CMM 0: No skills or competency framework relating to cloud technology exists

Control Question: Is budget made available to employee for skill development, training and/or certifications?
CMM 0: No budget is planned for cloud skills development

Control Question: Are skill (technical or professional) development opportunities tracked by, and integrated into existing HR to Management supporting systems?
CMM 0: No tracking of participation in opportunities is done

Technology

Control Question: Are training opportunities made available via internal or external e-learning or CBT training options?
CMM 0: No training materials are made available for cloud technology
ed to:
plementation Skills
dge,
chnology knowledge such open source, openstack, cloud foundry and cloud native application development,
tinuous Integration and Deployment,
data lake architecture, Six Sigma, ITIL v3 and IT4IT Operational models
CMM 1 (initial, ad-hoc) | CMM 2 (repeatable, opportunistic) | CMM 3 (defined, systematic)

Deeply skilled/IT operations ITIL V3 Process Knowledge Business process knowledge


experts, Standards knowledge Business Acumen & Leadership
Operational IT process- Services-oriented architecture Cloud Native application design
knowledge, IT administration & skills and development skills
continuity experts Ability to integrate off-premises
Cloud Service knowledgeable Services with internal applications

CMM 1: Some Employees possess limited skills
CMM 2: 10-25% of employees possess and exhibit the appropriate skill level
CMM 3: 25-50% of employees possess and exhibit the appropriate skill level, with supporting certifications

CMM 1: Some Employees possess limited Cloud skills (Basic)
CMM 2: 10-25% of employees possess and exhibit the appropriate skill level (Intermediate/Advanced)
CMM 3: 25-50% of employees possess and exhibit the appropriate skill level (Advanced)

CMM 1: Employee provide informal, undocumented feedback
CMM 2: Managers or Supervisors request feedback as part of employee meetings and informal sessions
CMM 3: Feedback loop mechanisms are available for employee to leverage as needed/desired

CMM 1: Employees rarely seek opportunities to cross-train with other team members
CMM 2: Employees seek opportunities to cross-train with other team members when time and opportunity allows
CMM 3: Employees are encouraged to seek opportunities to cross-train with other cloud team members, via project assignment and re-prioritization of their activities

CMM 1: Cloud skills are assumed, and understanding on needed vs. preferred skills vary greatly
CMM 2: A Cloud Skill set has been identified for some of the technologies for which a team/function is responsible
CMM 3: Skill set has been identified & defined for most of the technologies for which a team/function is responsible

CMM 1: Employees choose to develop skills and attend training when opportunities arise, and make it part of their annual career development plans
CMM 2: Some Managers or Supervisors encourage employees to develop skills and attend training when opportunities arise or when budgets allow
CMM 3: Employees are encouraged to attend Cloud-relevant training at least once a year

CMM 1: HR / Talent Acquisition performs basic checks to match technical skills required by the position as specified by Hiring Managers
CMM 2: HR / Talent Acquisition performs basic checks to match technical skills required by the position for all postings, as specified by Hiring Managers
CMM 3: HR / Talent Acquisition matches technical and soft skills required by the position for all postings, leveraging the existing skill competency matrix defined by Hiring Managers

CMM 1: A Basic list of skills is known by most Leaders & Employees; Assumptions are made about depth, meaning and scope
CMM 2: A Basic list of skills is Documented but used inconsistently
CMM 3: A high-level skills competency list exists; Managers or Supervisors are encouraged to socialize within teams

CMM 1: Limited availability of training classes (online or face-to-face) for a few employee, as budget allows
CMM 2: 10-25% of employees attend available training
CMM 3: 25-50% of employees attend available training

CMM 1: Employee might track classes or development opportunities on their own, using ad-hoc methods
CMM 2: Managers or Supervisors might have ad-hoc tracking mechanisms
CMM 3: Skill development & training tracking system (e.g. online Skills Profile) is available, but usage is not encouraged/enforced

CMM 1: Training consists mostly of "on the job" learning
CMM 2: Training is informal and not regularly scheduled
CMM 3: A Basic training catalog (internal, external or mixed) exists and is leveraged by Managers or Supervisors to offer to Employees
CMM 4 (managed & measurable) | CMM 5 (optimized) | Benefit Analysis

Benefit Analysis: The skills that are required in each of the units of organisational structure are pro-actively defined, developed, and monitored. This enables units to perform and deliver on tasks as expected. Team members are also more motivated, and constantly developing / moving forwards in support of ongoing organisational development and the evolution of the organisation and its products

CMM 4: Conscious of enterprise, Understand all security and information policies. Thorough understanding of relevant off-premises services that will assist the Business
CMM 5: Solving Business Problems, Catalyst for change; Proactively identifying solutions to meet future business requirements; Six Sigma Quality

CMM 4: 50-75% of employees possess and exhibit the appropriate skill level
CMM 5: 100% of employees possess and exhibit the appropriate skill level (pervasive), based on training on the business strategy

CMM 4: 50-75% of employees possess and exhibit the appropriate skill level (Advanced)
CMM 5: 100% of employees possess and exhibit the appropriate skill level (pervasive), based on certifications

CMM 4: Formal Employee feedback is regularly sought and used to improve the education and training process
CMM 5: Formal Employee feedback is regularly sought and used to improve the cloud training and certification process; reports on improvement areas are provided to employee on a yearly basis

CMM 4: Managers & Supervisors identify opportunities to allow certain Employees to get exposure to new skills, based on demand management and existing talent/skill set available
CMM 5: A formal plan exists to rotate certain Employees within some functions to expose them to new skills and provide career growth opportunities

CMM 4: Skill set has been identified and defined for all of the technologies for which a team/function is responsible
CMM 5: Minimum Skill set has been identified and defined for all of the cloud technologies for which a team/function is responsible; a process exists to keep it updated

CMM 4: Employees attend Cloud-relevant training towards fulfilling specific requirements for the role/function they serve
CMM 5: Employees attend Cloud-relevant training towards fulfilling specific requirements for the role/function they serve, and to ensure they're on track with specific skill competency goals included in their annual goals/plans

CMM 4: HR / Talent Acquisition matches technical and soft skills required by the position for all postings, leveraging the existing skill competency matrix - Candidates are only sent to Hiring Managers once technical competency matrix matches >70%
CMM 5: HR / Talent Acquisition matches technical and soft skills required by the position for all postings, leveraging the existing skill competency matrix - Candidates are only sent to Hiring Managers once technical competency matrix matches >70%; Hiring Managers assess depth of skills via panel interviews, case studies, and presentation skills analysis

CMM 4: A skills competency matrix exists, with crisp definitions; Managers or Supervisors are encouraged to socialize within teams, and to use them to plan and execute skill development plans
CMM 5: A detailed skills competency matrix exists and is updated regularly; Managers or Supervisors are encouraged to socialize within teams, and to use them to plan and execute skill development plans

CMM 4: 50-75% of employees attend available training
CMM 5: All employees seek out and attend relevant cloud training according to their proportional training budget allocation

Tool usage is part of formal SoP, Tool usage is part of formal SoP
and tracked yearly for cloud services, tracked yearly
and updated to ensure relevancy 

A comprehensive training catalog A comprehensive self-service


(internal, external or mixed) exists training catalog (internal, external
and is leveraged by Managers or or mixed) exists and is leveraged
Supervisors to offer to Employees by Managers or Supervisors
regularly as part of the formal
skills development plan
Stakeholders | Current State | Future State | Barriers
Executive Management, Managers, HR, Finance | 0 | 0 |
Executive Management, Managers, HR | 0 | 0 |
Executive Management, Managers, HR | 0 | 0 |
Managers, HR, Training | 0 | 0 |
Executive Management, Managers, HR | 0 | 0 |
Executive Management, Managers, HR | 0 | 0 |
Executive Management, Managers, HR | 0 | 0 |
Managers, HR | 0 | 0 |
Executive Management, Managers, HR, Finance | 0 | 0 |
Executive Management, Managers, Finance | 0 | 0 |
Managers, HR | 0 | 0 |
Managers, HR, Training | 0 | 0 |
Total | 0 | 0 |
Compliance

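Compliance in general means to fulfill laws and regulatory requirements, specifications and standards as well as specific demands imposed by other external parties or internal stakeholders.

Examples from the perspective of a certain enterprise:
• Law: publish yearly financial statement
• Regulatory: Validate Computer System when manufacturing medical devices
• Specifications and Standards: transmitting unit in WiFi devices needs to use certain frequencies incl. a maximum deviation
• Specific demands of external party: a customer expects a certain interface for data exchange with e.g. ERP system
• Internal stakeholder: a foreign subsidiary requires a process or IT system to be designed in a certain manner
Is this domain relevant? Yes/ No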
Control Question | CMM 0 (None)

People

Control Question: How is a formal Compliance understanding communicated, incl. positioning of cloud computing and its impacts on compliance, and the specific requirements for the enterprise?
CMM 0: No formal communications about compliance and the enterprise specific requirements.

Control Question: How is ensured that employee concerned with compliance - have sufficient knowledge about the impact of cloud on compliance and - maintain and follow corporate policies and guidelines related to cloud compliance?
CMM 0: Basic knowledge is distributed if required, no corporate policies or guidelines related to cloud compliance evident

Control Question: How does the enterprise verify that the off-premises services being used support meeting the defined compliance requirements?
CMM 0: No formal procedures such as checklists or due diligence implemented

Control Question: Is there a formal Compliance framework, updated for Cloud?
CMM 0: No clear cloud aware compliance framework is documented

Control Question: How does the enterprise ensure that for the off-premises services currently implemented relevant attestations / certifications / self declarations are obtained from service providers?
CMM 0: Enterprise does not verify that relevant documents are requested

Processes

Control Question: How are events of non-compliance handled if they are caused by or connected to off-premises services?
CMM 0: Enterprise does monitor compliance and acts event-driven, only

Control Question: How does the enterprise identify, define and manage compliance requirements that affect the selection and use of off-premises services?
CMM 0: Enterprise does not define requirements related to cloud

Control Question: How does the enterprise ensure privacy? How are sensitive (e.g. personal) data protected when transferred and processed off-premises?
CMM 0: Enterprise does not implement measures related to privacy / data protection

Control Question: To what extent are Continuous Monitoring / Feedback practices used?
CMM 0: There is no compliance capable tooling in place for cloud

Technology

Control Question: How are Compliance requirements and standards defined and maintained in the tools used for management and monitoring?
CMM 0: Enterprise does not use tools for management of compliance requirements
ans to fulfill laws and regulatory requirements, specifications and standards as well as specific demands imposed by other external par
ctive of a certain enterprise:
cial statement
mputer System when manufacturing medical devices
ards: transmitting unit in WiFi devices needs to use certain frequencies incl. a maximum deviation
ernal party: a customer expects a certain interface for data exchange with e.g. ERP system
oreign subsidiary requires a process or IT system to be designed in a certain manner
CMM 1 (initial, ad-hoc) | CMM 2 (repeatable, opportunistic)

CMM 1: Compliance requirements are available for those who look for them, for cloud services, documented in an enterprise repository
CMM 2: Limited positioning of enterprise specific compliance requirements in context of cloud services, are communicated to islands of adoption

CMM 1: If required, employee concerned with compliance receive individual training regarding the impact of cloud-technology on compliance. No policies or guidelines related to cloud compliance evident
CMM 2: Enterprise maintains a basic cloud strategy. Employee concerned with compliance has to confirm to have read and understood and would follow the strategy as well as corporate policies and guidelines that govern the use of (public) cloud services on a basic level. Confirmation is added to employee record in database. Basic policies and guidelines related to cloud compliance evident, issued by management

CMM 1: On request, meeting of compliance requirements and / or adherence to SLA is reviewed manually for a small selection of key KPIs, mostly based on manual collated data. Certifications / attestations are analyzed as required.
CMM 2: A basic compliance framework exists. When implementing new cloud services, following specified procedures is required to meet compliance requirements. Selected areas are checked for compliance on an as-needed basis, incl. certifications / attestations published by cloud provider.

CMM 1: Standard original compliance framework carries forward, without cloud awareness
CMM 2: A Compliance framework is defined and includes cloud appropriate dimensions

CMM 1: Enterprise checks on request, whether compliance requirements are met and / or SLAs are adhered to. Small selection of KPIs is reviewed, analysis strongly based on data collated manually. Certifications / attestations are requested with cloud provider and analyzed as required.
CMM 2: Relevant attestations / certifications are requested from service provider and reviewed on a regular basis. Obtaining, reviewing and action upon analysis' result performed without greater integration and consideration of interconnections and interdependencies

CMM 1: After occurrence events of non-compliance are resolved with countermeasures that are mostly based on data collated manually; Meeting of compliance requirements is monitored manually and mostly on request and for a small selection of key KPIs, only
CMM 2: Events of non-compliance are handled based on defined procedures but not synchronized. Technical view prevails. Consequences are communicated to selected stakeholders.

CMM 1: Identification of requirements conducted in individual project. Dependencies are not made visible, and therefore not taken into account. No connection to corporate compliance management. Enterprise is strongly dependent on support by external consultants.
CMM 2: Enterprise develops compliance requirements in rather isolated islands, first attempts of synchronization. Identification of requirements based on industry best practices and standards publicly available, if required. Enterprise strongly relies on support by external consultants.

CMM 1: Enterprise conducts basic analysis regarding privacy requirements. Avoids using services offered by providers situated in countries with insufficient / incompatible privacy laws. Sensitive data is encrypted or tokenized before being transferred to a cloud service.
CMM 2: Enterprise analyzes requirements regarding data privacy based on defined data classes. Sensitive data is encrypted or tokenized before being transferred to a cloud service.

CMM 1: Initial compliance of cloud services is performed, and then written into contractual agreements
CMM 2: Regular manual reviews of the compliance of cloud services are performed

CMM 1: Evidence of conformance to some key industry requirements are requested of suppliers prior to committing services
CMM 2: Compliance reports are requested from each service provider and reviewed periodically
as well as specific demands imposed by other external parties or internal stakeholders.

a maximum deviation
g. ERP system
manner
CMM 3 (defined, systematic) | CMM 4 (managed & measurable)

CMM 3: A communication plan exists relating to compliance requirements for cloud services, including detailed follow through activities with the impacted business units, and ongoing feedback mechanism, and regular progress reports, possibly via the enterprise communications vehicles.
CMM 4: Partners, clients and suppliers are addressed and cloud based compliance requirements and implications are clearly defined at security, commercial, service and business impact level, through training and information events

CMM 3: Current employee and new hires have to complete training regarding the policies and guidelines related to cloud compliance on a regular basis, e.g. via classroom training or web based training. Responsibilities are defined. Management tracks training status. Before hiring new employees basic background check is performed. Policies and guidelines related to cloud compliance issued by management, review triggered by changes
CMM 4: Responsibilities for compliance are defined. Management tracks training and compliance status continually using a tool-based solution enabling for monitoring, alerting and automatic follow-up. Deviations are identified and escalated to management. Before hiring new employees basic background check is performed. Skills are evaluated on a regular basis supported by tools and DBs' Policies and guidelines related to cloud compliance issued and reviewed review triggered by document management system

CMM 3: A compliance framework exists and is established incl. accountabilities, responsibilities and documentation requirements. Based on the compliance requirements selected areas are checked for compliance on a regular basis. Checks are conducted by internal and/or external employee. Systematic analysis of relevant certifications / attestations published by cloud provider, stored and managed in e.g. DB.
CMM 4: An advanced compliance framework exists and is established incl. accountabilities, responsibilities and documentation requirements. Online management and monitoring systems enable for checking for compliance of selected areas, systems environments etc. in real-time, against defined compliance requirements. Deviations and exceptions are reported and escalated. Systematic analysis and management of certifications / attestations published by cloud provider.

CMM 3: Compliance framework is defined and updated to include cross border legislation, data protection in transit and at rest in cloud environments, and data privacy requirements
CMM 4: Categorization of compliance requirements exists graded separately for Private, Hybrid, Public & Hosted cloud types. Monitoring and Management of compliance requirements is automated, sensitive per cloud category

CMM 3: Requesting and reviewing of relevant attestations / certifications governed by compliance process, considering basic dependencies and compliance requirements and obligations. Results are communicated and / or available for those who look for them.
CMM 4: Requesting and reviewing of relevant attestations / certifications supported by tools / DB providing e.g. alerting, info regarding need for request, dependencies as well as compliance requirements and obligations. Requesting of relevant attestations / certifications is monitored.

CMM 3: Events of non-compliance are remediated on a technical and organizational level. Consequences of deviations are analyzed, evaluated and communicated to relevant stakeholders.
CMM 4: Events of non-compliance are identified automatically where possible and management is informed; Consequences of deviations are analyzed, evaluated and communicated to management and relevant stakeholders. Root cause analysis is conducted to avoid future issues (CAPA).

CMM 3: During requirements engineering the enterprise develops a catalogue with basic compliance requirements applying a systematic approach. Enterprise seeks for support by external consultants for specific tasks.
CMM 4: Enterprise maintains a DB, which contains compliance requirements covering selected business and IT areas, only. DB is maintained by decentralized management via a systematic approach / process, e.g. regular meetings, reporting lines etc.

CMM 3: Enterprise analyzes requirements regarding data privacy based on data classes maintained in the storage systems. Sensitive data is encrypted or tokenized before being transferred to a cloud service.
CMM 4: Enterprise uses a Cloud Access and Security Brokering solution to control data stream to cloud services. Sensitive data is encrypted or tokenized before or while being transferred to a cloud service.

CMM 3: KPIs exist for the number of compliance events that are "acceptable" per cycle
CMM 4: Feedback on compliance events cycles into automated processes towards regular reporting

CMM 3: Internal Management tools are linked to each service as it migrates to cloud, and events relating to compliance are reported
CMM 4: Real-time event monitoring is set up using tooling that is compliance aware, against defined industry and business/ legal standards
keholders.

CMM 5 (optimized) | Benefit Analysis

Benefit Analysis: Well defined compliance requirements that are properly documented, published and communicated, enable effective decision making. They also help the organisation to understand their requirements of a cloud service more effectively, and thereby to efficiently select service offerings and options. Cost avoidance is achieved through pro-actively eliminating services that may otherwise create unacceptable risk or non-compliance later on, with expensive remediation activities.

CMM 5: Co-ordinated roadmap updates and communications are broadcast through the full eco-system, with feedback loops in place

CMM 5: Consumer & provider employees who have not completed their training are technically blocked from performing certain tasks in e.g. powerful management tools (e.g. with access to customer systems). Deviations are identified and escalated to Management. Policies and guidelines related to cloud compliance issued and reviewed on a regular basis by management, review triggered by document management system and updates made to requirements database (e.g. due to legal changes)

CMM 5: Compliance trends are reviewed and analyzed, corrective and preventive actions are triggered based on data collected by tools. Changes in compliance requirements and system or business environment can be predicted and reacted upon, if required. Continuous, automatic monitoring and alerting established.

CMM 5: The compliance framework is regularly updated to reflect changes in cloud services and usage.

CMM 5: Management console integrates all service providers and allows for central monitoring and direct access to their compliance related data.
Continuous audit and monitoring
established leveraging trusted 3rd
parties.
Tool based alarm is sent to
management in case of non-
compliance / deviations or
unavailability of data.
Management systems monitor
trends in compliance and
identifies issues proactively.
Tools support management's
control activities by scanning IT
landscape and stakeholder
alerting.
Holistic consideration of
dependencies / consequences for
impact analysis and
countermeasures incl. CAPA.

Decentralized systems and tools


populate compliance
requirements DB automatically.
Management steers population
and maintenance process actively.
Data quality is checked on a
regular basis.

Enterprise uses a fully integrated


solution governing data flow and
data distribution. Data is
encrypted or tokenized based on
service localization, data
classification and access
permissions. Effective key
management is in place

Automation of monitoring for


compliance events is tuned on a
regular basis
All systems are designed with pre-
defined compliance and
compliance monitoring points,
and tooling is enabled to monitor
these compliance requirements.
Stakeholders Current State Future State Barriers

HR, IT, Business, Partners

0 0
HR, IT, Business, Partners

0 0
Compliance Mgt,
IT
Business

0 0

0 0

0 0
0 0

0 0

0 0
Development, Build, Release and
Operations teams.
0 0
Developers
IT Risk Mgt
Business

0 0
Total 0 0
Governance & Control
This area considers the process and technology updates that should be integrated into an existing environment, to deal with and control cloud and any external dynamic services and solutions.
Is this domain relevant? Yes/ No

Control Question: Does a formal Communication plan exist, positioning cloud and the impacts?
CMM 0 (None): No formal communications about cloud services and rules exist.

People

Control Question: Are Finance and Procurement in control / informed of the spend process on any external cloud services?
CMM 0 (None): No specific information is passed pro-actively, invoices just arrive

Control Question: Is Enterprise Architecture Cloud aware and focused?
CMM 0 (None): The Architects do not consider cloud for business service opportunities

Processes

Control Question: Is Risk Management updated for Cloud?
CMM 0 (None): The risk management team do not recognize cloud as different from internal IT

Control Question: Are security requirements and rules defined for the use of cloud services
CMM 0 (None): There are no requirements specifically for or updated to consider cloud services as any different to internal IT services

Control Question: What is the technology capability to be a Service broker of private, public, SaaS and traditional IT Services
CMM 0 (None): No Brokerage capability

Technology

Control Question: Are controls in place to identify, assess and manage risk, security and compliance relating to cloud deployments, and alignment to business objectives?
CMM 0 (None): Controls and tools do not monitor and report risk, security and compliance information for cloud services

CMM 1 (initial, ad-hoc): Governance, risk and compliance requirements are available for those who look for them, for cloud services, documented in an enterprise repository
CMM 2 (repeatable, opportunistic): Limited positioning of cloud with respect to requirements and compliance are communicated to islands of adoption

CMM 1 (initial, ad-hoc): Bills are received "after the fact", and used to register cloud spend/procurement
CMM 2 (repeatable, opportunistic): A formal list of partners and services are published, and project budgets align to these

CMM 1 (initial, ad-hoc): Cloud design is handled completely and separately by lines of business
CMM 2 (repeatable, opportunistic): Written enterprise architecture charter and operating documents outlining scope of responsibility and strategy (charter, RACI's, decision process guidelines, standards processes)

CMM 1 (initial, ad-hoc): Risks may be evaluated in project situations. No general risk definition
CMM 2 (repeatable, opportunistic): Risks are discussed (4-eye principle), and settlement/remediation agreed on a case by case basis

CMM 1 (initial, ad-hoc): Standard original security control framework carries forward, without cloud awareness
CMM 2 (repeatable, opportunistic): A security framework concept is defined and includes cloud appropriate dimensions

CMM 1 (initial, ad-hoc): Acknowledgement that access to multiple cloud services from one portal is of Value
CMM 2 (repeatable, opportunistic): Catalog of cloud services includes Private, Public, SaaS and Traditional IT services

CMM 1 (initial, ad-hoc): Ad-hoc deployments occur leveraging "non virtualized" definitions and interpretations
CMM 2 (repeatable, opportunistic): Defined system and service classes exist for cloud use, with rules, policies and guidelines, communicated to the enterprise and deployed manually by projects

CMM 3 (defined, systematic): A communication plan exists relating to cloud services, and detailed follow through activities with the impacted business units is ongoing, including a feedback mechanism, and regular progress reports, possibly via the enterprise communications vehicles.
CMM 4 (managed & measurable): Partners, clients and suppliers are addressed and cloud based implications clearly defined at commercial, service and business impact level, through training and information events

CMM 3 (defined, systematic): Based on an online list of partners and services, an authorization workflow co-ordinates and informs on cloud spending
CMM 4 (managed & measurable): Ordering and authorization of services and spend is run via process on electronic authorization systems, in real-time

Security and Privacy requirements are understood and considered at every decision point

CMM 3 (defined, systematic): A centralized cloud service selection process has been established.
CMM 4 (managed & measurable): The cloud services are measured and the quality is evaluated regularly to ensure that they meet the enterprise requirements.

CMM 3 (defined, systematic): Risks and remediations are defined, known and documented.
CMM 4 (managed & measurable): A Risk management framework is defined and contextualized for cloud. Risks are constantly monitored. Risk mitigation plans are in place

CMM 3 (defined, systematic): The Security framework is defined and updated to include any cross border implications, data protection in transit and at rest in cloud environments, and data privacy requirements
CMM 4 (managed & measurable): Categorization of security requirements exists graded separately for Private, Hybrid, Public & Hosted cloud types. Monitoring and Management of security requirements is automated, sensitive per cloud category

CMM 3 (defined, systematic): Ability to order Private, Public, SaaS and Traditional IT services from one Portal
CMM 4 (managed & measurable): Ability to order and facilitate charge back to accounting for Private, Public, SaaS and Traditional IT services from one Portal

CMM 3 (defined, systematic): Defined and communicated auditing and monitoring exist / signed off by all business units, with manual ad-hoc auditing
CMM 4 (managed & measurable): Automated deployment of services occurs, according to business categorizations

CMM 5 (optimized)

Co-ordinated roadmap updates and communications are broadcast through the full eco-system, with feedback loops in place. A reference model such as "ODCA CMM" is used to analyse and results are communicated, with new analysis conducted on a regular basis to realign with changing business conditions and requirements

Regular reviews of trends and opportunities for improvement are identified and implemented. Opportunities for ongoing increase of automation and integration to speed business and reduce errors are sought. Alignment exists with internal financial systems and process to co-ordinate costs and production

The enterprise acts as a "Cloud Service Broker"

A governance structure has been implemented to manage risks for the business. The risk mitigation plan is regularly updated. Computer Emergency Response Team (CERT) exists, which also extends to the cloud providers

The security framework is regularly updated to reflect changes in cloud service threats and usage. Automated integrated testing of security is in daily stable operation

Ability to recommend best workload location for an application service and order and facilitate charge back to accounting for Private, Public, SaaS and Traditional IT services from one Portal

Automated exception reporting occurs in real-time (e.g. by a data loss prevention system)

Benefit Analysis

Governance and Control not being updated to enable cloud can be some of the biggest inhibitors of forward progress with a cloud strategy. By pro-actively considering the requirements, and building cloud considerations into the governance and control requirements, guidelines and processes, one can pro-actively direct projects, decision making, and operations. This is as opposed to always having to re-actively align the teams after the fact, and having ongoing bureaucratic "red-tape" style discussions between providers, consumers, and the governance bodies.

Stakeholders Current State Future State Barriers

HR, IT, Business, Partners

0 0
Finance, Business, IT

0 0
IT Architecture
Business

0 0
Risk Management

0 0
Security,
Business
IT Management

0 0
Security,
IT Management

0 0
Data Security
Compliance Mgt

0 0
Total 0 0
Business Process

Contains capabilities related to:
• How the business processes are structured and designed
• What processes are deemed support/ shared and which are unique to the business unit
Is this domain relevant? Yes/ No

Control Question: Do the involved people understand the inter-relationship between the various business processes, and the under-pinning IT systems
CMM 0 (None): No clear knowledge exists of how various systems support or participate in the business processes

People

Control Question: Are the business processes for business product operations documented from an IT system and process perspective
CMM 0 (None): No documentation is available mapping the business products, processes, and supporting IT systems

Processes

Control Question: Are the IT system interfaces properly documented in accordance with their function in the business process chain
CMM 0 (None): No documentation can be produced of the IT system interfaces, and their inter-connection as part of the business process chain

Technology

CMM 1 (initial, ad-hoc): Some people understand the product process chains and some of the systems they depend on, but not end-to-end
CMM 2 (repeatable, opportunistic): Certain business process chains are known, together with identification of elements that can be safely run in the cloud
CMM 3 (defined, systematic): The teams know and understand the business processes, and where the process related data is stored, and what the rules are for protecting it

CMM 1 (initial, ad-hoc): Some business product process chains are documented, showing some involved IT elements
CMM 2 (repeatable, opportunistic): Each Business process is documented, together with the underlying IT systems, and SLA's / OLA's for handling transactions
CMM 3 (defined, systematic): Key common elements of the business process are aligned from a semantics and data handling perspective, and evaluated for cloud candidacy, with a migration and consolidation plan in place.

CMM 1 (initial, ad-hoc): Selected system interfaces are documented, based on project focus work, but not towards cloud system interfacing objectives
CMM 2 (repeatable, opportunistic): Some of the element interfaces underpinning the business process are documented, but naming and data structures are not aligned
CMM 3 (defined, systematic): Common semantics are applied to systems, and the interface characteristics are well documented to enable dynamic message queue based interaction

CMM 4 (managed & measurable): The relevant people analyze systems for cloud candidates based on knowing the business processes, and what the service levels and compliance requirements are for each part. There is a known plan and set of business objectives for moving all relevant parts to the right platforms, and sharing common elements.
CMM 5 (optimized): The people involved understand the business process and OLA's for each step or stage, and analyze the reality measured in each stage to identify opportunities for improvement and consolidation between business processes by leveraging more efficient cloud based enablers

CMM 4 (managed & measurable): Performance of common IT elements is measured, in the combined business processes, and alerting is in place for when high or low performance watermarks are crossed. Systems are categorized according to the data they hold for the business processes, and located accordingly
CMM 5 (optimized): Performance and compliance reality is measured for each IT element underpinning the business process, and the process or element is regularly updated to align on business objectives more effectively.

CMM 4 (managed & measurable): Application elements underpinning the business processes are designed according to well documented cloud native models and frameworks, and are robust and scalable
CMM 5 (optimized): Systems auto scale according to actual business process needs, in real time

Benefit Analysis: By having pre-defined well documented business processes in context of their enabling IT systems, one can identify and consolidate common data repositories, specific compliance areas of the process and supporting systems, and which areas could potentially gain advantage from cloud use. Well documented coordinated business processes make governance, management, and control of environments much easier. They enable the analysis of key impact areas, service availability requirements, and the supporting management and control systems/reporting that should be in place and operating

Stakeholders Current State Future State Barriers

Developers
IT
Business

0 0
Strategy and Planning
IT

0 0
Developers
IT
Business

0 0
Total 0 0
Procurement

Contains capabilities related to:
• The Procurement Processes are cloud aware,
• The Procurement Tooling is cloud aware,
• Training and Development performed for supporting enterprises,
• Sourcing & contracting been updated to accommodate cloud,
• A Cloud Service Catalogue exists,
• Reporting is updated to monitor and measure cloud services
Is this domain relevant? Yes/ No

Control Question: Is cloud Training and Development performed for supporting enterprises
CMM 0 (None): No training on cloud is provided for non-IT supporting functions

People

Control Question: Have Sourcing & contracting been updated to accommodate cloud?
CMM 0 (None): No updates have been defined for the processes

Control Question: Does a specific Cloud Service Catalogue exist?
CMM 0 (None): Cloud services are not defined in an available catalogue of services

Processes

Control Question: Is Procurement Reporting updated to monitor and measure cloud services
CMM 0 (None): No reporting is defined for cloud services from a finance and procurement perspective

Control Question: How is Shadow IT prevented?
CMM 0 (None): Shadow IT is not prevented, (and is alive and well)

Control Question: How are cloud vendors selected and managed?
CMM 0 (None): There is no central control of cloud vendor selection

Control Question: Is the Procurement Tooling cloud aware
CMM 0 (None): The tools that Procurement use are not cloud aware or partner integrated

Technology

CMM 1 (initial, ad-hoc): Procurement team drives CAPEX based ordering activities, with some initial Cloud services driving disruption into the tribal knowledge
CMM 2 (repeatable, opportunistic): Procurement team are trained about cloud, and the commercial models
CMM 3 (defined, systematic): Team is incentivized based on cloud strategy deployment

CMM 1 (initial, ad-hoc): Cloud resources are ordered on an ad-hoc basis from undefined vendors. No standard partnering or frame contracts exist, although initial ideas may be in play
CMM 2 (repeatable, opportunistic): Default frame contracts exist for cloud services, which are available to the organizational business units, and re-used consistently.
CMM 3 (defined, systematic): Frame contracts are integrated in procurement tools and standard cloud vendors and offerings may be chosen

CMM 1 (initial, ad-hoc): Hardcopy brochures are used, with functions and features defined per deployment, via a technically orientated portal
CMM 2 (repeatable, opportunistic): A Cloud Portal exists and includes a full integrated Catalogue of services, including technical functions and features, costs, and service level details, for IaaS and PaaS Services
CMM 3 (defined, systematic): A well defined set of standards for catalogue definitions are applied and communicated (e.g. CIMI). Processes are defined to enable entries in the consumer facing catalogue to be updated regularly, and for retirements to be performed according to a defined roadmap process, without contract changes being needed

CMM 1 (initial, ad-hoc): Basic management and Monitoring data is produced from systems within the company's own control
CMM 2 (repeatable, opportunistic): Defined interfaces and reports exist for cloud providers to integrate to and supply data, in real time
CMM 3 (defined, systematic): Standardized supplier contracts enable JIT delivery, from pre-selected suppliers, with defined reporting and source data available according to pre-determined business criteria

CMM 1 (initial, ad-hoc): No controls exist and business units can buy anything they want
CMM 2 (repeatable, opportunistic): Business Units are educated on the issues of cloud security and requirements of all Cloud and IT services to adhere to enterprise policy for security, record retention, backup and disaster recovery to minimize risk to the corporation
CMM 3 (defined, systematic): Businesses willingly adhere to corporate policies for security, record retention, and DR strategy. IT is able to rapidly conduct a cloud security audit on any proposed cloud provider. IT enables procurement audits to identify unauthorized cloud service procurement and unauthorized cloud service detection program.

CMM 1 (initial, ad-hoc): Vendor management team can engage with architecture to align requirements with capabilities of CSPs when requested.
CMM 2 (repeatable, opportunistic): Vendor management team engages regularly with architecture to align requirements with capabilities of CSPs.
CMM 3 (defined, systematic): Standardized criteria are used across LOBs in vendor evaluations. Consultation with cloud consulting firms such as Forrester and Gartner.

CMM 1 (initial, ad-hoc): Each provider's own Cloud Portal is used for ordering & configuring services
CMM 2 (repeatable, opportunistic): Links exist from the enterprise Procurement Intranet to selected supplier's portals/catalogues
CMM 3 (defined, systematic): Provider's catalogues and approval workflows are integrated with the enterprise order portal and standardized workflow system

CMM 4 (managed & measurable): Real-time authorization and approval is operational, aligned to enterprise budgets, and compliance and security parameters
CMM 5 (optimized): Only exceptions are escalated for personal interventions, while standard authorized service items are automated

CMM 4 (managed & measurable): Quality and quantity based performance for reporting of cloud vendors is in place, documenting their compliance and security capabilities
CMM 5 (optimized): Active partner management is in place with cloud vendors. Multiple vendor sourcing is implemented for identical cloud services

Procurement processes should be integrated across the business including all internal and external cloud suppliers

CMM 4 (managed & measurable): Included in the Service catalogue are detail costs and calculations, detail rules associated to services, and automated links and updates to contracts for changed services
CMM 5 (optimized): All partnered or federated services are mapped into a single well structured catalogue for the consumer, transparently, with back-end integration automated and orchestrated, based on consumer requests. Automatic feedback on catalog usage patterns are used to drive catalog improvement over time.

CMM 4 (managed & measurable): Clear standard online contract and supply management is integrated with supplier systems, to ensure that the cloud service never runs out of capacity, by pre-warning suppliers of approaching order events automatically
CMM 5 (optimized): Integrated reporting and data sharing of relevant data is enabled between pre-selected contracted suppliers and the cloud provider, to ensure that pre-warning of Procurement events is possible, and that service quality can be monitored and managed pro-actively

CMM 4 (managed & measurable): IT enables a Security Gateway in conjunction with Procurement to facilitate rapid assembly of authorized public services
CMM 5 (optimized): IT are enabled by Procurement to allow the Democratization of IT through automated integration of any authorized off-premises services quickly and automatically

CMM 4 (managed & measurable): Organizational standards define preferred vendors.
CMM 5 (optimized): A range of parallel vendors are available and have compliant contracts with the enterprise, with scaling costs based on volume of actual service usage

CMM 4 (managed & measurable): Provider's catalogue contents updates are synchronized, selected and published within the enterprise order portal based on application and data compliance requirements
CMM 5 (optimized): Defined partners are electronically integrated into the enterprise systems and processes. A generic catalogue is available on the enterprise portal, with transparent automated routing to the appropriate provider. Procurement systems get automated notification based on capacity requirements when additional infrastructure or service supply is required

Benefit Analysis: Procurement are a gatekeeper to the Commercial relationships that the business has with its partners, suppliers, and even clients. Cloud drives many changes in the operating models for both service delivery and financial transactions in this regard. By proactively updating the Procurement function to understand and support cloud based sourcing and delivery, one can enable more effective business development, as well as track and control of sprawl of IT systems outside of the enterprise perimeter.

Stakeholders Current State Future State Barriers

- IT Procurement

0 0
- IT Procurement

0 0
- Service Catalogue Management
- IT Procurement
- IT Service Delivery

0 0
- IT Procurement

0 0
IT
Procurement

0 0
Vendor management,
Architecture, Platform operations,
Service management

0 0
- Service Catalogue Management
- IT Procurement
- IT Service Delivery

0 0
Total 0 0
Commercial

Contains capabilities related to:
• Cloud Contract templates,
• Processes updated to accommodate cloud service delivery,
• Key performance indicators exist for cloud based services,
• Partner & Client Interactions updated for Cloud service delivery, and
• Costs of a service billed to the consumer of the service.
Is this domain relevant? Yes/ No

Control Question: Are Partner & Client formal frameworks updated for Cloud service delivery models?
CMM 0 (None): No understanding exists of the differences between Cloud and Traditional IT contracting

People

Control Question: Do Cloud Contract templates exist?
CMM 0 (None): No template contracts or frameworks for cloud services exist

Control Question: Are Commercial Processes updated to accommodate cloud service delivery?
CMM 0 (None): No updates have been done to the commercial processes to specifically enable cloud service integration

Processes

Control Question: Do Key Performance Indicators exist for cloud based services?
CMM 0 (None): No KPI's are defined for cloud services

Control Question: Are the costs of a service billed to the consumer of the service?
CMM 0 (None): Costs of services are not billed or displayed to cloud consumers

Control Question: Are the Commercial contracts and processes integrated into supporting electronic systems?
CMM 0 (None): Systems do not include contract and process related information

Technology

CMM 1 (initial, ad-hoc): Cloud provision is handled like any other supplier by the involved teams and processes
CMM 2 (repeatable, opportunistic): Some Suppliers are integrated into the Procurement and Event management systems
CMM 3 (defined, systematic): Clear Service Levels and KPI's are defined for all online services from partners, together with training of employee on the legal and compliance requirements to be considered in cloud service contracting

CMM 1 (initial, ad-hoc): No, still using original templates
CMM 2 (repeatable, opportunistic): Leveraging contracts supplied by each cloud provider, with slightly different terms and conditions, and processes
CMM 3 (defined, systematic): Zero $ based framework contracts (agreements defining services and service level agreements, but with no volume commitments due to the nature of cloud services) are in place to enable service use, and all roles and responsibilities and remediations are clearly defined, including risk, compliance, and data related actions

CMM 1 (initial, ad-hoc): Original internal IT processes are used, and cloud is fitted to those, as applicable
CMM 2 (repeatable, opportunistic): Defined manual handling of exceptions exists, where existing systems don't accommodate integration with cloud providers consistently
CMM 3 (defined, systematic): Standardized supplier contracts are defined, enabling JIT delivery, from pre-selected suppliers, with electronic levels of integration

CMM 1 (initial, ad-hoc): Infrastructure availability SLA's are used to measure services
CMM 2 (repeatable, opportunistic): SLA's are in place for IaaS, PaaS & SaaS
CMM 3 (defined, systematic): KPI's are defined in context of the expected benefits of cloud, including availability, performance, cost, flexibility, compliance and security etc.

CMM 1 (initial, ad-hoc): No, IT Costs are handled by a common IT budget
CMM 2 (repeatable, opportunistic): Yes, costs are billed to the main departments (Production, Management, R&D, …), but only 1-2 times a year
CMM 3 (defined, systematic): There is a capability for the consumer to check ordered Services and their corresponding costs. The costs are billed to the consumer's cost center once a month

CMM 1 (initial, ad-hoc): Salient points of an interaction are manually captured into the systems as comments
CMM 2 (repeatable, opportunistic): Defined products, contracts and partners exist in the systems, with zero value commitments, against which services can be ordered
CMM 3 (defined, systematic): All services and contracts are standardized and aligned, enabling consistent decision making

CMM 4 (managed & measurable): Clients interact via defined shared cloud based interface and commercial frameworks, for which training occurs, and which adhere to strict SLA's
CMM 5 (optimized): Partners are integrated at contractual, electronic and process levels, transparently

CMM 4 (managed & measurable): Contracts with multiple suppliers are synchronized to common terms and processes, enabling the business to scale, migrate and adopt services transparently
CMM 5 (optimized): All commercial terms are electronically integrated and linked to the service classes and qualities selected from the available catalogues, by the consumer

CMM 4 (managed & measurable): Clear standard online contract and supply management is integrated with supplier systems, to ensure that the cloud service never runs out of capacity, by pre-warning suppliers of approaching order events automatically
CMM 5 (optimized): Integrated reporting and data sharing of relevant data is enabled between pre-selected contracted suppliers and the cloud provider, to ensure that pre-warning of Procurement events is possible, and that service quality can be monitored and managed pro-actively

CMM 4 (managed & measurable): Clear KPI's for service delivery against procurement events are defined and automatically monitored in the system, in context of defined business objectives
CMM 5 (optimized): Each Business objective has a KPI mapped to it, and data is automatically collected to indicate status and progress in achieving the objective KPI

CMM 4 (managed & measurable): Costs are constantly monitored, and billed to the consumer, and unused resources are optimized or returned to the available resource pool
CMM 5 (optimized): There is a constant process which monitors the billing. Growing costs are proactively monitored and are constantly discussed with the consumer. There is a process which terminates unused Services.

CMM 4 (managed & measurable): Based on real-time reporting against existing contracts, trends can be analyzed, and improved commercial conditions negotiated. Exceptions are identified
CMM 5 (optimized): Based on documented capacity and trends in existing contracted service usage, services can be aligned more directly to meet business requirements

Benefit Analysis: Traditional contracts are usually based on defined services, quantities, costs and service levels. Cloud based services are delivered "on demand", and providers can update, change or cancel their services at short notice, as can the consumers. By having contract frameworks which understand this, one is able to establish well governed relationships with partners, that support the dynamic delivery and consumption of services, in line with real-time business needs. This should also enable the cost of service unit production to more closely align to the actual unit sales, without excessive spare capacity or cost carrying.

Stakeholders Current State Future State Barriers

- IT Procurement
- IT Service Management

0 0
- IT Procurement

0 0
- IT Management
- IT Procurement

0 0
- IT Service Delivery Management

0 0
- Financial Controlling

0 0

0 0
Total 0 0
Portfolio Mgt

Contains capabilities related to:
• Consistent methodology for product and service development at both business and enabling technology layers
• Project Initiation updated to enable innovation and “cloud first” thinking,
• Standardised online documentation for services and products, which enables effective selection and matching of enabling and underpinning offerings
Is this domain relevant? Yes/ No

Control Question: Are the portfolio mgt people trained in a formal process for the production, operation, and retirement of the business's service portfolio elements, with consideration for cloud enablement?
CMM 0 (None): No training has been done and no framework for service portfolio management is used

People

Control Question: Is there a standard definition of services at business and technical level, centrally documented and referenced?
CMM 0 (None): No service definitions exist

Processes

Control Question: Does a defined process exist for the lifecycle management of services in the portfolio, allowing for new requests, changes and retirements?
CMM 0 (None): Each team produces their own services and they are not defined formally

Control Question: Is an online service catalogue available against which services may be ordered?
CMM 0 (None): There is no defined portfolio of services in any system

Technology

CMM 1 (initial, ad-hoc): Some teams have defined products and a common approach to portfolio development is defined for that group.
CMM 2 (repeatable, opportunistic): Common training exists regarding business services development, including design, operation and changes which are defined according to a framework, and cloud training according to this model is applied in all new projects
CMM 3 (defined, systematic): It is required that all members of the enterprise undergo common training on the business products and services according to an enterprise wide common framework for service portfolio management, including the positioning of cloud services in context of compliance and security requirements of the business

CMM 1 (initial, ad-hoc): Some core business services and their supporting processes are documented but it is not mandatory
CMM 2 (repeatable, opportunistic): Common terminology is used for service descriptions, and common terminology is defined
CMM 3 (defined, systematic): Internal services of the enterprise are defined according to a standard, and recorded in a generally available online service catalogue with descriptions for selection, ordering and deployment

CMM 1 (initial, ad-hoc): Some teams have defined their own non-aligned standards for documenting their services, but each team updates, changes and retires their services independently.
CMM 2 (repeatable, opportunistic): A standard process exists for documenting and publishing new product and service development, used for all new services, supported by a "cloud first" platform selection concept.
CMM 3 (defined, systematic): All services are defined according to a set of standardized definitions including business requirements, business case, features and functions, service reviews, KPI's, and retirement criteria

CMM 1 (initial, ad-hoc): Some services are defined and published to specific groups, in their own systems
CMM 2 (repeatable, opportunistic): A common system exists where some services are defined, and available to the whole enterprise.
CMM 3 (defined, systematic): All services are documented in a defined toolset, according to their role in the business environment, which publishes them as an online catalogue, with some service related reporting

CMM 4 (managed & measurable) / CMM 5 (optimized) / Benefit Analysis

1.
CMM 4: KPI's for people development include Service Portfolio development, operations and management, at the appropriate level
CMM 5: Specific training is defined per business function, according to a common framework which defines cloud service positioning, and feedback on the effectiveness of the defined processes close the loop within the enterprise.

2.
CMM 4: All services are defined for recording in a central repository, and orderable online, including both external and internal offering elements
CMM 5: Management level reporting is available for all services, indicating key information such as which portfolio elements are most used, most costly, alignment level to KPI's, and which are not used.

3.
CMM 4: A review process analyses all services, regularly evaluating deviations from the "standard", effectiveness of the service, cost benefit analysis, and recommends any changes that may be required.
CMM 5: Services are regularly analyzed, consolidated or retired based on business use, efficiency and effectiveness

4.
CMM 4: Based on common service definitions, services may be compared between API integrated suppliers for best fit to business requirements.
CMM 5: Online reporting regarding service use and effectiveness enables regular service and supplier corrections

Benefit Analysis: Through having a catalogue of defined products that the business produces, one is able to identify more effectively which internal or partnered services are key to the production of those services. One is also able to identify and select potential supporting service elements from cloud providers more effectively, in direct context of the actual requirements and cost limitations. This helps the business to understand its supporting services in context of each product much more effectively, and direct resources and investment accordingly. It also helps the business to determine where potential cloud services could help them to become more competitive, and to move more quickly in line with opportunity, revenue potential, and ongoing optimisation needs.
Stakeholders Current State Future State Barriers

Portfolio and Sales / Pre-sales,


Architecture

0 0
Business Units, Sales, Architecture

0 0
Architecture, Sales, Line
Management

0 0
Sales, Procurement, Architecture

0 0
Total 0 0
Projects
Projects are enabled by means of defined processes, blueprints, skills, and governance frameworks. This domain considers some of the key cloud enablers for projects

Is this domain relevant? Yes/ No

Categories (in row order): People, Processes, Technology

1. Control Question: Do Project Skills exist for cloud projects?
CMM 0 (None): Project Management have no understanding of cloud services and how to work with cloud delivery from external CSP's

2. Control Question: Do consistently defined templates, guidelines, best practices and blueprints for cloud based service & product deployments exist?
CMM 0 (None): No documented templates exist

3. Control Question: Is Project Initiation updated for Cloud?
CMM 0 (None): Cloud is not a factor in selecting or initiating projects

4. Control Question: Is Project Funding biased towards cloud enablement projects?
CMM 0 (None): Project funding ignores cloud opportunities, incentivisation or favored biasing

5. Control Question: Does a planned Project Portfolio exist for migration to cloud based services?
CMM 0 (None): No planned project portfolio exists for the integration or adoption of cloud

6. Control Question: Are Project Tools updated to support Cloud projects?
CMM 0 (None): Project tools and templates do not include any cloud factors
CMM 1 (initial, ad-hoc) / CMM 2 (repeatable, opportunistic) / CMM 3 (defined, systematic)

1.
CMM 1: Few internal skills exist aligned to common organizational cloud designs
CMM 2: Cloud Infrastructure Skills exist and cloud concepts are available to support/enable projects
CMM 3: Application developers are skilled in cloud use, aligned to the enterprise strategy, and available to support projects

2.
CMM 1: Developed by each project manager on an as-needed basis
CMM 2: Use is made of centrally defined and published Blueprints, Best Practices, and Checklists for Cloud Service integration
CMM 3: Comprehensive documentation exists, and is used by all projects: A clear framework exists and is used for classifying applications and data (protection) for projects (for mapping systems against cloud platforms and services), prior to deployment, ranging from Development, through Q&A, Pre-Production and into Production

3.
CMM 1: Ad-hoc projects developed by the project manager, developing own processes, methodologies and frameworks for Cloud service integration
CMM 2: Partial re-use of cloud methodologies, defined by certain new projects, and shared for further enhancement
CMM 3: Standard training is available for the various involved organizational units, tailored to their needs, addressing important cloud rules, policies, aspects and skills that they must develop and apply in their cloud service adoption

4.
CMM 1: Each project is independently funded according to its needs
CMM 2: A defined budget exists for the enablement of the enterprise for using cloud services, and projects draw from this according to their use of cloud
CMM 3: Cloud deployments always leverage the "80%" of existing cloud based building blocks, and most cost is directed towards "20% new development"

5.
CMM 1: Each project is initiated by separate units independently
CMM 2: Business Application landscape is defined to platform level, and new opportunities leverage this guide
CMM 3: A portfolio of planned and prioritized projects exists for migration of systems and services to cloud, accommodating new development initiatives

6.
CMM 1: Each project is defined by the assigned project manager, and built from scratch
CMM 2: Cloud based project templates are shared between project managers for re-use
CMM 3: Pre-defined elements are automatically populated into the project plan by the tool, and consistent feedback loops exist to update approved steps and methodologies with new learning
CMM 4 (managed & measurable) / CMM 5 (optimized) / Benefit Analysis

1.
CMM 4: Partnered skills from Cloud Providers are integrated into project teams, enabling internal resources to focus on corporate objectives
CMM 5: Online interfaces and controls are in place enabling skills to be sourced from wherever they may exist, for the specific requirement (i.e. skills requirements are placed on external tender to specialists)

2.
CMM 4: Automated selection of platforms is enabled (via a Cloud Portal) for placing applications and data, based on business rules and application classification, all the way through Orchestration and deployment to Production
CMM 5: Online tooling, tracking and reporting is implemented and supports all project based deployments

3.
CMM 4: Projects are planned in a cloud portfolio annually in advance, with clear budget, scope and objectives towards enabling cloud benefits realization
CMM 5: Leveraging existing templates, resources and methodologies for cloud use, high performance innovation is enabled, multiplying the enterprise's new product development by a defined factor

4.
CMM 4: Well defined R&D budgets leverage existing cloud elements, thereby optimizing cloud projects to only focus on the new development, at people, process and technology levels, consistent with the business objectives and cloud KPI values to the enterprise
CMM 5: Projects are approved or declined based on their value proposition to achieving the company's objectives and associated KPI's

5.
CMM 4: Based on the Business Application Landscape, each application is planned for appropriate cloud location, as renewal occurs
CMM 5: Planning for strategic re-development of applications to being cloud aware and correctly hosted, is in place against a timeline and budget

6.
CMM 4: Online project tool with integrated documentation is linked to selected cloud deployments and reporting systems.
CMM 5: Online project tool also integrates with and triggers / invokes workflows and processes for partnered services, as part of the Cloud Service landscape

Benefit Analysis: By creating templates and standardised concepts that projects can leverage, pre-defining authorisations, governance, reference models and interfaces, and methodologies, projects in the new cloud era can move forwards much more quickly, completing work by leveraging as many existing elements as possible, and reducing duplication and effort. This goes a long way to supporting a DevOps capability, in conjunction with adopting Agile methodologies.
Stakeholders Current State Future State Barriers

- IT Governance
- IT Management

0 0
- IT Service Management
- Quality Management
- Knowledge Management

0 0
- IT Service design
- IT Programme Management
- IT Architecture

0 0
- IT Programme Management
- IT Architecture

0 0
- IT Project Management

0 0
- IT Programme Management
- IT Architecture

0 0
Total 0 0
IT Operations

Contains capabilities related to:
• Enables 24x7, business continuity, data center fail-over and
• ITIL Version 3, Service Strategy, Design, Operations, and continuous improvement processes.
• Asset Management, Workforce Management and Service design, build and test development processes.
• Integrated IT Value chain (Open Group IT4IT model). That service life cycle is captured in the four IT Value Streams
o Plan (Strategy to Portfolio)
o Build (Requirement to Deploy)
o Deliver (Request to Fulfill)
o Run (Detect to Correct)

Is this domain relevant? Yes/ No

Categories (in row order): People, Processes, Technology

1. Control Question: How is tribal knowledge of cloud service management being fed into process documentation?
CMM 0 (None): Knowledge of cloud service management is not fed into process documentation.

2. Control Question: Is there a cloud specific Skills Management and development plan?
CMM 0 (None): There is no formal skill planning.

3. Control Question: How are teams organized to support cloud service provider offerings?
CMM 0 (None): Team enterprise does not take support of cloud services into account.

4. Control Question: How are people's roles changing as a result of cloud adoption?
CMM 0 (None): Roles have not been impacted by the adoption or the planned utilization of cloud.

5. Control Question: Are clear processes (e.g. ITIL) for service, risk and compliance management processes defined for cloud based services including Incident, Problem and Change mgmt., and integrated with the cloud provider and consumer eco-systems?
CMM 0 (None): Service risk and compliance management processes do not exist or are handled in nonstandard and ad hoc fashions.

6. Control Question: Is Capacity Management updated to include cloud based services?
CMM 0 (None): Cloud-based services are not included in the enterprise's capacity management process.

7. Control Question: Is there a methodical approach to demand management (new VM or service requests) that includes consideration of cloud platforms?
CMM 0 (None): Demand management does not take cloud or cloud services into consideration.

8. Control Question: Are operational reports readily available across Hybrid IT?
CMM 0 (None): Operational reporting does not take a hybrid IT model into consideration.

9. Control Question: Does Disaster Management consider cloud services that support business critical functions?
CMM 0 (None): Disaster management does not take into account cloud services, regardless of the criticality of the business they support.

10. Control Question: How are teams organized and managed to support CSP offerings?
CMM 0 (None): There is no co-ordination of support for CSP offerings

11. Control Question: Do Backup and recovery processes exist for CSP provided services where data is stored off-premises?
CMM 0 (None): Backup and recovery processes do not exist for cloud service provider services where data is stored off-premises.

12. Control Question: How are cloud technology platforms selected?
CMM 0 (None): Cloud technology is not selected by the enterprise.

13. Control Question: How are cloud vendors selected and managed?
CMM 0 (None): Vendor management is not formalized in our enterprise

14. Control Question: Do continuous quality feedback loops exist with CSPs?
CMM 0 (None): Feedback loops are not yet required as CSP offerings are not yet in use.

15. Control Question: To what extent are Continuous Release and Deployment practices used?
CMM 0 (None): We're a waterfall shop!

16. Control Question: How is Runbook Documentation managed for cloud services?
CMM 0 (None): Runbook documentation is not managed for cloud services. Cloud services are not included in operational run books.

17. Control Question: Are traditional/legacy platforms transforming to leverage virtualization?
CMM 0 (None): Traditional/legacy platforms continue to run on physically dedicated systems.

18. Control Question: Do in-house and custom built operations software packages provide integration APIs?
CMM 0 (None): Traditional operations tools do not provide integration API's.

19. Control Question: How do the internal cloud services and off-premises service providers networks support Hybrid IT integration?
CMM 0 (None): Traditional networking tools do not provide integration services across off-premises and on-premises services.

20. Control Question: To what extent does the CMDB support cloud?
CMM 0 (None): The enterprise does not utilize a CMDB.

CMM 1 (initial, ad-hoc) / CMM 2 (repeatable, opportunistic)

1.
CMM 1: Some groups have access to and understand operations process and related tools to manage cloud services.
CMM 2: All employees have access to and understand operations processes and related tools for cloud processes.

2.
CMM 1: Few internal skills exist aligned to common organizational cloud designs
CMM 2: A skills development programme exists, to develop cloud orientated skills in all affected technology units of the enterprise. Cloud Infrastructure Skills exist and are available to support projects

3.
CMM 1: Cloud service providers provide support to off-premises workloads and internal employees provide support to workloads running on-premises with traditional infrastructure. Support to individual consumers is provided on a per-incident, per-use case.
CMM 2: Individual teams have been combined into shared support groups focused on business areas or individual lines of business. The demarcation between supporting off-premises and on-premises begins to dissolve - i.e. teams are no longer organized into one or the other.

4.
CMM 1: Roles are still defined by technology area.
CMM 2: Roles have shifted to be focused on adoption of cloud and increased automation.

5.
CMM 1: Employees in the enterprise (human-based) provide service management functions, responding to regular reports or events as they occur or are produced in arrears.
CMM 2: Service, risk and compliance management processes are in use across the enterprise but are not integrated with the enterprise's and service providers' processes. Each cloud provider's processes are utilized, with manual, ad-hoc coupling to the consumer enterprise's own processes.

6.
CMM 1: Each division addresses its own resource and capacity needs and sets its own rules, roughly aligning to the enterprise requirements. Inclusion of cloud infrastructure and cloud-based services varies by division.
CMM 2: Clearly defined processes exist for onboarding new services and capacity into cloud services. Integration of cloud service capacity and traditional capacity is manual.

7.
CMM 1: Cloud first thinking does not yet exist or is limited to some LOBs only, but cloud begins to work its way into the demand management lens. Requests for new workloads are handled through traditional manual processes.
CMM 2: The enterprise has instituted a consistent process for demand management that includes cloud platforms. This is implemented across various lines of businesses. These processes address requirements gathering through to build specification and project funding. This process is followed for all new demands.

8.
CMM 1: Custom reports are produced by some CSPs when requested. Any integration of cloud service provider and on-premises operational reporting is handled on a manual and ad hoc basis.
CMM 2: Standard reports are produced by CSPs for pre-selected events as requested. Alignment between service provider and on-premises operational reporting increases.

9.
CMM 1: A cloud focused assessment of business-critical functions for disaster recovery management is conducted on an ad hoc basis.
CMM 2: Some business critical functions have documented RTO and RPO KPIs and processes that are occasionally tested with the CSP's support.

10.
CMM 1: Support for discrete CSP offerings is available from CSPs across one or more LOB.
CMM 2: Some SLO/SLAs are established for some consumer LOBs.

11.
CMM 1: Cloud service providers do not provide automated processes for backup or restoration of stored data. Responsibility for backup and recovery of data stored on the cloud service provider platform is driven by the consumer via manual request. Validation of backup and recovery activities is the responsibility of the consumer and initiated by manual request.
CMM 2: Cloud service providers provide the means to schedule backup and recovery of data stored off-premises, but only when the consumer has configured data storage to provide the services.

12.
CMM 1: Cloud technology platforms are chosen based on employee preference or vendor relationships. Little to no consistency exists in how this is conducted across the enterprise.
CMM 2: Cloud technology platform decisions are guided by formal requirements gathering and management reviews. This practice is implemented differently across various lines of business.

13.
CMM 1: Vendor management exists but they have not yet selected any cloud vendors.
CMM 2: Vendor management team can engage with architecture to align requirements with capabilities of CSPs when requested.

14.
CMM 1: CSPs are able to receive and consider feedback if/when provided.
CMM 2: Periodic quality feedback reviews are conducted with some CSPs.

15.
CMM 1: Agile practices are being adopted by some departments.
CMM 2: Broad use of agile practices. Automation is used to promote new code through pre-production environments.

16.
CMM 1: Some cloud services have run books. Existing operational run books have been updated to reference cloud services but only on an ad hoc basis.
CMM 2: Cloud services are covered in operational run books. Employees are randomly tested to ensure understanding and compliance of Runbook Documentation for cloud services.

17.
CMM 1: An initial set of traditional/legacy systems begin leveraging virtualization.
CMM 2: A broad number of traditional/legacy systems leverage virtualization for compute and storage.

18.
CMM 1: Some traditional operations tools are used in isolation to monitor workloads at off-premises service providers and on-premises cloud platforms.
CMM 2: Some traditional operations tools are able to integrate with off-premises service providers and with on-premises cloud platforms to promote onboarding and management simplification.

19.
CMM 1: Traditional networking tools are used in isolation to manage networks across on-premises platforms.
CMM 2: Traditional networking tools are able to integrate with off-premises service providers tools and on-premises platforms to promote onboarding and management simplification.

20.
CMM 1: The CMDB contains mostly traditional/legacy Configuration Items. Cloud service entities are being entered ad-hoc.
CMM 2: Most cloud service entities have at least one configuration item represented in the CMDB.

CMM 3 (defined, systematic) / CMM 4 (managed & measurable)

1.
CMM 3: Employees consistently refer to documentation for operational processes. When gaps in cloud service operations are identified, documentation is updated and its content verified with subject-matter experts across the enterprise.
CMM 4: Employees are regularly tested against a core set of skills and skill development content that covers cloud management and cloud operational process.

2.
CMM 3: Application developers are skilled in cloud use, aligned to the enterprise strategy, and available to support projects
CMM 4: Partnered skills from Cloud Providers are integrated into project teams, enabling internal resources to focus on corporate objectives

3.
CMM 3: A centralized support team manages operational processes across business areas and lines of business. The need for the public and private cloud services no longer exists, although teams specializing in specific public providers continue to exist (i.e. the AWS support team, the Azure support team, the Google support team).
CMM 4: A centralized support team manages operational processes across lines of business and various vendors of on and off-premises services. The team is managed and guided by a set of operational KPIs, updated to reflect management objectives specific to cloud.

4.
CMM 3: Individual roles have changed as a result of increased automation and utilization of cloud technologies. Architects, developers, integrators and administrators begin to merge.
CMM 4: Organizational roles have merged, removing much of the specialization that used to exist in siloed functions. Compensation plans include a component related to operational process automation.

5.
CMM 3: Although still manually integrated, the process for navigating a single issue across the consumer enterprise and its cloud provider is well defined and consistent between consumer and all providers.
CMM 4: Service, risk and compliance management processes between the consumer enterprise and its cloud providers are well integrated. Manually traversing processes to address a single incident no longer occurs. An integrated set of tools not only provides the needed functionality but also addresses management reporting and tracking of KPIs.

6.
CMM 3: A common capacity management process is utilized across the enterprise, though teams may still vary in their adherence to the organizational standard. Alerting is in place to notify the enterprise of new cloud deployments, and their alignment to the reporting framework of the enterprise.
CMM 4: A single, and common, capacity management process and strategy is in use across the enterprise. Automated threshold triggered procurement events are operational for normal capacity extension of the cloud infrastructure and software. The same events trigger governance workflows and control processes, invoking planning, audit & review activities, as needed.

7.
CMM 3: The enterprise begins instituting consistent and shared automated processes for demand management. These processes address requirements gathering through to build specification and project funding. Reporting and KPIs exist, associated with volume type and velocity of new demands.
CMM 4: Inclusion of cloud platforms and demand management continues to mature. Reporting and monitoring of KPIs for new demands enable predictive capacity management and forecasting.

8.
CMM 3: Service provider and internal cloud and traditional APIs are leveraged to access reporting data for the production of custom reports. Operational reporting is generated automatically.
CMM 4: Hybrid IT reporting, spanning environments and providers, is automatically generated at regular intervals or triggered by events.

9.
CMM 3: A repeatable process exists for the testing of cloud services that support business critical functions. This process can be exercised independent of the CSP. RTO and RPO KPIs are annually reviewed with CSPs in conjunction with testing.
CMM 4: Processes exist for failing over in disaster recovery cases to alternate cloud service providers. These processes are highly automated for cloud services that support business critical functions. Testing of failover capability is done independent of the business users.

10.
CMM 3: Support teams are managed via SLO/SLA across all consumer LOBs.
CMM 4: Delivery of support information is automated across support teams.

11.
CMM 3: Cloud service providers provide automated processes for backup and recovery of data stored off-premises based on consumer set configuration. Backup validation is automatic, including reporting for some cloud service provider services.
CMM 4: Backup and recovery processes are highly automated including validation of backups across all cloud service provider's services.

12.
CMM 3: An architecture team or equivalent role determines platforms to be selected based on business and technical requirements and corporate-wide adoption standards.
CMM 4: The enterprise has progressed to a point where cloud technology platforms can be selected based on functional requirements. This is built on the mapping of functional requirements, technical requirements, and cloud capabilities.

13.
CMM 3: Vendor management team engages regularly with architecture to align requirements with capabilities of CSPs.
CMM 4: Standardized criteria are used across LOBs in vendor evaluations. Consultation with cloud consulting firms such as Forrester and Gartner.

14.
CMM 3: Periodic quality feedback reviews are conducted with all CSPs and incorporate provider defined KPIs.
CMM 4: Periodic quality feedback reviews are conducted with all CSPs and incorporate standardized KPIs for ongoing tracking of improvement over time.

15.
CMM 3: KPIs are established to identify areas for improvement in CR and CD processes. Some delivery teams are exploring the use of containers for application deployment.
CMM 4: Application delivery through containers is the standard.

16.
CMM 3: Infrastructure, application and data audits have been reviewed to ensure that run books systematically address the entire technology ecosystem. Employees are regularly trained and tested to ensure understanding and compliance of runbook documentation for cloud services and traditional services. Education of new processes and process changes are conducted as changes are made.
CMM 4: The entire technology ecosystem is adequately covered by operational run books. Operational governance ensures run book updates are carried out on a continuous basis and employee skills are updated as changes to the environment occur.

The ability to leverage Cloud services are integrated


virtualization for across the entire technology
traditional/legacy systems stack, providing full support to
extends to the network layer. traditional/legacy systems.
Automation technologies are
deployed to manage legacy
systems.

18.
CMM 3: Broad integration exists between traditional operations tools and off-premises and on-premises cloud services. Hybrid IT KPIs exist for some services.
CMM 4: Traditional operations tool usage is being replaced with CSP provided tooling and services.

19.
CMM 3: Consistent integration exists between traditional networking tools and off-premises and on-premises services. Hybrid IT KPIs exist for some services.
CMM 4: Traditional networking tool usage is being replaced with off-premises service provider tooling and services.

20.
CMM 3: All necessary configuration items for off-premises and on-premises service entities are represented in the CMDB.
CMM 4: Sufficient automation and API integration exists for dynamic updating of cloud service provider entities in the CMDB.
CMM 5 (optimized) / Benefit Analysis

1.
CMM 5: The enterprise has instilled a culture of continual learning whereby employees engage each other to determine best practices and ensure continual evolution of operational process and associated training.
Benefit Analysis: Providing a skills management and development plan specific to cloud will encourage employees to evolve their skills and drive consistent knowledge across teams.

2.
CMM 5: Online interfaces and controls are in place enabling skills to be sourced from wherever they may exist, for the specific requirement (e.g. skills requirements are placed on external tender to specialists)
Benefit Analysis: The movement towards centralization and automation of CSP offering support will enable consistency and quality.

3.
CMM 5: The most common support functions are automated across off-premises and on-premises services, offering consumer self service features.
Benefit Analysis: People are moving into higher value roles throughout the enterprise.

4.
CMM 5: Many organizational roles have radically changed. Due to high degrees of automation and orchestration, elastic scalability and introduction of a common core cloud brokering or management capability, employees become part architect, part developer, part administrator and focus more on delivering business value than on constructing technology.
Benefit Analysis: Operational processes evolve from traditional IT service management practice to one that is agile and supports 3rd party CSP offerings.

5.
CMM 5: The enterprise cloud management and/or cloud brokering capability seamlessly processes incidents across the enterprise and its cloud providers' infrastructure and services. All process by-passes or exceptions are automatically detected, triggering real-time alerting and employee response.
Benefit Analysis: Moving towards more real-time valuations of capacity enables just in time decision making and optimization of procurement ensuring the enterprise has infrastructure and services available when required.

6.
CMM 5: Service capacity changes (add or removal) are automatically registered and integrated into the management environment upon instantiation of infrastructure and software assets. The increase or decrease in capacity is available in real time to the enterprise's cloud brokering or management capability.
Benefit Analysis: Moving towards automation of the demand management processes for all new service requests will allow the enterprise to optimize new service provisioning processes and reduce the time to enable new services.

7.
CMM 5: Having achieved a high degree of integration and optimization, systems automatically adjust to accommodate new demand as it is requested. The use of metadata and historical KPIs enable the demand management process to determine best placement of resources across Hybrid IT platform choices.
Benefit Analysis: By providing centralized and real-time reporting across Hybrid IT the enterprise will be able to make more dynamic decisions or even automate decision making.

8.
CMM 5: Operational reporting is seamlessly integrated into the single, shared brokering or cloud management capability. The act of designing, engineering, deploying or managing cloud services on or off-premises automatically triggers supporting reports, metrics and KPIs.
Benefit Analysis: Movement towards more automated service and data recovery will allow the enterprise to improve SLAs with the business.

9.
CMM 5: The enterprise's single, shared brokering or cloud management platform dynamically fails over to alternate cloud service providers as needed to support critical business services. These processes operate within RTO and RPO parameters.
Benefit Analysis: Centralized and shared support for CSP offerings will improve service availability.

10.
CMM 5: Centralized services teams exist and support information is provided from CSP through a unified dashboard.
Benefit Analysis: Movement towards more automated service and data recovery will allow the enterprise to improve SLAs with the business.

11.
CMM 5: Backup and recovery are seamlessly integrated into the capabilities provided by the enterprise's single, shared brokering or cloud management capability. Thresholds that trigger backup and recovery processes can be set by end-users.

12.
CMM 5: A methodical approach to selection ensures alignment between business objectives and both functional and non-functional capabilities provided. Brokering capabilities make selection of cloud technology platforms transparent to end-users.

13.
CMM 5: Organizational standards define preferred vendors.
Benefit Analysis: Regular and consistent dialog with CSPs with measured KPIs will improve the focus on service quality.

14.
CMM 5: Continuous feedback loop using structured KPI and unstructured comments methods provides input to continuous delivery cycle to improve Operations Processes.
Benefit Analysis: Moving towards CR/CD will reduce time delays associated with traditional methods.

15.
CMM 5: Cross CSP CR / CD is enabled by highly automated processes and KPIs are used to report optimization such as increased application density per host.
Benefit Analysis: Consistent documentation format and accessibility improves all employee skills and enables the enterprise to move manual workflows towards automation.

16.
CMM 5: Run books no longer exist independent of the enterprise's single, shared brokering and cloud management capability. Registering of service and infrastructure components, and the service design process includes steps to document appropriate run book content.
Benefit Analysis: Legacy systems are able to benefit from both the operational and the functional aspects of cloud delivery.

17.
CMM 5: Traditional/legacy systems are seamlessly integrated with virtualization technologies. Transactions span across cloud platform and traditional/legacy systems.
Benefit Analysis: Legacy systems are able to benefit from both the operational and the functional aspects of cloud delivery.

18.
CMM 5: The management of workloads across Hybrid IT is managed centrally from a single pane of glass. Existing traditional operations tools are integrated with the single operations management console through API integration.
Benefit Analysis: Having highly integrated operations software will improve service quality and enable more dynamic decision making.

19.
CMM 5: All aspects of networking (security, capacity, topology etc.), across Hybrid IT landscape, are managed centrally from a single pane of glass.

All elements of public and private Complete and updated CMDB info
cloud and traditional systems will provide the enterprise with a
across a Hybrid IT environments centralized repository of Hybrid IT
are represented in the CMDB. info which can be used to support
Data flows are automated operational decision making.
between the CMDB(s) and cloud
services with automated updating
of configuration items.
| Stakeholders | Current State | Future State | Barriers |
| Training Team, HR, Cloud Management Team | 0 | 0 | |
| Support teams, Service Owners | 0 | 0 | |
| Operations and Development teams. | 0 | 0 | |
| Governance and Compliance Team. Risk Management Team. Service Management Team | 0 | 0 | |
| Service Management Team, Capacity Planning, Supply Management, Technology Finance Team, Operations Team | 0 | 0 | |
| Capacity planning, IT Architecture, Platform operational teams, Cloud team. | 0 | 0 | |
| IT Management, Operations, Cloud Team. | 0 | 0 | |
| Business continuity team, IT Management, Cloud Team | 0 | 0 | |
| IT Support, Operations, IT Management | 0 | 0 | |
| Business continuity team, IT Management, Cloud Team | 0 | 0 | |
| Architecture, Platform operations | 0 | 0 | |
| Vendor management, Architecture, Platform operations, Service management | 0 | 0 | |
| Development, Build/Integration, Test, Release / Operations teams, Service management | 0 | 0 | |
| Development, Build, Release and Operations teams. | 0 | 0 | |
| Solution architecture, Operations Management, Offering owners, Service management | 0 | 0 | |
| IT Management, Operations, Platform teams, Cloud management | 0 | 0 | |
| IT Management, Operations, Platform teams, Cloud management | 0 | 0 | |
| IT operations, Cloud Team, Platform support | 0 | 0 | |
| IT operations, Cloud Team, Platform support | 0 | 0 | |
| IT operations, Cloud Team, IT Management | 0 | 0 | |
| Total | 0 | 0 | |

Management Tools

Contains capabilities of tools that:

• Manage & monitor all technology,
• Enable ITIL V3 Processes, IT4IT Value chain models, End to end service monitoring.
• Provide Integrated portfolio management system,
• Enterprise architecture system.
• Service catalogue with workflow,
• Integrated test management and software development environment,
• IT asset management,
• IT Automation and Cloud service provisioning

Is this domain relevant? Yes/ No

Control Question: Who determines the management tool standards?
CMM 0 (None): There are no standards for management tools.

Control Question: Who owns and updates metrics related to CSP offerings?
CMM 0 (None): Metric owners are not identified and/or metrics are not used to manage CSP offerings.

People

Control Question: Who owns and updates service catalogs?
CMM 0 (None): Service catalogs are not utilized within the enterprise.

Control Question: How are management tools evolving to support CSP offerings?
CMM 0 (None): Management tools do not yet support CSP offerings.

Control Question: How are management tools used to govern CSP offering policies?
CMM 0 (None): Policies are not used with our CSPs.

Processes

Control Question: How are management tools improving service delivery across CSP offerings?
CMM 0 (None): Cloud-aware management tools are not in use, highly manual process based management

What level of IT automation and The enterprise has not pursued IT


process management tools that automation
are implemented or processed alignment tools. 

Technology

Control Question: To what extent are CSP providing or making monitoring tools available?
CMM 0 (None): Cloud Service providers are not providing monitoring.

Control Question: How are tools used to diagnose issues as part of CSP offerings?
CMM 0 (None): Management tools do not interact with CSP offerings, or there is a complete segregation between cloud service management tools and management tools managing traditionally deployed infrastructure and services.


CMM 1 CMM 2 CMM 3


(initial, ad-hoc) (repeatable, opportunistic) (defined, systematic)
CMM 1: Individual service consumers or LOBs control management tool selection.
CMM 2: Management tools standards for internal services are controlled by a centralized IT team. Cloud management tool standards are defined by use cases by discrete CSPs.
CMM 3: Internal and CSP provided management tool standards including some integration that provide a limited Hybrid IT view of some services.

CMM 1: Some CSPs provide their own proprietary metrics.
CMM 2: All CSPs provide their own proprietary metrics. Alerting thresholds are managed by the enterprise as a whole
CMM 3: CSPs are mandated to provide common metrics but the enterprise selects which metrics are included in monitoring and reporting. Alerting thresholds are managed by the service consumer. Business analysts are consulted in defining metrics

CMM 1: Service catalogs are independently managed by some cloud service providers. Initial cloud service metadata begins to combine with traditionally deployed infrastructure and service components.
CMM 2: Individual LOBs manage their own service catalogs which they provide to their own user communities.
CMM 3: There is a shared service catalog across LOBs for some CSP offerings. This instance is managed by a central services team.

CMM 1: Some pre-production support teams are leveraging CSP provided management tools.
CMM 2: More production support teams are leveraging CSP provided management tools.
CMM 3: CSP provided management tools are integrated with internal support management tools including end to end real-time service monitoring.

CMM 1: Some CSPs provide basic policy management tools for their offerings. Business and technical policy items are managed via different tools.
CMM 2: Internal management tools provide a centralized view of CSP offering policies but updates are managed via CSP management tools.
CMM 3: Centralized management tools provide full visibility and control over all CSP offering policies including both business and technical policy items. Limited KPIs exist for policy compliance.

CMM 1: Management tools are cloud aware on an ad hoc basis, but process management is still highly manual.
CMM 2: Some service delivery processes are automated through management tooling controlled by CSPs. Partial integration of tooling with some CSP offerings. Containers are used by some delivery teams to improve application deployments.
CMM 3: Internal management tools are highly integrated with CSP offerings providing a unified service based view across Hybrid IT components. Application deployment via containers in the standard.

Tools for managing & monitoring Tools for managing Tools for managing
all Technology and ITIL V3 Service ITIL V3 Service Design, & Build & Portfolio and Program
Operations Service Transition & Test Management
IT Asset Management Work Force Management IT Architecture Enforcement
CMDB Operational IT Financial management Service Catalogue with workflow
Business Relationship
Management
Workflow Automation
Implement central cloud service
portal for configuring and
provisioning (and deprovisioning)
all cloud services directly by the
business.
CMM 1: Simple monitoring is provided, but contained to those services running within the cloud platform itself.
CMM 2: Basic monitoring and reporting are provided by CSPs. An internal service dashboard is used to provide a service view to the support team. In certain cases, monitoring data spans beyond the scope of a single cloud platform.
CMM 3: All CSP offerings include service dashboards with measured KPIs including real-time end to end monitoring and reporting for each cloud service. Monitoring spans across cloud platforms.

CMM 1: A small percentage of management tools are able to communicate with CSP offerings to assist in manual diagnostics.
CMM 2: Internal and CSP management tools are highly integrated and provide Hybrid monitoring to aid in diagnostics.
CMM 3: Triggers are used across CSP offerings to provide automated alerting when issues arise for general conditions.
CMM 4 CMM 5
Benefit Analysis
(managed & measurable) (optimized)
CMM 4: Management Tool standards are defined by Enterprise Architecture for a Hybrid IT view of all services. CSPs and IT delivery determine tool selection.
CMM 5: Management tool standards are defined by Enterprise Architecture and tool selection is determined by a centralized IT team.
Benefit Analysis: Having clearly identified standards for management tools helps drive consistency in IT delivery leading to improved operational efficiency.

CMM 4: Metrics and alerting are fully customizable across CSPs.
CMM 5: Business analytics automatically provides input to a centralized services team or Enterprise Architecture regarding CSP metric baselines and targets.
Benefit Analysis: Metric ownership and evolution will improve consistency in how IT delivery is measured and improve operational efficiency.

CMM 4: Most CSP offerings are managed from a central service catalog. This instance is managed by a central services team. A central service management governance process manages exceptions to the centralized service catalog. Exceptions are rationalized with sufficient business justification.
CMM 5: Service catalogs are periodically optimized based on usage data provided by CSPs and standards managed by Enterprise Architecture.
Benefit Analysis: Service catalog ownership ensures consistency of catalog offerings and their optimization over time.

CMM 4: Tools are enabled with standardized KPIs across CSPs to provide analytical views of service quality from a transaction perspective.
CMM 5: Management tool task automation and integration to CMDB across CSPs.

CMM 4: Triggers provide automated alerting where policy violations exist across CSP offerings.
CMM 5: A feedback loop across management tools provides automated input to period updates to CSP offering policies.
Benefit Analysis: The use of management tools in supporting and governing CSP offerings will lead to an optimized consumption of those offerings.

CMM 4: Automation and event based triggers have had a significant impact on service delivery times. Management tools provide a view of entire transactions along with component service calls dramatically reducing time to resolution of support tickets.
CMM 5: CMDB discovery and config management across Hybrid IT is enabled by interface standardization and automation. A unified service dashboard provides summary and detailed views with analytical features.

Statistical Process control Proactive incident identification


monitoring and reporting Incident prioritization based
IT Data Warehouse Business process impact
executive management
dashboard
Operational analytics

Benefit Analysis: Management tools and their consistent use across service offerings drive operational consistency and efficiency.

CMM 4: Monitoring is extended to provide a cross-CSP view including service measurements of entire transaction and component service calls. This includes spanning between cloud platforms and traditional infrastructure and service deployment models.
CMM 5: Monitoring drives automated discovery feeds that populate a shared CMDB for all cloud and traditional infrastructure and service components. Service dashboard includes reporting, analyst and forecasting features.
Benefit Analysis: Management tools and their consistent use across service offerings drive operational consistency and efficiency.

CMM 4: Triggers are highly customizable across CSP offerings including component service events alerting.
CMM 5: A unified service dashboard including analytical features provides pre and post event alarm actions that can be executed manually or automatically via policies.
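| Stakeholders | Current State | Future State | Barriers |
| | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| Offering owners, CSPs, Enterprise architecture, Shared Services or Operations, LOB IT leaders | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| Total | 0 | 0 | |
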
Security

Contains capabilities to enable

• Single sign on access,
• Role based identity management
• Real time per transaction authentication for SaaS Integration.
• Detection and auto response mechanism to all threats at any level of the OSI model

Is this domain relevant? Yes/ No

Control Question: Are security training and awareness materials updated to include cloud security?
CMM 0 (None): Little to no security training material exists, those that do exist do not consider cloud-specific security.

People

Control Question: Has the organizational structure been updated to enable Secure Cloud Usage
CMM 0 (None): The enterprise continues to operate as it did before cloud service, despite the use of cloud services by the enterprise.

Control Question: Are Policies & Rules cloud aware? Cloud security governance and compliance.
CMM 0 (None): No rules or policies exist for identity and account management of a cloud service user.

Process

Control Question: Do clear security frameworks and requirements exist for each class of application?
CMM 0 (None): The enterprise lacks security frameworks for classes of applications.

Control Question: Does a Data Security and/or Privacy Concept exist for Cloud?
CMM 0 (None): No data security or/and Privacy concept exist for cloud or non-cloud based systems and services.

Control Question: Is Security Reporting and Monitoring in place to be cloud-aware
CMM 0 (None): Security reporting is ad hoc or non-existent.

Control Question: Is Security Tooling updated for Cloud based services?
CMM 0 (None): Security tooling does not operate against internal or external cloud platforms.

Technology

Control Question: What is the current state of security Enforcement technology
CMM 0 (None): No security enforcement technology exists.
CMM 1 CMM 2 CMM 3

(initial, ad-hoc) (repeatable, opportunistic) (defined, systematic)

CMM 1: There is no structured security awareness, the employees have their own understanding of security (by their own interest.) No match to the business objective is in place.
CMM 2: Common communication on Cloud Security topics is in place. Training of employees includes cloud concepts and business objectives for cloud use, including governance aspects such as enterprise security.
CMM 3: Consistent employee training occurs between all partners, suppliers and employees of the enterprise. There is a common understanding of needed security aspects. The employees know how to handle a security alert.

CMM 1: Whoever encounters cloud security deals with it in their own way
CMM 2: The requirements for secure cloud usage according to the business objectives are defined.
CMM 3: Approval capability and roles are defined and operational security measures are identified per role. Responsibility for cloud security is clearly assigned to the appropriate role players, as defined points of contact according to a structured process.

CMM 1: Security requirements are analyzed and defined on a national basis. Cloud server location is known but does not call a need for action. Credentials for identity and accounting based on local server management with no process
CMM 2: A basic security concept is available for infrastructure and application layers per host country with clear defined authorization and access control. Credentials for identity and accounting based on basic processes
CMM 3: Integrated Security concept created. A set of appropriate standard Rules, Policies, Procedures and Guidelines are defined and published for use when adopting Cloud Services around the world. Individual standards and legacy requirements are defined per country and are adopted including access management. Defined process and methods for identity and account management for all services

CMM 1: Use is made of original physical separation based individual system requirements. Applications are not classified by groups.
CMM 2: Applications are grouped and requirements are set for business critical systems.
CMM 3: Requirements are defined for all types of systems, application groups and all cloud provider's services are aligned to these categories

CMM 1: A data security and privacy concepts are not differentiated for cloud and not defined yet.
CMM 2: Data security and privacy is evaluated on a project level for cloud which includes data access, security and transmissions.
CMM 3: Definition of data sensitivity groups, clear differentiation between privacy and security is set for an acceptable use in cloud service. Enterprise-wide rule set for data security and privacy regarding Cloud services. Audits are defined and done on regular basis.

CMM 1: Reporting is based on what lies within the corporate perimeter, without interfaces or defined data from external systems.
CMM 2: Business systems are categorized with system and data protection parameters per 'tier'.
CMM 3: Consistent measurement and reporting of Cloud systems is defined, and reports are generated.

CMM 1: Security tooling is connected on an ad hoc basis, and only to systems located within the enterprise network perimeter.
CMM 2: Security tools are used more consistently with cloud-based platforms. Use of standards such as SAML and CDMI increases.
CMM 3: Tooling exists and is integrated for SSO, SIEM across cloud and non-cloud based systems. All Cloud services use the same ITIL and Security tooling feeding common databases / data warehouses.

CMM 1: Mechanisms (process & technology) for application and IT control in place to demonstrate compliance to government regulation (SOX), security access controlled.
CMM 2: Full OSI level Intrusion Protection, Application intrusion testing and monitoring. Standardized Security policies enforced across business units application proactive security testing.
CMM 3: Mechanisms (process & technology) for continuous compliance to government regulation (SOX). Network Packet security inspection. Consolidated security incident aggregation. Single sign on access and common security is a gateway for all off-premises services and mobile access. Standardized Security policies enforced across Business. Security Breach pattern detection on all items in CMDB.
CMM 4 CMM 5
Benefit Analysis
(managed & measurable) (optimized)

CMM 4: Cloud security training and certifications are required for all involved parties. Q-Gates assessments are done.
CMM 5: Consistent Cloud security certification is aligned to the business objectives and required through the defined cloud ecosystem of the corporation and its partners
Benefit Analysis: Decrease security gaps and lower risks, data loss

CMM 4: Active planning exists against anomalies and deviations, and status is reviewed regularly and measurable by criteria checks
CMM 5: The organizational structure is able to bring tangible business benefits by working according to security risk ratings & fast adoptions
Benefit Analysis: Processes run effectively according to business needs, enabling and advising/supporting the business in real-time to achieve its objectives

CMM 4: Monitoring against all policies and rules is established, and non-compliancy is automatically reported (e.g. audit). Country specific requirements match company's corporate enterprise standards. Uniform process for identity and account management for all services
CMM 5: The security concept is reviewed regularly to adopt changes and follow country specific changes. Automatic monitoring of access management. Uniform process and centralized identity and account management for all services
Benefit Analysis: More efficient IT and business operations, Reduced friction between security and technology teams, Increased agility

CMM 4: Clear security perimeters and controls are defined and extended to the different cloud services, according to defined security qualities and criteria
CMM 5: Fully integrated security framework exists capturing the whole cloud environment which is real-time monitored and integrated to the enterprise landscape
Benefit Analysis: Reduced risk and improved security posture, Decreased chance of compliance issue

CMM 4: Documentation and assessing of data flows and security/privacy classes. Audits and assessments ensure data policy, including encryption facilities are available for data in transit, and data at rest.
CMM 5: Active data loss/ leakage prevention for cloud services. Automated KPI monitoring of data encryption during data hosting, interface management and data transmission matching corporate strategy and policy. Automated audits ensure security and privacy concept implementation.
Benefit Analysis: Business processes run effectively according to business needs, enabling and advising/supporting the business in real-time to achieve its objectives

CMM 4: Security data is generated by the monitoring and control systems, aggregated into KPIs and leveraged by operating governance bodies across the enterprise.
CMM 5: Real-time information flows across all participating service environments, supporting a continuous governance environment.
Benefit Analysis: Improved Cloud security and cloud governance operations, Improved security and decreased risk

CMM 4: Security tooling exists to automate the deployment of the related rules and policies for deployment of all systems and services.
CMM 5: Continuous stream analysis and other advanced security analysis techniques drive automated gating and enforcement of security policy. These capabilities are consistently applied across all cloud services.
Benefit Analysis: Improved security posture and reduced risk, Improved security and risk intelligence

CMM 4: Mechanisms (process & technology) for application and IT control in place that is able to be changed rapidly. Role based Identity management. Able to conduct Cloud Security Alliance audits.
CMM 5: Automated Threat response. Real time email monitoring for intellectual property or critical information theft.
Benefit Analysis: By having Security enforcement technology in place, one is in a better position to pro-actively track active deployment activity and prevent the need for later remediation activity
| Stakeholders | Current State | Future State | Barriers |
| Governance and Compliance Team. Service Management Team, Cloud Product & Portfolio, Audit | 0 | 0 | |
| | 0 | 0 | |
| Compliance Team, Security, Policy, Cloud Architecture, Cloud Product & Portfolio | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| Security and Risk Management, Cloud Architecture, Cloud Product & Portfolio | 0 | 0 | |
| | 0 | 0 | |
| | 0 | 0 | |
| Total | 0 | 0 | |

Information Lifecycle Management

Contains capabilities to enable:

• Capture, manage, retain, retrieve and deliver information according to its business relevance and specific industries
• Information Management Lifecycle process enforcement from creation to disposal
• Record retention policy enforcement
• Backup and archiving policy enforcement
• Efficient use of hierarchical storage technology
• An enterprise to go beyond storage management to information management by application, data classification, and business function.
• Backup services for applications, services and PCs
• Data Archiving services
• Deduplication services

Is this domain relevant? Yes/ No

Control Question: Are employees skilled and trained in Information Lifecycle Management or Information Management tools and methods?
CMM 0 (None): Employees are not trained on information lifecycle management or information management.

People

Control Question: Is there a commitment between senior IT management and business management, to leverage ILM across traditional and cloud platforms?
CMM 0 (None): There is no agreement between technical and business leaders to leverage ILM across traditional and cloud management.

Control Question: What is the current state of ILM processes and policies?
CMM 0 (None): There are no ILM processes or policies.

Control Question: Has the enterprise implemented governance over ILM processes and policies?
CMM 0 (None): There is no governance of ILM processes or policies.

Control Question: Does the enterprise understand ILM requirements across traditional and cloud platforms?
CMM 0 (None): The enterprise does not consider ILM requirements.

Processes

Control Question: Is ownership of ILM processes clear?
CMM 0 (None): The enterprise does not utilize ILM processes.

Control Question: Does the “Business” have defined backup, archival and recovery services?
CMM 0 (None): No defined backup, archival and recovery services exist.

Control Question: Does the enterprise have an effective data protection and disaster recovery capability for cloud services (SNIA)
CMM 0 (None): The enterprise does not have a data protection or data recovery capability.

Control Question: How important are backup services for applications and workstations?
CMM 0 (None): No backup services exist for applications and workstations.

Control Question: Has the enterprise deployed record retention and data deduplication services?
CMM 0 (None): Record retention and data deduplication services do not exist.

Technology

Control Question: Is data encrypted at rest and in transit?
CMM 0 (None): Data is not encrypted

CMM 1 CMM 2
(initial, ad-hoc) (repeatable, opportunistic)

CMM 1: Some employees have ILM and IM skills, to the extent that they understand how to use conventional backup and recovery tools. Any training programs are put together ad hoc, on a group by group basis.
CMM 2: The enterprise offers ILM and IM classes. Employees are trained and skilled on data deduplication and data management tools and methods.

CMM 1: A few technical and business leaders understand the value of ILM but their thinking is often constrained to ILM as applied to traditional platforms.
CMM 2: Technical and business leaders across the enterprise understand the criticality of ILM. Thinking has been extended from ILM for traditional platforms to ILM for traditional platforms and for cloud platforms, but not to the extent of ILM across hybrid cloud.

CMM 1: The enterprise is reactive to information issues, leveraging ad hoc business and technical processes.
CMM 2: The enterprise follows business and technical processes, but does so inconsistently. Efforts to resolve information issues are still largely reactive.

CMM 1: The enterprise has an ILM policy but the majority of employees are unaware of its existence.
CMM 2: The enterprise has organized an ILM governance function. The function is largely focused on business data governance practices. The governance function has little impact on the enterprise.

CMM 1: Some teams understand and track ILM requirements but do so within the scope of the individual technical or business processes. Requirements do not span traditional and cloud platforms.
CMM 2: Teams across the enterprise have documented ILM requirements. These requirements cross business and technical functions though it is common for a gap to exist when a process relies on both traditional and cloud platforms.

CMM 1: Ownership of ILM processes is on a group by group basis.
CMM 2: Individual groups (e.g. per application) own ILM processes.

CMM 1: The enterprise has limited backup, archival and recovery services. These services are deployed and managed on a team by team basis.
CMM 2: Individual backup, archival and recovery services have begun consolidation into groups based on similar applications or information sets.

CMM 1: Recovery timing predictions are not possible or a guess Best effort basis.
CMM 2: RTO/RPO can be estimated on an ad hoc basis and may not be accurate, due to lack of testing. Standard data protection tools are identified and documented in a business continuity plan. Standard back-up and recovery processes applied manually across the enterprise

CMM 1: Limited backup services exist for applications and workstations. These are managed on an ad hoc basis (group by group / application by application).
CMM 2: As the enterprise recognizes the importance of information management, backup services for applications and workstations begin to consolidate into logical, concentrated groupings.

CMM 1: Record retention and data deduplication services are deployed for the most critical information only. Deployment of these services is ad hoc and on instance by instance basis.
CMM 2: Record retention and data deduplication services are deployed across all critical information sources.

CMM 1: Data encryption is utilized ad hoc, on a group by group and case-by-case basis.
CMM 2: Encryption of data at rest and in transit is utilized for critical business data and in high risk situations.

CMM 3 CMM 4
(defined, systematic) (managed & measurable)

Enterprise provided ILM and IM ILM and IM training have been


training are required of integrated into individual
employees. Employees are employee learning plans and
trained on ILM operations across employee performance
all IT processes. evaluations. Skill deficiencies are
identified and training is selected
to close those gaps. Training
addresses the integration of
traditional and cloud based IM
and has matured beyond
traditional back-up and restore to
IM via application design methods
to implement transaction based
backup and recovery.

Technical and business leaders Technical and business leaders


are aligned in approach and have jointly conducts audits on all
pooled funding for information information lifecycle management
lifecycle management. disciplines, process, and
Accountability for ILM activities technology.
has been migrated from technical
employees to business roles. 
The enterprise consistently Automated ILM processes have
follows ILM processes, in been implemented, ensuring that
accordance to a shared set of ILM near real-time resolution of
policies. information issues occurs.
Management of information
across the enterprise is consistent
with information policy.

The enterprise has a published Automated ILM processes inform


ILM governance process. Teams and provide measurement of the
across the enterprise consistently value that the ILM governance
participate in this program process delivers.
resulting in business operations
that align to policy.

The enterprise maintains a A single system, or federated


current and uniform set of ILM capability provides an enterprise
requirements. One or more view of ILM requirements;
groups have systematically inclusive of all processes and
assessed technical requirements both traditional and cloud
across traditional and cloud platforms.
platforms in support of business
processes.

Business teams have begun taking  Ownership of ILM processes has


responsibility for ILM processes. progressed to the enterprise level.
The enterprise begins to establish The enterprise owns
a link between ILM and business information, not individual
metrics. application groups.

Backup, archival and recovery Backup, archival and recovery


services are systematically services are managed at the
deployed. Deployment is enterprise level. These capabilities
segregated into traditional and span traditional and non
cloud platforms respectively. traditional cloud platforms which
are agnostic to both on and off-
premises cloud providers.
RTO/RPO classification has been RTO/RPO are established and
standardized across the monitored against objectives.
enterprise. Standard back-up and Processes are tested periodically,
recovery processes applied based on near-real-time analysis.
automatically based on defined Processes are audited and
data criteria. RTO/RPO is recovery plans are tested on a
predictable, reliable and the frequency commensurate with
processes are tested periodically. business criticality or business
Dynamic backup/recovery risk.
processes based on policy and
changes to metadata

Backup services for applications Enterprise-wide recognition of the


and workstations are deployed value of information drives final
across the enterprise, ensuring consolidation of backup services.
coverage of the entire Backup services for applications
environment. and workstations are now
managed at the enterprise level.

Record retention and data Record retention and data


deduplication services are deduplication services are
required for all information elevated to the enterprise level.
sources. Management of these services is
centralized, monitored and
governed.

At rest and in transit data At rest and in transit data


encryption is utilized encryption is applied
systematically for critical business systematically based on the value
data and in high risk situations. of business data and the risk of
data storage and transmission of
data. Encrypted and non-
encrypted data is monitored and
regularly reported on.
CMM 5 Benefit Analysis
(optimized)

Employees are trained on ILM and


IM tools and methodologies that
span traditional and cloud
platforms. Employees are
cognizant and aware of IM and
the impact that actions have on
how the information is managed in the
platforms they utilize.

Technical and business leaders


have achieved a culture of
continuous improvement for
information lifecycle management
processes. Discussions have
moved from tactical to strategic.

ILM processes are seamlessly
executed in real time as a result
of full integration of ILM into
technical and business processes.
Feedback loops exist for
continuous improvement of ILM
processes to ensure alignment
with the enterprise's policies.

Reduced risk due to poor data


management, data loss, and
Governance of ILM process and ability to reinstate data in light of
policies is part of a continuous the disaster.
feedback loop, ensuring Increased efficiency by
optimization of ILM processes and eliminating redundancy of
an effectively managed set of knowledge-based work and
information assets for the reduce time involved with finding
enterprise. information
Improved accountability of Data
and what to keep or not to keep
Improved ability to demonstrate
The enterprise employs a mature compliance to regulations and
and optimized process for standards surrounding records
managing ILM requirements. This management
results in effective management Reduced Litigation exposure due
of information as an to the ability to demonstrate
organizational asset. Governance policy enforcement on record
over ILM requirements is a management and destruction
continuous process; ILM
requirements are updated by
monitoring and analysis services
that trigger on the quality of data
across the enterprise.

Ownership of information, and


the associated ILM processes, are
fully integrated into business
management and governance
processes.

Backup, archival and recovery


services are fully integrated into
the single, shared cloud-based
broker or management platform.
These capabilities have become
an integrated component of STaaS
adoption.
RTO/RPO is managed dynamically
based on ILM policy. Automated
and dynamic risk mitigation
services are integrated into
management of the environment.

Backup services for applications Backup services are critical for


and workstations are integrated business continuity and
into the enterprise's single, sustainment of services.
shared, enterprise-wide
information management
capability for the enterprise.

Record retention and data Record retention can be a critical


deduplication services are fully service and regulatory
integrated into the single, shared, compliance.
enterprise-wide information
management capability for the
enterprise.

Data encryption is fully integrated Data encryption is critical for data


into services and applications security and to protect IP
across the enterprise. Application (Intellectual Property).
of encryption is transparent to
end-users but effective in
protecting information assets.
Stakeholders Current State Future State Barriers

0 0

0 0
0 0

Data Architecture, Data


Governance, Cloud Architecture,
Cloud Engineering teams, Legal.
Directors of Firm 0 0

0 0

0 0

0 0
0 0
Cloud Architecture, Cloud
Engineering, Application
Development

0 0
Compliance Team, Security,
Policy, Cloud Architecture, Cloud
Product & Portfolio

0 0
Cloud Architecture, Cloud
Engineering, Application
Development

0 0
Total 0 0
DevOps

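DevOps is a framework that allows development, quality assurance, and operations to meet customer needs. It contains capabilities related to:

• Integrating Development and Operations teams to facilitate communication, collaboration, and integration to manage today’s rapidly changing business demands.
• It enables Developers to provision, change and manage their development environments without IT operations involvement
• It enables Developers to promote to production cloud native applications without IT Operations involvement
• It enables both conventional application development acceleration and cloud native application development techniques

Is this domain relevant? Yes/ No

Control Question CMM 0
(None)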

Is your "traditional" IT enterprise The "traditional" IT enterprise is


struggling to adapt to the new not adopting Cloud Technologies
business demands to utilize Cloud to meet the demands of the
Technologies? business.

How well do your Developers and No collaboration exists between


operations group collaborate on the DevOps teams in the
Cloud projects and initiatives? development of "Cloud"
applications and projects.

People
Do your development and
infrastructure teams operate
functionally as a single unit?

People

People

Are the DevOps Teams developing The DevOps Teams have no skills
the skills to enable native cloud in "Cloud Technologies".
capabilities to meet the demands
of the business?

How extensive is DevOps There is no current


implementation of "Cloud implementation of "Cloud
Technologies" into your Technologies" into the
development and operation development or operations
processes? processes.

How are development There are no changes to the


methodologies changing to development methodologies to
support CSP offerings (i.e.: support CSP offerings.
waterfall iterative vs. agile)?
Are the DevOps teams utilizing DevOps teams have no
centralized version control and centralized version control and
automated build scripts to automated build scripts to
manage artifacts and manual manage artifacts and manual
deployment for provisioning, deployment for provisioning,
automated unit testing and a automated unit testing and a
separate testing environment? separate testing environment also
do not exist.

Has DevOps implemented DevOps has not implemented a


continuous delivery to meet the continuous delivery solution.
demands of the business?

Process

Are the DevOps teams providing The DevOps teams do not provide
an extensive continuous any assessments for capabilities
assessment of cloud capabilities that support the business
and functional alignment to the functional requirements to realize
business? cloud capability solutions.
What are the process goals and There are no stated goals or
perspective with regards to perspectives provided to the
DevOps? DevOps Teams.

What is the extent of cloud There has been no


technology that has been implemented implementation of cloud
to support DevOps operation and technologies or development
development of Cloud models? models to support DevOps.

How is your cloud architecture There is no defined cloud


defined to support DevOps? architecture to support DevOps.

Technology
Are the DevOps Teams aligned to No strategic "Cloud" roadmap
a strategic "Cloud" roadmap? exists for the DevOps Teams to
align to.

Is DevOps incorporating the There is no incorporation of


development of automation development and automation
technologies? technology.
at allows development, quality assurance, and operations to meet customer needs it contains capabilities related to:
t and Operations teams to facilitate communication, collaboration, and integration to manage today’s rapidly changing business dema
provision, change and manage their development environments without IT operations involvement
promote to production cloud native applications without IT Operations involvement
onal application development acceleration and cloud native application development techniques

CMM 1 CMM 2
(initial, ad-hoc) (repeatable, opportunistic)

Some initial use of Cloud Development and Operations


Technologies is used but it is Teams are combining when there
limited to ad-hoc is a consistent opportunity to
implementations and is not widely work together in implementing
adopted. cloud based solutions but lacks
full integration on an ongoing
basis.

DevOps collaborates in "ad-hoc" DevOps teams now have managed


cloud projects and there is poor communication and have some
communication and coordination shared Decision making in
between teams. repeatable Cloud Projects and
look for opportunities to
collaborate on Cloud Initiatives.
Separate groups with no Some development projects begin
operational integration. to experiment with IaC practices,
 Development and infrastructure but limited to select pilots.
teams interact in traditional IT  Separate development and
consumer/provider relationships. infrastructure teams still modeled
as consumer and provider.

The DevOps Teams have some The DevOps Teams are developing
initial skills in developing "Cloud" consistently "Cloud" applications
applications and capabilities. and services but they are
opportunistic and not part of the
development lifecycle.

The DevOps use of "Cloud DevOps has developed processes


Technologies" is unpredictable and to manage the use of "Cloud
uncontrolled, often as a reactive Technologies" but it is
process to business demands. nonstandard and lacks a defined
approach.

There is initial use of CSP but it is The CSP process is defined for
for ad-hoc PoC and is limited. Cloud Service Adoption and there
is a developed repeatable
methodology that is used.
The DevOps Teams have initial DevOps Teams now can build and
centralized version control and re-create from source control,
automated build scripts but still management of build artifacts,
do not have any standardized automated deployment scripts,
management of artifacts. They automated provisioning of
still rely on manual deployment environments, automatic
however there are some ad-hoc integration tests, static code
environments provisioned analysis, test coverage and
through automation. Test analysis.
environments have initial
integration into the "Cloud"
lifecycle management.

The continuous delivery solution DevOps has a repeatable process


is infrequent and unreliable, for delivering continuous
releases are on an annual process. availability however it is painful
and infrequent, but it does
have reliable monthly deployment
of applications.

DevOps is providing some DevOps Teams measure the


baseline process metrics, manual process of developing cloud
reporting, visible to report runner capabilities with automatic
assessments but it is limited and reporting and transparency to the
ad-hoc. business.
ITIL is introduced which provides a DevOps has implemented limited
mechanism to establish process self-service features but responds
goals and alignment with business to opportunities when goals are
objectives. set and processes defined.

There is limited development of DevOps implementation of Cloud


Cloud Technologies and Models Technology to support operations
but no implementation of and development has siloed
automation or orchestration. automation but no centralized
infrastructure.

Cloud Architecture is DevOps implements the use of


implemented to address ad-hoc static templates such as AMI
request and is manually-installed (Amazon Machine Image) to
on a monolithic stack. develop repeatable processes in
deploying images to cloud
environments.

There is initial strategic use of a Some "Cloud Automation" has


"Cloud Roadmap" but it is limited been developed by the DevOps
to ad-hoc implementations. teams but is not part of a strategic
"Cloud" roadmap.

There is limited use of source DevOps is releasing operations


code control and management tooling such as provisioning and
with artifact and application monitoring of the underlying
release tooling but it is sporadic infrastructure that addresses
and preliminary. major business requirements.

CMM 3 CMM 4
(defined, systematic) (managed & measurable)

Development and Operations DevOps Teams are now working


Teams are now working as one with managed services and
DevOps group to define cloud measure consumption against
based technology as it pertains to demands to implement agile
business needs and requirements. solutions.

DevOps teams now have defined DevOps Teams are "collaboration-


capabilities that align with the based" and have measured
systematic development of Cloud processes to identify bottlenecks
Applications and Projects. and inefficiencies.
Members of development and Formal cross-functional teams
infrastructure organizations are comprising developers and
beginning to informally operate as infrastructure services staff are
cross-functional teams focused on allocated to projects under single
specific projects which apply IaC direction.
practices.

The DevOps teams have defined DevOps teams now have


development processes and are measurable skills that align with
using "Cloud Pattern" business demands and enable the
development in their application development of "Cloud Aware"
life cycle development. application development.

DevOps teams standardize on DevOps Teams are developing


processes and facilitate "Cloud Aware" applications and
communication and collaboration have visibility and predictability of
across the enterprise. entire process quality and
performance of the cloud
development life cycle.

DevOps has a defined and DevOps support of CSP is now


systematic process in place that managed and measured. DevOps
now supports CSP to meet the is building "Cloud Aware"
needs of the business and has applications to meet the
implemented an agile requirements of the business on
methodology. all cloud platforms.
DevOps Teams can now build DevOps Teams prioritize keeping
pushbutton deployment and code base deployable over doing
release of any releasable artifact new work, builds are not left
to any environment, standard broken, 12 factor application
deployment process for all design discipline. Cloud Native
environments, automatic application design philosophy
functional tests, manual based on Container design fully
performance/security tests. automatic acceptance tests,
automatic performance/security
test, manual exploratory testing.

DevOps is providing infrequent DevOps Teams now provide


but fully automated and reliable orchestration deployments, blue-
releases to support continuous green deployments, frequent fully
availability in any environment automated releases, deployment
with weekly deployments of disconnected from releases and
applications. daily deployment of applications.

DevOps Teams produce automatic DevOps teams produce report


generation of release notes, trend analysis, real-time graphs
pipeline traceability, reporting on deployment pipeline metrics
history and provide visibility to and measurable assessments of
cross silo teams. capabilities.
DevOps has defined workload DevOps has managed workload
deployment choices and is deployment with measurable
developing systematic process systematic process goals that align
goals that align with business with business needs.
needs.

DevOps has defined central DevOps teams collect and analyze


automated processes across the metrics of the automated
application lifecycle, processes and measure against
Infrastructure as Code business goals to align with
implemented using a Cloud operations and development
Foundry/OpenStack architecture. cloud models.

DevOps has a defined cloud DevOps teams manage distributed


architecture with mixed container-based solutions that
monolithic stacks and systematic are measurable which support
use of templates and AMI. the cloud architecture model.

The DevOps Teams are defining The DevOps Teams now have a
the capabilities of "Cloud strategic "Cloud" roadmap that
Services" and begin to develop captures measurable capabilities
tooling and automation needed that align with strategic business
for Cloud Service Adoption. goals.

DevOps has a defined process for DevOps is fully integrated with


developing automation and automation technologies and
orchestration services that is measures services and aligns to
implemented to meet business business requirements to manage
requirements. services and capabilities as
defined by the business.
CMM 5 Benefit Analysis
(optimized)

DevOps Teams are now optimized Cloud computing, Agile


in their approach to using agile development, and DevOps are
methodologies in addressing interlocking parts of a strategy for
business needs and requirements. transforming IT into a business
adaptability enabler. Without
complete adoption of these two
teams it would be nearly
impossible to realize the
capabilities that native cloud
technology has to offer.

There is effective knowledge By having DevOps teams work


sharing between the DevOps strategically on common
teams and individual platforms and methodologies
empowerment that results in enhanced collaboration can be
optimized Cloud Development. realized resulting in cost savings
and seamless enablement of
native cloud capabilities. Another
advantage of integrating
development and operations
teams is to facilitate
communication, collaboration,
and integration to manage today’s
rapidly changing business
demands.
Infrastructure services teams are Development and infrastructure
organized to align with functions exist within a single
development projects vs. organization, utilizing IaC
traditional siloed IT services (i.e., methodologies as standard
compute, network, storage, etc.). practice.
 Cross-functional project teams
are able to achieve project
deliverables more quickly than
previously with siloed functions.

DevOps Teams are now optimized The benefits of DevOps having


in their lifecycle development and extensive skills in developing
have transitioned from an cloud capabilities and
iterative waterfall approach to full methodologies into their
agile methodology. application and development
lifecycle capabilities helps to meet
the changing demands of the
business in meeting the
requirements of speed to market
in near real time.

All service and application The benefits of DevOps having an


deployments are automated with extensive implementation of
orchestration according to cloud capabilities and
business requirements and methodologies into their
process risk optimization is development and operations
realized. processes is realized by cost
optimization and improved speed
to market that aligns with
business requirements.

DevOps now collects metrics that Development methodologies


are constantly gathered and used need to change in order to realize
to incrementally improve the the native capabilities that
capabilities that enable an agile provide the business with an agile
methodology to respond to the and responsive DevOps team that
changing needs of the business. will align with CSP offerings.
There is now "zero touch" Centralized version control for the
continuous deployments, no DevOps Teams and "no touch"
rollbacks always rolling forward, automation builds enable savings
verify expected business value, in resources and reduces errors.
defects found and fixed Also time-to-market is greatly
immediately. increased with continuous
deployments of provisioned
services and systems that enable
the business to align its response
to market changes in near real
time.

DevOps Teams now have the When the DevOps Teams provide
ability to release containers under continuous availability the
developer control to production business applications built are
with hourly deployment of designed to be "always on" and
application features. "available". Administration and
operations are greatly simplified
and often inter-site DR is
combined with continuous
availability to provide the ability
to tolerate the loss of
infrastructure service, application
or database services and still
retain functional availability to the
business.

DevOps teams are optimized for When the DevOps Teams provide
dynamic self-serve of information, continuous assessment of
customizable dashboards and capabilities and services that align
cross reference across with the business needs the
organizational boundaries. benefits are that DevOps and the
business are strategically aligned
on a common road plan to deliver
services to meet the needs of the
business.
DevOps has optimized their When DevOps Teams have
operations to maximize business defined process goals that align
process goals and development with business requirements and
capabilities to meet business demands the realization of
demands. business agility and performance
can be realized.

DevOps models now support self- Having Cloud Technologies


service automation, self learning implemented to support the
using analytics and self- development and operations
remediation. teams which align with the
business models will provide
tremendous value.

DevOps Teams have optimized Having a defined cloud


service delivery utilizing architecture that both operations
lightweight services such as micro and development adopt in order to
services that align with the agility align with business requirements
and reuse models adopted by the and objectives is key to leveraging
business and support the native capabilities and
adopted cloud based architecture opportunities that are inherent in
model. cloud technologies.

The strategic "Cloud" roadmap is Having a strategic "Cloud


optimized to meet the demands Adoption" roadmap that aligns
of the business and align with the with business objectives and
DevOps Teams' capabilities. demands will ensure that the
needs and capabilities align at the
time they are needed.

DevOps is now optimized to meet The development of automation is


the demands of the business by key to boosting the abilities and
implementing automation skills of the IT teams as well as
provisioning, automating network realizing the capability of
configurations, automation implementing faster and simpler
monitoring and performance deployments of virtual machines.
management.
Stakeholders Current State Future State Barriers

DevOps Teams, Cloud and


Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams.

0 0
Software development and Resistance to break from traditional
infrastructure services teams. IT functional and organizational
norms.

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams.

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams.

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams, business
management teams

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams.

0 0
DevOps Teams, Cloud and
Application Architects, Project
Management Teams,
Implementation Teams,
Enablement Teams.

0 0
Total 0 0
PaaS

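Contains capabilities related to:

• Deploy onto the cloud infrastructure subscriber-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• The subscriber does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment
• The provider provides platform services such as Apache Tomcat, JBoss, .NET, Cloud Foundry to develop applications
• The provider provides data base as service, such as Oracle, Microsoft SQL, Cassandra, Mongo, Maria, Vertica etc.

Is this domain relevant? Yes/ No

Control Question CMM 0
(None)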
Do developers and operations Employees always build
employees think cloud first, or do applications using traditional
they gravitate to traditional application development
application development practices.
practices?

People

Are common code and service No common code or re-usable


elements available for re-use cloud based resources exist

Is a Scaling concept available No concepts are defined for


scaling that leverage cloud
capabilities
Are your platforms and It is not known if the required
middleware solutions available via PaaS elements are available to the
your platform as a service? enterprise for use.

Processes

How are your applications Applications do not make use of


structured or integrated with any cloud related structure,
PaaS as the foundational pattern, design concept, PaaS
platform? platform or PaaS-based services.

Is a PaaS framework such as No standardized framework is


Cloud Foundry or OpenShift defined or published for the
available for the business to business developers to use
leverage for effective cloud
application development

Technology
Is a single DBaaS (database as a No defined standard DB or DB
service) available on a central service is centrally available
PaaS

Technology
Do defined resources exist for No defined cloud resources or
cloud implementations tooling exists for building
applications.
ed to:
frastructure subscriber-created or acquired applications created using programming languages, libraries, services, and tools supported
manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over
vironment
atform services such as Apache tomcat, Jboss, .net, Cloud Foundry to develop applications
ata base as service, such as Oracle, Microsoft SQL, Cassandra, Mongo, Maria, Vertica etc.

CMM 1 CMM 2
(initial, ad-hoc) (repeatable, opportunistic)
Some developers in the enterprise Developers across the enterprise
are skilled with and utilize PaaS understand the benefits of PaaS,
platforms. are adept at using PaaS but
ubiquitous use of PaaS is not the
norm.

Developers use virtualized Developers use PaaS to develop


infrastructure (or IaaS) to deploy new applications
non-cloud applications

Services and capacity are Developers can scale their


manually scaled against defined applications using self-service
high and low watermarks, to within metering limits.
allocate sufficient change capacity
for an agreed period
No Platforms as a Service are Selected platforms have been
defined, although knowledge of identified, and are published for
options exists, and may be used common re-use within the
incidentally within pockets across enterprise (e.g. vCenter, KVM,
the enterprise. Hyper-V)

Applications are integrated using Application structures are


non-standard proprietary starting to use shared
application integration, though components for integration,
they may make use of a PaaS including services built from PaaS
solution for certain services. platforms. e.g. an enterprise
service bus is utilized for
integration, services are built
using shared application platform
utilities, web and presentation
use shared utilities and databases
are shared through service
interfaces.

Ad-hoc development There are defined security


providers, messaging facilities,
standards and interfaces in place
to support ongoing application
development
Different DB's exist, with some Well defined standard DBs exist
consolidation to shared (e.g. MySQL), and they are used to
environments host all new projects

Recognition exists of Application stacks (web servers,


development tools and application runtimes) are
components, but is not re-used identified. Development
consistently or documented frameworks are understood.
formally.
amming languages, libraries, services, and tools supported by the provider.  
rvers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for

p applications
Vertica etc.

CMM 3 CMM 4
(defined, systematic) (managed & measurable)
A preferred PaaS platform is Performance targets are
identified and known to established for developers across
developers in the enterprise. the enterprise to ensure they are
Developers use this platform to skilled in using PaaS. Developers
construct applications in the know that any traditional
majority of cases. application development, that
which does not use a PaaS
platform, is reported as exception
to enterprise standard.

One set of re-usable service Developers leverage cloud


elements (including application application design patterns for
code) are available, and can be development, with re-use of
used to generate new services, existing elements and are
and are managed and maintained measured accordingly, focusing
in a database available for on development of the minority
developers. of new elements that are needed
for any new system or service,
and the majority is re-use of
existing /pre-built elements
principle.

Application templates/examples The PaaS platform auto-scales to


support cloud application patterns increase PaaS capacity. Capacity
*(Note: See ODCA Paper on planning automatically checks
Architecting Applications for the KPIs and trends against policies.
Cloud)
Selected standards are defined for A consolidation programme is
development of cloud defined with all common
applications (so as to ensure elements being consolidated to
interoperability and integration central standard instances of that
capability (e.g. JBoss, .NET, functionality according to an
Apache, IIS)) ongoing schedule, aligned to the
lifecycle updates of the various
business applications

Applications are often Application portfolio reporting


provisioned via platform as a and management processes
service, from off or on-premises, ensure that all applications and
through common portal. services are constructed from a
Integration, presentation and PaaS platform, available as
data services have moved from services using a RESTful API (SOA)
shared utilities to PaaS generated integration mechanism. Auto
services. Enterprise Architecture provisioning of full application is
contains patterns, samples and available on demand and
tutorials for constructing infrastructure is automatically
applications leveraging public scaled by the PaaS platform to
and private PaaS platforms. meet performance requirements
of the application.

Resilient design blueprints are Auto-scaling uses pre-built or


available for common re-use of all scripted elements like web
key application elements services, message busses etc.
A comprehensive multi-functional Common Development tools and
DB environment is established as services are in consistent use (e.g.
a service and is in common Mongo, Cassandra) to enable
general use catering for the common application element re-
various application needs (e.g. use in the horizontal layer
Oracle, MS SQL)

Application design patterns are Leveraging common components,


consistently applied, and common different cloud platforms are
components are used in all utilized to appropriately support
development - cloud or non- application elements, leveraging
cloud; Includes integration with the scalability and resilience
IDE tools, common code features of the cloud platform (for
repositories (e.g. GitHub); support example active/passive or
for agile development, CI/CD active/active operational
(continuous integration & patterns)
development)

CMM 5 Benefit Analysis
(optimized)
PaaS is the only way applications The more the teams are aligned
are developed. on the enterprise strategy and
imperatives, the more consistent
will be their development and
achievement of those objectives

Use is made of defined PaaS rapid Re-use of common shared


application development tools for elements enables more efficient
developing all new applications operations, ongoing development,
such as mobile apps, prebuilt web and enables reduced
sites (e.g. WordPress), big data infrastructure below applications
apps (e.g. Hadoop), consistently

Applications that land on PaaS Scaling can be effected in


have a way to auto scale using different ways - having a common
metadata & policies, within concept enables consistent
metering limits. Applications approaches, especially when
monitor demand and automatic leveraging shared PaaS elements
alerting is implemented.
The enterprise carries out ongoing By pre-defining PaaS services, the
rationalization of applications, developers can leverage a
database instances and licenses. common standard, and avoid
Shared DBMS's are in use, and all creating their own
DBMS's are instantiated on the
PaaS platform.

All applications and services are Pre-defined PaaS elements enable


provisioned via PaaS from off or consistent application
on-premises, through a common development, and thereby
portal. Infrastructure supporting consistent platform selection,
these applications is highly orchestration and lifecycle
optimized to meet performance, management
financial and compliance targets.
PaaS provisioned applications are
automatically pushed through a
set of test suites, and upon
passing the applications are
deployed directly to production.
Dynamic orchestration
capabilities monitor the
effectiveness of applications by
leveraging A/B and multi variant
testing against defined targets,
ultimately resulting in an increase
in the prior or next version of
applications to meet business
needs.

Interoperable design elements Pre-defined PaaS elements enable


call external security providers consistent application
and message busses, enabling development, and thereby
cross-cloud application design and consistent platform selection,
development orchestration and lifecycle
management
Common development tools and Re-use of a consistent DBMS
services are in consistent use to enables consistent data
enable applications to scale up management, security control,
(e.g. Vertica, Autonomy) and cost efficiency

Systems are deployed across By offering the Developers and


clouds, and components project teams a standard
interoperate seamlessly; There is environment that meets their
a way to deploy the same app to needs, infrastructure efficiency
multiple clouds (hybrid PaaS) can be achieved regarding DR,
Architectures are designed to be Backup, licensing, commercial
interoperable and open agreements, and ITSM integration
Stakeholders Current State Future State Barriers

Developers, Business Application


owners, IT Operations, DevOps

0 0
Cloud Architecture, Cloud
Engineering, Application
Development

0 0
Cloud Architecture, Cloud
Engineering, Operations

0 0
Cloud Architecture, Cloud
Engineering, Operations

0 0
DevOps, Operations, Architecture

0 0
Cloud Architecture, Cloud
Engineering, Application
Development

0 0
DevOps, Operations, Architecture

0 0
DevOps, Operations, Architecture

0 0
Total 0 0
Integration Platform as a Service (IPaaS) Domain

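Contains capabilities related to:

• Integration platform as a service (iPaaS) is a cloud service that provides a platform to support application, data and process integration projects, usually involving a combination of cloud-based applications, APIs and on-premises systems.
• iPaaS delivers some combination of capabilities that are typically found in enterprise service buses (ESBs), data integration tools, B2B gateways, managed file transfer products and API management platforms.
• IT departments, line of business developers, mobile application development teams, application teams and even business users (aka "citizen integrators") leverage these capabilities to develop, execute and manage integration interfaces (or "integration flows") in the cloud.

Is this domain relevant? Yes/ No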
CMM 0
Control Question
(None)

What skills do employees need to The enterprise does not consider


effectively leverage IPaaS? IPaaS skills as critical.

People

What integration responsibilities Each team is responsible for


are associated with each team? determining their own strategy,
technology, language and method
for API's, data integration and
cloud integration.
What process steps exist to The enterprise has no plans to
ensure a consistent roadmap to implement IPaaS
IPaaS adoption?

Processes

How is application integration Applications are not integrated.


implemented?

Technology
Technology How is data integration Data is implemented through
implemented? non-standard, traditional point to
point scripts, ETL, ELT, or point to
point messaging methods.

CMM 1 CMM 2

(initial, ad-hoc) (repeatable, opportunistic)

An initial set of employees are A greater number of employees


skilled in the use of proprietary (e.g. integration engineers) have
application integration methods IPaaS type skills, including the
and tools, service oriented ability to differentiate cloud to
architectures, foundational cloud cloud, cloud to ground and
services (IaaS, PaaS and SaaS) and ground to ground integration
API catalogs. Employees have the methods.  Employees are able to
ability to integrate shared services build repeatable data integration
into STaaS service style offerings. pipelines, leveraging template
based development. 

Centralized architecture and Centers of excellence emerge in


design teams release standard the areas of API design, data
approaches to API design, data integration, data modeling, and
modeling, metadata, data quality, cloud integration - teams begin to
data integration patterns and leverage these SME's more often,
cloud integration. Awareness and reducing the duplication of effort
use of these standards by teams across teams
across the enterprise is on an ad
hoc basis - most teams continue
to do their own thing.
Non standard integration Individual teams publish restful
methods are accepted and API design guidelines, integration
utilized across teams. standards, based on integration
method, security requirements
and type of data; other teams are
not required to follow.
An operating model emerges to
support integration engineers
and project integrators.

Applications are integrated via Teams within the enterprise


non-standard proprietary deploy ESB middleware for
application integration (e.g. data integration, shared platform as a
is manually extracted from two service, shared database as a
applications, combined in a service, shared web presentation
temporary data store and as a service and shared storage as
imported back into one of the a service emerge on a team by
applications - or - application team basis.
functionality is integrated via
custom scripts or a proprietary
tool, non-standard, unique to
each team and each application).
Teams across the enterprise begin More teams share data
sharing data integration packages, integration tools and packages,
ETL bundles, and messaging data modeling tools and data
templates. Integration standards models, messaging formats and
and design patterns emerge, but data quality standards. One or
are used on an ad hoc basis. more teams deploy a library of
data integration patterns, data
models and quality routines.

CMM 3 CMM 4

(defined, systematic) (managed & measurable)

Employees across the The enterprise has implemented a


organization are trained on the cross-enterprise training program,
enterprise standard for API integrated into employee
design, data modeling, data performance management, that
integration and messaging, addresses API service brokering,
particularly for application and use of standardized application
data architectures. brokering services, and
Employees possess the ability to integration for the internet of
integrate services into an things.
ecosystem (e.g. GT Nexus). Citizen Integrators and Project
Business users and developers Developers are adept at using
(Citizen Integrators) are trained to iPaaS platform(s), exceptions are
use iPaaS platform. monitored and managed through
an enterprise governance
program.

Specific teams in the enterprise The enterprise has implemented


are identified as responsible for integration governance, ensuring
iPaaS platform, addressing cloud alignment between integration
to cloud, cloud to ground and component development and
ground to ground integration aligning integrations through the
capabilities. iPaaS platform.
Applications across the The enterprise implements an
enterprise use a restful API integration governance model
integration model. Project and that ensures all applications are
Portfolio Management approval integrated via standardized
process are modified to enforce Restful APIs, and data integration
integration policies. is accomplished via templates
An operating model is put into and shared data integration
effect that supports citizen routines or shared tools (ETL, ELT,
integrators and project ESB, data streams, etc.).
developers.

The enterprise defines an Enterprise-wide governance


enterprise-wide shared portal for ensures that all applications are
provisioning applications via on- available as services, utilizing a
premises or off-premises, public Restful API (SOA) integration
or private platform as a service. mechanism. APIs are discoverable
An enterprise ESB middleware is through an API Service Catalog
used for most message and  a service broker. Auto
integration. Enterprise provisioning of full application &
Architecture or a similar body in infrastructure stacks have been
the organization defines public implemented (e.g. Cloud
cloud service APIs, service Foundry), and are regularly
patterns, and sample code monitored, measured and
examples. Application Lifecycle adjusted to ensure SLAs are met.
Management and a citizen
integration platform as a service
are operational.
Data integration routines are An enterprise-wide, shared IPaaS
packaged into easy to deploy platform is the standard
packages, accessible through a mechanism for data integration.
shared IPaaS platform. This This platform contains a rich set of
platform is utilized by a number of data integration, data modeling,
teams but has not reached critical data quality and messaging
mass for standardization. Data capabilities. Data end-users are
lifecycle management is able to select and deploy
operational in support of standard, pre-packaged data
consistent and high quality data integration routines and data
integration. lifecycle management rules
without the need to engage data
engineers. All activities through
the IPaaS platform are monitored
and measured, compiling KPIs into
a central data metrics repository.

CMM 5
Benefit Analysis
(optimized)

All employees participate in Intense knowledge and distinct


training and are adequately skilled skills ensure efficient and reliable
in use of the enterprise's IPaaS integration facilitated by IPaaS.
capabilities. Developers and
business users are sufficiently
skilled to bridge connectivity and
data processing; providing a
seamless selection of connectivity
protocols, data & messaging
integration, data transformation,
data quality, application & service
integration, orchestration and
workflow, API management, SaaS
integration and optimal use of
reusable templates.

The most common integration Distribution of data access


functions are automated across permissions based on a defined
off and on-premises services, framework enables leveraging
freeing up teams to focus on a high degree of automation.
higher value activities and
enabling self service integration
features.
All integration processes have
been integrated as part of a
complete IPaaS capability
(centralized or federated), with
supporting governance processes
(application, data, portfolio,
project) to ensure compliance
with policy.

All SaaS, on-premises cloud The use of a central API-


applications and traditional framework reduces management
applications are integrated using overhead as well as likelihood of
standardized and optimized failures and increases reliability
Restful API broker services as and flexibility of cloud use.
implemented through an Furthermore, deployments run
enterprise-wide adopted IPaaS. faster and are cost efficient.
Data integration is enabled By using a highly integrated and
through a shared IPaaS portal automated data handling
with drag and drop integration blueprint data end users keep
modeling. Integration models are authority over their data. They are
savable, reusable and executable enabled to fully concentrate on
through the IPaaS platforms, business operations.
resulting in scheduled and rules
driven data integration, dynamic
recovery and job retry, and
automated scaling of data
integration services.
Stakeholders Current State Future State Barriers

Management, Cloud Architects,


Project Management Teams

0 0
Management, Cloud Architects,
EA teams, data responsible

0 0
0 0
Management, Cloud Architects,
EA teams, application
development, Project
Management teams/responsible

0 0
Management, Cloud, Data
Responsible, Project
Management, Application teams,
Application development

0 0
Total 0 0
IT Architecture

Contains capabilities related to:

• The definitions of the overall architecture and guidelines for various practitioners to ensure adherence to the architecture.
• Capabilities fundamental to cloud architectures such as:
• Resource pooling,
• Interoperability, and
• Self-service
• Enterprise architecture program defined:
o Policies,
o Principles and
o Architecture domains
o Technology standards & roadmaps enforced. Cloud Native Patterns and Code samples

Is this domain relevant? Yes/ No
CMM 0
Control Question
(None)

Have the Architects been trained Architects are not trained on


in Cloud Services and cloud services nor cloud specific
Architectures? architectures.

People Who is responsible for No specific accountability is


incorporating cloud service assigned for incorporating cloud
provider capabilities into services into an enterprise's
architecture? architecture.
Do standard architectural designs If architectural artifacts exist
exist to guide cloud based service they are not utilized to guide
deployments? cloud-based service
deployments.

How does architectural planning Architectural planning does not


consider cloud management consider cloud management
tools? tools.

Are Architecture Processes in Architectural processes do not


existence for Cloud based exist for cloud based services.
services?

Processes

Do Cloud Application Design & No cloud application design and


Development Patterns exist and development patterns exist.
are they utilized? Applications are developed using
traditional methods and
technologies.
Is the Business Application A business application landscape
Landscape mapped to platforms? has not been developed.

Are Standard Cloud Building Standard Cloud building blocks


Blocks Available? are not available.

Technology


CMM 1 CMM 2 CMM 3

(initial, ad-hoc) (repeatable, opportunistic) (defined, systematic)

Based on personal interest, A group of cloud specialists exist All of the Architects share a
certain architects have some in the enterprise, who focus on common framework and
cloud knowledge. certain but not all projects. associated training regarding the
enterprise approach to leveraging
cloud services.

Periodically, engineers, DevOps, It is common for engineers, A standard framework such as


systems administrators and architects and DevOps to update TOGAF exists and is consistently
architects will update architecture architectural artifacts with cloud used for updating architectural
artifacts with cloud service service provider capabilities. artifacts with cloud service
provider capabilities. provider capabilities.
Architectural designs are utilized A foundational set of  Cloud principles, architecture
on an ad hoc basis to guide cloud- architectural designs exist and blueprints, requirements and use
based service deployments. are often leveraged to guide stories are well documented and
cloud deployments. utilized in most cloud-based
service deployments. 

Architectural planning includes More often than not, architectural Consideration of cloud services is
cloud services within workflows, planning considers cloud services a central part of architectural
capability analysis and building when developing workflows, planning; representing
block development but only on an capability analysis and consistently in workflows,
ad hoc basis. development of architectural capability models, architecture
building blocks. building blocks, standards and
patterns.

Cloud based solution design Templates for cloud platforms Solution teams consistently create
pursued at times but not exist and solution designs created architectural documentation for
consistently. When carried out, for most cloud solutions. Some cloud solutions. A centralized or
cloud architecture is addressed teams share solution designs federated collection of standard
differently by different teams. across organizational boundaries cloud architecture templates and
but centralization or federation of processes are available. Teams
designs has not been achieved. across the enterprise consistently
start solution design from the
core architecture processes and
artifacts.

Applications are developed on New application development Application development


cloud services, but continue to leverages cloud design patterns; leverages cloud services and cloud
utilize traditional patterns. though a few exceptions continue platforms and are always based
to utilize traditional on cloud design patterns.
methodologies.
Landscape designs are utilized in Landscape design includes A complete target landscape is
an ad hoc fashion, often focused business applications, host cloud defined up to business
on infrastructure only. types, and interoperability applications including interfaces
standards requirements. for partners, leveraging
appropriate cloud elements for
application lifecycle stages.

Teams develop cloud building Use of RESTful API's emerge. RESTful API's are a standard IT
blocks on an ad hoc basis. When Interfaces are programmatic and management methodology. The
used, building blocks are manually usable. End user can use the interfaces
developed/ integrated via the A clearly defined set of standard without knowing of their
portal of the cloud service interfaces exist for Cloud services existence.
solution. and their use, and these are used A set of standardized cloud
in all instances, as the foundation environment management tools
for managed integration. and interfaces exist.
CMM 4 CMM 5
Benefit Analysis
(managed & measurable) (optimized)

Architects across the enterprise Individual cloud learning plans are By training the architects in Cloud
are trained and evaluated against integrated with tailored classes Services Architecture, they can
a common cloud architecture for employees in architecture consciously make decisions and
training program such as EMC roles. Performance assessments select appropriate patterns to
Cloud Architect (EMCCA). and career planning include cloud leverage cloud for the enterprise
Employee performance advanced cloud architectures,
assessments take these skills into Hybrid IT architectures and
account when determining transitionary architectures for
performance ratings. moving to the cloud.

Updating architectural artifacts Current state architecture By pre-defining responsibility, the


with cloud service provider artifacts are dynamically randomness of approach and
capabilities is monitored and generated from the data sources occurrence is eliminated
managed. Governance and within the operating
periodic maturity assessments environment, representing a
ensure compliance with this snapshot of the existing
process. environment. Transitionary and
future state architectures are
generated by modeling increases
in scale, increases in performance
or cost optimizations.
Services can be modelled online, Service components are modeled By pre-defining selected patterns,
leveraging existing standard within the single set of tools that re-usable building blocks can be
building block architecture are also utilized for deploying established and leveraged
artifacts that are well and managing a highly
documented. Utilization of this automated and optimized cloud
methodology is evangelized as based ecosystem.
the expected behavior for
designing cloud-based service
deployments.

Cloud service principles are a core Architectural planning is inherent The creation of a set of pre-
element to architectural planning. to the cloud management system defined re-usable building blocks,
Workflows, capability models, that the enterprise utilizes. processes and tools reduces the
architectural building blocks, Technologists are able to plan, workload considerably for
standards and patterns that do implement and govern workflows ongoing development of business
not consider cloud are flagged as from standardized cloud functions
exceptions and addressed. capabilities.

A centralized or federated set of Designing, engineering deploying By identifying the processes and
processes are applied across the and managing of cloud services assigning responsibility, a
enterprise.  These processes have merged. These are mandate is issued and doubt
ensure that cloud design review accomplished through a single removed, thereby enabling
documentations exists, tool interface. Existence of governance and control
demonstrating compliance to or operational metrics, used in
deviation from core cloud conjunction with architecture
reference architectures, principles governance and scoring, produce
and standards.  a multi-dimensional score for
cloud implementations.

Central and standardized Application design patterns are Having selected application design
resources are utilized for encapsulated into a single cloud patterns for cloud helps
developing applications. This platform. Application, integration developers to adhere to centrally
includes PaaS, SaaS and Platform and infrastructure are transparent defined concepts
Integration as a Service. Core as solution developers design,
cloud application designs are implement, deploy and
utilized in all cases. manage solutions through a
single mechanism.
Process modelling is performed to All business applications are By pre-defining landscapes for
optimize the cloud based represented in a common, shared Business Applications, a clear set
application deployments. cloud management capability. of policies and rules can be
People, process and technology applied to all ongoing
elements are mapped across the development
application middleware and
infrastructure layers, and
accessible through this common
and shared capability.

Services can be constructed with Standard building blocks are The more standard building blocks
automated integration into selected through a design that are available for re-use, the
supporting processes (ordering interface resulting in automated less that has to be developed, and
Portal, Charging, Monitoring). This integration of additional cloud the more efficient ongoing
is accomplished utilizing standard services. This design interface is development and operations
cloud building blocks. the same interface that provides become
comprehensive development,
deployment and management of
cloud services.
Stakeholders Current State Future State Barriers

CIO
Architects

0 0
Architects, Business Owners

0 0
Enterprise, Cloud, Application,
Infrastructure and Security
Architecture Teams. Application
Development/Engineering Teams.

0 0
Enterprise, Cloud, Application,
Infrastructure and Security
Architecture Teams

0 0
Enterprise, Cloud, Application,
Infrastructure and Security
Architecture Teams

0 0
Enterprise, Cloud, and Application
Architecture Teams. Application
Development/Engineering Teams

0 0
Enterprise, Business and
Application Architecture Teams.
Business Operations.

0 0
Enterprise, Cloud, Application,
Infrastructure and Security
Architecture Teams. Application
Development/ Engineering
Teams.

0 0
Total 0 0
Applications

Contains modernized and optimized applications ecosystem that:

• Are service oriented, API accessible, fully aligned to business needs and cost effective
• Able to be migrated to a Hybrid cloud delivery model.
• Contains hybrid cloud application design mechanisms
• Supports cloud native application design.
• Utilizes restful API, micro services, container models of application design

Is this domain relevant? Yes/ No
CMM 0
Control Question
(None)

What skills do developers have Developers possess traditional


and what training takes place, to application development skills.
ensure optimal application
development for the cloud?

People
What application development Teams are staffed with traditional
roles are defined and staffed? architect, software developer and
operations roles, split between
teams in independently managed
enterprises.
How are your applications Applications are organized into
organized? traditional application
development silos. Applications
are deployed onto traditional
infrastructure, to serve a single
business need. Applications are
not leveraged across
heterogeneous processes.

Processes

How does application build and Applications and services are


deploy occur? constructed by hand and
deployed by people.

How are applications architected Applications are constructed as


and/or structured. traditional client server
applications, they may or may
not leverage virtualized
infrastructure.
Applications are managed by
organizational employees vs.
automation, orchestration,
automated build-deploy or
automated recovery.
How do applications/services Application to application and
communicate with each other? service to service interactions are
conducted as each team deems
appropriate. Various methods and
styles are utilized.

Technology

What technologies and Applications are built utilizing


frameworks are utilized to design traditional technologies and
and build applications? frameworks; even when deployed
onto cloud infrastructure. (i.e. no
evidence of containers, PaaS,
SaaS, no 12 factor app, etc.)

CMM 1 CMM 2

(initial, ad-hoc) (repeatable, opportunistic)

Developers are aware of cloud Many developers take part in


native development, and training on cloud native
frameworks like 12 factor cloud development and frameworks like
development and concepts 12 factor application development and
behind architecting applications the concepts behind architecting
for the cloud. Developers may be applications for the cloud,
trained in the use of service including features of and how to
providers, use of containers and utilize service providers,
on specific platforms like Bluemix, containers and cloud native
Pivotal, Google App Engine, etc. application platforms (Bluemix,
Pivotal, Google App Engine, etc.).

Teams begin to organize around DevOps teams have become the


discrete products, aligning design, norm. Cloud developer roles are
development and operations into recognized and staffed into teams
a single team. across the enterprise.
Initial sets of dev and test Production applications
instances of applications are are running off-premises,  are
deployed to off and on-premises designed for fault tolerance and
services. Some applications have have self-healing capabilities.
been rationalized and are shared (monitor processes & services and
across multiple business restart failed instances based on
processes. Portable application service specific health checks).
and services emerge, representing  The application ecosystem has
the first cases of infrastructure been architected with sufficient
independence. instrumentation to provide
feedback at all times. 

Individual teams begin leveraging Shared, automated build and


automation in the build and deploy capabilities emerge and
deploy stages of their application begin being leveraged by multiple
lifecycle. teams to build and deploy their
applications.

Applications and Services are Most applications leverage


designed as and operate in a public/private cloud providers
stateless manner. They are like AWS, Microsoft's Azure or
composed of loosely coupled Google's compute and storage
discoverable services leveraging services. Applications are
one or more cloud services designed to monitor, retry and
 (storage, compute, network). self heal, leveraging services
Management by automation, provided by on and off-premises
scripts or orchestration is used ad platforms.
hoc across teams.
Ad hoc and inconsistent use of App developers begin to coalesce
REST API's (HTTP and JSON around RESTful API standards for
serialization) are used for app/app, service/service
application to application / service interaction. Enterprises may
to service interaction. implement API Management
Solutions to ensure consistent API
endpoints and monitoring of APIs.
 

A few teams begin utilizing Use of cloud native


cloud native application design application/service designs are
frameworks and guides, such as used more consistently across the
12 Factor Apps, ODCA enterprise. 12 Factor, ODCA
Architecting Apps for the Cloud. Architecting Cloud Apps, and
Individual teams begin developing other frameworks are common,
application and services as cloud as is cloud native development for
native for platforms like Bluemix, targeted platforms e.g. Stackato,
Google App Engine, Pivotal. Bluemix, Google App Engine,
Containers emerge to support Pivotal, etc. Containers are
cloud native applications. (e.g. utilized for many
Docker, Photon OS, Netflix application/service development
Karyon) projects.
CMM 3 CMM 4

(defined, systematic) (managed & measurable)

Cloud native and cloud The enterprise's Human


development training programs Resources and Talent teams
are mandatory and integrated review developer skills, ensuring
into employee onboarding and that all developers or DevOps are
annual performance assessments. trained and adequately skilled in
 Application developers who are cloud use and cloud native
unskilled in cloud application application development.
development and who are
unfamiliar with off-premises
service offerings are atypical. 

All teams are covered by one or Teams begin to move beyond


more cloud application architects. DevOps to an integrated set of
DevOps is a consistently utilized roles focused on delivering
organizational model. business outcomes. Architects,
developers and administrators
begin to merge in a
combined, hybrid role.
Applications have been Public and private cloud services
modernized into a cloud aware integrated with Internal
architecture. Use of container applications. All applications are
architectures are common.  Client developed as cloud native,
interfaces are standardized operating on a container
providing an agnostic client architectures. Scale out and
experience regardless of the type bursting across cloud providers is
(desktop, tablet, mobile).  All automated and in response to
applications are provisioned as a performance, availability or cost
service.  SLA boundaries.

One or more automated build and Automated build and deployment


deploy capabilities are defined as of applications is a cross-
an enterprise standards. Teams enterprise norm. Applications that
are expected to utilize these are built or deployed outside of
systems to build and deploy their this capability are identified to the
applications. Additional degrees build and deploy governance
of testing and quality assurance process.
are integrated into the build and
deploy pipeline.

Application are temporal, Application can be dynamically


working in an environment migrated across infrastructure
where each link in the service providers without interruption of
tendency chain and are unaware service or loss of transaction
of and unaffected by failure, start fidelity with the ability scale up
or elimination of dependent and scale down in response to
services or individual instances of performance, availability and
those services. Applications are cost SLA targets.
architected such that in-flight
transactions across service chains
are rolled forward/back
appropriately regardless of the
number or geographic
distribution of service instances.
The enterprise utilizes a shared Sufficient API governance has
API management solution, been instituted that exceptions
ensuring a standard set of REST are identified and evaluated and
API's are consistently utilized for remediated; resulting in
app/app, service/service consistent application and service
interactions. communications.

Cloud native designs are Any application development that


documented and accepted as the does not follow the organizational
standard application development standard (e.g. 12 factor) is
methodology. identified and flagged for
Cloud Native frameworks like 12 remediation. Application build
Factor, ODCA Cloud Apps are used manifestos are monitored for
as the norm.  Containers are compliance to technology,
utilized as the norm across framework and design standards
application and service and applications and services are
development. tracked in a source of record, with
associated metadata to support
application technology
governance activities. 
CMM 5 (optimized) and Benefit Analysis

CMM 5: The enterprise maintains a mapping of employees, business objectives, and technical capabilities. Individual learning plans are automatically generated, tailored to addressing skill gaps in ensuring an adequately skilled workforce.
Benefit Analysis: Business is responding in real time to consumer demands requiring changes that application teams need the skills to respond to in order to meet this demand. Having skills in cloud application development will allow the teams to meet this demand and align with business requirements.

CMM 5: Application development roles have transcended coding to become composers, or integrators of services. Application components are selected from a library of building blocks.
Benefit Analysis: Identifying and filling the appropriate application roles will ensure proper resources and skills are developed and available at the time they are needed. This is a critical component of continuous availability and sustainability in utilizing native cloud capabilities in meeting the needs of the business.

CMM 5: Everything is cloud-based. Applications are developed through a centralized and shared cloud capability. Design, development, deployment and management of cloud services is seamlessly addressed through this single interface, providing visibility into the macro enterprise of a cloud service, with the ability to click into greater and greater details of component breakdown.
Benefit Analysis: Cloud based applications offer a multitude of benefits that not only include cost reduction but can also be a source of revenue generation. Production applications are more resilient and agile when developed on cloud platforms and by implementing cloud application "patterns" which leverage the native capabilities of the "cloud" environment; many of the benefits are built in.

CMM 5: Build and deployment have matured into a continuous integration or continuous deployment pipeline.
Benefit Analysis: Building applications in which automation and orchestration are integrated will bring a multitude of benefits, including rapid deployment, which improves time-to-market, as well as the removal of manual processes which are error prone and siloed.

CMM 5: Application patterns are utilized to design applications which are instantiated by constructor services. Application developers select service building blocks to construct applications rather than code them. A high degree of automation removes most of the manual tasks that developers were traditionally saddled with.
Benefit Analysis: By applying "Cloud Application Patterns" into the application life cycle development many benefits can be realized. Some of these are "high availability" and "high resiliency", which are native to many of the application patterns used in cloud development. Another is the benefit of "SOA" (Service Oriented Architecture), which is inherent in native cloud application development.

CMM 5: Standard application integration RESTful APIs are dynamically included in all application construction. Architects and developers model connectivity between application services which are instantiated through factory services - generating the code and deploying the instances to a live, production environment.
Benefit Analysis: Communication between the applications and the services they consume is critical in attaining operational efficiency, which is realized through enhanced application performance, maintaining a strong backup/disaster recovery plan, facilitating faster onboarding of new services, such as cloud-based applications, infrastructure and security, while at the same time making it easier and faster to identify cloud services established for short term or pilot projects.

CMM 5: Applications are modeled in an enterprise's single and shared cloud capability. Adherence to framework and architectural standards is enforced within the tool, making it impossible for an application to be instantiated outside of desired compliance. This shared cloud capability encapsulates IaaS, PaaS, SaaS, IPaaS and other cloud capabilities, providing a seamless design, build, deploy and manage experience.
Benefit Analysis: Having an application framework that is cloud based is extremely beneficial when it comes to designing and building continuous availability solutions and maximizing resource utilization. Cloud architecture ensures better options in dealing with risk, compliance and governance. COEs (Centers of Excellence) are formed in which skills are developed across multiple verticals that align with a common global strategy in which efficiencies are realized and roadmaps align with business needs.

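Columns: Stakeholders; Current State; Future State; Barriers

Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Project Management Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Project Management Teams, HR Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Project Management Teams, Business Management Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Project Management Teams, Deployment Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Integration Teams; Current State: 0; Future State: 0
Stakeholders: Application Teams, Infrastructure Teams, DevOps Teams, Business Strategy Teams, Business Technology Teams, COE; Current State: 0; Future State: 0
Total: Current State: 0; Future State: 0
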
SaaS

Contains capabilities related to:
• The Service (software) provider’s applications running on a Service provider’s infrastructure.
• The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example, web-based email), or a program interface.
• Applications are integrated with internal applications and data stores

Is this domain relevant? Yes/ No

Control Question and CMM 0 (None)

Control Question: Does an understanding of SaaS exist
CMM 0: No-one knows what SaaS models are

People

Control Question: Is any formal training provided on SaaS services
CMM 0: No formal training is offered about SaaS within the Enterprise

Control Question: Does an enterprise policy exist for the use of SaaS services
CMM 0: No policy exists

Processes

Control Question: Is a SaaS Integration concept available?
CMM 0: No SaaS blueprints or reference frameworks exist

Control Question: Is a SaaS Management concept available?
CMM 0: No management systems exist to support compliant SaaS use

Technology

Control Question: Are SaaS Integration concepts defined
CMM 0: No defined SaaS or integration interfaces exist

CMM 1 (initial, ad-hoc), CMM 2 (repeatable, opportunistic) and CMM 3 (defined, systematic)

CMM 1: People use SaaS without really understanding what the difference is
CMM 2: People understand SaaS and the benefits it offers, and understand what to look for from a SaaS service
CMM 3: A clear understanding of SaaS exists covering both the opportunities and the risks, in context of the business's applications

CMM 1: Some web style articles are available to interested users
CMM 2: Formal training and information sessions from selected providers are scheduled on demand
CMM 3: Selected SaaS providers provide scheduled training shaped to different business units' needs

CMM 1: Employees try to align use of SaaS to existing application classification policies.
CMM 2: Each cloud provider's own security offering is generally accepted
CMM 3: Well defined software policies exist and offerings are consistently evaluated from all providers

CMM 1: Ad-hoc use is made of Software based Systems and service offerings from the cloud, based on the cloud providers' proposed methods
CMM 2: A clear set of defined blueprints and reference frameworks for the integration and use of SaaS are identified, supported by contractual frameworks
CMM 3: Specific business functionality is mapped to SaaS resources, and existing systems are being retired according to a managed plan, and migrated over to these target SaaS offerings

Some SaaS offerings are defined in the CMDB

CMM 1: Reports are received from each SaaS provider, and their services are connected to, terms accepted online by ad-hoc employees, and used via the internet
CMM 2: Selected SaaS providers' offerings are pre-integrated into enterprise catalogue and procurement portal, with electronic reporting defined.
CMM 3: Data monitoring and credential management is in place, ensuring extensive compliant use of common services

Opportunistic use is made of SaaS offerings based on selected use cases

CMM 1: Limited integration exists, leveraging the SaaS providers' offering and security and reporting on an ad-hoc basis
CMM 2: (no entry)
CMM 3: Duplicate internal systems are systematically replaced with SaaS offerings as their lifecycle management process proceeds (e.g. SAP R/3 to S/4HANA)

CMM 4 (managed & measurable), CMM 5 (optimized) and Benefit Analysis

CMM 4: The appropriate teams understand the business application categorization, its applications, and which ones can / will be provisioned from SaaS offerings
CMM 5: Developers and leadership understand and drive re-use of standard offerings as a core culture, to avoid unnecessary development
Benefit Analysis: By understanding what SaaS is, organisational units can look for opportunities to buy rather than own make common functionality

CMM 4: Deep understanding is developed based on selected SaaS offerings, for Developers, Integrators, and operations teams
CMM 5: Training is performed on "tips and tricks", integration options, and opportunity for influencing future development of the SaaS offering is available
Benefit Analysis: By training relevant teams on the SaaS offerings selected for the business, they are more likely to use and result in critical mass to make the SaaS effective for the business

CMM 4: Policies are supported by monitoring tooling and enterprise governance. Policies for location and protection of Confidential systems and content are defined, identifying what must be retained within the enterprise perimeter, and which "generic information" may be linked anonymously from the SaaS provider
CMM 5: All policy by-passes or exceptions are automatically detected and real-time alerting occurs, supported by appropriate governance structures
Benefit Analysis: Having a defined policy guides decision making and removes the doubt in applicability of certain services in various use cases

CMM 4: Public and Private SaaS offerings are in use and all of them are registered in the CMDB, and all services are actively managed to use these highly standardized functions, UNLESS a significant proprietary need exists for a deviation from this standard
CMM 5: Public and Private based SaaS are in standard daily use, with data exchange occurring through defined standard interfaces (cloud to cloud, cloud to enterprise), according to defined policies and methods, enabling complex business systems and functions seamlessly (e.g. between partner supply enterprises to the enterprise and the enterprise itself, leveraging off or on-premises cloud)
Benefit Analysis: Having clearly defined interfaces and functions makes the selection of appropriate SaaS services much faster and easier. It also helps to clarify how SaaS may be integrated into the enterprise, and what data may and may not be located within the SaaS environment

CMM 4: Defined integration interfaces and tools are used to interconnect internal and external landscape elements (e.g. Cloud Elements). All SaaS services are automatically registered in the CMDB. System protection and availability designs and mechanisms are known and are aligned to the business transaction criticality and compliance requirements, and are monitored and managed across participating internal and external SaaS and other systems
CMM 5: A seamless SaaS experience exists for users. End users access enterprise branded portal, search for and select the services they desire, and the corporation brokers access to those integrated services, complete with enterprise SSO. The broker function may be provided internally, externally, or by a selected provider (i.e. it is not mandatory to have the enterprise branding part applied). Additionally the authorization and procurement process is integrated into the company's formal processes.
Benefit Analysis: Having a clearly defined set of management requirements helps to down-select on SaaS options, and identifies how the organisation will expect to report and track the services. This helps both providers and users.

Complex SaaS integration exists between cloud services located on-premises and off-premises (e.g. Salesforce.com to SAP HANA)

CMM 4: Updates and renewal of existing code are always tested against the organisation's defined SaaS solutions - with replacement by SaaS as the first option ("Cloud first")
CMM 5: Continuous evaluation of competing SaaS based functions is performed, evaluating features, functions, development plans, and costs. Replacement is based on critical mass, impacts and improved integration interfaces (e.g. on-premises CRM and Salesforce)
Benefit Analysis: Replacing internal code with SaaS code helps reduce the Enterprise's maintenance burden, development costs, and increases access to new features and functions (without needing internal development)

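Columns: Stakeholders; Current State; Future State; Barriers

Stakeholders: Developers, Enterprise Architects, Business Process Management, IT Management, IT Operations; Current State: 0; Future State: 0
Stakeholders: Business, Developers, IT, Operations, Compliance; Current State: 0; Future State: 0
Stakeholders: Data Management, Legal Department, Service Management; Current State: 0; Future State: 0
Stakeholders: Enterprise Architecture, Cloud Architecture, Cloud Operations, Procurement and Legal; Current State: 0; Future State: 0
Stakeholders: Enterprise Architecture, Cloud Architecture, Cloud Operations, Procurement and Legal; Current State: 0; Future State: 0
Stakeholders: Operations, Architecture, Business representatives; Current State: 0; Future State: 0
Total: Current State: 0; Future State: 0
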
Data

Contains the capability of:
• Information stored in data lake architecture or a storage as a service model that is a highly scalable, high performance, easily accessible, cost effective shared repository
• Enables data virtualization of structured and unstructured data
• Promotes a shift from ETL (Extract, Transform, Load) to ELT (Extract Load Transform) of data.
• Enables Insight and Foresight reporting based on aggregated unstructured and structured data versus conventional Hindsight reporting based on structured data alone

Is this domain relevant? Yes/ No

Columns: Control Question; CMM 0 (None); CMM 1 (initial, ad-hoc); CMM 2 (repeatable, opportunistic); CMM 3 (defined, systematic); CMM 4 (managed & measurable); CMM 5 (optimized); Benefit Analysis; Stakeholders; Current State; Future State

Control Question: Are employees trained on Big Data technologies?
CMM 0 (None): Employees are not familiar with nor do they have training on big data technologies.
CMM 1 (initial, ad-hoc): Employees are aware of big data technologies but have no formal training.
CMM 2 (repeatable, opportunistic): Some employees are trained on Big Data technologies such as Hadoop, Vertica, Cloudera, Autonomy.
CMM 3 (defined, systematic): All employees are trained on big data technologies. Employees are building applications using Big Data technologies such as Hadoop, Vertica, Cloudera, Autonomy.
CMM 4 (managed & measurable): The organization's Human Resources and Talent teams review developer skills, ensuring that all developers or DevOps are trained and adequately skilled in Big Data technologies and on canonical data messages, API accessibility, data encryption technology and API service brokerage technology.
CMM 5 (optimized): The enterprise maintains a mapping of employees, business objectives, and technical capabilities. Individual learning plans are automatically generated, tailored to addressing skill gaps in ensuring an adequately skilled workforce.
Current State: 0; Future State: 0

People

Control Question: Are employees trained on data services offered by public/private cloud providers and inherent to cloud platforms?
CMM 0 (None): Employees are not trained on data services (public or private).
CMM 1 (initial, ad-hoc): Employees are aware of data services, but have no formal training.
CMM 2 (repeatable, opportunistic): Some employees receive training on data services such as Amazon Kinesis, S3, DynamoDB and Redshift / Google's BigQuery, Cloud Data Flow and Cloud Pub/Sub / Azure's SQL DB, Recommendations, etc.
CMM 3 (defined, systematic): All employees receive training on data services such as Amazon Kinesis, S3, DynamoDB and Redshift / Google's BigQuery, Cloud Data Flow and Cloud Pub/Sub / Azure's SQL DB, Recommendations, etc. Employees are building applications using cloud data services.
CMM 4 (managed & measurable): The enterprise's Human Resources and Talent teams review employee skills, ensuring that all developers or DevOps are trained and adequately skilled in the use of cloud data services.
CMM 5 (optimized): The enterprise maintains a mapping of employees, business objectives, and technical capabilities. Individual learning plans are automatically generated, tailored to addressing skill gaps in ensuring an adequately skilled workforce.
Current State: 0; Future State: 0

Benefit Analysis (one cell spanning the two questions above):
Solid data management minimizes the potential for errors and the damage caused by errors
Establish Controls so Data will not be a mess.
Establish a set of business rules that will determine who has access to your data.
Determine what changes/additions/actions can be taken by which personnel
Determine which database will be the master database
Enforces the creation and maintenance of a sound complete Data map, so data can be found quickly and easily
Enables the Segmentation of data. This is the process of “sectioning” your data so that you can use it more efficiently
Establish a Regular Data Hygiene Process

Control Question: Does the enterprise have an enterprise perspective on the value of data?
CMM 0 (None): No information value is determined. All information objects are treated as equal.
CMM 1 (initial, ad-hoc): Information value is determined on an ad hoc basis. When groups do perform valuation, each group performs it differently. Most information objects are treated as equal.
CMM 2 (repeatable, opportunistic): The business value of information is assessed in more cases. Groups begin valuing information in a more consistent manner.
CMM 3 (defined, systematic): The business value of information is consistently assessed. Metrics for measuring information business value are defined.
CMM 4 (managed & measurable): Information storage and protection criteria are regularly re-assessed based on the business value of information.
CMM 5 (optimized): Information is continually assessed in the course of doing business. Governance and validation of business value result inconsistent valuation results.
Current State: 0; Future State: 0

Control Question: Are data access and availability controls in place?
CMM 0 (None): No data access or availability controls are in place.
CMM 1 (initial, ad-hoc): Limited data access and availability controls exist. Implementation of controls is inconsistent and varies across groups.
CMM 2 (repeatable, opportunistic): Information sharing policies are defined, laying out specific data access and availability controls.
CMM 3 (defined, systematic): Data access and availability controls are consistently applied to information across the enterprise. Information is shared across the enterprise within the boundaries of appropriate controls.
CMM 4 (managed & measurable): Information access and sharing policies are defined and regularly reviewed on all managed information objects.
CMM 5 (optimized): Information access, data security controls and availability assurances are encapsulated within the enterprise's data ecosystem. Access and availability are continually reviewed in the course of doing business.
Benefit Analysis: Control gives one guaranteed compliance, lack of it will result in costly remedial action later
Current State: 0; Future State: 0

Control Question: Do applications leverage cloud-based data services?
CMM 0 (None): Applications do not leverage cloud-based data services.
CMM 1 (initial, ad-hoc): A limited number of applications make use of cloud-based data services. Use of these services is done ad hoc without consistency or standards.
CMM 2 (repeatable, opportunistic): More applications use cloud-based data services. Groups opportunistically drive consistency and standardization in the use of the services.
CMM 3 (defined, systematic): Applications systematically use cloud-based data services. Service usage standards are broadly deployed and used by most groups.
CMM 4 (managed & measurable): The enterprise has achieved full use of cloud-based data services for its applications.
CMM 5 (optimized): Data services in support of applications are encapsulated behind access APIs. Data services can be scaled and changed without impact to the consuming applications.
Benefit Analysis: Native cloud capabilities can be fully realized when data access is managed and monitored.
Current State: 0; Future State: 0

Control Question: Does the enterprise have a defined set of criteria and controls for managing data?
CMM 0 (None): No criteria and controls exist for managing data.
CMM 1 (initial, ad-hoc): Criteria and controls for managing data are used on an ad hoc basis. Data management is inconsistent across groups.
CMM 2 (repeatable, opportunistic): A standard set of criteria and controls for managing data emerges. Groups opportunistically drive consistency and standardization in data management.
CMM 3 (defined, systematic): The enterprise consistently utilizes criteria and controls for managing data. Data management standards are defined and published.
CMM 4 (managed & measurable): The enterprise has implemented enterprise-wide governance for data management.
CMM 5 (optimized): Criteria and controls for data management are seamlessly integrated into enterprise processes. Data management governance exceptions are rare.
Benefit Analysis: Having established criteria and controls is critical in large enterprises in order to establish standards and consistency with outside providers.
Current State: 0; Future State: 0

Processes

Control Question: Are data management processes automated?
CMM 0 (None): No data management processes exist
CMM 1 (initial, ad-hoc): Data management requires human knowledge of data and location, management processes are manual and inconsistent.
CMM 2 (repeatable, opportunistic): Data management processes are documented. Processes are manual, but used in more and more cases.
CMM 3 (defined, systematic): Data management policies are enforced based on correlated metadata. Manual processes are still required for management of data based on business metrics.
CMM 4 (managed & measurable): Data management is realized by automated, policy-based processes. Feedback and correction is manual. Data management processes are based on storage and business metadata.
CMM 5 (optimized): Data management is automated as part of a closed loop system (no human intervention required).
Stakeholders: Cloud Architecture, Cloud Engineering, Application Development, Legal, Business unit Managers
Current State: 0; Future State: 0

Processes

Control Question: Does the enterprise have a published data management framework that covers data at service providers or on cloud platforms?
CMM 0 (None): The enterprise does not have a published data management framework.
CMM 1 (initial, ad-hoc): The enterprise has a documented data management framework. A basic set of data is collected for data housed on or processed by cloud platforms. Data management metadata is collected manually, by various methods across groups and departments.
CMM 2 (repeatable, opportunistic): The enterprise has a published data management framework. A non-formal set of employees emerges who take responsibility for collections of data housed on or processed by cloud platforms. These self-named stewards are responsible for collecting and providing information about data.
CMM 3 (defined, systematic): The enterprise has a published data management framework. Data stewards are defined for data housed on or processed by cloud platforms. Data stakeholders review data management reports and take corrective action within the boundaries of defined data management processes.
CMM 4 (managed & measurable): The enterprise has a published data management framework. Data stewards ensure that data management metadata is encoded within a CMDB/CMS, data warehouse, or location with Data-aaS ecosystem. This integrated set of metadata is encompassing of data housed on or processed by cloud and traditional platforms.
CMM 5 (optimized): The enterprise's data management framework is an integral part of its overall operating model. Monitoring of data management and compliance to rules and policies is integrated. Data triggers automated events when data management attribute thresholds are reached, triggering automated corrective action or alerting.
Benefit Analysis:
Solid data management minimizes the potential for errors and the damage caused by errors
Establish Controls so Data will not be a mess.
Establish a set of Access business rules that will determine who has access to your data.
Determine what changes/additions/actions can be taken by which personnel
Stakeholders: Cloud Architecture, Cloud Engineering, Application Development, Legal, Business unit Managers
Current State: 0; Future State: 0

Control Question: Do the enterprise's information management processes span all domains, i.e. Business, applications, Information/Data, Storage?
CMM 0 (None): No data management processes exist.
CMM 1 (initial, ad-hoc): Data management processes exist but the enterprise lacks a storage service strategy, lacks a service lifecycle process, lacks service levels, and lacks service metrics.
CMM 2 (repeatable, opportunistic): The enterprise introduces service design processes and functions into its information management processes. Event/fault monitoring and tracking for configuration management is manual. Information management processes management emerges.
CMM 3 (defined, systematic): The enterprise adds a storage service catalog, and service transition capacity management. Information lifecycle management reporting is defined and implemented across many groups.
CMM 4 (managed & measurable): The enterprise adds storage service portfolio and catalog to Configuration & Asset Management. These and previous capabilities are integrated into the tools, processes, data sources (CMDB) and storage platforms. All associated configuration items are in a central CMDB or are consistent across a federated set of CMDBs.
CMM 5 (optimized): Information management is highly integrated with all relevant business, technology and data management processes, providing the enterprise a view of the entire operation at any given point in time. Automated processes are instantiated when threshold levels are reached, managing data in accordance with organizational policies.
Current State: 0; Future State: 0

Control Question: How is your information organized, accessed, available and managed?
CMM 0 (None): The enterprise does not care how information is organized, accessed, available or managed.
CMM 1 (initial, ad-hoc): Information is stored by each application separately, creating data duplication and inconsistencies.
CMM 2 (repeatable, opportunistic): The enterprise identifies an enterprise data management function. This function identifies and opportunistically manages key master-data sources.
CMM 3 (defined, systematic): Multiple Business Intelligence, big data or data warehouse systems are implemented, providing a defined and consistent view to critical business data. A central set of database technologies is implemented to support a scale out database architecture.
CMM 4 (managed & measurable): The enterprise defines canonical messages for use with a shared, central enterprise message capability. In addition to direct data access, data object access is enabled through APIs.
CMM 5 (optimized): A single enterprise-wide logical data lake repository has been implemented for structured and unstructured data. Data is accessible via APIs and discoverable through API calls to a service brokerage catalog. Data is defined in a master data record catalog. Clear responsibility and ownership of all data objects is assigned and managed by data stewards.
Current State: 0; Future State: 0

Technology

Control Question: How has the enterprise enabled search and extract of data from your data repositories?
CMM 0 (None): Data repositories are not accessed or searched beyond the application that creates, modifies and deletes data directly (sole application access).
CMM 1 (initial, ad-hoc): Ad hoc SQL queries are issued directly to data repositories. Data files are copied around the enterprise. Some groups utilize ETL/ELT tools to extract data.
CMM 2 (repeatable, opportunistic): The enterprise has achieved standardized SQL access to data repositories. Data files are still transferred around the enterprise, some common file shares emerge as standard locations. ETL/ELT tools are used on a group by group basis.
CMM 3 (defined, systematic): Standard SQL Search capabilities have been implemented that access collections of data repositories - i.e. mini data lakes / data ponds. Standard and shared ETL/ELT capabilities are utilized in 50% or greater of cases. 50%+ of file transfer happens to and from sanctioned and pre-configured data sinks.
CMM 4 (managed & measurable): Real time access to data is available through standard, managed access points. Semantic search engine capabilities are operational to support structured and unstructured data analysis. Standard ETL/ELT tools are used to access data through data APIs.
CMM 5 (optimized): The enterprise has reached a state where on-premises data and data at public/private cloud providers are integrated for a seamless end user experience. Data animation capabilities, advanced analytics and forecasting interface to a data lake through data service APIs. All data access is automatically tracked for data residency, data quality, compliance and information lifecycle management in accordance to corporate requirements and policies.
Current State: 0; Future State: 0

Benefit Analysis (one cell spanning the two questions above):
Determine which database will be the master database
Enforces the creation and maintenance of a complete Data map, so data can be found quickly and easily
Enables the process of “sectioning” or naming your data so that you can use it more efficiently
Establishes a Regular Data Hygiene Process

IaaS

Contains capabilities related to:


• Provision processing, storage, networks, and other fund
• Enabling a consumer to be able to deploy and run arbit
• The subscriber does not manage or control the underly
Is this domain • The subscriber may also have possibly limited control o
relevant? Yes/ No
Control Question | CMM 0 (None)

Control Question: Are the infrastructure teams using virtualized services to support cloud computing?
CMM 0 (None): The infrastructure teams are not using virtualized services to support cloud computing.

Control Question: Are Network Engineers able to utilize virtualized networking services such as SDN (Software Defined Networking) and administrate virtualized networks?
CMM 0 (None): Network Engineers are not implementing virtualized networks.

People

Control Question: Are the storage and data administrators utilizing virtualized infrastructure capabilities such as compute and storage services?
CMM 0 (None): Storage and Data administrators are not currently using any virtualized infrastructure capabilities.

Control Question: Are the Dev-Ops teams working with the Infrastructure Teams to develop a container-native infrastructure?
CMM 0 (None): There is no work being done by either the Dev-Ops or Infrastructure Teams to develop a container-native infrastructure.

Control Question: Has IaaS been clearly defined for the enterprise?
CMM 0 (None): There is no current understanding of IaaS across the enterprise.

Control Question: Is there a clear IaaS cloud architecture defined to support the business?
CMM 0 (None): No clear IaaS architecture is in use to support the business.

Control Question: Are there any virtualized computing resources being used to define infrastructure components?
CMM 0 (None): No virtualized computing components are being used by the current infrastructure environments.

Control Question: Do infrastructure virtualized services support Identity Management Capabilities?
CMM 0 (None): Currently infrastructure virtualized services do not support identity management capabilities.

Processes

Control Question: Do infrastructure virtualized services provide an Orchestration Capability?
CMM 0 (None): Infrastructure virtualized services do not exist and/or currently do not support any orchestration capabilities.

Control Question: Does IaaS support the automated platform as a service selection and is it mapped according to business needs?
CMM 0 (None): There is no IaaS support for automation and there is no mapping according to the business needs.

Control Question: Do development teams employ scripting/tooling/Infrastructure-as-Code practices for management of cloud resources?
CMM 0 (None): No.

Control Question: Is containerization part of service delivery for virtualized infrastructure services?
CMM 0 (None): Containers are not used for any infrastructure service delivery.

Control Question: Is Management & Monitoring enabled for Cloud based services?
CMM 0 (None): No virtualized infrastructure services exist that support management and monitoring of cloud services.

Control Question: Do virtualized infrastructure components exist to support shared applications and the technology needs of the business?
CMM 0 (None): No virtualized infrastructure components exist to support shared applications or services that are needed by the business.

Technology

Control Question: Is an IaaS framework available for the business to leverage for effective cloud application development?
CMM 0 (None): No IaaS framework exists that supports the needs of the business to realize cloud capabilities and services.

Control Question: Do the services offered by IaaS support interoperable design elements to call external security providers and message busses, enabling cross-cloud application design and development?
CMM 0 (None): No IaaS services are available to support interoperable design elements nor is there any ability to call external providers.

Control Question: Is container-based virtualization part of the infrastructure technology roadmap?
CMM 0 (None): There is no container-based virtualization on the infrastructure technology roadmap.

CMM 1 (initial, ad-hoc) | CMM 2 (repeatable, opportunistic)

CMM 1: Infrastructure teams are starting initial use of virtualized services but only in an "ad-hoc" way, i.e. specific use for a specific request.
CMM 2: Infrastructure teams are able to implement virtualized computing components consistently and as opportunities present themselves.

CMM 1: Network Engineers are testing the capabilities of virtualized networks and implementing PoC projects to validate their capabilities.
CMM 2: Network Engineers are able to implement virtualized networks as the opportunities arise.

CMM 1: Initial use by data and storage administrators of virtualized storage and management of data services is limited and inconsistent.
CMM 2: Use of virtualized storage and data services by data and storage administrators now supports centralized storage services and is administrated via a centralized portal.

CMM 1: Dev-Ops begins to develop some instances that utilize container-native infrastructure but it is ad-hoc and there is no existing global architecture to support it.
CMM 2: The infrastructure teams begin to architect the virtualized infrastructure services to support containerization. There is no widespread use of containers as they are used only as opportunities arise.

CMM 1: There is an initial understanding of IaaS and there are ad-hoc instances beginning to emerge.
CMM 2: IaaS is beginning to be implemented consistently across the enterprise opportunistically.

CMM 1: The first use of IaaS is de-coupled from the traditional infrastructure and resides in ad-hoc pools.
CMM 2: IaaS is now integrated and interoperable as an infrastructure service that is a repeatable and opportunistic response to the needs of the business.

CMM 1: There is some initial collection of data about infrastructure virtualized services but it is ad-hoc and typically collected manually, with different methods, by different departments.
CMM 2: Infrastructure virtualized services are available and used repeatedly to align with business processes that leverage the capabilities offered by IaaS.

CMM 1: Infrastructure virtualized services are used initially to create users however they are created manually by different processes. Although there is no responsible role to manage user creation there are instances of ad-hoc automation. Currently every application handles its own users, with no synchronization between cloud service and enterprise.
CMM 2: Infrastructure virtualized services now define a responsible role for credential management however it is used optimistically and not as an enterprise solution.

CMM 1: Infrastructure virtualized services support separate requests triggered via a separate tool or portal of the specific provider.
CMM 2: Infrastructure virtualized services are made available to external provider portals for opportunistic orchestration processes that are linked via a common portal, with LDAP integration.

CMM 1: The business consumes virtualized infrastructure services directly from its preferred IaaS provider, and has access directly to that cloud's portal to select, configure, and deploy its own services.
CMM 2: A standard set of interfaces and specifications is defined for virtualized infrastructure services to enable interoperability and avoidance of lock-in to the provider.

CMM 1: Some development teams have begun experimenting with scripting for provisioning of cloud resources.
CMM 2: All development teams working on cloud-based projects have adopted IaC methodologies for provisioning of infrastructure resources as a regular practice. However, it is not used to manage deployed resources (e.g., account for configuration "drift", etc.).

CMM 1: Some use of Hyper-Visor to deliver initial ad-hoc use of infrastructure services, i.e. using containers to deploy OS within a single Hyper-Visor.
CMM 2: Container management systems (such as Docker) are used to automate the process of creating containers to run applications and components shared across multiple Hyper-Visor environments.

CMM 1: Some IaaS ad-hoc reporting exists however it is based on providers' shared monitoring data.
CMM 2: Virtualized infrastructure services exist to allow for a standard interface to receive agreed monitoring and alerting data from selected providers.

CMM 1: There is limited virtualized infrastructure providing virtualized components as a service being made available to limited applications on an ad-hoc basis.
CMM 2: There is repeatable standardized virtual server technology and operating systems using standardized shared storage and network technology that support a virtualized infrastructure system that can be made available if needed.

CMM 1: Virtualized infrastructure ad-hoc development of components exists but is limited to opportunistic implementations and is not widely available.
CMM 2: IaaS frameworks are able to allow for repeatable and opportunistic instances that align with defined security providers, messaging facilities and limited data services.

CMM 1: IaaS services are available for ad-hoc support of interoperable design and there are initial calls to external providers for limited services (e.g. Microsoft Azure).
CMM 2: IaaS services are able to support interoperable design however only for limited design elements that align with available services. Calls to providers for services are opportunistic.

CMM 1: Container-based virtualization is introduced on some infrastructure technology roadmaps but is siloed to specific ad-hoc implementations.
CMM 2: Container-based virtualization is implemented on infrastructure technology that enables container-native infrastructure roadmaps to develop for specific ad-hoc implementations.

CMM 3 (defined, systematic) | CMM 4 (managed & measurable)

CMM 3: Infrastructure teams are defining the use of virtualized components, i.e. virtual storage, networking and compute and are able to systematically repeat the process as needed.
CMM 4: Infrastructure teams are using "managed services", such as System Integration Services and Cloud Infrastructure Services, as a way to manage virtualized infrastructure components. Measurement and logging are now services based.

CMM 3: Network Engineers are implementing defined virtual networks that are deployed systematically across the application layer.
CMM 4: Network Engineers are working with Infrastructure teams to manage and measure virtual networks.

CMM 3: Data and Storage administrators are now utilizing defined and systematic virtualization of data to aggregate heterogeneous data from disparate sources across the technology ecosystem.
CMM 4: Data and storage administrators are using managed services that measurable usage and throughput to address business needs and requirements.

CMM 3: Dev-Ops and Infrastructure teams no longer develop "Monolithic" applications or run dedicated VMs to support single application instances. Container-Native Infrastructure is being used for applications based on SOA/REST componentization principles which leads to more agile and highly portable services.
CMM 4: Container-Native Infrastructure is managed by the infrastructure teams to support DevOps systematic use of containerization.

CMM 3: IaaS is now defined and implemented in a systematic way across the enterprise. Examples of this are "compute, network and storage services are readily available for consumption by subscription".
CMM 4: IaaS is managed and measurable across the enterprise and can be used to validate and enforce SLAs and meet defined KPI requirements.

CMM 3: IaaS is implemented with well defined standards and interfaces and aligns with performance definitions which meets the needs of the business.
CMM 4: IaaS is managed and measured to meet the demands to match the specific business system and service requirements.

CMM 3: IaaS has a defined capability to deliver and validate data to defined processes within the enterprise. The processes are centrally documented and provided data which can be used to address affected systems.
CMM 4: Infrastructure virtualized services use a centralized CMDB/CMS (data warehouse) that leverages the DaaS ecosystem where all cloud reporting and metadata is collected and used to represent a single source in order to have consistent and valid data. The data is collected automatically.

CMM 3: There is a common system for credential management (authentication, e.g. SSO). Credential management is performed as a self service.
CMM 4: Infrastructure virtualized services now manage and measure a common system for credential and rights management (authorization, e.g. SSO with centralized rights management).

CMM 3: Infrastructure virtualized services are defined and electronically integrated into a service catalog transparently, enabling services providers access for ease of management.
CMM 4: The virtualized infrastructure services process is defined and automated for adding new cataloged entries to consumer interfaces, and retiring/restricting use of products which are suspended from further deployment or similar, with clear rules about when and how such restrictions can be bypassed (e.g. adding another Win 2003 server to a Server 2003 cluster).

CMM 3: A standard service Orchestration process is defined, with standard interfaces, for deploying work packages and workflows, as part of an IaaS deployment.
CMM 4: Virtualized infrastructure services provide for a centralized security service provider which is defined and available for all cloud service infrastructure elements to leverage security requirements.

CMM 3: All development teams working on cloud-based projects have adopted IaC methodologies for provisioning of infrastructure resources as a regular practice, as well as for maintaining the infrastructure configuration. However, it is independent of the organization's Configuration Management process (e.g., resources provisioned via IaC are not added to the central CMS repository, etc.).
CMM 4: All development teams working on cloud-based projects have adopted IaC methodologies for provisioning of infrastructure resources as a regular practice, as well as for maintaining the infrastructure configuration. IaC tooling is enhanced to automatically update the CMS as changes are made to the environment, however there is no auditing for compliance.

CMM 3: The use of containers grows as a defined process to deliver small, agile operating environments, making them ideal for dynamic applications that scale with load as well as add and remove features on demand.
CMM 4: Container-Native Infrastructure is managed enabling the systematic use of containerization to meet on-demand business requirements.

CMM 3: Virtualized infrastructure supports automated deployment of and triggering of event monitoring and management and is bound to each IaaS service, extending to SIEM services (e.g. IBM Security QRadar).
CMM 4: Virtualized infrastructure is managed and measurable according to defined lifecycles and policies.

CMM 3: Virtualized infrastructure components are defined to support a standardized automation virtualization system integrated into CMDB common across data center, storage with automatic tiering.
CMM 4: Internal Cloud systems are managed using components from a measurable virtualized infrastructure that leverages DaaS with automatic tiering and a Software Defined Network.

CMM 3: Resilient design blueprints for defined IaaS implementations are available for systematic re-use for all key application elements.
CMM 4: Virtualized infrastructure supports auto-scaling and uses pre-built or scripted elements like web services, message buses, etc. to manage and measure infrastructure services.

CMM 3: IaaS services are well defined and are implemented systematically to support interoperable designs with all for the systematic calls to providers that enable cross-cloud application design and development.
CMM 4: IaaS services are managed and measurable in the support of interoperable cross-cloud development and design. Calls to providers are managed and measurable (e.g. between Google Cloud Platform and Amazon AWS).

CMM 3: A defined standard container management layer is developing that will enable the systematic use of Container-Native-Infrastructure to build highly agile and scalable applications that can be spun up quickly to respond to changes in application requirements.
CMM 4: Containers are used in a standardized way by development teams to develop managed utilization of containers across a multitude of platforms.
CMM 5 (optimized) | Benefit Analysis

CMM 5: Infrastructure teams now use IaaS as an optimized and integrated service to meet the needs of the consumers and the businesses they support.
Benefit Analysis: Enabling infrastructure teams to support virtualized capabilities is critical in aligning the needs of the business to leverage infrastructure services that meet the demands of the business.

CMM 5: Network Engineers are optimized in their approach to utilizing virtual networks and are using such tools as the Cisco Virtual Network Management Center.
Benefit Analysis: Network Engineers' use of virtual networking tools and environments will be an important part of utilizing the capabilities of the SDN (Software Defined Network), improving speed of deployment and centralized management of virtual networks.

CMM 5: Data and Storage Administrators utilize optimized services to administer the virtual environments that utilize data and storage services.
Benefit Analysis: Data and Storage administrators utilizing data and storage virtualization services to enable native cloud capabilities will enable the realization of those capabilities.

CMM 5: Container-Native Infrastructure has dedicated teams that optimize operating system virtualization utilizing containers to run on bare metal instead of inside of VMs.
Benefit Analysis: Supporting a container-native infrastructure has a tremendous benefit to resource utilization and agility. Enabling container-based virtualization reduces the dependency on conventional hypervisors to support independent VM instances. Container-based virtualization can also offer greater efficiency and performance over a wide variety of operating systems, helping to provide a diverse platform of operating systems.

CMM 5: IaaS is optimized to meet the needs of the enterprise and the businesses it supports.
Benefit Analysis: Having IaaS well defined brings continuity and direction to the processes that depend on it to meet the needs of the business.

CMM 5: Infrastructure is now optimized to automatically scale to meet infrastructure demands as defined by the business.
Benefit Analysis: When there is a clear architecture to support the infrastructure needs of the business the optimizations realized will provide cost savings and increase time to market to meet consumer demands.

CMM 5: Infrastructure virtualized services now optimize monitoring of data management and compliance to rules and policies which are integrated and automated to be triggered in the event of non-compliance.
Benefit Analysis: Having virtualized computing resources that are defined to meet specific requirements to sustain the optimization capabilities offered by IaaS will enable the utilization of highly agile and versatile resources that will deliver on the high availability needed to sustain business requirements.

CMM 5: Infrastructure virtualized services are now optimized to integrate with identity management to react to changes in HR systems and automatically manage access and rights on all services.
Benefit Analysis: Infrastructure virtualized services that support identity management will leverage automation and orchestration capabilities, helping to reduce the workload to manage accounts manually.

CMM 5: Virtualized infrastructure services are optimized allowing for a Cloud Service Broker to select (based on the Consumers' defined demand) from available pre-selected cloud services and platforms, and presents a shortlisted result to the consumer, to enable them to make a final choice on provider/platform/service.
Benefit Analysis: Having virtualized infrastructure services provide orchestration while supporting automation will greatly reduce the workload and allow for policies and brokerage to optimize service capabilities to the business.

CMM 5: Virtualized infrastructure services are optimized to host and migrate virtualized infrastructure resources according to business objectives for cost, quality and capability.
Benefit Analysis: Having IaaS support automation is critical to the realization and adoption of native cloud capabilities. Having these services mapped in accordance with business needs is critical to the realization of the value the capabilities have to the business.

CMM 5: IaC methodologies are fully adopted across the organization for provisioning and management of cloud resources. These practices are fully aligned and measured as compliant with the organization's Configuration Management process.
Benefit Analysis: Organizations can realize the benefits of rapid infrastructure deployment & configuration while still maintaining IT operational discipline.

CMM 5: Container-Native Infrastructure is provided to support container-native cloud services to optimize containers which run on bare metal with little or no VMs.
Benefit Analysis: Container infrastructure automation provides a container-native infrastructure which supports the needs of the business to implement utility based solutions that are cost effective and lower resource utilization.

CMM 5: IaaS is optimized to support all data in the landscape and is managed according to a single set of policies and rules.
Benefit Analysis: Enabling virtualized infrastructure services to manage and monitor both services and capabilities will allow for the enforcement of policies and the standardized creation of SLAs.

CMM 5: Virtualized infrastructure components are optimized to support on-premises systems capable of delivering IaaS, PaaS, Iaas, DaaS and capable of seamless bursting to public cloud providers. Optimized Software Defined Network.
Benefit Analysis: Making virtualized infrastructure components available to support shared applications and support the technology needs of the business is a benefit of IaaS.

CMM 5: IaaS is optimized to support the needed framework that meets the needs of the business technology requirements and delivers an effective cloud development platform.
Benefit Analysis: Having an IaaS framework enables components to be implemented in a standardized and consistent process that leverages the capabilities that enable applications and services to be available for the businesses they support.

CMM 5: Optimized IaaS services are built with interoperable design elements that call external security providers and message busses, enabling cross-cloud application design and development.
Benefit Analysis: Having the services that are native to IaaS available for interoperable design is critical for leveraging the capabilities to enable cross-cloud features and reliability when meeting the needs of the business.

CMM 5: Use of standard container management tools is in daily use (such as Docker which uses containers to roll up a piece of software into a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries). Consistent deployment models that promise to always run the same, regardless of the environment it is running in, are the standard objective.
Benefit Analysis: Since containers include the application and all of its dependencies, but share the kernel with other containers, they run as an isolated process in user space on the host operating system. Therefore they are not tied to any specific infrastructure and can run on any computer or on any infrastructure and in any cloud.
Stakeholders | Current State | Future State | Barriers

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Cloud Architects, Data Architecture
0 0

Infrastructure teams, Enterprise Architects, Cloud Architects, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, Enterprise Architects, Cloud Architects, Identity Management
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Cloud Architects, Cloud Engineering
0 0

Infrastructure teams, Enterprise Architects, Cloud Architects, Data Architecture, Data Governance, Infrastructure Engineering, Cloud Engineering
0 0

Processes such as Configuration Management seen as a hindrance to agile methodologies.
0 0

Infrastructure teams, Enterprise Architects, Cloud Architects, Data Architecture, Data Governance, Infrastructure Engineering, Cloud Engineering
0 0

Infrastructure teams, Enterprise Architects, Cloud Architects, Data Architecture, Data Governance, Cloud Engineering
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Data Governance, Identity Management, Infrastructure Engineering, Cloud Engineering, Cloud Product & Portfolio
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Data Governance, Identity Management, Infrastructure Engineering, Cloud Engineering, Cloud Product & Portfolio
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Cloud Architects, Cloud Engineering, Cloud Product & Portfolio
0 0

Infrastructure teams, DevOps Teams, Enterprise Architects, Network Engineers and Architects, Cloud Architects, Data Architecture, Data Governance, Identity Management, Infrastructure Engineering, Cloud Engineering, Cloud Product & Portfolio
0 0

Total 0 0
Storage as a Service

Contains capabilities related to:


Storage as a service (STaaS) is a cloud service that provides a platform to support users, applications, and data projects with Storage
• Storage services include Elastic:
• Object storage
• Block storage
• File storage
• Off-premises "Dropbox" services
• One location for all data across the enterprise using a global file system
• Ability to sync files across any device, PC, server
• Data Encryption at rest and in transit
Is this domain relevant? Yes/ No
CMM 0 CMM 1 CMM 2 CMM 3 CMM 4 CMM 5
Control Question Benefit Analysis Stakeholders
(None) (initial, ad-hoc) (repeatable, opportunistic) (defined, systematic) (managed & measurable) (optimized)

Is there a “Storage Service” No storage "service" capabilities Storage "service" capabilities exist A greater number of teams The enterprise adopts a storage Full storage "service" capabilities The enterprise has seamlessly Storage service capabilities Cloud Architecture, Cloud
capability available? exist. but are utilized on an ad hoc utilized storage "service" strategy, identifying a common exist. Monitoring, reporting and integrated storage capabilities provide agility and extendibility in Engineering, Application
basis. capabilities; utilization is storage capability; teams utilize governance ensure that teams into its single, shared cloud cloud capable environments. Development
opportunistic, not consistent. the capability consistently. across the enterprise utilize the computing or cloud brokerage
shared storage capability. solution. 

Is there a “Storage Platform” No mappings of storage platforms Mapping of business needs to A greater number of mappings An enterprise-wide effort The enterprise leverages and All storage platforms are mapped Having a mapping of the storage Cloud Architecture, Cloud
mapped according to business to business needs does not exist. storage platforms is performed on emerge as teams opportunistically emerges to map business needs measures compliance to the to business needs. This happens in platforms to the business needs Engineering, Application
needs? an ad hoc basis. map business needs to storage to storage platforms. mapping of business needs to the course of onboarding new will help in identifying waste and Development
platforms. storage platforms. storage services, increases in redundancy within the service
storage capacity and addition of environment.
or changes to business services.

Do processes exist to ensure a No steps have been taken to Teams adopt STaaS and cloud- Teams begin consolidating on The enterprise has a defined and The enterprise has established a Adoption of cloud storage is Consistency in STaaS adoption will  Enterprise Architecture, Cloud
consistent adoption of STaaS and identify a consistent method of based storage on an ad hoc, non- processes to ensure consistent implemented enterprise-wide storage governance function that transparent and takes place as reduce the time of adoption and architecture, Cloud Operations,
cloud-based storage? STaaS or cloud-based storage coordinated fashion. adoption of STaaS and cloud- process(s) for adopting STaaS and manages adoption of STaaS and part of the natural cycle of accelerate the benefits that STaaS Procurement and Legal
People adoption. based storage. cloud-based storage solutions. all cloud-based storage. business. Cloud/non-cloud is no has to offer.
longer a question.

Is security monitoring and Security monitoring and reporting Security monitoring and reporting Security monitoring and reporting The enterprise has a defined The enterprise has defined and Security monitoring and reporting Having security reporting and Compliance Team, Security,
reporting integrated to measure is not integrated to measure and is integrated on an ad hoc basis is integrated to cover backup security monitoring for storage, implemented an enterprise-wide is seamlessly integrated into all monitoring in place to measure Policy, Cloud Architecture, Cloud
and monitor storage services? monitor storage services. for backup services; addressing service and data storage services. addressing backup, data storage security monitoring of backups, storage services, ensuring the and monitor storage services is Product & Portfolio
applications, and data deduplication services. data storage, data deduplication enterprise has point in visibility critical to service sustainability
services and workstations (laptops and record retention into all data, at rest and resiliency.
and PC's). management services. and in transit.

Does a STaaS framework exist for No STaaS framework is available Several STaaS frameworks exist Teams begin consolidating on a The enterprise has defined an Teams consistently utilize STaaS is seamlessly integrated Speed of cloud adoption is critical Cloud Architecture, Cloud
teams to efficiently leverage for teams to leverage in but have ad hoc adoption. handful of STaaS frameworks. enterprise-wide STaaS standard STaaS framework for into the application development for time to market and availability Engineering, Application
cloud-based storage in application application development. More and more teams leverage framework(s) for use when developing applications. platform. of services. A STaaS framework Development
development? these frameworks when developing applications. can help ensure optimization of
developing applications. services across and optimized
infrastructure.

Is data and network secured to No support exists to secure data Limited support exist to secure Data transport and network The enterprise defines data Use of standard data and Data transport and network Data and network security is Compliance Team, Security,
support STaaS for both public and and network needed to support data and network needed to connectivity is established on a transport and storage and a set network connectivity is ensured connectivity configurations are paramount in availability. It also Policy, Cloud Architecture, Cloud
private services? STaaS for both public and private support STaaS for both public team by team basis to support of standard network connectivity through governance ensuring transparent to end users. These aids in the compliance with Product & Portfolio
services. and private services. STaaS for both public and private methods in support of STaaS for effective and secure use of STaaS capabilities have been integrated standards and best practices for
services. both public and private services. (on-premises and off-premises). with the enterprise's single, both public and private services.
shared cloud management or
broker capability.

Has the enterprise implemented a No cloud storage solutions are in Limited and ad hoc use of cloud Application development teams Standard STaaS solutions are The enterprise has defined and Elastic object, block and file All types of data classifications are Cloud Architecture, Cloud
full suite of cloud storage use. storage is in use. Mainly for file begin utilizing object, block and defined. Teams across the implemented standards for STaaS storage have been seamless critical to include in storage Engineering, Application
solutions? sharing. file storage cloud solutions. enterprise coalesce on a standard solutions Teams consistently integrated into the enterprise's service availability and support. Development
set of solutions (elastic block, file utilize these. Exceptions are single, shared cloud management
and object). reported, giving management the or broker capability. Technology
opportunity to address and drive choice and configuration is
Processes further consistency. transparent to the end user.

Are there process steps identified to ensure a consistent method of STaaS adoption?
CMM 0: No steps have been taken to identify a consistent method of STaaS adoption.
CMM 1: Limited adoption STaaS methodology.
CMM 2: Moderate adoption STaaS methodology.
CMM 3: Extensive adoption STaaS methodology.
CMM 4: Full adoption STaaS methodology.
CMM 5: All steps have been taken to implement a consistent method of STaaS adoption.
Consistency in STaaS adoption will reduce the time of adoption and accelerate the benefits that STaaS has to offer.
Enterprise Architecture, Cloud architecture, Cloud Operations, Procurement and Legal

Is your storage accessible through a “Service Interface”?
CMM 0: No accessibility exists to storage sites through a “Service Interface”.
CMM 1: Limited accessibility exists to storage sites through a “Service Interface”.
CMM 2: Moderate accessibility exists to storage sites through a “Service Interface”.
CMM 3: Extensive accessibility exists to storage sites through a “Service Interface”.
CMM 4: Full accessibility exists to storage sites through a “Service Interface”.
CMM 5: Complete integration and accessibility exists to storage sites through a “Service Interface”.
Having a service interface will help tremendously in consolidating the access point needed to attain management of services and availability.
Cloud Architecture, Cloud Engineering, Application Development
Is there Security Reporting and Monitoring in place to measure and monitor storage services?
CMM 0: No cloud Storage services
CMM 1: Backup services for applications, services and PCs
CMM 2: Data Archiving services
CMM 3: Deduplication services
CMM 4: Record Retention Management services
CMM 5: Data Encryption at rest and in transit
Having security reporting and monitoring in place to measure and monitor storage services is critical to service sustainability and resiliency.
Compliance Team, Security, Policy, Cloud Architecture, Cloud Product & Portfolio

Is your storage accessible through a “Service Interface”?
CMM 0: All storage is directly accessible via the native storage interfaces; no decoupled service interfaces or storage API's exist.
CMM 1: Teams implement RESTful API interfaces to storage on an ad hoc basis.
CMM 2: A greater number of RESTful API storage interfaces exist; teams begin leveraging these in more and more cases.
CMM 3: The enterprise defines a standard set of RESTful storage API's. Teams begin to systematically utilize these interfaces.
CMM 4: Governance ensures that all storage implementations include a RESTful API interface and that teams utilize these interfaces when accessing storage. Exceptions are managed and addressed.
CMM 5: Storage service interfaces are integrated into the enterprise's single, shared cloud management or cloud broker capability.
Having a service interface will help tremendously in consolidating the access point needed to attain management of services and availability.
Cloud Architecture, Cloud Engineering, Application Development

How is the infrastructure optimized to support STaaS, i.e. file sync across multiple devices, support a global file system?
CMM 0: No optimizations exist to support STaaS.
CMM 1: Limited optimizations exist to support STaaS.
CMM 2: Moderate optimizations exist to support STaaS.
CMM 3: Extensive optimizations exist to support STaaS.
CMM 4: Full optimizations exist to support STaaS.
CMM 5: Complete infrastructure optimization exists to support STaaS, e.g. file sync across multiple devices, support a global file system.
Optimization of infrastructure is critical in optimizing services and applications that support business functionality.
Cloud Architecture, Cloud Engineering, Application Development
Technology

Is a STaaS framework available for the business to leverage for effective cloud application development?
CMM 0: No STaaS framework is available for the business to leverage effective cloud application development.
CMM 1: Limited STaaS framework is available for the business to leverage effective cloud application development.
CMM 2: Moderate STaaS framework is available for the business to leverage effective cloud application development.
CMM 3: Extensive STaaS framework is available for the business to leverage effective cloud application development.
CMM 4: Full STaaS framework is available for the business to leverage effective cloud application development.
CMM 5: Complete integration of the STaaS framework is available for the business to leverage for effective cloud application development.
Speed of cloud adoption is critical for time to market and availability of services. A STaaS framework can help ensure optimization of services across an optimized infrastructure.
Cloud Architecture, Cloud Engineering, Application Development

How is your data and network secured to support STaaS for both public and private services?
CMM 0: No support exists to secure data and network needed to support STaaS for both public and private services.
CMM 1: Limited support exists to secure data and network needed to support STaaS for both public and private services.
CMM 2: Moderate support exists to secure data and network needed to support STaaS for both public and private services.
CMM 3: Extensive support exists to secure data and network needed to support STaaS for both public and private services.
CMM 4: Full support exists to secure data and network needed to support STaaS for both public and private services.
CMM 5: Fully secured data and network services are in place to support STaaS for both public and private services.
Data and network security is paramount in availability. It also aids in the compliance with standards and best practices for both public and private services.
Compliance Team, Security, Policy, Cloud Architecture, Cloud Product & Portfolio

Are the following storage services included, Elastic Object, Block or file storage?
CMM 0: None of the following storage services are included, Elastic Object, Block or file storage in a STaaS offering.
CMM 1: Limited STaaS exists for Elastic Object, Block and or file storage services.
CMM 2: Moderate level of STaaS exists for Elastic Object, Block and or file storage services.
CMM 3: Extensive level of STaaS exists for Elastic Object, Block and or file storage services.
CMM 4: Full services for STaaS exist for Elastic Object, Block and or file storage services.
CMM 5: Fully integrated STaaS solution that includes Elastic Object, Block and file storage.
All types of data classifications are critical to include in storage service availability and support.
Cloud Architecture, Cloud Engineering, Application Development
Networking

Is this domain relevant? Yes/ No

Control Question

People
Is the network team aligned with the business and its cloud strategy?
Does the network team have any cloud training?
Is the network team trained on cloud connectivity architecture and planning?
Are the network teams procuring cloud services that satisfy the current and future needs of the business?

Processes
Is there a network service notification plan in place that maps business function (with criticality impacts) to the technology service disruption?
Is network performance and availability reporting, as it relates to support of business applications and services, being reported to the business?

Technology
Has the network been architected to support services in a hybrid-IT operating model, cloud, internal/external?
Has the network been instrumented to support cloud operations?
Is there a network strategy to utilize cloud networking for mobile devices?
Is the network compliant with the organizational and/or legal requirements?
Is the network capable of automation, self-provisioning, self-healing?
Is IP Management in place to support the hybrid model?
Is network monitoring integrated into a unified end-to-end solution?
Is there a Cloud based Network Security Model?
Is the network highly available?


Contains capabilities related to:
Networking for cloud access. Providing consistent, reliable and highly available network access to IaaS, SaaS, PaaS environments.
Compliant, secure and predictable network services.
Cost effectiveness, aligned with business requirements.
Managed with timely performance reporting and monitoring.
Network adaptability. 

CMM 0 CMM 1 CMM 2

(None) (initial, ad-hoc) (repeatable, opportunistic)

CMM 0: Network teams are not aligned with the business's cloud strategy.
CMM 1: Participation in ad-hoc meetings about cloud services when invited. Resistant to change. Indifferent to corporate cloud strategy.
CMM 2: Participate in most meetings where network architecture is required to support cloud. Generally involved in outcomes and strategy for cloud service integration. An initial network strategy to enable cloud services exists and the people reference it.

CMM 0: Cloud training has not been provided to the network teams.
CMM 1: Can explain the basic concepts of cloud. No hands-on experience.
CMM 2: Some working knowledge along with some basic hands-on experience. Can build a basic cloud environment.

CMM 0: Cloud connectivity training has not been provided to the network teams.
CMM 1: The network team has basic understanding through web materials and self-learning. No planning, services are provisioned as required.
CMM 2: Basic online training as well as simple practical experience. Direction and requirements are obtained through internal requests.
CMM 0: Network teams are not procuring cloud services.
CMM 1: Services procured as required and typically based on vendor recommendations.
CMM 2: No formal procurement process exists. Services are procured as needed or based on basic business needs. Blueprint and standards exist but are not fully enforced. Availability is not being measured.

CMM 0: No network service notification plan exists.
CMM 1: Service disruption notification is on a manual, best-effort basis. No escalation plan exists and there is no defined criticality mapped to the business function. Responses to disruptions are random, individual and not institutionalised - they are addressed on a case-by-case basis.
CMM 2: Network Service disruption notification is a triggered event and is documented and tracked to business function. Escalation is based on business impact and KPI’s are defined but no SLA’s are in place to ensure consistency of network services.
CMM 0: No network performance metrics are being collected.
CMM 1: Basic performance reporting is done per element and availability reporting is provided on an as needed basis, however it is flat with no business objective alignment.
CMM 2: Generic application performance and availability reporting is available, typically by cloud provider, and has increasing network component granularity but still lacks business service impact.

CMM 0: There are no network plans in place to support operations in the cloud or to develop a hybrid-IT operating model.
CMM 1: Connectivity to public cloud providers is only available via internet access. No readiness assessment exists and services are provided “as-is”. The hybrid-IT operating model is now being developed.
CMM 2: Network architecture is being developed, however deployments based on currently available services are achieved through existing equipment. The hybrid-IT operating model is being built but no production deployment is in place.
CMM 0: The network has not been instrumented to support cloud operations.
CMM 1: Network instrumentation does not currently measure network performance and is not aligned with business requirements. Issues such as latency, jitter, packet loss are not seen as impactful for the on-prem environments and therefore are also not considered as disruptive for the off-prem environments. As virtual networking is beginning to emerge these become more prominent.
CMM 2: As virtual cloud networking develops operational support is starting to look at provider and 3rd party tools to utilize network instrumentation. As a result measurement of performance metrics is beginning to be utilized as challenges arise. The hybrid model is beginning to form and off-prem/on-prem environments are beginning to be seen more holistically.
CMM 0: There is no network strategy for building or deploying a virtual network in the cloud to support mobile devices.
CMM 1: Cloud networking supports mobile devices but lacks a strategic alignment with cloud networking capabilities and the user experience is not optimized.
CMM 2: Mobile applications are deployed manually via cloud virtual networks but lack cloud automation capabilities. MDM is still managed via internal management tools. Some cloud provider and 3rd party tools are being tested and evaluated. Use of QoS is being evaluated and mobile traffic is beginning to be distinguished on the network to support the end user experience.
CMM 0: There is no network compliance strategy for building or deploying virtual networks in the cloud.
CMM 1: There is a lack of measurement between the "off-prem" Cloud environment and the "on-prem" environment and therefore they are managed differently. Data access between the two environments is partially managed and consistent control systems for both are under evaluation.
CMM 2: Some policies exist to account for the external network perimeter and controls that address the hybrid model are in process of implementation. Providers and 3rd party vendors are considered in the compliance and legal responsibilities needed to support the hybrid environment. The need for measurement and management of services is considered critical in support of business KPI’s and SLA’s. Security teams (which traditionally relied on visibility to the environment via the network) have transitioned to an application based view of risk and vulnerabilities.
CMM 0: There is no network automation or provisioning of virtual networks.
CMM 1: Currently all provisioning is manual and done on an “as needed” basis. The network topology is legacy and has been built in layers. Infrastructure does not support automation and self-provisioning. The network layers are abstracted in order to create access points to “off-prem” public providers.
CMM 2: Visibility of the network is possible as access points have been created to connect to provider services. Self-provisioning is enabled via API’s, and provider services are consumed as and when needed. The network teams provide a hybrid network model to support both on-prem consumption and off-prem builds. Designs for needed availability are in place with automated service failover.
CMM 0: IP Management does not support the hybrid model.
CMM 1: IP Access Management (IPAM) is in use for internal “on-prem” deployments however due to the ethereal nature of the cloud it is not utilized for “off-prem” deployments. VLAN/Vnet’s exist but there is no management of IP ranges, most use the default settings over-subscribing the number of IPV4 addresses being used. Due to the rapid growth and complexity of utilizing legacy IPV4 addressing there is concern over the number and usage of IPV4 addresses being used.
CMM 2: IP management in the hybrid model is a high concern and implementation of IPAM is proving a complex and resource intensive process to manage. Management is siloed and there is no cohesive strategy in place. Cloud provider and 3rd party tools are leveraged considered but lack support for the hybrid model and the network teams have to manage IP via multiple tools. IPV6 is part of the long-term strategy but has not been implemented.
CMM 0: Network monitoring is siloed and is not enabled for end-to-end application overview.
CMM 1: Network monitoring is split between on-prem and off-prem environments. Off-prem is monitored via provider GUI and or 3rd party tools. There is limited monitoring of traffic to and from provider environments.
CMM 2: Network monitoring is driven by business cost and Memorandums of Understanding (MoU) between the network teams, providers and business consumers. The need for business to control cost and manage resources is critical to enable capabilities such as “cloud bursting” and “auto-scaling”. Integration between silos is sought from 3rd party tools. Demand is placed on Network Operations Centers (NOC) and Security/Operations (SecOp) teams to implement solutions that holistically view the application ecosystem.
CMM 0: There is no cloud network security model.
CMM 1: There are some ad-hoc and individual based cloud networking security related policies that address some risk management concerns, based on provider shared security requirements, however they are inconsistent and do not reflect business needs or requirements.
CMM 2: Due to application portability and distribution cloud based security services are partially migrated away from dedicated hardware solutions to cloud-based security services such as Software as a Service (SAAS) model. This model provides defined policy based orchestration, applied in new service automation opportunities.

CMM 0: High Availability is not in use across the network.
CMM 1: There are some ad-hoc backup services running however they are inconsistent and do not reflect business needs or requirements.
CMM 2: High availability has shifted to the application layer (built for failure paradigm) enabling the application to utilize high availability patterns in the design phase by implementing “cloud design patterns”, such as “Circuit Breaker” and “Retry Patterns” to leverage increased availability opportunities. The network partially supports these designs and automation of network resources is part of each service design.

CMM 3 CMM 4 CMM 5

(defined, systematic) (managed & measurable) (optimized)

CMM 3: Network team members are included in networking workgroups related to cloud strategy. Provide input and are engaged in finding solutions to achieve the business objectives which cloud enable.
CMM 4: Network team members are part of strategic workgroups and provide direction related to networking for cloud access. Engaged in architecture, security and corporate policies.
CMM 5: All network team members are fully aligned and engaged with the business cloud strategies. Participate in all meetings and workgroups and build plans to optimize the strategies.

CMM 3: Network team has a solid working understanding of cloud principles and use cases. Network team understands corporate cloud strategies and follows standards.
CMM 4: Clearly understands cloud services and can easily participate. Formalized cloud training has been completed.
CMM 5: Formal training and certification on cloud services obtained. Can easily participate in DevOps and help optimize infrastructure deployments.

CMM 3: Some formal training and practical experience with cloud test environments. Network connectivity planning is driven from business requirements.
CMM 4: Attended formal training and can demonstrate advanced connectivity solutions. Lab/test environments available and utilized. Network team connectivity planning forms part of the strategic network procedures and policies. Input from the business units forms part of the detailed requirements.
CMM 5: Formal education and certification testing on cloud networking achieved. Standard education curriculum defined for the networking team. Cloud connectivity planning forms part of all strategic IT planning, including cloud access. Network performance reporting and utilization are part of all reporting.
CMM 3: RFI & RFP processes used to obtain network services and produce systematic results. Network services are measured against defined business goals. Bandwidth and capacity are used to define requirements.
CMM 4: Procurement criteria is managed and documented to provide metric for measurement of network services. Network services are in line with business requirements, security and compliancy regulations. RFI/RFP processes managed to utilize network services with predefined catalogues, sharing network services across platforms.
CMM 5: Criteria for detailed network services are established and updated regularly. Procurement of network services is optimized to align with business requirements, security and compliancy regulations. RFI/RFP processes are documented and measured against requirements. NFV (Network Functions Virtualization) is preferred, SDN (Software Defined Network) and virtualized appliance functions, policy and cost requirements (NLB, WAF, WAN Connections) are optimized to meet business needs, security and compliance with network services.

CMM 3: Network Service disruption notification has automated triggers that are escalated based on mapped business function as described in SLA’s based on defined KPI’s which ensure availability requirements are met.
CMM 4: Network services are well documented and align with business requirements defined by KPI’s and tested regularly. Disruptions are managed and measured to ensure availability requirements and ensure SLA adherence which include vendor plans for escalation.
CMM 5: Network services are optimized and designed for failure. Predictive modeling and notifications on failure as well as service restoration are used to meet business functions and fully support defined KPI’s to ensure availability and consistency of services. Disruptions are responded to through triggered events which utilize automation to ensure business function is maintained according to defined SLA’s. Accumulative impacts and events are measured over time and are responded to by adaptive SLA’s.
CMM 3: Application performance and availability reporting is defined appropriate to the business function and business impact analysis is routinely performed. Automation is beginning to be utilized in response to network performance and availability requirements as defined by business SLA's and KPI's.
CMM 4: Network availability and performance reporting services align with business KPI’s and SLA’s and are available in real-time to the business. Business function mapping now overlays network services enabling measured impact to business objectives.
CMM 5: The network is now optimized to align with defined business KPI’s that are regularly tested and reported to the business. Network automation continually monitors for new services to enhance availability and performance while proactively identifying potential impacts and deficiencies bringing greater value to the business which enable strategic assessments to drive proactive resolution to unforeseen deficiencies before they occur.

CMM 3: Business requirements have been defined and captured in the network architecture which supports operational needs and is supporting services for the hybrid-IT operating model for both internal traditional and external cloud environments. WAN Optimization is now recognized as an important factor in the hybrid model. Equipment (inventory) and services are known and documented. Network assessment plan is complete and updated regularly to support ongoing business and cloud adoption. Plans include all aspects of performance, compliance, availability and automation.
CMM 4: Network architecture has been fully implemented to support the hybrid-IT operating model. The network equipment needed to support WAN optimization, utilizing such tools as caching, de-duplication, compression and broadband bonding are in place and performance is measured against business defined KPI’s.
CMM 5: Network architecture is optimized to enable operational support of the hybrid model to rapidly identify performance and availability, as well as, support security dependencies, service management and business continuity. Current and “predicted” future network requirements needed to support “real-time” business needs are deployed through automation. Provisioning is managed through policies that align with cost benefit analysis. WAN traffic management is fully optimized to interact with both the on-prem and off-prem environments holistically enabling visibility of the hybrid operating model.
CMM 3: The hybrid model is in place and instrumentation is being utilized by operations to support the hybrid model. Cloud provider and 3rd party supplied tools are measuring network performance while providing continually monitored services. Advancement in instrumentation is allowing operational support of security intelligence to shift from a network centric security model to an application centric security model.
CMM 4: Operational support teams now manage and monitor transactional performance through network instrumentation tools to continually monitor and measure network performance against pre-defined metrics. WAN optimization strategies such as caching, de-duplication, compression and broadband bonding are used to enable services such as QoS and measure application performance against business KPI’s.
CMM 5: Network instrumentation is optimized to enable real-time access to analytical data and enable automation to respond to events in real-time. Network instrumentation optimizes unified networks and automated provisioning enabling seamless migration of services and applications from one environment to another with no constraints. Network traffic is instrumented to support “always encrypted” traffic and ethereal networks are managed through the CI/CD processes. Operations now supports the network through the application layer with open API’s for centralized software control, traffic analysis/analytics, traffic steering, and security.
CMM 3: Cloud virtual networks now consistently support mobile devices utilizing traffic prioritization measurements, such as QoS to mobile applications, and leveraging cloud managed authentication. Views of network traffic are being utilized to enable end-to-end bandwidth shaping. Latency and performance are now being measured and managed to meet demand.
CMM 4: Average response times between mobile apps and end-points are measured to identify latency and meet performance expectations. Cloud virtual networking is fully utilized and supports hosted cloud provider and 3rd party tools for seamless app distribution, automation and provisioning. Packet Shaping is used to improve user experience by measuring bandwidth to latency-sensitive applications which need to operate in real-time.
CMM 5: Mobile Cloud Computing (MCC) is optimized for mobile device management, provisioning is fully automated and leverages cloud virtual networking to enforce security, policy management and business process orchestration. Network performance is managed to optimize peak performance to support end users using edge caching and mobile device detection for redirect of mobile optimized websites. Real-time Front-end Optimization (FEO) to HTML pages is optimized for rendering. Adaptive image compression compresses images based on real-time intelligence about network conditions. Enhanced Mobile Protocol (EMP) is implemented to accelerate mobile users web experience implementing protocol optimization (such as real-time TCP parameter tuning and HTTP pipelining).
CMM 3: Organizational policies and legal requirements are adhered to by well-defined controls which utilize automation and orchestration to align with environmental conditions. There are new boundaries defined between providers and subscribers and regulatory compliance is environmentally driven, i.e. the provider enables controls to not allow a subscriber to implement a non-regulatory compliant environment. The Network is fully documented and is regularly tested for compliance and regulatory policies. New services are tested against requirements prior to being deployed.
CMM 4: The network is continuously monitored and tested against all compliance and regulatory policies. Controls are implemented as new threats and vulnerabilities are identified. Configurations are tested for and written to support environmental weaknesses. All end-points and access-points are monitored for vulnerabilities and security groups tightly control access.
CMM 5: Compliance is applied and validated via automation in the Continuous Integration and Continuous Deployment (CI/CD) pipeline. All code is scanned during development and network infrastructure is templated against the latest builds, policies, regulatory compliance and legal requirements. Models, which provide scaling up/down use platforms such as Cloud Application Management Platform (CAMP) and Tosca CI, to seamlessly integrate functional tests into the continuous integration environment. Network functions, such as firewalls, gateways, load-balancers, etc., are available for use by catalog in a library for use by automation/orchestration and are controlled by security groups.
CMM 3: Network services align with the hybrid model and Software Defined Networking (SDN) enables network engineers and administrators to respond quickly to changing business requirements via a centralized control console. Problem detection and recovery triggers and processes are defined and in use. Roadmaps and budgets include elements to make the network more flexible and agile to support the virtualized server and storage infrastructure of the modern data center. Automated re-routing around performance problems is implemented
CMM 4: The network is continuously monitored and tested against service availability and performance requirements and stated business KPI’s. QoS is in place and managed through business SLA requirements. Network teams are designing, building, and managing networks that separate the network’s control and forwarding planes, enabling the network control to be programmable and the underlying infrastructure to be abstracted for applications and network services. Applications relay performance and availability requirements to the to which the switches and routers respond.
CMM 5: The network is directly programmable, control functions are decoupled from forwarding functions, which enables the network to be programmatically configured by proprietary or open source automation tools, including OpenStack, Puppet, and Chef. Centralized Management is implemented to enable network intelligence that maintains a global view of the network. The network delivers agility and flexibility enabling rapid deployment of new applications, services, and infrastructure to quickly meet changing business goals and objectives. The network is architected to support “self healing” which enable weaknesses and vulnerabilities in the network to align with changing business requirements and demand.
CMM 3: IP Management is a backend service and is part of API access and management in public cloud provider environments. Provisioning and infrastructure services are managed based on IAM role/user, and can be used to monitor and manage events and logging within the cloud environment, but lack a total hybrid solution. Solutions, such as IPV6, are being implemented for large enterprises as part of IP management strategies for cloud environments.
CMM 4: IP Management is centralized with integration of IPV4 and IPV6 address ranges. Network policies exist to control and manage IPV4 addresses while IPV6 is adopted in the development and deployment pipeline. IP addressing is managed and is strictly controlled through provisioning policies and compliance controls. DNS and DHCP strategies exist to support protocols such as IPV6 as the standard for cloud deployments.
CMM 5: IPAM data is fully integrated into DNS Zone/Record generation, DHCP scope deployment, Peering data and Asset data. Automation of subnets are tracked and assigned to manage address utilization. Orchestration manages IP subnet allocations and static assignments for both internal and external networks. IP tagging is in use to include required metadata and other custom fields. IPAM manages and administrates overlapping/duplicate IP subnets integrating with device management for additional automation. IPAM adopts API’s for integration into third party DNS providers, enterprise managed service providers, third party CRM and ERP SaaS solutions, and the ARIN RESTful Web Services and utilizes RIPE (RPSL) APIs as part of the management strategy.
CMM 3: The strategy for monitoring the technology ecosystem is moving towards including all providers as well as on-prem and off-prem environments. The “single-pane-of-glass” is the goal of all support and admin teams. Consolidation and integration of monitoring data for historical trend analysis as well as predictive analysis is adopted as part of the hybrid model. Network and application monitoring rely heavily on vendor supported tools and services.
CMM 4: Application performance monitoring is a commodity and Application Performance Management (APM) is implemented to help manage the resources and cost of applications. Monitoring Serverless Architectures is an identified new Use Case. Function-as-a-Service (FaaS) or Serverless Architectures are standardized and IaaS is deployed through scripts (such as Terraform and Lambda). Monitoring cloud application dependencies at the application layer is now the standard.
CMM 5: Monitoring of cloud and on-prem infrastructure is from a single platform. Monitoring is focused on trends and alerts on cloud resource consumption. The end-user-experience is the core focus, and methods such as synthetic transaction monitoring are used to ensure brand and Intellectual Property (IP) are protected. Metrics are integrated with flows and logs to provide an end-to-end view of the whole technology ecosystem. Monitoring is focused on the application layer and is fully deployed across all environments that includes on and off prem as well as cloud-to-cloud across all providers. Network and application events are seen holistically across all provider environments.
Cloud based network security Cloud network security policies Networking in the cloud is fully
solutions are introduced to include the hybrid model and are optimized to meet the needs of
address the increase in virtualized based on the "shared security the business. Network security is
deployments in public cloud responsibility model".  Network fully automated to be deployed in
provider environments. Cloud security is measured and real-time to support fully secured
deployed networks need to monitored to ensure networks that have all of the most
support this demand for cloud orchestration and implementation recent and up-to-date policies and
based security. Therefore, in of risk management is based on vulnerabilities in place. Risk
order to deliver comprehensive business risk which is measured management is consistent with
protection, security is written into against business policy and the shared responsibility model
the architecture of a cloud compliance requirements. and supports proactive and
deployed network to support the Implementing cloud-network continuous deployment
"shared security responsibility based security has provided methodologies.
model". consistent control and visibility
across varying domains across
public, private and hybrid cloud-
based services.

Application design patterns have off-loaded some of the high availability requirements needed in order to meet business requirements, however networking patterns are partially implemented leveraging IAC (Infrastructure as Code) in the form of Terraform Models, Chef Recipes and Puppet Enterprise builds. As network deployment becomes more standardized, models are available to support highly available networks, and are being systematically adopted into the application environment.
High availability has been fully defined to support the business model and is implemented through defined pipelines that respond to real-time business opportunities and security vulnerabilities. Policy based orchestration and implementation of risk management based on business risk are well defined and standardized, as well as all policy and compliance requirements. Automation is a fully implemented deployment methodology.
All networking high availability requirements have been met and the network is fully diverse and fault tolerant. The network is self-healing and will automatically reroute traffic with no human intervention. There is no performance degradation due to analytics that capture SLA requirements and ensure they are met prior to demand being reached. All network implementations are scanned and adhere to vulnerability and compliance policies prior to deployments. Deployments are continuous to meet business demand.

Benefit Analysis | Who | Current State | Future State

Benefit Analysis: Aligning with the business ensures that the network team is engaged with the cloud adoption desires and strategies.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering.
Current State: 0 | Future State: 0

Benefit Analysis: Network team members who attain cloud training will have a much easier integration and be able to contribute to the greater team.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering.
Current State: 0 | Future State: 0

Benefit Analysis: Each public cloud implements their network with differences and complexities. Training will enhance the success of projects as well as provide the most cost effective solutions. Network planning is crucial for the success of any public cloud adoption and continued operation.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering.
Current State: 0 | Future State: 0

Benefit Analysis: Network teams need to procure cloud services that proactively align with the business and satisfy both the current and future needs of the enterprise through network services being offered through cloud network service adoption.
Who: Enterprise Architecture, Cloud Architecture, Cloud Operations, Procurement and Legal, Network Engineering
Current State: 0 | Future State: 0

Benefit Analysis: Network service disruptions can have a severe impact to the business. Utilizing cloud services and tools will enable business function availability and continuity. Disruption plans should utilize automation and architecture of DR and Recovery services to minimize or eliminate outages.
Who: Enterprise Architecture, Network Engineering, Cloud Architecture, Cloud Operations.
Current State: 0 | Future State: 0

Benefit Analysis: Network performance (utilization/latency, etc) are key indicators for potential cloud operational issues.
Who: Network Engineering, Cloud Engineering, Enterprise Architecture, Operations.
Current State: 0 | Future State: 0

Benefit Analysis: A network assessment plan should be performed to understand if any limitations or obstacles exist for cloud adoption or network expansion. Cost benefit analysis is also needed to prevent oversubscription or underutilization of network services. Considerations should include IP Management, Provisioning through Automation and Policy Driven Orchestration to ensure full optimization of cloud environments.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering, Security Engineering and Architecture.
Current State: 0 | Future State: 0

Benefit Analysis: Network instrumentation impacts performance in both the cloud environment and on-prem environment. It is crucial to the ongoing usability of enterprise applications, SaaS and all other as-a-service services. The interaction between on and off prem environments can be critical in overall performance and continuity. Optimizing network instrumentation to measure and monitor both environments holistically is an important consideration in overall performance and sustainability.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering, Security Engineering and Architecture.
Current State: 0 | Future State: 0

Benefit Analysis: MDM utilization of containerization for securing and encrypting company data on mobile devices. Enablement of simultaneous and automated enrollment for multiple devices, automated configuration of profiles to enact policies such as Wi-Fi, VPN and other parameters. Less complex overview of the entire device ecosystem enabling tracking of all the devices on the network. Application adaptation based on environmental changes managed by business policy orchestration.
Who: Network Engineering, Enterprise Architecture, Cloud Architecture, Cloud Engineering, Application Development, Security Engineering and Architecture.
Current State: 0 | Future State: 0

Benefit Analysis: All corporate and legal requirements for data in transit must be considered and built into the network topology.
Who: Compliance Team, Security, Policy, Enterprise Architecture, Cloud Architecture, Cloud Engineering, Application Development, Network Engineering.
Current State: 0 | Future State: 0

Benefit Analysis: While self provisioning is achievable, network bandwidth is still limited to physical constraints. Self provisioning will increase business usability and can be incorporated into DevOps.
Who: Cloud Architecture, Enterprise Architecture, Cloud Engineering, Application Development, DevOps, Network Engineering
Current State: 0 | Future State: 0

Benefit Analysis: IPV4 addresses are limited and present issues such as IP overlap and loss of address ownership. Utilizing IPV6 will change the management from IP addresses to instance management and Secure Software Lifecycle Development instance management.
Who: Cloud Architecture, Enterprise Architecture, Cloud Engineering, Application Development, DevOps, Network Engineering, Security Architects.
Current State: 0 | Future State: 0

Benefit Analysis: Utilize dashboards, forecasting, alerting, & reporting to elevate visibility into IT performance. Break down monitoring silos to solve problems faster and proactively administrate your environment.
Who: Cloud Architecture, Enterprise Architecture, Cloud Engineering, Application Development, DevOps, Network Engineering, Security Architects.
Current State: 0 | Future State: 0

Benefit Analysis: Defining the network security requirements for the cloud will enable business growth and enable continuity in the public provider environment. An undefined implementation of a network within a provider environment could also lead a provider to cease services and disconnect access to protect other tenants.
Who: Cloud Architecture, Enterprise Architecture, Cloud Engineering, Application Development, DevOps, Network Engineering, Security Architects.
Current State: 0 | Future State: 0

Benefit Analysis: High availability is critical to enterprise workloads running in the cloud and is needed in order to align with business requirements and agility. Cloud now represents a new business paradigm where “availability” is the standard and leveraged as a core capability of public cloud provider environments.
Who: Cloud Architecture, Enterprise Architecture, Cloud Engineering, Application Development, DevOps, Network Engineering, Security Architects, SecOps.
Current State: 0 | Future State: 0

Total: Current State: 0 | Future State: 0

Barrier

Network teams lack the leadership to fully engage in partnership with cloud development teams.

Network teams lack the skills and/or knowledge to fully leverage cloud native networking capabilities.

Lack of awareness of available options to provide network connectivity across multiple providers. Often vendors will provide solutions that are specific to their implementation and can distract from adopting solutions that are agnostic and work across multiple providers.

The business lacks concepts in cloud capabilities and has a tendency to either oversubscribe or under-utilize network service capabilities.

Having multiple escalation and detection processes that are segregated by cost and function can add additional complexity and convolute speed to resolution.

Not having a good understanding of the business performance metrics can lead to inaccurate indicators which will lead to misrepresented data and analytics and will eventually impact decision making.

Not having a good representation of the network could lead to inaccurate planning and impact implementation in meeting business requirements. Lack of network KPIs and analytics will also lead to a network that is either underperforming or lacks the ability to support business continuity and/or HA.

Not having optimized network instrumentation to measure business KPIs or defined SLAs will impact business performance and objectives. Not having a way to optimize application availability will impact performance objectives and cause disruption in front-end performance, as well as back-end availability. The introduction of latency and lack of real-time network metrics can lead to a loss of business agility which will decrease business opportunity in the marketplace.

Adoption of virtual cloud networking to manage mobile devices can be challenging. Not having a cloud network strategy in place to support mobile devices could impede responsiveness to market opportunities and increase time to market. It can also increase the complexity of policy management which could impair deployment and device management.

Policies must be maintained and kept up to date in order to be valid and align with changes in policy, regulatory requirements and business objectives.

Business may incur unforeseen financial impact if automation and provisioning does not align with budget limits.

Many DevOps teams will want to continue to utilize IPV4 and not embrace cloud native tools for supporting and managing instances and their environments with cloud native and third party tools.

Silo environments may have business requirements that preclude access to every environment. Also, monitoring and scanning of networks could have impacts to performance of outward facing applications possibly interrupting the end-user experience.

Not having a defined network security strategy for the cloud will expose unknown vulnerabilities and could cause limited access to resources and networking environments.

Traditional networking will preclude the native capabilities that cloud networking provides. High availability is built into the cloud environment and is made available through service tiering and support agreements. Applications which are architected to be highly available will need to utilize cloud networking capabilities in order to achieve their designed level of availability needed in order to meet business demand.

Artificial Intelligence

Is this domain relevant? Yes/ No

Control Question

Is Executive Management supporting investments and objectives relating to the use of AI/ML/DL in current and future cloud operations?

People

Do IT/Ops personnel and developers have training and/or experience in AI concepts, tools, and appropriate use cases? Alternatively: Are AI consultants available to supplement in house capabilities?

How does IT/Ops use data in decision-making related to cloud management, infrastructure utilization, capacity forecasting, and/or operations practices?

How does the organization assess the quality of data and the algorithms used to create useful information and results from it?

Processes

How are machine learning systems developed, deployed to production, and standardized across the business?

Are AI, ML, and automation routines leveraging data from systems and platforms across the organization?

To what degree has the company adopted and deployed automation and machine learning capabilities?

Technology

To what extent are AI/ML capabilities being applied to Cloud Management, Operations Intelligence, and/or Application Performance?

Is the deployment of AI projects and machine learning models in cloud aligned with data in cloud and/or on-premises?
Contains capabilities related to:
• The ability to apply Artificial Intelligence (AI) and Machine Learning (ML) to disciplines of Cloud Operations, Hybrid IT, and cloud-native Software Development
• Enabling greater effectiveness and efficiency in managing on-premises and off-premises cloud environments
• Mitigating risk in cloud environments
• Using AI for detecting atypical patterns of behavior and performance in Cloud infrastructure, its operators, and external threats
• Improving decision making as it relates to IT/Operations management and procurement
• Making AI/ML/DL training/learning platforms available as a service (AIaaS / MLaaS / DLaaS)

CMM 0 (None) | CMM 1 (initial, ad-hoc) | CMM 2 (repeatable, opportunistic)

CMM 0: No priority has been given to applying AI/ML/DL.
CMM 1: Awareness of the value of AI and ML has led to Management's support of efforts to achieve CMM Level 3 or greater in the Data and DevOps domains to establish a solid foundation of data access, automation and processes to ensure AI/ML capabilities can be layered on top of a solid foundation in the future.
CMM 2: Management is able to see examples of AI/ML based capabilities on top of defined and systematic Operations capabilities. IT/Ops is able to demonstrate applied AI/ML in proof of concept environments. Management is supporting further implementation and inclusion of AI/ML capabilities in the IT/Ops roadmap.

CMM 0: Conceptual AI experience is unknown or non-existent.
CMM 1: Some staff members are known to have basic conceptual AI knowledge. There is an understanding of which use cases are appropriate for various machine learning algorithms and neural network architectures.
CMM 2: AI subject matter expertise and use of appropriate algorithms has been demonstrated in a small number of projects and use cases.

CMM 0: No processes exist to plan for cloud consumption or capacity needs based on data or analytics.
CMM 1: Logging of some notable demand/utilization events and corresponding cloud infrastructure utilization is occurring. Visuals, such as graphs, can be constructed for operators to estimate possible correlation of factors.
CMM 2: Infrastructure utilization and capacity requirements can be forecast for cloud resources supporting a specific project or workload. One or more methods for applying statistical analysis on historical utilization data exist and forecast results can be automated, scripted, or visualized proactively (not necessarily in real-time).

CMM 0: No basis for data quality measurement exists.
CMM 1: Institutional knowledge of which data sets are accessible and suitably structured for use with algorithms is limited. Measurements of data and algorithm quality are not quantitative. Examples may include anecdotal outcomes of projects or experiments.
CMM 2: A Data Management System is used as the system of record noting attributes that describe the structure, accessibility, and type of data available to the organization. AI algorithm developers update the system of record noting attributes useful for their AI projects. The system can be queried to reveal sets of data that match the requirements and/or capabilities of algorithms that are being developed.

CMM 0: No common or shared process exists.
CMM 1: Early adopters (typically Data Scientists) are independently using various AI/ML frameworks and tools to create predictive models. IT/Ops is starting to create deployment systems to facilitate deployment of predictive models, but there is no standard system in place.
CMM 2: More predictive systems are being deployed, but each requires unique handling. Some groups have well documented processes, and they are collaborating with IT/Ops to help standardize. Working groups are bringing best practices together with new tooling and systems to facilitate deployment of predictive models.

CMM 0: AI, ML, and automation do not exist or have little to no access to application, system, or organizational data.
CMM 1: AI/ML tools and automation have access to single systems or limited repositories of data. E.g. predictive analysis has access to the central log repository only. Tools to generate and label useful training data sets (features and corresponding results) are being explored.
CMM 2: AI/ML tools and automation have access to some key data sets across the organization. Integration of data labeling tools is able to tag or capture data sets through data pipelines tied to a data lake, data warehouse, or external data repositories. AI/ML routines mostly depend on structured data sets.

CMM 0: No automation, ML or AI is present within the organization.
CMM 1: Teams are employing automation utilizing Chef, Python, and other scripting to automate application deployment, infrastructure management, and testing. Intelligent automation efforts rely on explicit rules and conditions. No predictive learning capabilities are in use.
CMM 2: Automation is common. AI and ML have been introduced to detect changes and build simple models. Some predictive automation is possible and enables classification of data and/or detection of anomalies in quantitative operations measurements. E.g. physical environmentals cluster analysis, baseline audio/visual recordings, temperature regression analysis.

CMM 0: No capabilities have been demonstrated.
CMM 1: Experimentation with various AI/ML approaches is occurring, but few substantive results have surfaced.
CMM 2: Algorithms are processing a mix of inputs, such as ops events (CIs), infrastructure logs, or application performance data, and human operators are using recommendations from AI or ML based systems to make decisions more quickly and more accurately.

CMM 0: No consideration.
CMM 1: AI projects are developed in isolation and exist mostly on local workstations with some use of public cloud or on-premises environments. There is little consistency in making training data readily available to those experimenting with machine learning.
CMM 2: The data that is available for AI projects is generally non-production data, and it is isolated from production environments. The data can be readily transferred into the cloud. Real-time data from production systems has not been instrumented for use by AI projects.

CMM 3 (defined, systematic) | CMM 4 (managed & measurable) | CMM 5 (optimized)

CMM 3: AI/ML initiatives are included in IT/Ops roadmaps. IT/Ops is delivering capabilities on the roadmap and adding AI/ML capabilities to the IT/Ops service catalogue. Goals for operations improvement are defined.
CMM 4: Management has recognized improvements in cloud automation and operations due to the investments in applying AI/ML. IT/Ops is capturing quantitative metrics that demonstrate the business value of AI/ML. Roadmaps now include the application of DL on operational data/logs to find valuable correlations for further improvement.
CMM 5: Thought leadership, technical innovation, and contribution to FOSS projects are considered valuable to the business. Executive Management evangelizes the modern capabilities internally and to investors, and advocates continued investments as the ROI from the application of AI/ML/DL is effectively self-funding.

CMM 3: Several projects have successfully demonstrated successful application of general AI, Machine Learning (ML), and/or Deep Learning (DL) in appropriate use cases. A larger center of excellence competency has developed in the team. This team is sharing its expertise with other organizations seeking to implement AI/ML.
CMM 4: Multiple teams and multiple projects are consistently demonstrating subject matter expertise and appropriate use case application across multiple AI disciplines. Training and certification programs are available to employees across multiple organizations. Metrics track employee usage of Data and AI platforms.
CMM 5: Technical training focused on AI disciplines and use cases is incorporated into training aimed at the entire company's technical and technology management employees. The company's challenges and successes with applying AI to innovative use cases are evangelized internally and shared publicly (blogs, presentations, books, etc.)

CMM 3: Automated processes correlate active cloud resource utilization data and a few external change events in near real-time. More advanced ML regression capabilities are applied to logged utilization and change event data. Ops staff are alerted to make capacity decisions when forecast resources are expected to be over- or under-subscribed.
CMM 4: Metrics focusing on the accuracy of AI/ML generated recommendations for cloud capacity decisions (adjustments) are in place. Some cloud capacity allocation events are automated based on confidence in the predictive utilization and consumption patterns.
CMM 5: Most cloud operations change events are initiated by automated systems and processes. Prediction and detection of over-load or over-allocation conditions helps the business optimize on cloud spending, and the use of least cost cloud resources across multiple providers (hybrid cloud) is providing additional value.

CMM 3: Most data sources and their associated attribute metadata are catalogued in the data management system. The organization tracks AI algorithm usage in the system and can measure the utilization of different data sets. Management has adopted a data quality assessment framework and set quantitative objectives for data quality based on reporting output from the data management system.
CMM 4: There is widespread adoption of the data quality assessment framework in the organization. Metrics relating to data accuracy, accessibility, availability, and adherence to data model standards are defined and included in KPIs and management objectives for key stakeholders.
CMM 5: The data quality assessment framework has been extended to measure costs and benefits of data processing algorithms including the measurement of real-time data processing capabilities and the improvements that algorithms produce including risk mitigation, attributable increases in revenue, and reductions in cost. The organization can compare the effectiveness and efficiency of different algorithms.

CMM 3: Cross-functional teams have adopted common tools. IT/Ops has provided a deployment workflow and supporting compliance frameworks to enable development, staging, and production deployment of predictive models. Results of training data have a standard repository where results can be compared.
CMM 4: A platform providing shared training data pipelines is accessible to multiple teams. Multiple data sources (including structured data and data lakes) are instrumented in the platform and features can be defined and labeled for new and existing training models. Qualitative metrics track data quality, platform usage, and predictive model accuracy.
CMM 5: Data pipelines are largely shared and feature labeling in training data sets is normalized and shared across different organizations. Model development and deployment systems are providing rapid access for organizations to quickly iterate on new ideas and experiments. ML capabilities are instrumented to perform experiments, design, and select the best fitting models and types of ML used on the machine learning platform. (i.e. ML is being used to improve the fit of models deployed on the ML platform)

CMM 3: AI/ML tools are integrated into an automation platform and several teams are processing data through the system. Access is through defined APIs, data interfaces, and integration tools (RESTful API, database views, iPaaS, ETL, Service Bus). Exploration to identify high value sets of features and algorithms requires significant iteration and experimentation.
CMM 4: The AI/ML automation platform is instrumented into a majority of the organization's data repositories. Useful training data sets are available to multiple teams for experimentation and ML/DL training. Data pipelines are specialized into near term/future predictive use cases and batch-oriented workflows. AI/ML algorithms are able to process unstructured data sets.
CMM 5: Data management processes themselves are leveraging AI to maintain data quality and produce higher quality training data sets for use on the platform.

CMM 3: ML-based automation has revealed interesting correlations between multiple, disparate sets of data. Examples in data center operations include identification of infrastructure threats or anomalies based on changes detected in data that monitors capture from the physical world (e.g. on-premises audio recordings, cameras, thermometers, and/or vibration sensors).
CMM 4: Sophisticated AI/ML systems are able to outperform human operators (as measured by accuracy and/or speed) in identifying root causes of anomalies or forecasting future needs or outcomes. Examples in data center operations include prediction of mechanical equipment failure (server fans, hard drives, HVAC). Examples in business outcomes include real-time targeted advertising individually suited to detailed consumer profiles and supply chain optimization.
CMM 5: Automation of increasingly complex tasks has driven the innovation of deep neural networks (DNNs) and other ML systems which continuously update the training models from the data the system is observing or acting in.

CMM 3: Some workload interdependencies have been correlated by ML, and intelligence algorithms are able to specify causal events and diagnose root causes of atypical performance and operations malfunctions. Human operators have gained confidence in relying on conclusions offered by AI/ML.
CMM 4: Several complex workload interdependencies have been "machine learned" and correlated to typical / expected patterns of workload demand (e.g. seasonal, time of day or week). Threatening operational conditions are anticipated, and corrective actions are automatically initiated to prevent failure or undesirable performance. Uptime metrics and related KPIs show marked improvement that is attributable to the use of AI/ML.
CMM 5: Pervasive analysis of workload performance, infrastructure costs, log information, and utilization trends is continuously performed by ML or DL neural networks. Increasingly automated cloud operations [capacity, cost-optimization, infrastructure optimization] are handled by ML/DL algorithms. Price/performance optimization objectives are top priority.

CMM 3: The data needed by AI projects is categorized and identified in CMDB. The relationships between data, data storage and productive systems are clearly identified. Approaches are defined to evaluate the impact of data transformation on other critical production systems and support of decision making of AI project deployment.
CMM 4: The data needed by AI projects is categorized and identified in CMS/CMDB. Performance requirements (network and processing power) across connections between on-premises data and data in the cloud are simulated. Analysis of the impacts of data transfer between on- and off-premises systems is performed. The AI deployment decisions are made based on the results of those analyses.
CMM 5: The relationships between AI, data, and data processing systems are well understood. Systems and AI projects with strong/heavy data interactions and dependencies are designed cohesively and are architected to be deployed together with data storage co-resident with the system.

Benefit Analysis | Who | Current State | Future State

Benefit Analysis: Leadership support of initiatives is a critical contributor to successful projects.
Who: Executive Management, Technology/Engineering Leadership, Operations Leadership
Current State: 0 | Future State: 0

Benefit Analysis: Artificial Intelligence and Machine Learning methodologies are complex. Determining how AI & ML fit into the needs of the business is best supported by a shared base of knowledge about the underlying mathematical concepts and understanding of use cases that are suitable to the different types of AI/ML techniques.
Who: Developers, Engineering Management, IT/Operations Staff, IT/Operations Management
Current State: 0 | Future State: 0

Benefit Analysis: Many ML methodologies are ideal for pattern analysis, and modeling the right data about external change factors into measurable and actionable automation will provide significant return on investments.
Who: IT/Operations Staff, IT/Operations Management, Engineering Management, Marketing
Current State: 0 | Future State: 0

Benefit Analysis: Failure to establish robust data quality and accessibility capabilities will stifle the ability for AI-development efforts to succeed. Investing in standardization of data models, quality assessment frameworks, and metrics definitions will provide clear and actionable telemetry for continuous improvement.
Who: Data Architects, IT/Operations Management, Engineering Management
Current State: 0 | Future State: 0

Benefit Analysis: Managing machine learning platforms as "products" is a useful approach to ensuring that IT consumers have a consistent experience adopting and deploying these capabilities.
Who: Data Architects, IT/Operations Management, Engineering Management
Current State: 0 | Future State: 0

Benefit Analysis: Investments in well instrumented (accessible) data pipelines provide the greatest returns to the adoption and implementation of artificial intelligence and machine learning.
Who: Data Architects, IT/Operations Management, Engineering Management, Information Security (SecOps)
Current State: 0 | Future State: 0

Benefit Analysis: Using AI, ML, and DL techniques in automation can provide benefits which are easily measured as compared to systems with little to no AI sophistication. Organizations can choose to optimize on speed, costs, and/or quality and with experimentation find valuable methods to achieve desired results.
Who: Data Scientists, IT/Operations Management, DevOps Engineers, Developers
Current State: 0 | Future State: 0

Benefit Analysis: Achieving greater improvements in uptime and cost-optimization is increasingly expensive when your organization is already performing exceptionally well. Further application of AI and ML provides new footholds for Operations and Performance Management teams to close remaining gaps in operational excellence.
Who: IT/Operations Management, Engineering Management
Current State: 0 | Future State: 0

Benefit Analysis: Comprehensive analysis of the relationships between AI deployment, data, and data processing systems is essential to support organizational decision making, avoid negative impact on current production systems, and balance the performance of AI and performance of current critical production systems.
Who: Data Architects, Network Architects, IT/Operations Management, Engineering Management
Current State: 0 | Future State: 0

Total: Current State: 0 | Future State: 0

Barrier

Executive Management
does not know what AI is or
how it can be used to
improve business outcomes.
The organization does not
recognize the complexity of
AI implementations and
therefore doesn't support
their personnel in getting
appropriate training or
utilizing consultants.

IT/Ops lacks institutional


knowledge about what
business activities or
external factors influence
demand on the resources
they manage.
Long Term Managers tend
to believe that they can read
the business and trends
based on their experience,
and counter/undermine
algorithm driven
information results when
they vary from their own
beliefs, stifling the effective
evolution of the business to
higher maturity levels.  If
such lack of trust continues,
then investment in the
automated optimisation of
the business processes and
systems may be stifled.

Data quality is a hard


problem along with model
bias and data bias. Many
companies have tried and
failed to implement master
data management and
similar practices. Machine
learning adoption can be a
positive driver in this
direction, but the level of
effort required may cause it
to stall. Likewise, using
machine learning today is a
very manual and iterative
practice, so early efforts to
manage algorithms and
their quality can establish a
Technology Leadership has
not mandated development
of standard release
processes.

Information Security will not


support initiatives to make
data available for use by AI
initiatives.
Lack of proficient staff or
motivation to deploy
automated solutions. AI
expertise is difficult to find
given its being new and in
increasing demand.

The maturity of the cloud


operations practice is low
and not yet suitable for
enhancement with AI
capabilities.
Data Scientists are unable to
experiment beyond their
local workstations and lack
executive sponsorship to
obtain more access to useful
data.
Internet of Things (IOT)
Is this domain relevant? Yes/ No

Control Question

Is the company training the


business users on IOT and the use
of the data that it generates, and
the impact of IOT on the IT
operating model?

What is the level of data visibility


People to business users?

(Move to Process) What is the


model to identify business
opportunities where IOT can be
applied to solve problems?     How
has the business identified IOT
opportunities
Has the enterprise developed /
identified a reference
architecture for their IOT
adoption, with specific functions
for their different business
organisations?

Is there a development
environment where ideas can be
tested, also worked into the SDLC?

Are monitoring capabilities and


processes in place to maintain IoT
capabilities, detect and remediate
hardware failures, and identify
anomalies and rogue devices?
(What is there, what is not there,
what should not be there?)

Processes
Is there a provisioning process?

Are the IT objectives aligned to


support the business objectives?

Are standards (incl Security)


defined for the various IOT device
layers?
Are specific IOT capabilities
implemented?

Are specific services available to


the organization, based on IOT?

Technology
Are the various IOT technology
elements implemented according
to the selected reference
architecture /plan of the
organization?

Are appropriate secure interaction


technologies defined and
integrated (according to the
selected reference
model/architecture /plan of the
organization)?

Knowledge Pyramid
Description http://www.ioti.com/strategy/iot-market-research-which-industries-are-leading-curv
Contains capabilities related to:
IOT use, skills and implementation in an organization
Being able to map and report business objectives against specific metrics
Having services defined in the IOT space
CMM 0 CMM 1 CMM 2
(None) (initial, ad-hoc) (repeatable, opportunistic)
The business users have no formal Some areas of business are Some business units have defined
information about IOT or how it educated about using data some Business Scenario Use cases
can be applied. No roles are feedback from IOT services. requirements for IOT data, and
assigned to it. Teams operate independently and are implementing it as new
are disconnected at this level. opportunities arise via parallel
projects.  Demand is identified
which is greater than the existing
projects can satisfy. IT has
identified the IT operating Model
changes that will be required to
implement IoT technologies.

No visibility of data exists from The IT team can see data from Data sets from sensor based
any sensor technology. various sensors, but do not sources are available to selected
expose it to the business. business users.

No understanding exists of the People read articles and A business group is trained on IoT
opportunities IOT presents. individuals apply IoT to a process and identifies process
they own improvement projects which will
exploit the new technology
No reference architecture is Some teams have identified IOT A common architecture reference
identified. systems and implemented them model for IOT is identified for the
in silo's, without central co- organisation defining processing
ordination. locations, communication
protocols and security layers, as
well as tooling and data.

No central environment exists, A test environment is stood up A test environment is available,


with any test facilities. "on demand".  There is no SDLC but not integrated into the SDLC
process. process.

IoT equipment and systems are Development teams have Monitoring is more systematic,
being tested and/or deployed into implemented monitoring systems and a shared support organization
production, but no effort is made for their own devices using has been established for
to monitor their health or activity. bespoke tooling or manual responding to outages and
No effort is made to identify scanning and physical anomalies. Adoption of a common
rogue devices. observation. This monitoring IoT platform provides more
targets known devices and may consistent visibility across
turn up a rogue device, but not by applications and deployments.
design. Registration in a hardware
provisioning portal supports quick
lookups of failed devices for
location and type of replacement
equipment. Periodic scanning is
done in key areas to detect rogue
devices.
No IOT Provisioning process exists No process exists. Individuals Companies include IoT
implement IoT to solve problems technologies as a possible
in their area technology in their arsenal of
technologies and design systems
using this approach.

There is no relationship between Any business value is incidental Market pressure drives business
Business and IT objectives. and not measured or reported. to leverage IOT, based on industry
results where sensor derived
information is leveraged.
IoT Business scenario Use Cases
are developed to support business
goals.

No standards exist. Different teams use different Specific common elements are
technology and approaches implemented with standard
independently, motivated by interfaces, to enable re-use and
"their special process ease the IOT implementations at
environment". the edge. Initial Patterns of use
that define Business Scenario use
cases that are best served by edge
processing and those that should
be implemented using Data Center
or cloud IOT processes.
No implementation exists Capability: Capability:
1. Near time data collection 1. Real time data monitoring from
2. Independent business units IoT devices
select and deploy IOT solutions 2. Individual IOT implementations
individually, and without central are aligned to justify individual
co-ordination or integration objectives and not those of the
Technology Implemented: company.
Simple dumb sensors 3. Efficiency on central systems
Data Center or cloud analytics and effective use of shared
resources is ignored
Technology implemented:
Smart Sensors
Edge Processing

No defined services are orderable Some teams advertise capability IT offer a range of available IOT
to deliver selected services, based Services that define patterns of
on their own implementations  use, sensor selection, data
aggregation, LoRa  network
capability for data collection from
sensors, MQTT Platform and Data
aggregation and access to
aggregated and summarized data
based on the deployment of the
central reference architecture and
some central elements of it
No IoT technology or Applications Some basic sensors such as RFID Advanced SMART sensors and
exist exist functions are deployed and
Siloed inter-system integration is supported. Connectivity is secure
deployed without a common and robust. LoRa® networks are
reference architecture being implemented in some
underpinning the implementation areas. Edge Processing
implemented to support data
aggregation and basic reporting.
A reference Architecture exists

No concept exists Systems are not configured to be Some Basic manageability is


manageable. configured and implemented.
Examples: Simple 4-20 mA Examples: UART sensors, MQTT
Current Loop sensors, RFID Tool sensor protocol, LoRa networks,
kits such as Fosstrack , Impinj, XMPP, Extensible Messaging and
 Intermec,  Transcends and Presence Protocol  and Zigbee
 OpenPCD. communication protocol
Aruba, and OpenBeacon Blue Open Source IoT Platforms: Contiki
tooth beacon technologies ,AllJoyn, KAA, ThingSpeak    
Unique IoT Hardware Platforms:
mangOH™

Data
Monitoring. This stage enables Control. At this stage, connected
devices to gather data through products can be controlled remotely
sensors. This is the baseline for the with basic conditionals, such as if X
next steps of the continuum. occurs, Y is performed.
CMM 3 CMM 4 CMM 5
(defined, systematic) (managed & measurable) (optimized)
All business units have identified The business have adopted IOT as Data Science is the operating
Business scenario use cases  and critical part of their Business model in use by the business, well
have defined appropriate Strategy and are implementing understood and integrated into
comprehensive data changes to their products and business logic, and the teams look
requirements for IOT, and an services to exploit IoT for new opportunities to leverage
overall implementation plan exists technologies.  Business scenario data learning in developing new
with prioritized areas for all data data triggers from the IOT feeds, products, services, and
that could have monetary impact  automatically adjust services and eliminating unneeded cost
on the business. IT has define trends to respond to, as drivers.  IOT data enables
implemented the IT operating well as the agility / urgency potential value determination for
Model changes required to needed. Proactive analytics are in the teams, on various work.
implement IoT projects. place that foresee actions based
on IoT driven transformation.

Integrated views are shared on The business derives monetary The products and services of the
sensor derived data between value from the use of sensor business are evolved based on
business and IT. IT has derived data. Business users are analysis feedback from IOT based
implemented a cross business able to develop their own IoT data.
data catalog of all IoT Data. applications using data that is
available from IT Data Lakes.

A company considers IoT A Corporation utilizes real-time An enterprise integrates IoT data
technology in its strategic data analytics based on IoT data from suppliers and customers
product planning and includes it to predict future trends in their with their data and identifies
and in new products operating model trends and foresees future
opportunities based on collected
IoT data
IOT interfaces are defined for all The Reference architecture is Based on results of the reference
relevant business products and continually evolved to exploit architecture implementation, the
processes, and implementation new technologies and use cases. architecture is adapted and
prioritized based on business It contains guidance and IOT updated to include elements of
objectives and value. patterns of use for business high business value, and
IoT Data Lake is implemented. users. The architecture contains optimized to increase simplicity
Architectural directions are governance policies on IoT data of operation and maintenance.
published to guide users on what usage The IoT solutions enable Industry
uses cases and data requirements 4.0 Business Scenario use cases
should be processed at the edge, and coordinate the activities of
and what should be processed in all businesses involved based on
the cloud. proactive incident identification

A central development Specific use cases and models are based on the business unit
environment is available to the selectable from the development wanting to test, a number of
organisation environment shaped around the proposed scenarios are listed for
business units needs, to enable the unit, with the ones they have
rapid concept prototyping not yet adopted being highlighted

An IoT device monitoring and IoT devices and systems are Self Healing is implemented to
support structure has been constantly monitored for address device failures, leveraging
defined within the hardware availability and non-responsive redundant deployments.
support and/or security units. The digital twin capabilities Autoscaling is enabled through
organizations to holistically of the IoT platform provides the smart devices that are in use,
respond to device fault and rogue dashboards and alerts for quick responding to changing workloads
device detection indicators. remediation. Statistics are automatically.  Redundantly
Systematic rogue device detection captured and reports are provided implemented devices ensure
is performed at applicable for uptime, failure rates, suspect continuous availability.
locations.  Action is taken equipment, expected devices not
automatically to address reporting in, etc. Automated
anomalies. network and RF scans are
Provisioning information for failed performed continuously, alerting
devices is automatically delivered when rogue devices are detected.
to field support staff that they can Other company assets like cell
efficiently replace or repair the phones run scanning applications
affected hardware. that detect rogues even in
uninstrumented locales.
Corporations implement a Corporations provide an  open Enterprises develop integrated
foundational data collection data exchange from their devices data repositories of data sets to
platform and expose IoT data as (products) to customers to utilize rapidly integrate data from
sets of data to users to support data collected from devices to everyone’s IoT platforms to solve
citizen integration within their support their own IoT initiatives.  enterprise issues and foresee
Corporation. trends

Business scenario use cases New products and services are IOT and the resulting data derived
support Business objectives that developed leveraging IoT trends are leveraged to re-shape
support business partners. These technologies and Data, so as to the enterprise and focus
Business Scenario use cases support Business Revenue growth innovation initiatives and
support an Industry 4.0 Operating goals. transform the market and
model. The results of IOT data are used to customer expectations of the
help prioritise investments. Enterprise.
IOT data is used to help optimize
investment planning and
operations efficiency.

Specific standards and Technology and systems are Highly specialized technology is
technologies are defined and selected based on their replaced in favour of re-usable
implemented, based on the compliance to specific company multi-functional technology, so
defined Use Cases of the business standards and ability to support that the IOT systems can be
unit, as supported by the the defined use cases of the dynamically re-organized and re-
reference architecture adopted. organization. Standardization on positioned within the eco-system,
Comprehensive Patterns of use technology enable efficiency on as needed.
that define Business Scenario use spares and support. Standardized
cases that are best served by edge Patterns of use are enforced
processing and those that should through governance, across the
be implemented using Data enterprise.
Center or cloud IOT processes.
Capabilities: Capability: Capability:  
1. Ability to real time process 1. Ability to do Real time 1. Ability to integrate the efforts
control based on Realtime data Predictive Analytics is across businesses to facilitate the
collection of IoT data implemented based on IoT data response efforts of multiple
2. Deployment according to a enable business efficiency along enterprises based on monitored
defined secure architecture, with the business processes. IoT data.
existing central shared control 2. Product innovation funnels are 2. Ability to collect data  and
and management elements, fed from IoT analytics results. resulting analytics reports from
enables rapid edge deployment Technology implemented: every step of the business process
and scaling.   Scene recognition technology via IOT enable real-time
3. Stable scalable control, implemented. adjustment and correction to
management and governance Conventional process control ensure achievement of the
systems provide predictable systems data integrated into IOT business objectives.
performance and capacity. Predictive analytics capabilities. 3. Highly specialized technology is
Technology implemented: replaced in favour of re-usable
Consistent underpinning multi-functional technology with
infrastructure such as LoRa® high learning capability, so that
networks are implemented in the the IOT systems can dynamically
enterprise. RFID technology and re-organize and re-position within
Smart shelving technologies the eco-system, as needed around
enabled to provide real time data business hot-spots and priorities.
collection of inventory and assets. Technology Implemented:
Sensor technologies are Augmented reality for
standardized and published for Maintenance  and inventory
consistent use by businesses.  applications in production.  
Drones exploited for hazardous or
complex inspection activities.  
Appropriate data collection and
resulting analytics reports from
every step of the business process
via IOT enable real-time
adjustment and correction to
ensure achievement of the
business objectives.
Managed IOT Services exist IoT Data is integrated into In addition to the requirements of
Secured Remote Management of corporate data lakes and is CMM 4, CMM 5 requires that
IOT is offered available to all business users to customer and supplier data is
Quality of Service is offered, enable advanced analytics that integrated into the data lake with
ensuring reliability exploit data from production , a standardised common data
IOT advisory and Pilot project customers, smart products to model, and is available to all
identification and implementation support business revenue business users (and to support an
Consulting services forecast and business planning Industrie 4.0) to enable advanced
analytics with AI that exploit data
from production , customers,
smart products  to support
 business revenue forecast and
business planning
Mobile and remote connectivity is Management, Monitoring and IoT applications and data are
available. LoRa® networks Analytics tooling provide integrated into/from all available
implemented across enterprise Dashboards, Visualization, Mining sources (such as  Social Media,
Use is made of cloud based and Modelling capability. Mobile, Analytics, Cloud
services where appropriate and IoT technologies managed and applications, Virtual Reality,
available monitored by IT system Augmented Reality, A.I ( Artificial
Integration exists into business management tools. Intelligence), Quantum
systems such as CRM/ERP/PLM IoT Technologies integrated into Computing,  and Massively
IoT data available to all IT Change and configuration Distributed grid Computing
applications via Restful API access management systems and process approaches) to support product
Machine learning technologies development and achievement of
operational Business goals.
The IOT Reference Architecture
and the IT reference Architecture
are integrated

Systems are deployed according The deployed solutions include Proactive modelling and
to defined enterprise standards, detection a capability for security prediction capability is configured
and images are applied to them, compliance. supporting security, analytics, and
which include hardening in of Examples include Scene planning functions.
security as the tech has capability Recognition technology that Examples of sources include Social
and functions to support this. enables both visual and non visual Media, Mobile, Analytics, Cloud
Example: Smart sensors with data capability such as infrared. applications, Virtual Reality,
preprocessing, Data Lake technology: Hadoop, Augmented Reality, A.I ( Artificial
Open Source Middleware: Statistical Analytics: R, ThingWorx, Intelligence), Quantum
OpenRemote, IBI,  Apache Spark Computing,  and Massively
Proprietary Middleware: Data Process Engines: Distributed grid Computing
ThingWorx ApacheStorm
IoT Visualization tools: Freeboard, Cloud IoT Platforms: Microsoft
MQTT Platform for data IoT, GE Predix, Cloudera and
aggregation Talend

Information Knowledge Wisdom


Optimization. Product performance Autonomy. At this stage, a product System autonomy. At the most
is optimized automatically by is able to work independently; it advanced stage, each autonomous
implementing analytics. adapts and learns from the asset communicates and
environment (machine learning). synchronizes with one another to
Data is used predict the future. create a network of connected
things. Automated response to
predicted events
Benefit Analysis    Who    Current State    Future State
By educating the organizational Business users, data scientists, IT
units about what is possible, they Architects
can innovate and select
appropriate technologies and
services to measure, report and
enable the business objectives for
which they are responsible.

0 0
Where business can see results Business users, data scientists, IT
more quickly, they are also able to Architects
respond to opportunities or
threats more dynamically.

0 0
Once the business leverage IOT Enterprise Architecture, Business
data to solve problems, they are Analysts
able to focus their solutions much
more explicitly at the aspect that
represents business value, based
on real statistical data now
available to them

0 0
Leveraging a common Enterprise Architecture, Business
architecture model enables Analysts
business and IT to align and re-use
common elements, as well as to
govern and secure the
environment more effectively. 

0 0
By enabling concept testing in a Enterprise Architecture, Business
Lab, the business is able to model Analysts
the opportunities and benefits, to
help make their case and analyse
what impacts the use of IOT in
that dimension may have

0 0
This ensures the ongoing Technical Architects, Security,
availability of information Compliance
through defined service levels,
and Security levels are
maximised / security breaches are
minimised. Device reliability is
increased through the use of
redundant sensor technologies
A consistent process expands Technical Architects &
from an individual to an Operations / Support / DevOps
enterprise to provide data for all
to use. It quickly eliminates the
need for custom integration and
data models

By bringing a reporting and Executives, Enterprise Architects,


measuring dimension into Business Managers
business objectives, tracking and
adjusting the business units
behind those objectives is more
easily enabled. It also ensures that
all IoT projects have clear
business reason and
measurement before they are
implemented

0 0
There are millions of potential IT Architects, Security, IT
devices and technologies available Operations, Networks, Business
- by having standards in place, Analysts
security, re-use, and maintenance
are significantly improved.

0 0
When appropriate capabilities are Service Management, IT
defined for the business specific Operations
Use Cases, then technology
selection, governance, and
support are much easier and
more cost effective. Mis-informed
buying can also be reduced

0 0
By defining shared services and Service Management, Enterprise
advertising them to the business, Architects, Business Users
improved economy of scale is
achieved.  Standards are also
easier to manage and govern.
The Citizen Integrator is enabled
through pilot programme
opportunities

0 0
Implementing according to a IT Architects, Security
defined reference architecture
generally makes troubleshooting
and planning much easier. It also
enables coordinated negotiations,
and improved investment
planning

0 0
By defining the compliance and IT Architects, Security
security requirements up front,
technology selection and
integration is significantly
simplified.

0 0
Total 0 0
Barrier

Some teams may want to


remain invisible, and not want
the ability to isolate
responsibility for certain
trends, which IOT can enable.

Having to respond and witness


consequences of actions in
near real-time can disturb
comfort zones which certain
units may currently relax in

Many of the business members


still believe in their personal
feedback from trusted parties,
and do not have visibility of
the invisible clients at the
remote end of their services
and out on the internet. 
Missing this dimension can
cause significant opportunity
impact.
Independent business units
may want their own autonomy
and may not want to share
their environment with others

Business often do not really


understand the IOT scope and
potential, and so battle to
understand the Use Cases on
offer to them

The cost of rogue device


detection capability can be
perceived as prohibitive, but
potential brand impact when
things go wrong must also be
considered!
Random installations may be
easier to perform, and
business may like the
flexibility, but compliance and
security and risk management
may lose control

Defining measurable business


objectives can require more
effort and work from
executives

Where very diverse processes,


priorities and objectives exist
in an organization, common
standards may be difficult to
agree
Teams may want to manage
and control their services
independently, and only
leverage some shared
infrastructure

Vendors may want to secure


services to themselves and
create long term lock-in for the
organization
Local customization and
environmental requirements
or existing infrastructure may
drive constant localization,
away from the defined
reference model, which the
IOT budget cannot address

Security makes access more


complex, and can cause delays
on support or problem solving,
as more elements exist in the
solution chain, also driving
costs up.
API's

Is this domain relevant? Yes/ No

Control Question

Is there a defined product owner at


an API level?

Who is responsible for identifying


and defining new API
requirements? (redundant)
People
Has API specific training been
performed for the different API
involved roles?

Are API's within the organization


actively managed as a
product/service?

How is access granted to APIs for


both internal and external users?
Has an application lifecycle
management process been
defined for API Creation / Lifecycle
Management?

Do standard architectural
designs/patterns exist to guide
API creation / management?

Processes

Have BCP/DR plans been created


at the API level?
Has a secure development
lifecycle been defined for API
Creation / Management?

Does the creation of APIs align


with the business and IT strategy
requirements?

Is there a communication strategy


for API updates?

How are APIs monitored for


security, compliance,
performance, availability etc?
Is there a central catalogue of
APIs?

Technology
How are APIs monitored for
usage, billing, etc?

How are APIs deployed into the


various environments?
Contains capabilities related to:
- How the organization consumes and uses API's,
- How API management focuses on the planning, design, implementation, publication, operation, consumption, maintenance, and retirement for APIs
- Associated API services.

The overall goal is to make use of API's easy, cost effective, secure, and sustainable to allow organizations to drive value from the API's they use.

CMM 0 CMM 1 CMM 2

(None) (initial, ad-hoc) (repeatable, opportunistic)

No identified owner or The resource who The team who created/introduced


responsible role assigned created/introduced the API acts the API, act as the API owner.
as the API owner Roles and responsibilities are
assigned within the team.

Anyone and Everyone can suggest End-users of an API provide input A Business Analyst is assigned to
API introductions and for new requirements.   help accumulate requirements for
development Input tends to be specific to a API's.
functional requirement, without  These requirements are vetted
an understanding or definition of across the user base to make
all use cases for the use of the changes more strategic
function
No formal training has been Individual developers experiment Training on various API
performed leveraging their existing dimensions is performed where
programming skills, and some new application development
online learning occurs

API's are not seen or managed as API's are created as required by A process exists to create APIs.
a product or service individual units.  In general, acceptable interop
 Interoperability is limited to the formats are defined up front, and
initial use cases, no standard some standard tooling exists for
tooling exists, and no registration, co-ordination and
owner/maintainer is defined governance of API's.  
Owners are defined, but
changes/updates are done as
requests come in

No control exists API access is managed Access to APIs are tied to a central
individually, and access is granted authority (for example: AD
on a once-off basis by the project groups) where basic user
team. management happens.
 Identity management is not
centralized, and is granted for the
specific API only.
No process is in place One or two key API's are A CI is created in the CMS for each
identified and commonly tracked API that is officially used by the
and used in the organisation.   enterprise
Information on functions, updates
and changes to the API is retained
within individual teams

No designs exist Design patterns only address the Use of functions is defined via
use of common platforms, and design principles and patterns, so
how the API's may be accessed as to create common ways of
doing things, making
maintenance, support and
operations easier

API's are not considered for The Availability of the API is linked API is classified according to
business continuity to the system availability of the existing BCP/DR strategies and
system it ties to processes of the application it
interfaces with most
No secure development lifecycle It is assumed that all internal All new functions and API's are
evident development is trustworthy, and released to Production through a
that all authorised vendor change and risk analysis and
provided API's are trustworthy control process

No alignment is documented Developers develop what they All new development effort is
need for their function, with no justified based on how it enables
clear alignment to business the business and IT strategy and
objectives requirements

No communication exists Whoever introduces a new API or Change management co-ordinates


function sends out an ad-hoc communication to all known users
memorandum to known users of of an API, when a change is
the API. planned

No monitoring occurs Application logs are used to A standard logging toolset /


determine crude metrics methodology is used that gathers
a set of data that is used for
offline analysis when required
No catalogue exists Different teams have their API's Internally developed API's are
identified that they work with, recorded as CI's in the CMS, with
and record them individually for attributes describing their various
the use of their team functions.
Vendor API's are not recorded

No monitoring occurs Reporting is performed on an ad- Existing management and


hoc basis manually to determine monitoring tools are used to try
who should contribute towards and determine metrics against
development and management selected API's
costs

There is no deployment concept Each developer deploys or DevOps deploy API's and
registers the API manually functions for own applications,
registered in defined tools, via
their own change or release
processes
umption, maintenance, and retirement for APIs

ons to drive value from the API's they use.

CMM 3 CMM 4 CMM 5

(defined, systematic) (managed & measurable) (optimized)

CMM 3: API's are assigned to a Solution/Enterprise architect who acts as API and standards owner, and assigns and prioritises new function development. This is aligned to business objectives and needs. Product owner makes build vs buy decisions around feature enhancements.
CMM 4: A product owner is assigned, and the API is assigned to a process for evolution and development. The owner is responsible for standards and processes around access, use, and effectiveness of the API functions with regard to business enablement. Tooling is leveraged to track and report the API function use
CMM 5: A steering committee supports a gatekeeping function which determines if and when new API's and functions are introduced, depending on what already exists, what can then be retired, and what can be consolidated.

CMM 3: A solution/enterprise architect manages the API's and creates a minimum roadmap of potential API evolution and changes. This roadmap is reviewed among peers and users for prioritisation
CMM 4: Changes requested to APIs are planned at the portfolio level. Product managers and architects collaborate on where to strategically position changes amongst the in-scope API's
CMM 5: A funnel of new requirements is reviewed by the gatekeeping committee, prioritised by them, and this includes the exit planning or disablement of un-used functions so as to maintain efficient control and operations

CMM 3: Company specific training is performed based on defined standards, methodologies, use-cases and selected API providers / concepts prevalent within the organisation
CMM 4: All relevant roles have a skills development aspect in API identified in their performance agreements, and annual measurement targets
CMM 5: Specialist functions are identified and specialist training is performed for individuals involved in those parts of the API development (e.g. security & authentication, function advertising, inter-system and inter-API calls, etc.)

CMM 3: A secured and standard process exists for creating/managing APIs. A product owner is selected who plans a roadmap for the evolution (or de-evolution) of a service or product relating to a particular API. The API is advertised to the target users in a standard way, via an API management platform.
CMM 4: Product owners utilize a standard set of metrics to determine the future roadmap of a particular API. API use is tracked and reported regularly, and goals are established for using standard industry foundational API sources. Options such as FOSS are leveraged to reduce own development and maintenance effort
CMM 5: Policy driven automation of changes is implemented. API function use is tracked and reported regularly, so as to optimise, analyse and switch off unused functions

CMM 3: Access to APIs is granted at a more granular level than group membership, usually via claims. APIs have facilities for machine-to-machine identity management (e.g. service principals). Access aligns with applicable data security policies. Access requests are generally serviced via existing IT helpdesk or ticketing systems, and can be tracked for offboarding.
CMM 4: A community portal exists where users can manage their access and owners can approve access. Roles within the API are well-defined based on measured usage patterns. Usage of those APIs is tracked closely and reported on.
CMM 5: No standing access to end APIs exists, and access requests are granted in a "just-in-time" fashion for the required duration of the request/process. Machine-to-machine interactions take place with managed service accounts that have built-in password rotation/certificate rotation mechanisms.

CMM 3: All functions available via the API are catalogued and attributes are defined in the CMS for each of them, against the CI for the API. Dependencies on the functions are registered, so as to enable change management and impact analysis
CMM 4: Use of each of the API functions is tracked and reported automatically, so as to identify critical and non-critical API's, dependencies and functions
CMM 5: Based on API function criticality and use, common functions are consolidated, and unused ones are removed from the API and from the API library, so as to reduce maintenance, risk, and any unneeded integration work

CMM 3: Design guidelines exist specifying the definition and naming of variables, functions and objects, as well as the security and access controls for the function. Re-usability is a key dimension of the specification. Self healing is also considered in the blueprint
CMM 4: Specification exists for defining hooks into API's for monitoring, management, measurement and reporting purposes, as well as troubleshooting. Error Code definitions are defined and applied, so as to enable ease of troubleshooting
CMM 5: A common funnel of new functions for API's is mapped, and prioritisation and co-ordination for their development is channelled to DevOps via the Agile processes.

CMM 3: Standard designs identify that the API is designed to deal with failure, and to find and connect to the next available relevant resource wherever that may be, so as to ensure service continuity
CMM 4: Self-healing is a standard part of the design blueprint, dealing with element failures. Error handling and automatic fault correction is catered for in the design. All developers work according to this process and design
CMM 5: All API's are stored in an API library, which is considered as a critical system, and included in the BCP / DR process and strategy

CMM 3: A process exists whereby API's are carefully analysed, and only authorised acceptable functions are enabled or used. The API library contains the secured API code, and the function is called / loaded from this secure library in each instance
CMM 4: API Management and Governance tools manage exactly which API functions are used by each user or user group based on a tracking and registration process, and where they may be used, by means of policies. The governance tool also tracks the API version/s and reports anomalies
CMM 5: Due to all API's being registered and controlled by means of an API management toolset, DevOps align tightly to registering / deregistering all development releases via this toolset

CMM 3: All new and existing functions are weighted and prioritised based on the degree to which they enable business and IT strategy and objectives. Based on being core or non-core, the non-core functions are slowly worked out or de-prioritised while the core functions are invested in and prioritised
CMM 4: All weighted functions are prioritised based on their use and their role in terms of business value and business enablement. Investment in further development is assigned accordingly
CMM 5: If development does not enable the business strategy or objectives, it is not done.

CMM 3: A roadmap of changes for all API's is registered so that all users of API's are able to synchronise their planning with DevOps
CMM 4: Monitoring and reporting provides information about new API's features and functions, and their timely releases, illustrating the business value impact of any delays
CMM 5: Users of API's and functions receive automatic notifications of changes, and have to accept the notification in order to proceed

CMM 3: A standard and centralized logging toolset / methodology is used that produces real-time metrics visible by dashboard
CMM 4: Metrics are captured as part of standard processes and shown in the organization's dashboards for business processes
CMM 5: Logging/Monitoring is implemented in an Aspect-Orientated way; all APIs added to the platform are automatically monitored at the required levels

CMM 3: An API management tool is in operation, and all used API functions are recorded as attributes of a CI for the API, in the CMS
CMM 4: All API's across the organisation are enrolled and governed by the API management toolset. Dependencies are mapped and roadmaps for development are published. API's are called from a central Library which is carefully protected and version controlled
CMM 5: The API governance tool provides usage reports, identifies dependencies, users and systems involved, and this is categorised according to business objectives that must be enabled

CMM 3: An API management tool is in operation, and all API Functions usage is recorded against defined metrics
CMM 4: Usage reports and consumption of API's from the API tools is automatically reported to the users' cost centre
CMM 5: Usage reports and consumption of API's from the API tools is automatically assigned to the users' cost centre

CMM 3: Enterprise Change Management process uses the API Governance tools to register and release API's and updates across the enterprise
CMM 4: The Agile tooling interfaces with the API governance tooling, and updates are planned and released via sprint releases
CMM 5: All new functions as needed to support predicted business capability are synchronised into release dates, and their development and integration is synchronised to these key business targets

Benefit Analysis | Who | Current State | Future State

Benefit: Assigning API ownership at the correct level ensures that the API has the correct visibility, is assigned the correct resources, and grows according to a defined roadmap. The resulting co-ordination also reduces the impacts of changes on participating business areas
Who: Development team, Solutions Architects, Product Managers, C-Level
Current State: 0, Future State: 0

Benefit: APIs managed at the correct level lead to an optimal balance between strategic decisions vs point decisions
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Co-ordinated development along common paradigms helps make maintenance and evolution within the organisation much easier and simple to maintain
Current State: 0, Future State: 0

Benefit: By defining API's as products and services, their value and impact on / to the organisation can be recognised and managed accordingly
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Knowing who uses an API, and being able to report that ensures compliance and that anomalies can be detected and resolved quickly
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Knowing what part of an API is used enables the DevOps organisation to focus their efforts efficiently
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: The existence of common guidelines and supporting governance provide for effective use, and enable compliance management and risk management
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Feature and function availability can be guaranteed and depended on by the system owners and users who leverage the API's
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Being able to have a complete list of API's, functions, and access enables an organisation to quickly address any issues that may occur, and to secure their multi-cloud perimeters much more effectively. (Cloud today is driven by API access and network access - network is usually well-managed, but API discipline is new)
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Focussing expensive resources on functions that add value to the business enables a higher return on investment. If they are not co-ordinated, much effort can be spent on non-value generating work.
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: By ensuring that all affected users are informed, impacts of change on the organisation can be minimised, and expectations can be managed more effectively
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Being able to identify that all access to and use of API functions is according to the company policies ensures ongoing compliance, and reduction of risk
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Central co-ordination of API's provides security and control of the organisation's key functions and services
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: By being able to assign costs for the lifecycle management of an API based on usage, the organisation can fairly determine production costs of each business product
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Benefit: Knowing that the business capability will be underpinned by key API functionality ties IT and business tightly together, linking dependencies directly, and enabling effective opportunity cost management
Who: Development Team, Business Analyst, Architects, Product Managers, Portfolio Managers
Current State: 0, Future State: 0

Total 0 0
Barrier

APIs tend to start small-scale, and most times do not warrant full scale management. Product Managers / Solution Architects chosen to own an API must also act as the visionary for that API and understand how the API can have profound impact on the business.

There are two main barriers. The first is focused around the types of resources and their workload. It is difficult to give all APIs the desired attention. Secondly, the higher up the scale you go, the longer decisions could potentially take around API direction. This can kill some of the agility that APIs are supposed to have.

Without proper training, many erroneous assumptions arise about the use and scope and management of API's, driving politics

When not considered as a service by which clients and users access or produce products of the organisation, lower prioritisation is applied to API's, which then have the ability to totally restrict business

Where access is not consistently managed, the business can lose control of key controls and services, resulting in need for difficult remediation

Not managing API's according to a defined lifecycle allows units to move out of sync with each other, with changes constantly bringing the business to a halt - and each team defending their territory and release schedules

Where organisations argue to just adopt whatever they acquire from vendors, they usually are behind in having control and are unable to plan ahead for application feature releases. Often vendors are not prepared to commit features of new releases until release date, for competitive purposes.

Resistance to defining BCP / DR plans for API's enables teams to skirt responsibility, to the detriment of the organisation.

Transferring responsibility to other groups or entities means that the organisation is not in control of their specific requirements. Many work on assumptions, and don't want the extra work that API requirements bring

The business objectives, priorities and goals must be defined up front

Many communication strategies do not accommodate API's yet, and consider them as too low a level for formal inclusion and broadcast

Often the existing tools do not have the capability to monitor at API level

The existing catalogues do not accommodate API's or their functions

The existing reporting and billing systems are not able to deal with API use and cost allocation / showback

The existing enterprise deployment systems do not support co-ordinated release management at API level

Configuration Management Systems

Is this domain relevant? Yes/ No

Control Question

Are development and operations teams aligned to the organization's Configuration Management (CM) process when it comes to cloud-based systems? (V2)

People
Do you have a process for tracking cloud resources?

Processes

Are cloud resources tracked as Configuration Items (CIs) in the CMS?
Do you use an integrated repository for CMS data related to cloud resources representing a single point of truth?

Technology
Do you use automated tools for identifying and relating cloud-based CIs?

Technology
Do you manage configuration consistency of the application stack?
Contains capabilities related to:
• Ensuring use of the cloud aligns with the organization's Configuration Management process while still enabling the organization to realize the benefits of the cloud.
CMM 0 CMM 1 CMM 2

(None) (initial, ad-hoc) (repeatable, opportunistic)

CMM 0: No. Cloud is treated as "different".
CMM 1: Some groups and/or projects pilot adoption of CM practices for cloud-based systems. This adoption is inconsistent and is generally seen as being low priority by the majority of teams.
CMM 2: All groups and/or projects have adopted some level of CM practices for cloud projects. These practices are generally similar, but as a whole the approach is informal with no prescriptive adherence to an organizational standard nor communication on best practices.

CMM 0: No effort is made to track cloud resources.
CMM 1: Cloud resources are manually inventoried retrospectively as discrete entities, but not on a consistent schedule.
CMM 2: Cloud resources are manually inventoried at time of deployment. Relationships between components are also recorded and maintained manually. Monitoring tooling runs daily to report systems and configurations, and base system information and location is recorded into a CMS.

CMM 0: Cloud resources are not tracked with any formal configuration management process.
CMM 1: Some development and/or project teams are tracking cloud resources using disparate manual processes. This information is siloed from the CMS and its component CMDB's (e.g. in manually-maintained spreadsheets, etc.). Teams are experimenting with configuration data from cloud vendor tooling (e.g., AWS Config, etc.).
CMM 2: All development and/or project teams are tracking cloud resources using a consistent manual process. This information is siloed from the CMS and its component CMDBs (e.g., in separate spreadsheets, etc.).

CMM 0: No integrated repository exists
CMM 1: Some groups store CMS data for cloud resources in disparate repositories (spreadsheets, simple RDBMS, etc.). The information being captured is inconsistent.
CMM 2: All groups are tracking CMS information for cloud resources, in disparate repositories which are not connected. A common data model is generally used for CI's and Attributes.

CMM 0: No automated tooling exists for this purpose
CMM 1: Governance and policies exist identifying that all cloud deployments must be registered and approved via authorisation and workflows (e.g. finance, purchasing and IT). Cloud resources (in alignment with authorised providers) deployed via service orchestration tooling are manually registered in a CMS repository as CIs. Configuration changes to these components are handled manually.
CMM 2: Cloud resources deployed via service orchestration tooling are automatically registered in a CMS repository as CIs in arrears via scheduled scans (based on defined policy). Relationships/dependencies between CIs are created and maintained manually in selected areas. Configuration changes trigger events via the orchestration tooling, which automatically updates the CM repository. Manual changes are not tracked, resulting in configuration drift.

CMM 0: No consistent approach to managing the configuration/lifecycle of the software, middleware or infrastructure.
CMM 1: Cloud infrastructure configuration is managed, but application software and middleware releases are handled independently and manually without capturing this information as part of any CMS.
CMM 2: Cloud projects have adopted a practice of managing the middleware and/or infrastructure as part of the application stack, where orchestration tooling and scripting is employed to deploy new applications as a single logical service. Configuration and application updates are made manually to the in-place application environment, resulting in unpredictable configuration drift. While predictability of configuration consistency is improved at initial deployment, manual changes in production lead to configuration drift.

l enabling the organization to realize the benefits of the cloud.
CMM 3 CMM 4 CMM 5

(defined, systematic) (managed & measurable) (optimized)

CMM 3: All groups and/or projects for cloud systems are following a common, documented CM process, including any relevant training. There is no auditing to confirm compliance.
CMM 4: All groups and/or projects for cloud systems are following a common, documented CM process. Training on the CM process is part of each cloud team member's development plan. Adherence to the process is monitored for compliance and corrective action taken when required.
CMM 5: All groups and/or projects for cloud systems are following a common, documented CM process. Relevant training and process compliance are monitored and tracked. Team members regularly provide input to continuous improvement activities related to the process.

CMM 3: Attributes about cloud resources (e.g., CPU and memory capacity of VMs, configuration settings, etc.) are being captured as part of the inventory of record. New deployments or changes cause "event triggered" updates to CI records. Automated tooling for infrastructure component discovery exists to improve configuration accuracy.
CMM 4: Organization focuses on "high value" config data (business critical apps, regulatory requirements, etc.), and optimized data to manage cost and simplify processes. Service chains (dependencies between infr. and software) identified via automated means (e.g. system scanning identified software, network connectivity map to identify component inter-dependencies, etc.). CMS data regularly audited for accuracy and corrective measures implemented. CMS data used as input to other ITSM processes (e.g., analysis of service chain dependencies to assess Change Management decisions, etc.).
CMM 5: Cloud resource components are inventoried via automation, including component attribute data and component dependency relationships. Process no longer depends on manual intervention. Cloud resource inventory data used as input to business decision making (e.g. understanding dependencies and lifecycles within application portfolio, predictive budgeting for cost associated with maintenance/licensing/support, maintaining capability roadmaps in response to business demand, etc.)

CMM 3: Cloud resources are tracked in more formal CMDBs (vs. spreadsheets, bespoke databases, etc.) which are integrated into a single logical CMS. These are managed as independent CIs with no relationship and dependencies identified to other CIs.
CMM 4: Cloud-based functions are reported from one CMS, based on federated CMDBs, (shared with other IT resources), and the dependency mappings identify the service chains and associated dependencies to other CIs.
CMM 5: Combining cloud and on-premises assets in a single CMS provides a holistic view of the Hybrid IT estate. This "single point of truth" enables optimization of the estate (e.g., removing duplicative or overlapping functions and capabilities, identifying assets which can be eliminated or phased out from support and operational processes, etc.).

CMM 3: An integrated CMS environment exists with different data elements located in different data stores, but as a cohesive federated CMS. Real CI information is beginning to migrate into this CMS. ITSM processes are being adapted to use the federated CMS for managing cloud based services in context of the entire IT estate. Regulatory related CI elements are identified and managed accordingly
CMM 4: All CI's & Attributes are automatically captured and updated into the "single point of truth" CMS, based on orchestrated events. All groups register CI & attribute information for cloud resources, and automated tooling raises events where a bypass or unauthorised item is noted. Attributes are defined for additional layers representing cloud service integration (e.g. API's) and for dealing with containers and microservices. Additional functional layers are accommodated in the CMS which are important for cloud services including IaaS levels, Application Levels, and Integration elements such as API's and Message Services
CMM 5: Duplicate data and data stores are eliminated. Consistent tooling is leveraged by all teams for defined specialist functions. Predictive analysis of problem areas exists and leverages access to and analysis of the federated CMS. Automated responses to problems are invoked based on the trend analysis.

CMM 3: Orchestration Events trigger the creation and updates of CI's and attributes / changes. Automated discovery scans for existing cloud resources and is used to improve accuracy of CMS data captured at deployment time. Updates resulting from manual change events are logged by automated tools. Relationships/dependencies between CIs are manually maintained.
CMM 4: Automated discovery is used to map dependency relationships between CIs into application-specific service chains. This is accomplished by scanning installed software, and analysis of network connections between CIs, etc. All changes to systems occur via the service orchestration system, resulting in event driven triggers automatically updating all CI's and attributes without exception. Discovery is used to audit the CM process by identifying any resources deployed outside approved orchestration or procurement procedures, and escalated to risk management.
CMM 5: Predictive analysis is integrated to the CMS for analysing CI's and attributes, so as to identify potential problems and focus areas for attention. Unused systems and overused systems are identified, as well as areas for system optimization. Trends are also identified for the systems and components, enabling predictive planning and budgeting for cloud resource use and integration.

CMM 3: Tooling/scripting is standardized across the organization and all projects manage and report the configuration of new application stacks, leading to improved predictability of full-stack consistency at deployment. Configuration and application updates are detected in existing environments by daily scans, reducing configuration drift of the records. Some manual changes still occur, which are not all recorded, especially in the context of older existing systems.
CMM 4: All existing physical and cloud based application stacks are recorded in the CMS consistently. Integration elements are recorded, and non-standard configurations or elements marked for correction. Objectives have been set for CI record compliance and overall system alignment to defined standards. A dashboard illustrates the current status of application stack configuration compliance with the defined standards. All changes result in an event triggered update to the CMS
CMM 5: The application stack is reported as a single service entity. Shared and individual elements are identified, re-use/no-use is tracked and reported. Deployment of elements or updates for applications are synchronised, based on dependencies on common elements (e.g. API function updates, messaging service updates, integration platform updates, data model updates etc.). Visibility of the stack enables alignment to policy and regulatory compliance for the business function. Event driven changes update the CMS, which then supports pro-active preventative maintenance via the CI/CD pipeline.

Benefit Analysis | Who | Current State | Future State

Benefit: Cloud teams recognize that in adhering to a consistent Configuration Management process, the reporting, troubleshooting, management, and operation of cloud-delivered solutions can be improved.
Who: Developers, Infrastructure teams, Compliance
Current State: 0, Future State: 0

Benefit: The IT organization is better able to respond to business demand when it has a clear picture of what it has and how it is all interconnected.
Who: Capacity Managers, Risk & Compliance Managers, CIO
Current State: 0, Future State: 0

Benefit: Cloud resources captured as CIs support ITSM processes such as Change Management, Asset Management, Financial Management, etc.
Who: Procurement, IT Management, Compliance Officer
Current State: 0, Future State: 0

Benefit: Elimination of duplicated systems and data flows reduces costs and administration.
Who: ITSM teams, DevOps teams, Capacity & Risk managers
Current State: 0, Future State: 0

Benefit: Removing the need for humans to capture details and replacing this function with automated tooling generally increases accuracy and minimises errors. It also brings the data up to a standard and level that meaningful analysis can be performed to enable predictive actioning.
Who: Software development and infrastructure services teams, ITSM teams, DevOps teams
Current State: 0, Future State: 0

Benefit: New and revised applications are deployed and managed consistently as a single logical entity, ensuring more predictably functioning applications while minimizing the impact of unintended change.
Who: Software development and infrastructure services teams.
Current State: 0, Future State: 0

Total 0 0
Barrier

Staff who are unaware of the benefits of CM, or not knowledgeable of how to effectively transition traditional on-premises CM will undermine the organization's ability to provide scalable, and available services in the cloud or hybrid environments.

Existing processes and capabilities for IT service management are not cloud ready.

Cloud is seen as separate or different from on-premises with regard to ITSM processes.

Manual inventory processes seen as "good enough" for Configuration Management.
