#325 - CobiT and Service Delivery Debra Mallette, CISA, CSSBB Kaiser Permanente IT
2 Outline Business, IT and IT Service Delivery ITIL best practices and CobiT overview How CobiT maps to ITIL best practices –Results of recent joint research between the ITGI and the OGC (the owners of ITIL) on harmonizing CobiT and ITIL and using them together effectively How to use CobiT and ITIL to: –focus on business and improve service definitions and SLA’s –apply metrics and maturity models assess performance –Develop and implement targeted process improvements Conclusion
3 Why is Improvement with Best Practices Important? Effective use of IT is critical to the success of enterprise strategy Best practices and standards help to enable effective governance of IT activities Big Benefits, reliably, implementable for organization
4 Aligning IT Services to the Business Business Strategy IT Strategy Specific IT Objectives IT Service Requirements Are they aligned?
5 IT Services need to be: Defined according to customer requirement Prioritized according to overall business needs Measurable in terms meaningful to the customer Specified in terms of operational requirements Capable of being delivered adequate resources and processes in place Managed and controlled so objectives are met and risks are managed Cost effective so scarce resources can be optimised, and service providers can be profitable
6 What’s needed to make this work? Business Strategy IT Strategy Specific IT Objectives IT Service Requirements Are they aligned? Clear and measurable statements of business’s operational requirement from IT Service Definitions Operational Level Agreements Service Level Agreements Best Practices
7 And... Business Strategy IT Strategy Specific IT Objectives IT Service Requirements Are they aligned? Clear and measurable statements of business’s operational requirement from IT Service Definitions Operational Level Agreements Service Level Agreements Best Practices Capability Assessment (make sure it is achievable) Governance and Control Framework (make sure it is managed)
8 CobiT and ITIL Business Strategy IT Strategy Specific IT Objectives IT Service Requirements Are they aligned? Clear and measurable statements of business’s operational requirement from IT Service Definitions Operational Level Agreements Service Level Agreements Best Practices Capability Assessment (make sure it is achievable) Governance and Control Framework (make sure it is managed) ITIL CobiT
9 Service Delivery –Capacity Management –Availability Management –Financial Mgt. for services –Service Level Management –Service Continuity Mgt. ITIL Best Practices Overview Service Support –Incident Management –Problem Management –Configuration Management –Change Management –Release Management Activities to Define and Develop IT Processes –Application and Software Asset Management –Design and planning ICT Infrastructure –Security Management –Business Perspective
10 Objectives of ITIL Holistic Service Management –Assure the consideration of functional and non- functional requirements –Ensure that Services are appropriately tested before live operational use –Assess the possible risks and impact on existing infrastructure caused by new or modified systems –Define future Service Requirements
11 Objectives of ITIL, cont. Customer orientation - IT services provided at a level of quality that allows permanent reliance on them. Responsibility is assigned to individuals who: –Consult the users, help them use services optimally –Collect and forward user opinions & recommendations –Resolve incidents –Monitor performance of the services delivered –Manage Change
12 Framework for IT governance aligning IT with business requirements An IT process classification scheme Generic control objectives for each IT process Management guidelines enabling management to align IT activities and priorities with business requirements: Set objectives and metrics (Goal Indicators- ‘KGIs’ and Performance Indicators – ‘KPIs’) Consider critical success factors Assess capability using maturity models – identify critical gaps CobiT Provides
13 u Premise: IT needs to deliver the information that the enterprise needs to achieve its objectives. u Promotes process focus and process ownership u Divides IT into 34 processes belonging to four domains, provides a high level control objective for each u Addresses fiduciary, quality and security needs of enterprises. u Seven information criteria to generically define what business requires from IT u 300+ detailed control objectives & control practices u Metrics for measuring goals and processes u Maturity models for gap analysis and benchmarking u Critical success factors for implementation u Effectiveness u Efficiency u Availability, u Integrity u Confidentiality u Reliability u Compliance. u Planning u Acquiring & Implementing u Delivery & Support u Monitoring What does CobiT consist of?
14 HOW DO THEY RELATE ? IT Processes IT Resources IT Resources Business Requirements Data Information Systems Technology Facilities Human Resources Planning and organisation Aquisition and implementation Delivery and Support Monitoring Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information Reliability How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to - and built up by - IT
15 PO AI DS MO IT Governance Model IT Governance helps: --simplify operations --cut costs --increase revenue Needs an IT Control Framework
16 DS1 Define service levels DS2 Manage third party services DS3 Manage performance and capacity DS4 Ensure continuous service DS5 Ensure systems security DS6 Identify and attribute costs DS7 Educate and train users DS8 Assist and advise IT customers DS9 Manage the configuration DS10 Manage problems and incidents DS11 Manage data DS12 Manage facilities DS13 Manage Operations PO1 Define a strategic IT Plan PO2 Define the information architecture PO3 Determine the technological direction PO4 Define the IT organization and relationships PO5 Manage the IT investment PO6 Communicate management aims and direction PO7 Manage human resources PO8 Ensure compliance with external requirements PO9 Assess risks PO10 Manage Projects PO11 Manage Quality A I 1 Identify automated solutions A I 2 Acquire and maintain application software A I 3 Acquire and maintain technology infrastructure A I 4 Develop and maintain IT procedures A I 5 Install and accredit systems A I 6 Manage changes M1 Monitor the process M2 Assess internal control adequacy M3 Obtain independent assurance M4 Provide for independent audit IT RESOURCES IT RESOURCES data application systems technology facilities people data application systems technology facilities people PLANNING AND ORGANISATION PLANNING AND ORGANISATION ACQUISITION AND IMPLEMENTATION ACQUISITION AND IMPLEMENTATION DELIVERY AND SUPPORT MONITORING effectiveness efficiency confidentiality integrity availability compliance reliability effectiveness efficiency confidentiality integrity availability compliance reliability Criteria Business Objectives CobiT Framework
17 CobiT provides over-arching process framework covering all IT activities, linked to business requirements, that ITIL can fit into ITIL is focused mostly on service management (CobiT’s Delivery & Support domain) ITIL is more detailed and practices oriented CobiT helps link ITIL best practices to real business requirements and IT process owners CobiT’s Control Objectives provide a Control Framework CobiT’s metrics help define SLA & OLA criteria CobiT’s Maturity Models provide basis for assessing capability & planning improvements CobiT plus ITIL and other standards provide a more complete set of best practices CobiT and ITIL are complementary
18 Senior management more aware and involved – more direction Process focus enables process ownership - more accountability Common language and reference model - better communication Metrics and SLAs more business oriented, understandable to users, and therefore more realistic – stakeholder ownership IT more focused on what the user / business wants – prioritized ITIL best practices applied where they are most needed – effective Control framework conforms to SOX – easier compliance Necessary improvements will be easier to justify – better ROI Efficiencies should be gained – cost optimized Benefits of a combined approach
19 Research project between ITGI & OGC ITGI is IT Governance Institute: OGC is UK’s Office of Government Commerce: ogc.gov.uk Both ITGI & OGC would like to see greater harmonization between CobiT and ITIL We have agreement to initiate joint research Coming Soon: First deliverable: Executive summary aimed at management what’s needed, what’s provided, how they work together Appendix showing relationship between CobiT’s 34 Processes, Controls and ITIL This mapping from Work-in-progress Other deliverables likely to follow Results will be used in both CobiT and ITIL planned update projects
20 How CobiT maps to ITIIL ITIL best practice guidance for CobiT processes ITIL guidance by CobiT domain CobiT guidance beyond ITIL
21 CobiT Processes mapped to ITIL Best Practices
22 CobiT Guidance beyond ITIL
23 Using CobiT’s Maturity Models to improve Self-Assess Priorities and opportunities for improvement. Evaluate the expected benefit from the improvement - see metrics. Choose for leverage: CobiT, ITIL, Both? Plan: –Desired improvement –IT-wide balanced Maturity Level. –Planning and Monitoring feedback loops
24 Key Process Components Process Inputs Outputs IT Resource IT Resource Information Criteria Information Criteria Key Goal Indicators (KGIs) Key Goal Indicators (KGIs) Key Performance Indicators (KPIs) Key Performance Indicators (KPIs) Critical Success Factors (CSFs) Critical Success Factors (CSFs) Control Objectives Control Objectives Maturity Model Maturity Model Purpose
25 Assessing Maturity and Prioritizing Opportunities
26 Using Metrics to drive Improvement Plan: Use CobiT Online –Benchmark and/or Self Assess –Select Process(es) (look at Goals, Criteria and Resources) –Align with Business: Key Goal Indicator –IT Performance: Key Performance Indicator Implement –Select and implement best practices –Check Critical Success Factors Control: Monitor and Feedback –Monitor Key Goal Indicators & Key Performance Indicators –Assess Internal Control Adequacy Act
27 CobiT Maturity Levels Benchmark and/or Self-Assess Optimized: Best Practices Non-Existant: Management Processes not applied at all Ad Hoc: Ad hoc and disorganized Repeatable: Regular patterns Defined: Documented and communicated Managed: Monitored & Measured See CobiT Management Guidelines or CobiT Online
28 Assessing Maturity and Prioritizing Opportunities Selected DS3: Manage Performance and Capacity
29 Select DS3: Manage Performance and Capacity Key Goal Indicators to Align with Business
30 Select DS3: Manage Performance and Capacity IT Key Performance Indicators to Monitor
31 CobiT Processes mapped to ITIL Best Practices Selected DS3: Manage Performance and Capacity
32 Select and Implement CobiT DS3 maps to ITIL Best Practice: Service Delivery –Capacity Management –Availability Management –Financial Mgt. for services –Service Level Management –Service Continuity Mgt.
33 Select and Implement Address CobiT DS3 Critical Success Factors
34 DS3: Manage Performance and Capacity Implementation Critical Success Factors
35 Case Study: Monitored Results IT Staff reduced by >50% while customer staffing reduced by 40%. Capital equipment and leasing costs reduced by 80%. Site consolidations for floor space reductions including off-site storage reductions for approx. 40% reduction. Computer room construction upgrade projects funded as required to meet OSHA. Network availability maintained at average of 3.5 “9’s” over the year. SLA’s response rate sustained to target with “very satisfied” customer rating.
36 Summary Performance Improvement is Business & IT imperative. Business is at risk if IT Performance not sustained with continuous improvements and controls. CobiT and ITIL have compatible and synergistic strengths for optimal IT and Business results.
37 For More Information See:
38 And For Even More Information: Debra Mallette, CISA, CSSBB Kaiser Permanente IT Gary Hardy CobiT Steering Committee IT Winners
Thank you!