#245 - CobiT and Software Development
Debra Mallette, CISA, CSSBB, Kaiser Permanente IT
Monica Jain, CSQA, Convansys

Outline
Business and IT performance improvement
Maturity models and Six Sigma
Software development improvement and SEI CMM
IT improvement and CobiT
Compare and contrast SEI CMM and CobiT
How to improve performance with maturity model(s)
Case study
Conclusion
Performance Improvement

Improving Performance with Maturity Model(s)
Figure labels: Process, Technology, People, Maturity Models

Six Sigma and Maturity Models
Maturity levels (columns): Ad Hoc; Repeatable But Intuitive; Defined Process; Managed and Measurable; Optimized
Six Sigma usage (rows, X marks the applicable maturity levels):
Business Program: XX
Process Project: XXX
Statistical Tool(s): XXXX
Software Engineering Institute's Capability Maturity Model (SM) for Software

SEI CMM (SM) Key Practice Areas
CobiT Framework
Business Objectives drive the Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT Resources: data, application systems, technology, facilities, people

Planning and Organisation
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

Acquisition and Implementation
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

Delivery and Support
DS1 Define service levels
DS2 Manage third party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

Monitoring
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
SEI CMM vs. CobiT
Improvement focus: SEI CMM, software engineering; CobiT, IT.
Size of target population and model complexity: SEI CMM, a portion of IT, complex model, quality language; CobiT, all of IT, clear and concise controls language.
Synergies: SEI CMM, integral and functional KPAs; CobiT, internal audit.
CobiT and SEI CMM
CobiT provides the over-arching process (controls) framework for all IT activities. CobiT links SEI CMM KPAs to business goals as follows:
–CobiT processes link SEI CMM key practice areas to IT process owners and business goals
–CobiT metrics help define SEI CMM goals and objectives
–CobiT maturity models provide the basis for assessing IT capability and planning improvements beyond the SEI CMM KPAs
SEI CMM provides detailed software engineering best practices, including functional and integral practices. SEI CMM provides guidance for the processes in CobiT's Acquisition and Implementation domain.

CobiT vs. SEI CMM Goals
CobiT for IT: effectiveness, efficiency, confidentiality, compliance, reliability, improved control.
SEI CMM for software engineering: effectiveness, efficiency, improved software quality.
SEI CMM and CobiT

CobiT and SEI CMM

COBIT and SEI CMM Levels

Using a Maturity Model to Improve
Identify opportunities for improvement.
Evaluate the expected benefit from the improvement.
Choose for leverage: CobiT, SEI CMM, or both? Full SEI CMM assessment?
Plan:
–Desired improvement
–IT-wide balanced maturity level
–Planning and monitoring feedback loops
Case Study: Background
Timeframe: January to June 2003
IT organization providing products and services for around-the-clock, around-the-globe engineering.
Solid-line reporting to Engineering/Sector, dotted-line to Corporate IT.
300 +/- people serving more than engineers at 6 sites on 2 continents.
Cost reductions over 2 years: all contractors gone; 40% of headcount laid off; no capital spending approved; computer rooms consolidated as leased space was vacated.
New CIO, new CFO. IT outsourcing looming.

Organization Background
Corporate Six Sigma renewal initiative.
SEI CMM (and SEI CMMI) initiative active in Engineering (IT's customers). SEI CMM usage required by IT policy.
Another sector working on the Baldrige Award (awarded).
Security concerns, pre- and post-9/11.
Intellectual property concerns.
Financial controls concerns (pre-Sarbanes-Oxley).
20 14% 16% 66% 4% Planning & Organization Acquisition & Implementation Delivery & Support Monitoring Organizational Fit Resources to be Leveraged? IT Effort Expenditure Percentages Planning & Organization Delivery & Support Monitoring Acquisition & Implementation
Customer and Stakeholder Expectations for the IT Organization's Performance
IT Leadership Team: reduce effort to prepare for audits (3500 man-hours for one site!) and to "keep the lights on".
Corporate Finance: maintain satisfactory compliance.
Corporate IT Management: mitigate security vulnerabilities, reduce costs by a minimum of 50%, and continuously improve quality and maturity performance.
Customer Management: TL 9000 and ISO 9001 compliance. Less "keep the lights on" investment, more availability to support product development, and more "engagement" to increase productivity.

Gap Analysis and Planning
Self-assessment: "Repeatable", Level 2, in every domain (Planning & Organization 14% of effort, L2; Acquisition & Implementation 16%, L2; Delivery & Support 66%, L2; Monitoring 4%, L2).
Goal: "Defined", Level 3.

Performance Improvement Program
PO1: Develop and deploy a strategic planning process including a strategic roadmap baseline, monthly alignment of strategy to projects, and quarterly re-assessment of strategy.
M1: Monitor performance against strategy using the strategic roadmap and balanced scorecard goals.
M2: Assess internal audit readiness; improve just enough to sustain audit compliance at minimal cost.
PO1: Results
Strategic roadmap baselined in 3 months: top-down with the corporate data architecture (PO2) and bottom-up with the IT project list.
Started with less than 10% project alignment and reached greater than 80% alignment over a period of 6 months.
Stable strategy achieved in 3 review cycles.
Continuous improvement:
–Strategy enhanced to include technology architecture (PO3) and customer alignment in the 2nd year.
–Roadmapping process not jettisoned in re-orgs!

M1: Results
IT staff reduced by more than 50% while customer staffing was reduced by 40%.
Capital equipment and leasing costs reduced by 80%.
Site consolidations for floor space reductions, including off-site storage reductions, of approximately 40%.
Computer room construction upgrade projects funded as required to meet OSHA requirements.
Network availability maintained at an average of 3.5 nines (about 99.95%) over the year.
SLA response rate sustained at target with a "very satisfied" customer rating.

M2: Results
5 site reviews conducted. Reviews assessed each site's readiness for internal audit of compliance with Standards of Internal Control, Security, and Proprietary Information Protection practices.
100% "Satisfactory" findings for internal audits.
Continuous improvement:
–A self-assessment process, eliminating the need for on-site visits by assessment teams, was successfully deployed in the 2nd year.

Improvement Investment
Approximately 3% of the organization's resources over the year, with the bulk of the investment in 3 FTEs to sustain forward momentum on the program.
Strong sponsorship and oversight by the IT Director and Leadership Team, including Site Managers.
Travel expense budget to deploy readiness assessments.
Summary
Performance improvement is a business and IT imperative.
The business is at risk if IT performance is not sustained with continuous improvement and controls (e.g. audits).
Capability maturity level improvement is a step above continuous improvement and requires investment and monitoring.
Maturity models can minimize risks to existing performance and reliably and predictably reproduce performance improvement results.
CobiT and SEI CMM have compatible and synergistic strengths for optimal IT and business results.

For More Information:
Debra Mallette, CISA, CSSBB, Kaiser Permanente IT
Monica Jain, CSQA, Convansys
Thank you!