Using COBIT and ITIL To Implement IT Governance

Case Study
Using CobiT and

ITIL to Implement IT

Governance
Robert E Stroud
Director, Strategy
Business Service Optimization
CA, Inc.
Robert.Stroud@ca.com
Abstract
- Many organizations have been looking to Best Practices
to assist them with in aligning IT to the Business, whilst at
the same time achieving IT Governance.
- Using COBIT and ITIL, this session will deliver an
overview of how these best practices have been used
together by a major financial organization to deliver their
IT Governance requirements while meeting business
objectives.
2 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Trademark Notice
COBIT is a registered trademark of ISACA/ITGI - Information Systems Audit
and Control Association / IT Governance Institute
ITIL is a registered trademark of OGC - the Office of Government
Commerce.
DISCLAIMER
CA nor its speaker warrant or guarantee the concepts or the
accuracy of information provided herein.
All rights reserved
No part of this publication may be reproduced in any form by print, photo

print, microfilm or any other means without written permission by CA.
Agenda
- IT Governance
- IT Infrastructure Library (ITIL)
- The fastest introduction to COBIT ever
- Mapping ITIL to COBIT or is COBIT to ITIL
- The Role of ITIL and COBIT in addressing Compliance
a Case Study
- Summary
- Questions and Answers
IT Governance
Governance, a practical example
Governance
- IT must be managed and controlled from within itself as an
organizational entity with respect to the overall governance of a given
corporation.
- Governance manifests itself in the roles and responsibilities of its
staff resources through the definition of polices and processes it uses
to define its management and decision making of technology use,
and how the technology provides IT Services to the corporation with
which it belongs.
- Governance Is considered present only if it can be measured and
controlled with the means in place to provide metrics of both post fact
and pre-planning intelligence of, and for, the IT Services it Provides.
What is IT Governance?
IT governance is the term used to describe how those
persons entrusted with governance of an entity will
consider IT in their supervision, monitoring, control and
direction of the entity. How IT is applied will have an
immense impact on whether the entity will attain its vision,
mission or strategic goals
Why is IT Governance Important?
Why is IT more critical:
- Increasing risks (security, compliance, projects etc.)
- Critical business processes depend on information and
systems.
- Growing dependence on service providers.
- IT failures impact reputation.
- IT is dramatically changing organizations and business
practices to create new opportunities and reduce cost.
- IT knowledge is essential to sustain and grow the
business.
How Can IT Governance Help?
- Responsibilities:
- Ensures ownership by the Board
- Increases understanding of IT significance to the
business and the impact of potential risks
- IT no longer just the CIOs responsibility it is shared
by the whole of management
- Places CIOs role in a clearer corporate perspective
IT Governance Benefits
CobiT provide s the
business
c ommon languag e &
support
Aligned Framework
time
IT risks
Secure
Controlled
service
quality
Better
time
time stakeholder
value
delivery
time
service
Faster
cost
Cheaper
time
time
The Story So Far
- IT Governance is a key part of Corporate Governance,
and the way to ensure IT activities are aligned, managed
and measured to ensure business success
- IT Governance is important because IT is so critical to
business success, represents very significant
investments, and is complex and risky to manage
- COBIT provides the framework and resources to support
and enable IT Governance to be implemented
- ITIL is rapidly adopted framework for IT Operations
Infrastructure Library (ITIL)
ITIL?
- Information Technology Infrastructure Library (ITIL)
- A set of books detailing best practices for IT Service
Management
- Originally developed by the UK government to improve IT
Service Management
- Now becoming more globally accepted as a basis for IT
Service Management
The Magnificent NINE!
Planning to Implement Service Management T

T h
h e
e Service Management
Infrastructure
T
Management
Perspective
Service
Business
B e
Support
ICT
The
u c
s Service h
i Delivery n
Security
n o
Management
e l
s o
s Applications Management g
y
The Software Asset
Business
Perspective 2 Management
But only 2 of the 9 get used!
Service Support
Service Desk
Incident Management
Problem Management
Configuration Management
Change Management
Release Management
Service Delivery Service Level Management
Capacity Management
Availability Management
Service Continuity Management
Financial Management
Benefits?
- Improved quality service provision
- Cost justifiable service quality
- Services that meet Business, Customer and User
demands
- Integrated centralized processes
- Everyone knows their role and knows their responsibilities
in service provision
- Learn from previous experience
- Demonstrable performance indicators
- Common Terminology
ITIL Benefits from practitioners
- By streamlining our processes we improved our efficiency
- We reduced the time to deliver base services by 80% which higher

quality
- Reduction in re-work
- Understand what is impacted from a business perspective when a

component fails
- We reduced the number of people required to do stuff
Issues from the field?
- No measurement model
- No standard processes
- Doesnt follow Plan Do Check Act model
The fastest introduction to COBIT
..ever!
What is COBIT?
- Control OBjectives for Information and related Technology
- A framework for IT governance
- Bridges the gaps between business risks, control needs
and technical issues
- Documents good (best) practices
- Increasing Global 2000 adoption
- SOX increasing use..
COBIT Top Down Approach
4
Domains
34
Processes
220
Control Objectives
COBIT Activities/Tasks
Plan Do Check
Control
Act
Planning and Organization

Acquisition and Implementation
Delivery and support
Monitoring
Manage risks / Realize Benefits
Effective use of resources

Business/IT Alignment
Risk Management
COBIT Framework
Acquire and Implement
Plan and Organize
Monitor and Evaluate
Deliver and Support
" PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT processes, organisation and
relationships
PO5 Manage the IT investment
PO6 Communicate management aims & direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage risks
ME1 Monitor & evaluate IT performance PO10 Manage projects
ME2 Monitor & evaluate internal control
ME3 Ensure regulatory compliance
ME4 Provide IT governance
! !& $ $
$
# $ $
% &
' $
DS1 Define service levels

# !& # $
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs &% $
DS7 Educate and train users AI1 Identify automated solutions
DS8 Manage service desk and incidents !! AI2 Acquire and maintain application software
DS9 Manage the configuration AI3 Acquire & maintain technology infrastructure
DS10 Manage problems AI4 Enable operation and use
DS11 Manage data AI5 Procure IT resources
DS12 Manage the physical environment AI6 Manage changes
DS13 Manage operations AI7 Install and accredit solutions and changes
COBIT Publications
Executive Summary
Framework Implementation Tool Set
Management Guidelines Detailed Control Objectives Audit Guidelines
Critical Key
Maturity Key Goal
Success Performance
Models Indicators
Factors Indicators
Key COBIT Concepts
- Information Criteria
- Key Goal Indicators (KGI)
- IT Resources\RACI
- Key Performance Indicators (KPI)
Key Definitions
- Maturity model
- Maturity models are an instrument to analyse the current position, the
position relative to a defined standard
- Critical Success Factors
- Critical success factors define the most important management-oriented
implementation guidelines to achieve control over and within the IT
processes.
- Key Goal Indicators
- Key goal indicators define measures that tell management after the fact
whether an IT process has achieved its business requirements.
- Key Performance Indicators
- Key performance indicators are lead indicators that define measures of
how well the IT process is performing in enabling the goal to be reached.
COBIT Maturity Model
0 Non-existent
1 Initial/Ad-hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 - Optimized
Mapping ITIL to COBIT
or is it
COBIT to ITIL
COBIT and ITIL compliment each other
ITIL COBIT
- Best Practice - Controls Audit
- Process - Requirements
- Relationships - Maturity Scale
PROCESS/PROCEDURE & RESULTS
COBIT & ITIL Mapping
PO: Assess Risk
DS: Define & Manage Service Levels
DS: Manage 3rd Party Services
DS: Manage Performance & Capacity
DS: Ensure Continuous Service
DS: Identify & Allocate Costs
DS: Ensure System Security AI: Manage Change
AI: Install & Accredit Systems
DS: Assist & Advise IT Customers
DS: Manage Problems & Incidents
DS: Manage Operations DS: Manage Configuration
DS: Manage Facilities
DS: Manage Data
AI: Acquire & Maintain Technology Infrastructure
AI: Acquire & Maintain Application Software
ITIL Books to COBIT Control Objectives
Mapping to ITIL Service Support and
Service Delivery
COBIT and ITIL used together
- Use the Cobit control objectives with the Cobit maturity
model and Key Performance indicators to manage and
measure performance of your ITIL processes.
ITIL and COBIT together
addressing Compliance
- a Case Study
Changes for IT
It is NOT sufficient for you to be in
compliance as you have to be able to
readily demonstrate (to prove) that youve
met the control objectives.
If you cant prove that youre doing it right,

the presumption is that you are not doing it
right and as such, you are deficient.
Case Study
- Large Bank founded almost 200 years ago
- Diversified provider of financial services
- Personal
- Commercial
- Corporate
- Institutional
- North America, Asia and Europe
Initially an ITIL implementation
May 2003 Nov 2003 May 2004 Nov 2004 May 2005 Nov 2005 May 2006 Nov 2006
Incident
Problem
Service Mgmt
ViaTIL Tool
Tool For For Inc/Prob
Incident/Problem
Service
ServiceLevel Management
Level Management
Change Management
Change Management
Capacity Management
IT Service Continuity Management
Release
Release Management Management
Availability Management (New)
Continuous Improvement
Process Management
!
"
#
#
$ "% % " & #

! #
'
$ " & #
Governance Team
- A small team of internal advisors accountable to the ITIL Executive
Team
- Ensure overall compliance and integration of the ITIL processes
- Ensures a coherent and comprehensive approach to design and
implementation of each process
- Balance program initiatives with service demands
- Monitor performance, KPI(s), Policy and programs
- Recommend changes to process, or services as needed
- Align policies, performance measures and process initiatives with
organizations strategic objectives
Governance
(
,&
( ( (
$ $ $
) ) )
*+ *+ *+
Process Design, Advocacy & Compliance
Process Dashboard & KPIs
Process Dashboard
DS9 Delivery & Support
Manage the Configuration
Control of the process of managing the DS9 Maturity Model
configuration that satisfies the business
to account for all IT components, prevent
unauthorized alterations, verify physical 0 Non-Existent
existence and provide a basis for sound
change management 1 Initial / Ad Hoc
Key Goal Indicators 2 Repeatable but Intuitive
Key Success Factors 3 Defined Process
4 Managed & Measurable

Key Performance Indicators
5 Optimized
Resources
COBIT/ITIL Mapping for DS9 Manage Configuration
COBITDS9 Manage Configuration ITIL Configuration Management
Critical
CriticalSuccess
SuccessFactors Critical
Factors CriticalSuccess
SuccessFactors
Factors
- - Control
Establish ControlofofITITassets
Establishowners
ownersofofall
allconfiguration
configurationelements
elements&&
assets
maintain
maintaininventory
inventoryand
andchange
changecontrol
control
- - Support,
Support,integration
integrationand
andinterfacing
interfacingtotoall
allITSM
ITSMprocesses
processes
Enforcement
Enforcementofofrelease
releasemanagement
managementpolicy
policy Key
KeyPerformance
PerformanceIndicators
Indicators
Integration
Integrationwith
withprocurement
procurement&&change
change - % reduction in number of configuration items (CI)
- % reduction in number of configuration items (CI)
management process
management process attributes
attributeserrors
errorsfound
foundininCMDB
CMDB
- - %%increase
increaseininthe
thenumber
numberofofCIs
CIssuccessfully
successfullyaudited.
Key
KeyGoal
Goal&&Performance
PerformanceIndicators
Indicators audited.
- - variances
variancesbetween
betweenaccounts
accountsand
andphysical
physicalsituations
situations
Reduction
Reductionininnumber
numberofofvariances
variancesbetween
between - - Reduce
Reduce%%ofofchange
changefailures
failuresand
andimprove
improveincident
accounts and physical situations
accounts and physical situations
incident
resolution
resolution time using accurate configurationdata
time using accurate configuration data
Usage
Usageindex
indexofofinformation
informationfor
forproactive
proactiveactions,
actions, - - %%reduction
reductionininHWHW&&SWSWcosts
costs
including preventive maintenance & upgrade
including preventive maintenance & upgrade
Quality
Qualityindex
indexofofinformation,
information,age,
age,changes
changesapplied,
applied,
status and related problem criteria
status and related problem criteria
DS9 Critical Success Factors
- Owners are established for all configuration elements and

are responsible for maintaining the inventory and
controlling change
- Information is maintained and accessible, based on up-to
date inventories, and naming conventions
- Integration with Procurement and Change Management
DS9 Information Criteria
- Primary:
- Effectiveness
- Efficiency
- Confidentiality and integrity
- Secondary:
- availability
- Compliance
- reliability
DS9 Key Goal Indicators
- % of IT Configuration identified
- % of IT Configuration accounted for
- Reduction in number of variances between accounts and physical
situations
- Quality index information, including the interrelationships, age,
changes applied, status and related problem criteria
- Usage index of information for proactive actions, including preventive
maintenance and upgrade criteria
DS9 Key Performance Indicators
- % of Configuration components [data] updated
automatically
- Frequency of physical verifications
- Frequency of exception analysis
- Time lag between modification to the configuration and
the update records
- Number of releases
- % of reactionary changes
DS9 Maturity Model
0 Non-existent
Management does not appreciate the need for a process to manage hardware or
software
1 Initial / Ad Hoc
Recognized need, basic inventories, no standard.
2 Repeatable:
But Intuitive: Implicit reliance on personal knowledge and expertise. Some tools. No
consistent working practices.
3 Defined Process:
Accuracy is enforced, documented practices, consistent tools, some automation,
information used by other processes.
4 Managed and Measurable
Implicit reliance on personal knowledge and expertise. Some tools. No consistent
working practices.
5 Optimized
All components are managed, interrelationships exist, audit reports, authorized
software installation, asset tracking.
Example of Process Maturity
AI2 Acquire/Maintain Software

5
PO9 Assess Risk 4 AI3 Acquire/Maintain Tech Infra
3
2
DS9 Configuration 1 DS1 Service Levels
0
DS6 Manage Change DS10 Problems and Incidents
DS13 Manage Operations DS12 Manage Facilities
Compliance Status at a glance
Summary
Summary
- IT Governance is important to most aspects of the
business not just the IT department
- The use of control frameworks (COBIT) provide the
guidelines to the controls needed to ensure good IT
Governance
- ITIL processes allow for automation and repeatability of
processes to deliver constantly
- Governance is not only mandatory it adds competitive
edge to your organisation
IT Governance Benefits
CobiT provide s the
business
c ommon languag e &
support
Aligned Framework
time
IT risks
Secure
Controlled
service
quality
Better
time
time stakeholder
value
delivery
time
service
Faster
cost
Cheaper
time
Ref: Price Waterhouse Coopers
time
Questions
Case Study
Using CobiT and
ITIL to Implement IT

Governance
Robert E Stroud
Director, Strategy
Business Service Optimization
CA, Inc.
Robert.Stroud@ca.com

Using COBIT and ITIL To Implement IT Governance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Using COBIT and ITIL To Implement IT Governance

Uploaded by

Copyright:

Available Formats

Case Study

Using CobiT and

No part of this publication may be reproduced in any form by print, photo

Planning to Implement Service Management T

Service Continuity Management

- We reduced the time to deliver base services by 80% which higher

- Understand what is impacted from a business perspective when a

- We reduced the number of people required to do stuff

Planning and Organization

Manage risks / Realize Benefits

Effective use of resources

Acquire and Implement

Plan and Organize

Monitor and Evaluate

Deliver and Support

DS1 Define service levels

Framework Implementation Tool Set

Management Guidelines Detailed Control Objectives Audit Guidelines

PROCESS/PROCEDURE & RESULTS

AI: Acquire & Maintain Application Software

If you cant prove that youre doing it right,

IT Service Continuity Management

$ "% % " & #

Process Design, Advocacy & Compliance

Key Goal Indicators 2 Repeatable but Intuitive

Key Success Factors 3 Defined Process

4 Managed & Measurable

- Owners are established for all configuration elements and

AI2 Acquire/Maintain Software

DS6 Manage Change DS10 Problems and Incidents

DS13 Manage Operations DS12 Manage Facilities

You might also like