- Slides: 29
LECTURE 1 §The Problem §Solutions: Standards & Frameworks
The Problem PROJECT & REALIZE … …? … & then MANAGE ! • Longer time (20+ years vs. 9 months) • More & more complex relations (school/companions/b-g. friend/… vs. gynecologist) • More expensive (… ask your father …) • More risks (car/drugs/alcohol/depression/unemployment/… vs. abortion) • … • Less & weaker “instructions” !!!
CMM (Capability Maturity Model): Maturity Levels 5. Optimizing. Continuous process improvement. 4. Managed. Detailed measures of the software process and product quality are collected. 3. Defined. Management and engineering activities are documented, standardized, institutionalized. 2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects. 1. Initial. Ad hoc. Success depends on individual effort and heroics.
Trying to Run Before Walking Level 4 Level 5 Value IT as strategic Service business partner Level 3 n IT as a service n IT and business provider Proactive metric linkage Level 2 n Analyze trends n Define services, n IT/business classes, pricing n Set thresholds collaboration Reactive improves business Level 1 n Fight fires n Predict problems n Understand costs process n Guarantee SLAs n Inventory n Measure appli. Chaotic cation availability n Measure & report n Real-time n Desktop SW n Ad hoc infrastructure service availability distribution n Automate n Undocumented n Integrate processes n Business planning n Initiate n Mature problem, n Unpredictable problem mgt n Capacity configuration, Manage IT as a Business process mgt change, asset n Multiple help and performance n Alert and desks Service and Account Management mgt processes event mgt n Minimal IT n Measure component operations Service Delivery Process Engineering availability (up/down) n User call Operational Process Engineering notification Tool Leverage n
Approaches Currently In Use § Business As Usual - “Firefighting” § Legislation - “Forced” § Best Practice Focused
Confusing the 'Means' With the 'End' This Is Not the Goal! "Certification" ITIL Six Sigma CMM-I Malcolm Baldrige Etc. Beware of Process for Its Own Sake! Certification Does Not Guarantee Good Outcomes! Process Improvement Is About Better Outcomes and Experiences for Customers
Best Practices Quality & Control Models • ISO 900 x • COBIT • TQM • EFQM • Six Sigma • COSO • Deming • etc. . Process Frameworks • IT Infrastructure Library • Application Service Library • Gartner CSD • IBM Processes • EDS Digital Workflow • Microsoft MOF • Telecom Ops Map • etc. . • What is not defined cannot be controlled • What is not controlled cannot be measured • What is not measured cannot be improved § Define -- Improve § Measure -- Control And Stabilize
Look at the Regulatory Storm We All Face Missing: • PCI • FERPA • Security breech reporting (CA SB 1386) • CA SB 25 re SSN use • Graham Leach Bliley • DMCA • CAN-SPAN • Fed Privacy Act 1974 – RMP-8 • Electronic Gov Act of 2002 • OMP Circular A 130 • NIST security standards – FIPS 200, 800 -53 A • Cyber Security R&D Act
Relationship of Control Regimes COCO COSO COBIT ITIL Strategy Finance Applications Operations University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.
IT Governance Model Audit Models Sarbanes. Oxley COSO US Securities & Exchange Commission Cob. IT Quality System IT Planning ISO 20000 Project Mgmt. BS 15000 IT Security ITIL App. Dev. (SDLC) CMMi Service Mgmt. Quality Systems & Mgmt. Frameworks IT OPERATIONS ASL ISO 17799 PMI TSO IS Strategy ISO Six Sigma
Committee of Sponsoring Organizations (COSO) – The Components Control Activities Monitoring • Policies that ensure management directives are carried out • Approval and authorizations, verifications, evaluations, safeguarding assets security and segregation of duties • Assess control system performance over time • Ongoing and separate evaluations • Management and supervisory activities Information and Communication • Relevant information identified, captured and communicated timely • Access to internal and externally generated information • Information flow allows for management action Control Environment • Sets “tone at the top” • Foundation for all other components of control • Integrity, ethical values, competence, authority, responsibility Risk Assessment • Identify and analyze relevant risks to achieving the entity’s objectives
COSO Enterprise Risk Management (ERM) Model
The COSO ERM Framework § Entity objectives can be viewed in the context of four categories v v § Strategic Operations Reporting Compliance ERM considers activities at all levels of the organization v v v Enterprise-level Division or subsidiary Business unit processes Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003
Cob. IT: Control Objectives for IT § Cob. IT is an open standard control framework for IT Governance with a focus on IT Standards and Audit § Based on over 40 International standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries § Cob. IT describes standards, controls and maturity guidelines for four domains, and 34 control processes
The Cobi. T Cube (Business Requirements) 4 Domains 34 Processes 318 Control Objectives
Cobi. T Domains Plan & Organize Acquire & Implement (AI Process Domain) (PO Process Domain) Monitor (M Process Domain) Deliver & Support (DS Process Domain)
Cobi. T Processes by Domain Monitoring Delivery & Support Planning & Organization Acquisition & Implementation
The 34 Defined Cobi. T Processes 1 2 3 4
The 7 Cobi. T Principles
Positioning the Frameworks CMM = capability maturity model Specific Cobi. T = Control Objectives for Information and Related Technology TCO ITIL CMMI ITIL = IT Infrastructure Library ISO 20000 TCO = total cost of ownership IS 0 20000 = IT service mgt standard Cobi. T IT Relevance ISO 9000 = quality mgt standard People CMM Point solutions are useful, but a broader, holistic approach to process and quality improvement is POWERFUL. Six Sigma ISO 9000 National Awards (e. g. , Baldrige) Scorecards Holistic Low Level of Abstraction High
Process Framework - ITIL § ITIL is a best-practice process framework. § § § Service delivery Service support Others (application management, security management) § Initiated by the U. K. 's government Central Computing and Telecommunication Agency (CCTA). CCTA is merged into the Office of Government Commerce. § Shows the goals, general activities, inputs and outputs of the various processes. § Does not "cast in stone" every action you should do on a day-to-day basis. § ITIL Refresh or "Version 3" is in delivered.
Hype Surrounding ITIL § ITIL makes the business love the IT group! § ITIL is easy! § Buy our tool and have ITIL! § Everybody is doing it … IT Operations Management Hype Cycle visibility ITIL 2005 ITIL 2012 ITIL 2006 ITIL 2010 ITIL 2008 § What's next … § ITIL cures cancer! § ITIL solves world hunger! Technology Trigger Peak of Inflated Expectations Trough of Disillusionment time Slope of Enlightenment Plateau of Productivity
Polling Results – ITIL Adoption Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=171)
ITIL: The Good and the Bad § Service Delivery: § § § Service-level management Financial management Capacity management IT service continuity Availability management Core Benefits: ü ü Standard process language Emphasis on process vs. technology Process integration Standardization enables cost and quality improvements ü Focus on customer § Service Support: § § Incident management Problem management Change management Configuration management § Release management § Service Desk Limitations: § Not a process improvement methodology § Specifies "what" but not "how" § Doesn't cover all processes § Doesn't cover organization issues § Hype driving unrealistic expectations
Polling Results – Primary Driver for ITIL Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=180)
Polling Results Biggest Hurdle Implementing ITIL Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=164)
Assuming Tools Will Solve Your Problems "Man is a tool-using animal. Nowhere do you find him without tools; without tools he is nothing, with tools he is all. " (Thomas Carlyle) § § Be wary of vendor hype Focus on process first Tools can be enablers or inhibitors Assess capabilities of your current tools § Review new tools where they would pay significant dividends § Buy what you need, as you need it
The next lectures § Lect. # 2 (March 29 th) – ITIL insight / part 1 § Lect. # 3 (April 5 th) – ITIL insight / part 2 § Lect. # 4 (April 12 th) – ITIL in action, an example § Lect. # 5 (April 19 th) – complying to ITIL principles, a Primary IT Market Leader evidence You Thank