itil and cobit explained - ISACA South Florida Chapter

ITIL AND COBIT EXPLAINED
1
AGENDA
 Overview
of Frameworks
 Similarities and Differences
 Details on COBIT Framework (based on
version 4.1)
 Details on ITIL Framework, focused mainly
on version.2.
 Comparison of COBIT and ITIL v.2 sections.
 Maturity Capacity Models
 Q&A
© Copyright of Elevate Consulting LLC, All Rights Reserved
2
POSITIONING THE FRAMEWORKS
CMM = capability maturity model
Specific
CobiT = Control Objectives for
Information and Related
Technology
TCO
CMMI
ITIL
ISO 20000
ITIL = IT Infrastructure Library
TCO = total cost of ownership
CobiT
IT
Relevance
IS0 20000 = IT service mgt standard
People CMM ISO 9000 = quality mgt standard
Point solutions are
useful, but a broader,
holistic approach to
process and quality
improvement is
POWERFUL.
Six Sigma
ISO 9000
Holistic
Low
Level of Abstraction
National Awards
(e.g., Baldrige)
Scorecards
High
3
ITIL and COBIT can enable organizations to achieve
key objectives:

Establish proven best practice IT service management processes
to manage IT from a business perspective and achieve business
goals, including that of compliance

Put in place clear process goals, based on the organization’s
business goals, and provide a means of measuring progress
against them

Ensure effective IT governance and control at the process level,
and enable IT to demonstrate that it meets or exceeds the
requirements set forth by government or external regulations
Frameworks are highly complementary, and together provide
greater value than using just one or the other. COBIT outlines what 4
you need to do to meet these challenges and ITIL shows you how to
get there.
Why is IT governance and best practices
implementation needed?
The effective management of information, information systems,
communication and IT services is of critical important and
survival of most enterprises. This criticality arises from:
-
The pervasiveness of and dependence on information, the
services and the infrastructure that deliver the information
-
The increasing scale and cost of current and future
technology- related investments
-
The potential for technologies to enable transformation of
enterprises and business practices
5
Some Facts:
- ITIL strong in IT HOW to carry on processes (delivery and
support) , but limited in security and system development

- COBIT is strong in IT controls and IT metrics, it concentrates
on WHAT should be achieved rather than how (e.g. process
flows) to achieve effective governance, management and
control.
– No contradictions or real overlaps, they complement
– No discussion on specific technologies or configuration
requirements (e.g. unlike PCI)
6
Control OBjectives for Information and related Technology






Originally released in 1996 by the Information Systems Audit and
Control Foundation (ISACF) (1st Edition)
Current primary publisher is the IT Governance Institute( ITGI) - formed
by the Information Systems Audit and Control Association (ISACA) in
1998 (2nd Edition)
By 2000, ISACF and ITGI became one entity, and the 3 rd Edition was
issued.
In 2005, 4th Edition was issued.
COBIT was formed through research of sources such as the technical
standards from ISO, codes of conduct issued by the Council of Europe
and ISACA, professional standards for internal control and auditing
issued by COSO, AICPA, GAO, etc.
The above sources were used to formulate COBIT to “be both
pragmatic and responsive to business needs while being
7
independent of the technical IT platforms adopted in an
organization.”
COBIT EDUCATION:






The COBIT curriculum includes the following courses:
COBIT Awareness Course (2 hours, self paced elearning)
COBIT Foundation Course (8 hours, self paced elearning or 14 hours, classroom)
COBIT Foundation Exam (1 hour, online 40 questions)
IT Governance Implementation Course (14 hours,
classroom)
COBIT for Sarbanes-Oxley Compliance (5 hours, self
paced e-learning)
8
COBIT ONLINE: WWW.ISACA.ORG/COBITONLINE
o Provides full browsing capabilities by enabling you to
download the selected COBIT content as either a Microsoft
Word or Access template, for subsequent use offline.
oAll or selected COBIT components can be accessed, and they
can be filtered based on several search criteria:
•Framework
•Control Objectives
•Inputs/Outputs
•RACI Charts
•Goals and Metrics
•Maturity Models
•Control Practices
•Assurance Steps
9
COBIT ON IT GOVERNANCE..

IT governance is the responsibility of executives and the
board of directors, and consists of the leadership,
organizational structures and processes that ensure that the
enterprise’s IT sustains and extends the organization's
strategies and objectives.

For IT to be successful in delivering against business
requirements, management should put an internal control
system or framework in place.

The business orientation of COBIT consists of linking
business goals to IT goals, providing metrics and maturity
models to measure their achievement, and identifying the
10
associated responsibilities of business and IT process
owners.
COBIT Family of Products
11
COBIT IT Domains and Processes
12
COBIT COMPONENTS
4 Domains
•Planning & Organization (PO)
•Acquire & Implement (AI)
•Delivery & Support (DS)
•Monitor and Evaluate (ME)
34 Control Objectives
318 Detailed Control Activities
13
14
INTERRELATIONSHIPS WITH COBIT COMPONENTS
15
How Does Governance and the Business Drive IT?
16
How Does Governance and the Business Drive IT?
17
How Does Governance and the Business Drive IT?
IT Goals:
18
How Does Governance and the Business Drive IT?
COBIT information Criteria
19
How Does Governance and the Business Drive IT?
20
How Does Governance and the Business Drive IT?
COBIT information Criteria
21
COBIT FRAMEWORK NAVIGATION
22
COBIT FRAMEWORK NAVIGATION- EXAMPLE
23
COBIT FRAMEWORK NAVIGATION- EXAMPLE
24
CHANGE MANAGEMENT ITIL PROCESS FLOW SUMMARY
CMDB
Change to:
Hardware
Software
Documentation
Infrastructure
Training
Engineering specs
Tactical planning
Assessments
Change Management
Release Management
RFC
Reasons:
Fix a Problem
Changing business
requirements
Changing technology
Continuous SIP
External forces (e.g.
competition, legislations)
Change Advisory Board
Service Management
Technical Experts
Customers and Users
Interested Parties
25
ITIL
Information Technology
Library
26
INTRODUCTION TO ITIL
During the late 1980’s the Central Computer and
Telecommunication Agency (CCTA) in the United
Kingdom started to work on what is now known as
ITIL, the Information Technology Infrastructure
Library

ITIL is a set of books that provides comprehensive
and interrelated codes of practice in achieving the
efficient support and delivery of high quality, cost
effective IT services

Version 2 available in 2000

Version 3 available in 2007
27

ITIL EDUCATION PATH
28
ITIL MYTH
As Jan Van Bon (author and editor of many IT Service Management
publications) notes:
There is a lot of confusion about ITIL, stemming from all kinds of
misunderstandings about its nature. ITIL is a set of best practices. The
there is no claim that ITIL’s best practices describe pure processes..
That is what most of its users make of it, probably because they have
such a great need for such a model
CIO Magazine columnist Dean Meyer has also presented some
cautionary views of ITIL, including five pitfalls such as "becoming a
slave to outdated definitions" and "Letting ITIL become religion." As he
notes, "...it doesn't describe the complete range of processes needed
to be world class. It's focused on ... managing ongoing services."
29
ITIL V.2 AND V.3
ITIL v2 , seven books with two main areas:
•Service Support
•Service Delivery
In ITIL v3 moves from a process approach to a service life cycle approach:
• Service strategy- which type of services, to which customers and
markets
• Service design- identifies service req’s, devices new service offerings
• Service transition- builds and deploys new or modified services
• Service operation- carries out operational tasks
• Continual service improvement- learns from the past, improve the
effectiveness and efficiencies of services and process
30
What is the difference between Version 2 and
Version 3?
V3
articulates the relationship between IT and the business far
more clearly than earlier versions of ITIL.
Instead of focusing on processes as in V2, V3 considers a wider
view of IT by considering the Lifecycle of a service from its initial
planning, which should be aligned to the business need, through to
its final retirement.

V3
focuses more on the treatment of strategic options, functions,
roles and responsibilities as well as continual improvement.
The
existing processes from earlier ITIL versions remain in V3 but
have been improved and added to. ITIL V3 also looks more closely 31
at alignment with other best practices and standards.
ITIL V.2 AND V.3 PROCESSES
32
COBIT Control Objectives Linked with ITIL V.2
Plan and Organize
Direct link with ITIL
Acquire and Implement
33
COBIT Control Objectives Linked with ITIL
Define and Support
Direct link with ITIL
Monitor and Evaluate
34
ONE TO ONE COMPARISON COBIT 4.1 AND ITIL V.2
Process
Description
V.2
Section
COBIT
Section
Financial
Management
Provides cost effective
stewardship of IT assets used in
providing IT services
Service
Delivery
PO.5
Release
Management
Ensure that all technical and non
technical aspects of a release are
dealt with in a coordinated
approach.
Service
Support
AI.4
Change
Management
Ensure standardized methods
and approaches are followed for
efficient, prompt and authorized
handling of all IT changes.
Service
Support
AI.6
Incident
Management
Restore normal service
operations as quickly as possible
Service
Support
DS.8
Configuration
Management
Provide a logical model of the IT
infrastructure by identifying,
verifying, maintaining and
controlling all version of IT
Configuration items (CIs)
Service
Support
DS.9
35
ONE TO ONE COMPARISON COBIT 4.1 AND ITIL V.2
Process
Description
V.2
Section
COBIT
Sectio
n
Problem
Management
Prevent and identify the business errors
in the IT infrastructure.
Service
Support
DS.10
Service Level
Management
Maintain and improve IT service quality
through a constant cycle of agreeing,
monitoring and reporting IT service
level agreements
Service
Delivery
DS1. and
some of
DS.2
Availability
Management
Optimize the capacity of the IT
infrastructure and supporting
organization to deliver cost effective
and sustained level of availability to
satisfy business objectives.
Service
Delivery
DS.3
Capacity
Management
Ensure the capacity and performance
aspects of the business requirements
are provided timely and cost effectively.
Service
Delivery
DS.3
IT Service
Continuity
Ensuring that the required IT services
and facilities can be recovered within
the agreed times
Service
Delivery
DS.4
36
MATURITY MODELING
Maturity modeling for management and control over IT processes is
based on a method of self-evaluation by the organization.
In COBIT and ITIL a maturity model has been defined for each section,
providing an incremental measurement scale from 0, non-existent,
through 5, optimized.
Using the maturity models developed for each IT process, management
can identify:
• The actual performance of the enterprise—Where the enterprise is
today
• The current status of the industry— The comparison
• The enterprise’s target for improvement—Where the enterprise
wants to be
The maturity attributes list the characteristics of how IT processes are
managed and describes how they evolve from a non-existent to an
optimized process.
These attributes can be used for more comprehensive assessment,
gap analysis and improvement planning.
37
MATURITY LEVEL RANKING
38
Maturity Model- Where Does Your Organization Stack?
Defined Process
Repeatable/
Intuitive
Control/ Proactive
Awareness/ Reactive
Managed and
Measurable
Integration/ Service
Level 4
Optimization/ Value
Level 5
IT as strategic
business partner
Initial/ Ad Hoc
Level 3
 IT as a service
 IT and business
provider
metric linkage
Initiation/ Chaotic Level 2
 Analyze trends
 Define services,
 IT/business
 Set thresholds
classes, pricing
Level 1
collaboration
 Fight fires
 Understand costs
 Predict
improves
 Inventory
problems
 Guarantee SLAs
business
 Ad hoc
 Initiate
process
 Measure appli-  Measure & report
problem
mgt
cation
 Undocumented
service availability  Real-time
process
availability
infrastructure
 Integrate
Manage
IT as a Business
 Unpredictable
 Alert and
 Automate
processes
 Business
event mgt
 Multiple help
planning
Service and Account
Management
 Mature
 Capacity
desks
 Measure
problem,
mgt
component
Service
Delivery
Process Engineering
configuration,
 Minimal IT
availability
change, asset
operations
(up/down)Operational
Process Engineering
and
39
 User call
performance
notification Tool Leverage
mgt processes

PROCESS MATURITY MODEL
40
IN SHORT- WHAT ARE SOME OF THE BENEFITS
oBetter alignment of IT environment based on business focus and
customer needs
oA view, understandable to management of what IT does
oClear ownership and responsibilities based on process orientation
oGeneral acceptability with third parties and regulators
oCommon language spoken by IT (specially for ITIL)
oIntegration of the processes
oImproved decision support by better management information
41
SO, HOW THEN DO WE IMPLEMENT A GOVERNANCE FRAMEWORK?
42
QUESTIONS & ANSWERS
Questions & Answers
THANK YOU!!!!
43
Contact Information:
Angela Polania, CPA, CISA
Elevate Consulting
5757 Blue Lagoon Drive
Suite 350
Miami FL 33126
C.305.975.5121
[email protected]
Elevate Consulting is a premier South Florida based firm, specialized in: IT
Compliance and Governance, Internal Controls and IT Auditing, ITIL
Assessments and Implementations Project Management and IT Project
Management.
44