ITIL & COBIT O6PLM Kevin Lisay – 1501147113 Rendy Winarta – 1501149226 Steven Ekaputranto - 1501148362 Stefani Trifosa – 1501158893 Gladys Natalia – 1501165476
Background Information Technology is a thing that can’t be missed in this modern world. Effectiveness and efficiency that IT offers are great and gives so much benefit. Any company especially the big one can’t endure to use IT nowadays. In order to make the structure of IT operates really well, many of company use ITIL (Information Technology Infrastructure Library), which is a set of document a set of documents which defines best practices and accepted techniques in Information Technology community. Also COBIT (Control objectives for information and related technology) that helps top tier user (managers, IT professionals and assurance professionals) develop IT itself.
Scope Implementation of Information Technology Infrastructure Library. Implementation of Control Objective for Information and Related Technology. Differences between Information Technology Infrastructure Library and Control Objective for Information and Related Technology.
What is ITIL (Information Technology Infrastructure Library) ITIL is the most widely adopted approach for IT Service Management in the world. It provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business.
COBIT? (Control objectives for information and related technology) A model designed to control the IT function. This model was originally developed by the Information System Audit and control foundation (ISACF). COBIT support IT governance by providing a comprehensive description of the control objectives for IT processes and by offering the possibility of examining the maturity of these processes.
Implementation of Information Technology Infrastructure Library.
1.Process Implementation Objective The objective of this document is to provide a template for developing process implementation plans that will be usable across a wide range of diverse organizations Program Management
2. Process Implementation Projects Process, People And Technology (The Integrated Project Plan) Project Timelines Expected Project Deliverables Implementation Roles Process Owner Core Process Team Stakeholder Groups And Subject Matter Experts Internal and External Process Advisors Pink Elephant Consulting Roles High Level Process Model Development
3. Process Embedding Strategy Process Workshops / Training Develop Lesson Plans Schedule Workshop And Process Embedding Date Coaching Period Initial Process Review And Adjustment Detailed Activities (Project Check List) People Involved Awareness Campaign Systems Implementation Activities Support Tools Post Implementation and Audit Other Considerations
4. Evaluationof The Project Post Project Review Auditing Using Quality Parameters Generic Quality Parameters for IT Service Management Process Specific Quality Parameters for IT Service Management
Implementation of Control Objective for Information and Related Technology.
1. Background The bank in the given case is a global conglomerate with operations in more than 50 countries and with more than 125,000 employees across the globe. The bank’s technology teams are located throughout the world to support global lines of business. The IT teams include development centers that are part of the bank and others that are outsourced to vendors, as well as technology back offices that support IT infrastructure and services. The bank had a history of multiple governance and assurance templates and processes followed by different teams, regions and locations. Hence, the key challenge was to create a common governance and assurance process across technology teams.
2. Use of COBIT Defining a framework to use—Control objective framework (COF) Identifying a standard definition of ‘entities’ against which risks and controls were to be evaluated—Key entity management model Identifying a risk management process— Risk and control assessment (RCA)
Defining COF It should act as a tool to facilitate the effective assessment of risks and controls within technology. It should act as a reporting framework to demonstrate how technology satisfies reporting regulatory requirements, including those of Sarbanes- Oxley. It should act as an aid to drive management assurance. The steps in implementing COF using COBIT included: Identify principal risks Identify level II risks Identify control objectives
Benefit of Defining COF Prior to implementing this framework, each entity, organization and location had its own set of controls. COBIT helped in developing and managing a single list of controls for each type of risk through the mapping of needed controls to COBIT. In turn, this assisted with the attestation of each type of risk, which provided confidence to senior executives on the reporting and attestation process. Subsequently, a risk assessment process was developed to define risks and controls. This helped in ensuring that adequate controls were deployed to cover the principal risks and level II risks.
Identifying Entities for Managing Risks and Controls Process entities Supporting services entities Technology entities Project entities
Defining and Implementing the RCA Process
Training Key Stakeholders One of the main challenges was to explain the entire process to all of the stakeholders with different backgrounds and understanding of risks and controls and at various locations. The challenge was managed by creating additional training programs at various levels.
Differences Between ITIL and COBIT
- ITIL - COBIT Control Focused Uses IT Metrics Used by auditors in SOX Critical Success Factors Includes a discussion of quality Includes a discussion of process maturity Strong concentration on processes Security is a very important component Focused on service delivery Has a broad base of adopting organizations with lessons learned Has an organization certification schema
Here is a table explaining COBIT, ITIL, and one other framework (CMMi) for SOX :
Another table describing COBIT, ITIL, another framework (CMMi) for non-SOX Objectives