Implementing IT Governance

Similar documents
Certified Information Security Manager (CISM) Course Overview

Annexure 08 (Profile of the Project Team)

Foundation. Become a ITIL Foundation Certified Professional from our exclusive 2 full day. conducted by authorized faculties from APMG.

The ITIL Foundation Examination

BCS Specialist Certificate in Service Desk and Incident Management Syllabus

ITIL V3 Service Lifecycle - Continual Service Improvement (CSI)

The Presentation Will Begin At 12PM EST

Digital Service Management (DSM)

Configuration Management Databases (CMDBs) and Configuration Management System (CMS) are both elements of what larger entity?

ITIL Foundation. Processexam.com. Exam Summary Syllabus Questions

ITIL Foundation. PeopleCert ITIL Foundation. Processexam.com. Exam Summary Syllabus Questions

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

Determining Best Fit for ITIL Implementation

ITIL 2011 Overview - 1 Day (English and French)

Leveraging ITIL to improve Business Continuity and Availability. itsmf Conference 2009

1. You should attempt all 40 questions. Each question is worth one mark.

EX0-101_ITIL V3. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0. Exin EX0-101

ITIL Foundation Program Certification Program. The Minimum number of students per session is 6 where the maximum is 25.

Exam Requirements v4.1

EXIN BCS SIAM Foundation. Sample Exam. Edition

Don t You Just Care that Your Food Tastes Good...and that you can afford it! ITIL

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

ITIL 2 or ITIL 3? Barry Corless

Information Technology Infrastructure Library (ITIL) V3 for the Database Administrator. Timothy McAliley

Achieving ICT Service Management Excellence with ITIL and ISO20000 Frameworks

BCS Specialist Certificate in Change Management Syllabus

SABSA. Title / definition. Type. Owner. Brief history and description SHERWOOD APPLIED BUSINESS SECURITY ARCHITECTURE (SABSA )

Getting Started with ITIL

ITIL. Change Manager. ITSM Academy

Professional Qualifications for ITIL PRACTICES FOR SERVICE MANAGEMENT. The ITIL Foundation Certificate in IT Service Management SYLLABUS

San Francisco Chapter. Cassius Downs Network Edge LLC

The ITIL v.3. Foundation Examination

Course # 55011A. The ITIL Foundation Certificate in IT Service Management

Using ITIL to Measure Your BCP

CISM Certified Information Security Manager

Getting Started with IT Service Management

Position Description IT Auditor

WELCOME TO ITIL FOUNDATIONS PREP CLASS AUBREY KAIGLER

ITSM20F_Umang. Number: ITSM20F Passing Score: 800 Time Limit: 120 min File Version: 4.0. Exin ITSM20F

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

REPORT 2015/186 INTERNAL AUDIT DIVISION

Bilgi Teknolojileri Yönetişim ve Denetim Konferansı BTYD 2010

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Module 6: Functions. ITIL Foundation v V1. Reader s Note QAI India Ltd. I

REPORT 2015/149 INTERNAL AUDIT DIVISION

Ric Mims, itsmf Houston LIG and HDI Houston

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

Revisit the Foundations of ITSM SMSG

BCS EXIN ITAMOrg Software Asset Management Specialist Syllabus Version 1.1 December 2016

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

ITIL Project Management for Project Managers

Implementing ITIL v3 Service Lifecycle

Goals for Today s Presentation

Frameworks and Standards

Getting Started with IT Service Management

Planning and Implementing ITIL in ICT Organisations

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

Author: Łukasz Wrześniewski. IT4IT TM REFERENCE ARCHITECTURE, VERSION 2.0 The Overview of the Standard

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Six Sigma in the datacenter drives a zero-defects culture

COBIT 5 Assessor Certification Course

ITIL Foundation Exam Study Guide

ON-DEMAND TRAINING FOR PROFESSIONALS

Symantec Data Center Transformation

Navigating through the Risks and Challenges of implementing Green IT Projects

ISO/IEC overview

SERVICE TRANSITION ITIL INTERMEDIATE TRAINING & CERTIFICATION

Contents. List of figures. List of tables. 5 Managing people through service transitions 197. Preface. Acknowledgements.

itsm003 v.3.0 NISTCSF.COM NICE Training Curriculum & Workforce Planning Program

SERVICE DESIGN ITIL INTERMEDIATE TRAINING & CERTIFICATION

ITIL 2011 Foundation Lesson Plan

EXIN Specialist in IT Service Management based on ISO/IEC Preparation Guide

COBIT Maturity Assessment and Continual e-health Governance Improvement at NHS Fife By Elena Beratarbide, CISA, Pablo Borges and Donald Wilson

Wl Welcome. Service Operation Where Value is Realized

Manchester Metropolitan University Information Security Strategy

ITIL 2011 Foundation Course

ROLE DESCRIPTION IT SPECIALIST

Digital Service Management (DSM)

Problem Management MANDATORY CRITERIA

ITIL Service Lifecycle Strategy

WELCOME TO ITIL FOUNDATIONS PREP CLASS AUBREY KAIGLER

locuz.com SOC Services

ITIL Managing Across the Lifecycle Course

ITIL Operational Support and Analysis Capability

ITSM Training Solution

COBIT 5 Implementation

IT Service Management based on ITIL

COURSE BROCHURE. ITIL - Intermediate Service Transition. Training & Certification

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Supporting the Cloud Transformation of Agencies across the Public Sector

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Information Security Architecture Gap Assessment and Prioritization

The Value of Migrating from Cisco Tidal Horizon to Cisco Process Orchestrator

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

IT infrastructure Library

NCSF Foundation Certification

COBIT 5 With COSO 2013

Transcription:

Implementing IT Governance Using COBI C OBIT, ITIL & Six Sigma Peter T. Davis, CISA, CISSP, CDP, CMA, CSP, I.S.P., CNA, CMC, CCNA, CWNA, CISM, COBIT Foundation Certificate, ITIL Foundation Certificate, ISSPCS, PMP, SSGB ptdavis@pdaconsulting.com www.pdaconsulting.com (v) 416-907-4041 (f) 416-907-4851 2007-9 Peter Davis+Associates 1

Peter T. Davis IT Governance consulting CISA, CISSP, CSP, CMA, ISP, CNA, CMC, CCNA, CWNA, CISM, COBIT Foundation, ITIL Foundation, Accredited COBIT Trainer, PMP, SSGB 27 years IT security and audit experience Authored/co-authored 12 books International Who s Who of Professionals COBIT, ITIL, CISM and CISSP trainer 2007-9 Peter Davis+Associates 2

Agenda What is IT Governance? What are the various methodologies? How do they fit in? How do we use them? 2007-9 Peter Davis+Associates 3

IT Governance Process Processes Stakeholder Value Drivers Strategy Resources Knowledge Capability Information... Results Outcome Performance Risk Assets ISACA/ITGI 2007-9 Peter Davis+Associates 4

Enterprise Strategy IT Supporting Strategic Objectives Business Functions Application Architecture Technical Infrastructure Sourcing/ Staffing Funding ISACA/ITGI 2007-9 Peter Davis+Associates 5

Focus Areas of IT Governance IT Resource M anagement IT Value Delivery IT Strategic Alignment Stakeholder Value Drivers Risk Management Performance Measurement aka Scope of IT Governance ISACA/ITGI 2007-9 Peter Davis+Associates 6

IT Governance Ensures: Joint responsibility for planning and executing IT in the business Clearer understanding by all of objectives and expectations Clearer visibility of issues and priorities Transparency and better comprehension of IT activities and performance 2007-9 Peter Davis+Associates 7

IT Governance Delivers Alignment of IT with business needs Improved value delivery (operational and project) Optimized costs Management of IT-related risks Improved Quality of Service 2007-9 Peter Davis+Associates 8

Enterprise Governance Models COSO ISO 9000 IT Governance Fiduciary Governance Other Governance COBIT ISO 27001 ISO 20000 ISO 15504 ISO 9126 ITIL CMM ISO 12207 And other best practices InfoSec Management TickIT 2007-9 Peter Davis+Associates 9

2007-9 Peter Davis+Associates 10

E2AF, TOGAF and Zachman 2007-9 Peter Davis+Associates 11

Security Architecture Models ISO 7498-2: http://www.iso.ch/iso/en/cataloguedetailpage.catalogu edetail?csnumber=14256 Moriconi, Xiaolei and Riemenschneider Methodology: http://citeseer.ist.psu.edu/moriconi97secure.html NIST Special Publication 800-27: http://csrc.nist.gov/publications/nistpubs/ SABSA: http://www.sabsa.org/ Whitman & Mattford Methodology: http://www.amazon.com/principles-information- Security-Michael-Whitman/dp/0619216255/sr=8-1/qid=1168271358/ref=sr_1_1/105-8440691- 5565264?ie=UTF8&s=books 2007-9 Peter Davis+Associates 12

Frameworks Compared Category Type Examples IT Governance Information Management Quality Management Quality Improvement Project Management Risk Management Focus on how to manage information and information and communications technology efficiently and effectively Focus on how to perform and organize IT management, such service delivery and support Focus on quality standards, applied to specific IT domains Focus on improvement of processes or performance Focus on portfolio, program and project management Focus on identifying and managing risk COBIT, Val IT Generic Framework for Information Management, ITIL ISO 9000, ISO 20000, ISO 27001 IT BSC, ITS-CMM, Six Sigma MSP, PMBOK, PRINCE2 M_o_R, OCTAVE, FIRM Let s focus here, and here, and here 2007-9 Peter Davis+Associates 13

COBI OBIT T 4.1 Focus Business Requirements Governance Requirements require influence require Information Services imply Business Goals for IT Information Criteria IT Goals deliver Information IT Processes run Applications ISACA/ITGI need Enterprise Architecture for IT Infrastructure & People 2007-9 Peter Davis+Associates 14

COBI OBIT T Structure Four DOMAINS: Plan & Organize Acquire & Implement Deliver & Support Monitor & Evaluate The DOMAINS consist of 34 IT processes Domains Processes Activities and Tasks Copyright Information Systems Audit and Control Foundation 2007-9 Peter Davis+Associates 15

Process Standard Measurement & Control Activities Policy Input Output A process is a logically related series of activities intended to contribute towards reaching a defined objective Process Owner responsible for process results Process Manager responsible for realization and structure of the process and reports to PO Process Operatives responsible for defined activities and reports to PM Standards = KPI Processes described using procedures and work instructions 2007-9 Peter Davis+Associates 16

COBIT Domains Plan and Organize Deliver and Support PO1 Define a strategic IT plan DS1 Define and manage service levels PO2 Define the information architecture DS2 Manage third-party services PO3 Determine technological direction DS3 Manage performance and capacity PO4 Define the IT processes, organization and relationships DS4 Ensure continuous service PO5 Manage the IT investment DS5 Ensure systems security PO6 Communicate management aims and directions DS6 Identify and allocate costs PO7 Manage IT human resources DS7 Educate and train users PO8 Manage quality DS8 Manage service desk and incidents PO9 Assess and manage risks DS9 Manage the configuration PO10 Manage projects DS10 Manage problems Acquire and Implement DS11 Manage data AI1 Identify automated solutions DS12 Manage the physical environment AI2 Acquire and maintain application software DS13 Manage operations AI3 Acquire and maintain technology infrastructure Monitor and Evaluate AI4 Enable operation and use ME1 Monitor and evaluate IT performance AI5 Procure IT resources ME2 Monitor and evaluate internal control AI6 Manage changes ME3 Ensure regulatory compliance AI7 Install and accredit solutions and changes ME4 Provide IT Governance Let s focus here 2007-9 Peter Davis+Associates 17

KGIs Amount of user satisfaction with firstline support (service desk or knowledge base) Percent of incidents resolved within an agreed-upon/acceptable period of time 2007-9 Peter Davis+Associates 18

ITIL v3 Model Service Strategy The Technology Service Transition Service Lifecycle Service Design Service Operation Continuous Service Improvement (CSI) Source: TAOS 2007-9 Peter Davis+Associates 19 The Business

Generic ITIL Model Process Owner Process Goal Quality Parameters and KPIs Input and Input Specifications Activities and Sub-processes Output and Output Specifications Resources Roles 2007-9 Peter Davis+Associates 20

ITIL v3 Service Lifecycle Let s focus here 2007-9 Peter Davis+Associates 21

Incident Management Process Service Request Input: Incidents Output: Resolutions & workarounds Routing & Monitoring Incident data Service Desk Problem Computer Operations Networking Detection & recording Classification & first-line support Matching Investigation & diagnosis Resolution & recovery Incident closure Incident ownership, monitoring, tracking and communication Workarounds RFCs Resolutions Reports Change Procedures Availability Other Sources of Incidents Reports Capacity Reports Service Level SLA parameters Configuration details CMDB 2007-9 Peter Davis+Associates 22

Benefits Reduction in volume of Incidents Improved IT service quality Better first time fix rate at service desk Permanent solutions Improved organization learning and awareness 2007-9 Peter Davis+Associates 23

KPIs # of incidents per time period / category / priority level Incident resolution performance against service levels # of closed incidents per time period # incidents resolved without visiting the user # of incidents resolved within SLA targets # of incidents resolved by 1 st line support Average support cost/incident Total number of Incidents Percentage of Incidents resolved within SLA Percentage of Incidents resolved first call 2007-9 Peter Davis+Associates 24

Eighty-five percent of the reasons for failure to meet customer expectations are related to deficiencies in systems and processes W. Edwards Deming 2007-9 Peter Davis+Associates 25

If you can t measure it, you can t manage it If you can t measure it, you can t manage it; and you can t manage it if you are not measuring it. Rudy Giuliani, former NYC Mayor You ve got to be very careful if you don t know where you re going, because you might not get there. Yogi Berra, former NY Yankee 2007-9 Peter Davis+Associates 26

Processes Everything we do can be considered a process or part of a process Every process can be characterized by: Average performance Variation Processes are performing optimally when the result of the process is at the expected value (meaning there is minimal variation) 2007-9 Peter Davis+Associates 27

Process Improvement You must measure and monitor IT activities, otherwise it s not possible to govern IT and ensure alignment, value delivery, risk management, and effective use of resources Effective metrics should be defined and approved by stakeholders Metrics can then be tracked by using performance scorecards 2007-9 Peter Davis+Associates 28

Stages of Process Improvement Starting with chaos (or ad hoc) First a process must be put in place Then the process must be controlled (made stable) Finally the process must be improved (reduce variation) Need to know where you are: different tools at each stage 2007-9 Peter Davis+Associates 29

What is Six Sigma? A statistical measure of variation Full Six Sigma equals 99.9997% accuracy (3.4 DPMO) Methodology for improving key processes A tool box of quality and management tools for problem resolution A business philosophy focusing on continuous improvement An organized process (DMAIC) for structured analysis of data 2007-9 Peter Davis+Associates 30

Service incident Incident Management Process Map Update status Service feedback Escalate (SLA) Receive incident KE DB Proactive incident handling Interrogate CMDB Classify/ Prioritize Increment repeat counter Diagnose Known error? N Diagnose for solution Y N Y Provide work around Implement Solution Update CMDB Communicate Status Crosses threshold for repeat incident? Y User accepts? N Close incident Resolved upon escalation? Y Update KE DB N Diagnose & resolve Problem Management Notification Change Management Six Sigma Projects 2007-9 Peter Davis+Associates 31

Stable Process When only normal (common cause) variation is present in a process, it is said to be stable (its entitlement) Stable processes are predictable: predict future based on past for a stable process Stable processes are in (statistical) control Stable processes have a known process capability (sigma level) Process capability is made up of people, process and technology 2007-9 Peter Davis+Associates 32

IT Governance Action Plan 1. Adopt a governance organizational framework 2. Align IT strategy with business goals 3. Understand/define the risks 4. Define target areas 5. Analyze current capability and identify gaps 6. Develop improvement strategies 7. Measure results 8. Repeat on a regular basis 2007-9 Peter Davis+Associates 33

Summary To combat entropy, implement an IT Governance framework Standards overlap Use tools like the CCI (previously the UCP) Work on processes not solutions Develop an action plan 2007-9 Peter Davis+Associates 34

Contact Information Peter T. Davis Principal Peter Davis+Associates ptdavis@pdaconsulting.com http://www.pdaconsulting.com Voice: 416-907-4041 Fax: 416-907-4851 Skype: ptdavis416 2007-9 Peter Davis+Associates 35

Additional Resources http://www.goal-setting-guide.com/smart-goals.html http://www.hhs.gov/ocr/hipaa/ http://www.iec.org/ http://www.isaca.org/cobit http://www.iso.org http://www.itcinstitute.com/cci/ http://www.itgi.org http://www.itpi.org http://www.itsmf.com http://www.oceg.org http://www.pdaconsulting.com http://www.sse-cmm.org http://survey.cxo.com/surveys/csoec_kk_raci_12_02.htm 2007-9 Peter Davis+Associates 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback