Managing Information Technology Service Delivery

Presentation transcript:

Managing Information Technology Service Delivery Greg Charles, Ph.D. Principal Consultant Computer Associates June 2005

Today’s Objective To provide information on the latest trends in service management as seen in government data centers around the country

Ever-Increasing Complexity

Approaches Currently In Use
• Business As Usual - “Firefighting”
• Legislation - “Forced”
• Best Practice Focused

The Legislation Minefield
Privacy & Security
• Personal Information Protection Electronic Document Act (PIPEDA)
• US Patriot Act \ Homeland Security (Critical Infrastructure)
• Personal Health Information Protection Act (PHIPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
• Gramm-Leach Bliley Act (GLBA) privacy of financial information
• Children’s Online Privacy Protection Act
• Clinger-Cohen Act (US Gov.)
• Federal Information Security Mgmt. Act (FISMA)
• Freedom of Information & Protection of Privacy (FOIPOP) BC Gov
• FDA Regulated IT Systems
• Freedom Of Information Act
• Americans with Disabilities Act, Sec. 508 (website accessibility)
Finance
• Sarbanes Oxley (US)
• FFIEC US Banking Standards
• Basel II (World Bank)
• Turnbull Report (UK)
• Canadian Bill 198 (MI 52-109 & 52-111)
Washington State Laws relating to IT
• Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110, 120, 130; RCW 9A.48.070, 080, 090; RCW 9A.105.041 and many more
Other International IT Models
• Corporate Governance for ICT DR 04198 (Australia)
• Intragob Quality Effort (Mexico)
• Medical Information System Development (Medis-DC) (Japan)
• Authority for IT in the Public Administration (AIPA) (Italy)
• Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)
• European Privacy Directive (Safe Harbor Framework)

Best Practices
Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
Cycle diagram: Define / Improve / Measure / Control And Stabilize

Information Technology Infrastructure Library
What Is ITIL? ITIL is a seven-book series that guides business users through the planning, delivery and management of quality IT services.

The ITIL Books (diagram: the books arranged between The Business and The Technology)
• Planning To Implement Service Management
• The Business Perspective
• Service Management: Service Support, Service Delivery
• ICT Infrastructure Management
• Security Management
• Application Management

Complete ITIL Process Model

ITIL Service Support Model (diagram)
Inputs from The Business, Customers or Users: Difficulties, Queries, Enquiries, Communications, Updates, Work-arounds
Inputs from Monitoring Tools: Incidents
• Service Desk: Customer Survey reports
• Incident Management: Service reports, Incident statistics, Audit reports
• Problem Management: Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports
• Change Management: Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports
• Release Management: Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports
• Configuration Management: CMDB reports, CMDB statistics, Policy standards, Audit reports
CMDB holds: Incidents, Problems, Known Errors, Changes, Releases, CIs, Relationships

ITIL Service Delivery Model (diagram)
Inputs from Business, Customers and Users: Queries, Enquiries, Communications, Updates, Reports; Requirements, Targets, Achievements
Inputs from Management Tools: Alerts and Exceptions, Changes
• Availability Management: Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports
• Service Level Management: SLAs, SLRs, OLAs, Service reports, Service catalogue, SIP, Exception reports, Audit reports
• Capacity Management: Capacity plan, CDV, Targets/thresholds, Capacity reports, Schedules, Audit reports
• Financial Management For IT Services: Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
• IT Service Continuity Management: IT continuity plans, BIS and risk analysis, Requirements def’n, Control centers, DR contracts, Reports, Audit reports

What Is ITIL All About?
• Aligning IT services with business requirements
• A set of best practices, not a methodology
• Providing guidance, not a step-by-step, how-to manual; the implementation of ITIL processes will vary from organization to organization
• Providing optimal service provision at a justifiable cost
• A non-proprietary, vendor-neutral, technology-agnostic set of best practices

IT Governance Model (diagram)
• Regulation: US Securities & Exchange Commission, Sarbanes-Oxley
• IT Governance: CobIT
• Audit Models: COSO
• Quality Systems & Mgmt. Frameworks (spanning Service Mgmt., App. Dev. (SDLC), Project Mgmt., IT Planning, IT Security, Quality System): ISO, CMM, Six Sigma, ITIL, BS 15000, AS 8018, ASL, ISO 17799, PMI, TSO
• Layers: IS Strategy, IT Operations

CobIT
• CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit
• Based on over 40 International standards and supported by a network of 150 IT Governance Chapters operating in over 100 countries
• CobIT describes standards, controls and maturity guidelines for four domains and 34 control processes

The CobiT Cube: 4 Domains, 34 Processes, 318 Control Objectives (Business Requirements)

CobiT Domains
• Plan & Organize (PO Process Domain)
• Acquire & Implement (AI Process Domain)
• Deliver & Support (DS Process Domain)
• Monitor (M Process Domain)

CobiT Processes by Domain (diagram)
Plan & Organize (Planning & Organization)
• Define Strategic IT Plan
• Define Information Architecture
• Determine Technological Direction
• Define IT Organization & Relationships
• Manage IT Investment
• Communicate Aims & Direction
• Manage Human Resource
• Ensure Compliance With External Standards
• Assess Risks
• Manage Projects
• Manage Quality
Acquire & Implement
• Identify Automated Solutions
• Acquire & Maintain Application Software
• Acquire & Maintain Technology Infrastructure
• Develop & Maintain IT Procedures
• Install & Accredit Systems
• Manage Change
Deliver & Support
• Define & Manage Service Levels
• Manage Third-Party Services
• Manage Performance & Capacity
• Ensure Continuous Service
• Ensure System Security
• Identify & Allocate Costs
• Educate & Train Users
• Assist & Advise IT Customers
• Manage Configuration
• Manage Problems & Incidents
• Manage Data
• Manage Facilities
• Manage Operations
Monitor
• Monitor The Process
• Assess Internal Control Adequacy
• Obtain Independent Assurance
• Provide for Independent Audit

COSO Components
• Control Environment: Sets “tone at the top”; foundation for all other components of control; integrity, ethical values, competence, authority, responsibility
• Risk Assessment: Identify and analyze relevant risks to achieving the entity’s objectives
• Control Activities: Policies that ensure management directives are carried out; approval and authorizations, verifications, evaluations, safeguarding assets, security and segregation of duties
• Information and Communication: Relevant information identified, captured and communicated timely; access to internal and externally generated information; information flow allows for management action
• Monitoring: Assess control system performance over time; ongoing and separate evaluations; management and supervisory activities

COSO, CobiT & SOX Components

Putting COSO, CobiT, and ITIL together
• COSO defines the high-level policies of a well-governed IT organization.
• CobiT defines the control structures for evaluating whether the organization conforms to COSO policies.
• ITIL defines the practices that will satisfy the CobiT controls.

How to Make it a Reality? Key Success Factors
Theory – CobIT/ITIL/COSO
• Process Guidelines for Best Practices
• Provides the theory but not the process
• Education is an important component
Training & Education
• Convert theory to process that is applicable to the unique needs of the organization
• Tool configuration
Technology – CA and others
• Provide the technology that enables and automates the process
• Repeatability, compliance and notifications
• Implement processes impossible without technology

Making IT Easier: Customer maturity isolates the appropriate transition point, blueprint & ROI

Next Steps - Focus on Customer Needs
EIM: Complete, Integrated, Open, Proven
Best Practices: High Quality, Comprehensive; People, Process, Technology, Partners
Business Flows Solutions: Enabling, Evolutionary, Efficient
Enabling
• Foundation = Integrated product strategy
• Deliver end-to-end (Product / Services & Education / Partner) solutions
• Maximize competitive differentiation through CA value add
Evolutionary
• Integrate and enhance existing CATS processes and tools
• Project → engagement → lifecycle
• Leverage existing field skills, practice and brand domain expertise
• Logical ‘next-step’ to Q2 assessment focus
Efficient
• Standards base (ITIL, etc)
• Reusable IP (Code / Architecture / Pkg Svcs)
• Flexibility to support strategic, tactical & operational campaigns

Typical Survey Section features… (screen labels: Respondent Scoring, Proven Practice “Statements”)
CA offers free online surveys called CA Profilers to help you determine those areas where you have the greatest gap between your capabilities and those processes you believe to be most important for your environment. This is a capture of a typical screen from the ITIL Service Management survey. There are five sections in this survey, including Service Support and Service Delivery. There are also more detailed surveys available for the processes included in Service Support and Service Delivery. Each section usually contains 5-7 Best Practice statements. You rate these statements on a scale of 1 (low) to 5 (high) in terms of how important they are to your organization and your capability to perform them. If you are interested in a free analysis, please make sure you indicate this on your post-event seminar evaluation survey and CA will provide you with a login and password.

Comparison Charts (3 Sets of Scores: Industry Comparison, Role, Overall; Your Score)
One advantage of conducting the survey online is that you receive results immediately. Results are presented graphically so you can immediately recognize the areas of most importance, least capability, and therefore the sections with the largest “gap”, which are most likely your biggest concerns. If you are interested, results can be compared to others in your industry or with your same job title.

Meeting Customer Needs – Best Practices
Industry and CA best practices are applied to all of our solutions to maximize standardization and quality. To this end, CA has developed an approach to defining each process for each level of maturity and has created a methodology for customers to continually evolve through each phase. This approach includes a process where the customer assesses their current level, designs a target process, implements the process, and optimizes the processes of focus. To aid customers in their journey, CA has created “Blue Prints” which help to describe the entire solution required to evolve, including but not limited to what the target process should look like. This method goes way beyond ITIL in that ITIL tells you what to do but does not focus at all on how you get there.

Thank You gregory.charles@ca.com Questions?