LECTURE 1 – The Problem – Solutions: Standards & Frameworks.

Presentation transcript:

LECTURE 1 – The Problem – Solutions: Standards & Frameworks

The Problem … ? PROJECT & PRODUCE … … & then MANAGE!
- Longer time (20+ years vs. 9 months)
- More & more complex relations (school/companions/b-g.friend/… vs. gynecologist)
- More expensive (… ask your father …)
- More risks (car/drugs/alcohol/depression/unemployment/… vs. abortion)
- …
- Less & weaker “instructions”!!!

Managing an ICT Factory … how much experience gained?
- The Heroic Years
- Becoming an Industry

ICT: exact science or still artistic handicraft? … in theory … … actually …
An example: Capacity Planning
- Inputs: Trans. Rate, DB W/R Ratio, # Users → RAM, CPU, Bandwidth
- Transactions? What kind? From where? When? How many? …
- Users? What channel through? What trend? What service? …
- DB access? How many records? How big? What update frequency? …
- NOW … and tomorrow? … and next year? …

Ever-Increasing Complexity … … beneath an ever easier surface, at everyone’s fingertips!

CMM (Capability Maturity Model): Maturity Levels
5. Optimizing. Continuous process improvement.
4. Managed. Detailed measures of the software process and product quality are collected.
3. Defined. Management and engineering activities are documented, standardized, institutionalized.
2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects.
1. Initial. Ad hoc. Success depends on individual effort and heroics.

The ICT Management Process Maturity Model (Gartner, 1999) … or “Trying to Run Before Walking”
- Level 1 – Chaotic: Ad hoc; Undocumented; Unpredictable; Multiple help desks; Minimal IT operations; User call notification.
- Level 2 – Reactive: Fight fires; Inventory; Desktop SW distribution; Initiate problem mgt process; Alert and event mgt; Measure component availability (up/down).
- Level 3 – Proactive: Analyze trends; Set thresholds; Predict problems; Measure application availability; Automate; Mature problem, configuration, change, asset and performance mgt processes.
- Level 4 – Service: IT as a service provider; Define services, classes, pricing; Understand costs; Guarantee SLAs; Measure & report service availability; Integrate processes; Capacity mgt.
- Level 5 – Value: IT as strategic business partner; IT and business metric linkage; IT/business collaboration improves business process; Real-time infrastructure; Business planning.
Steps between levels: Tool Leverage → Operational Process Engineering → Service Delivery Process Engineering → Service and Account Management → Manage IT as a Business.

Approaches Currently In Use
- Business As Usual – “Firefighting”
- Legislation – “Forced”
- Best Practice Focused

Confusing the 'Means' With the 'End'
This Is Not the Goal! ITIL, Six Sigma, CMM-I, Malcolm Baldrige, "Certification", Etc.
Certification Does Not Guarantee Good Outcomes! Beware of Process for Its Own Sake!
Process Improvement Is About Better Outcomes and Experiences for Customers.

Best Practices
- What is not defined cannot be controlled
- What is not controlled cannot be measured
- What is not measured cannot be improved
Define → Improve; Measure → Control and Stabilize
Quality & Control Models: ISO 900x, COBIT, TQM, EFQM, Six Sigma, COSO, Deming, etc.
Process Frameworks: IT Infrastructure Library, Application Service Library, Gartner CSD, IBM Processes, EDS Digital Workflow, Microsoft MOF, Telecom Ops Map, etc.

CobIT and IT Operations – Audit Models, Quality Systems & Mgmt. Frameworks
Areas covered: Service Mgmt., App. Dev. (SDLC), Project Mgmt., IT Planning, IT Security, Quality System, IT Governance Model.
Frameworks and standards positioned against these areas: COSO, ISO, PMI, Six Sigma, TSO, IS Strategy, ASL, CMMi, Sarbanes-Oxley, US Securities & Exchange Commission, ITIL, BS, ISO 20000.

Look at the Regulatory Storm We All Face
Missing: PCI; FERPA; Security breach reporting (CA SB 1386); CA SB 25 re SSN use; Gramm-Leach-Bliley; DMCA; CAN-SPAM; Fed Privacy Act 1974 – RMP-8; Electronic Gov Act of 2002; OMB Circular A-130; NIST security standards – FIPS 200, A; Cyber Security R&D Act

Relationship of Control Regimes
Scope axis: Operations – Applications – Finance – Strategy
Regimes: COCO, COSO, COBIT, ITIL
University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.

Committee of Sponsoring Organizations (COSO) – The Components
- Monitoring: Assess control system performance over time; Ongoing and separate evaluations; Management and supervisory activities.
- Control Activities: Policies that ensure management directives are carried out; Approval and authorizations, verifications, evaluations, safeguarding assets, security and segregation of duties.
- Control Environment: Sets “tone at the top”; Foundation for all other components of control; Integrity, ethical values, competence, authority, responsibility.
- Information and Communication: Relevant information identified, captured and communicated timely; Access to internal and externally generated information; Information flow allows for management action.
- Risk Assessment: Identify and analyze relevant risks to achieving the entity’s objectives.

COSO Enterprise Risk Management (ERM) Model

The COSO ERM Framework
- Entity objectives can be viewed in the context of four categories: Strategic; Operations; Reporting; Compliance
- ERM considers activities at all levels of the organization: Enterprise-level; Division or subsidiary; Business unit processes
Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003

CobIT: Control Objectives for IT
- CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit
- Based on over 40 International standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries
- CobIT describes standards, controls and maturity guidelines for four domains, and 34 control processes

The CobiT Cube: 4 Domains, 34 Processes, 318 Control Objectives (Business Requirements)

CobiT Domains
- Plan & Organize (PO Process Domain)
- Acquire & Implement (AI Process Domain)
- Deliver & Support (DS Process Domain)
- Monitor (M Process Domain)

CobiT Processes by Domain: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring

The 34 Defined CobiT Processes

The 7 CobiT Principles

Positioning the Frameworks
Axes: Level of Abstraction (High – Low); IT Relevance (Holistic – Specific)
Positioned: TCO, ITIL, CMMI, CobiT, Six Sigma, ISO 9000, National Awards (e.g., Baldrige), People CMM, Scorecards, ISO
- CMM = capability maturity model
- CobiT = Control Objectives for Information and Related Technology
- ITIL = IT Infrastructure Library
- TCO = total cost of ownership
- IS = IT service mgt standard
- ISO 9000 = quality mgt standard
Point solutions are useful, but a broader, holistic approach to process and quality improvement is POWERFUL.

Process Framework – ITIL
- ITIL is a best-practice process framework: Service delivery; Service support; Others (application management, security management)
- Initiated by the U.K. government's Central Computing and Telecommunication Agency (CCTA). CCTA has since been merged into the Office of Government Commerce.
- Shows the goals, general activities, inputs and outputs of the various processes.
- Does not "cast in stone" every action you should do on a day-to-day basis.
- ITIL Refresh, or "Version 3", has been delivered.

Hype Surrounding ITIL
- ITIL makes the business love the IT group!
- ITIL is easy!
- Buy our tool and have ITIL!
- Everybody is doing it …
- What's next …
- ITIL cures cancer!
- ITIL solves world hunger!
[Figure: IT Operations Management Hype Cycle – visibility vs. time; phases: Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity; ITIL plotted at 2005, 2006, 2008, 2010, 2012]

Polling Results – ITIL Adoption. Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=171)

Polling Results – Primary Driver for ITIL. Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=180)

Polling Results – Biggest Hurdle Implementing ITIL. Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=164)

ITIL: The Good and the Bad
- Service Delivery: Service-level management; Financial management; Capacity management; IT service continuity; Availability management
- Service Support: Incident management; Problem management; Change management; Configuration management; Release management; Service Desk
Core Benefits:
- Standard process language
- Emphasis on process vs. technology
- Process integration
- Standardization enables cost and quality improvements
- Focus on customer
Limitations:
- Not a process improvement methodology
- Specifies "what" but not "how"
- Doesn't cover all processes
- Doesn't cover organization issues
- Hype driving unrealistic expectations

Assuming Tools Will Solve Your Problems
- Be wary of vendor hype
- Focus on process first
- Tools can be enablers or inhibitors
- Assess capabilities of your current tools
- Review new tools where they would pay significant dividends
- Buy what you need, as you need it
"Man is a tool-using animal. Nowhere do you find him without tools; without tools he is nothing, with tools he is all." (Thomas Carlyle)

The next lectures
- Lect. # 2 – ITIL insight / part 1
- Lect. # 3 – ITIL insight / part 2
- Lect. # 4 & # 5 – complying with ITIL principles: evidence from a Primary IT Market Leader
Thank You