This lecture discusses the problem of project realization and management, including longer time frames, complex relations, higher costs, and increased risks. It also explores the Capability Maturity Model and the value of IT as a strategic business partner. The lecture covers various approaches currently in use, as well as the importance of process improvement and the use of best practices. It concludes with an examination of control regimes, such as COSO and CobIT, and the COSO Enterprise Risk Management model.
LECTURE 1 The Problem Solutions: Standards & Frameworks
The Problem
PROJECT & REALIZE … … ? … & then MANAGE !
• Longer time (20+ years vs. 9 months)
• More & more complex relations (school/companions/b-g.friend/… vs. gynecologist)
• More expensive (… ask your father …)
• More risks (car/drugs/alcohol/depression/unemployment/… vs. abortion)
• …
• Less & weaker “instructions” !!!
CMM (Capability Maturity Model): Maturity Levels
5. Optimizing. Continuous process improvement.
4. Managed. Detailed measures of the software process and product quality are collected.
3. Defined. Management and engineering activities are documented, standardized, institutionalized.
2. Repeatable. Basic project management tracks cost, schedule, and functionality. Successes can be repeated for similar projects.
1. Initial. Ad hoc. Success depends on individual effort and heroics.
Level 5 Value Level 4
• IT as strategic business partner
• IT and business metric linkage
• IT/business collaboration improves business process
• Real-time infrastructure
• Business planning
Service Level 3
• IT as a service provider
• Define services, classes, pricing
• Understand costs
• Guarantee SLAs
• Measure & report service availability
• Integrate processes
• Capacity mgt
Proactive Level 2
• Analyze trends
• Set thresholds
• Predict problems
• Measure application availability
• Automate
• Mature problem, configuration, change, asset and performance mgt processes
Reactive Level 1
• Fight fires
• Inventory
• Desktop SW distribution
• Initiate problem mgt process
• Alert and event mgt
• Measure component availability (up/down)
Chaotic
• Ad hoc
• Undocumented
• Unpredictable
• Multiple help desks
• Minimal IT operations
• User call notification
Manage IT as a Business Service and Account Management Service Delivery Process Engineering Operational Process Engineering Tool Leverage Trying to Run Before Walking
Approaches Currently In Use
• Business As Usual - “Firefighting”
• Legislation - “Forced”
• Best Practice Focused
This Is Not the Goal! "Certification" ITIL Six Sigma Beware of Process for Its Own Sake! CMM-I Malcolm Baldrige Certification Does Not Guarantee Good Outcomes! Etc. Process Improvement Is About Better Outcomes and Experiences for Customers Confusing the 'Means' With the 'End'
Best Practices
• Process Frameworks
  • IT Infrastructure Library
  • Application Service Library
  • Gartner CSD
  • IBM Processes
  • EDS Digital Workflow
  • Microsoft MOF
  • Telecom Ops Map
  • etc.
• Quality & Control Models
  • ISO 900x
  • COBIT
  • TQM
  • EFQM
  • Six Sigma
  • COSO
  • Deming
  • etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
• Define -- Improve
• Measure -- Control And Stabilize
Look at the Regulatory Storm We All Face
• Missing:
  • PCI
  • FERPA
  • Security breach reporting (CA SB 1386)
  • CA SB 25 re SSN use
  • Gramm-Leach-Bliley
  • DMCA
  • CAN-SPAM
  • Fed Privacy Act 1974 – RMP-8
  • Electronic Gov Act of 2002
  • OMB Circular A-130
  • NIST security standards – FIPS 200, 800-53A
  • Cyber Security R&D Act
Relationship of Control Regimes
Strategy Finance Applications Operations
COCO COSO COBIT ITIL
University control regimes are derived from frameworks originally developed for businesses and need tweaking to fit comfortably.
Sarbanes-Oxley US Securities & Exchange Commission COSO CobIT Service Mgmt. App. Dev. (SDLC) Project Mgmt. IT Planning IT Security Quality System ISO CMMi CMMi Six Sigma ITIL ITIL ASL BS 15000 ISO 20000 BS 15000 ISO 20000 ISO 17799 PMI TSO IS Strategy IT Governance Model Audit Models Quality Systems & Mgmt. Frameworks IT OPERATIONS
Committee of Sponsoring Organizations (COSO) – The Components
• Control Activities
  • Policies that ensure management directives are carried out
  • Approval and authorizations, verifications, evaluations, safeguarding assets security and segregation of duties
• Monitoring
  • Assess control system performance over time
  • Ongoing and separate evaluations
  • Management and supervisory activities
• Information and Communication
  • Relevant information identified, captured and communicated timely
  • Access to internal and externally generated information
  • Information flow allows for management action
• Risk Assessment
  • Identify and analyze relevant risks to achieving the entity’s objectives
• Control Environment
  • Sets “tone at the top”
  • Foundation for all other components of control
  • Integrity, ethical values, competence, authority, responsibility
The COSO ERM Framework
• Entity objectives can be viewed in the context of four categories
  • Strategic
  • Operations
  • Reporting
  • Compliance
• ERM considers activities at all levels of the organization
  • Enterprise-level
  • Division or subsidiary
  • Business unit processes
Source: COSO Enterprise Risk Management Framework; Draft Version, July 2003
CobIT: Control Objectives for IT
• CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit
• It is based on over 40 international standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries
• CobIT describes standards, controls and maturity guidelines for four domains and 34 control processes
The CobiT Cube (Business Requirements) 4 Domains 34 Processes 318 Control Objectives
CobiT Domains Acquire & Implement (AI Process Domain) Plan & Organize (PO Process Domain) Monitor (M Process Domain) Deliver & Support (DS Process Domain)
CobiT Processes by Domain Monitoring Planning & Organization Delivery & Support Acquisition & Implementation
The 34 Defined CobiT Processes
Positioning the Frameworks
CMM = capability maturity model
CobiT = Control Objectives for Information and Related Technology
ITIL = IT Infrastructure Library
TCO = total cost of ownership
ISO 20000 = IT service mgt standard
ISO 9000 = quality mgt standard
[Figure: frameworks positioned by IT Relevance (Specific to Holistic) against Level of Abstraction (Low to High): TCO, CMMI, ITIL, ISO 20000, CobiT, People CMM, Six Sigma, ISO 9000, National Awards (e.g., Baldrige), Scorecards]
Point solutions are useful, but a broader, holistic approach to process and quality improvement is POWERFUL.
Process Framework - ITIL
• ITIL is a best-practice process framework.
  • Service delivery
  • Service support
  • Others (application management, security management)
• Initiated by the U.K. government's Central Computer and Telecommunications Agency (CCTA). CCTA has been merged into the Office of Government Commerce.
• Shows the goals, general activities, inputs and outputs of the various processes.
• Does not "cast in stone" every action you should do on a day-to-day basis.
• ITIL Refresh or "Version 3" is in delivered.
Hype Surrounding ITIL
[Figure: IT Operations Management Hype Cycle, visibility against time, with phases Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment and Plateau of Productivity; ITIL plotted for 2005, 2006, 2008, 2010 and 2012]
• ITIL makes the business love the IT group!
• ITIL is easy!
• Buy our tool and have ITIL!
• Everybody is doing it …
• What's next …
• ITIL cures cancer!
• ITIL solves world hunger!
Polling Results – ITIL Adoption Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=171)
ITIL: The Good and the Bad
Service Delivery:
• Service-level management
• Financial management
• Capacity management
• IT service continuity
• Availability management
Service Support:
• Incident management
• Problem management
• Change management
• Configuration management
• Release management
• Service Desk
Core Benefits:
• Standard process language
• Emphasis on process vs. technology
• Process integration
• Standardization enables cost and quality improvements
• Focus on customer
Limitations:
• Not a process improvement methodology
• Specifies "what" but not "how"
• Doesn't cover all processes
• Doesn't cover organization issues
• Hype driving unrealistic expectations
Polling Results – Primary Driver for ITIL Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=180)
Polling Results – Biggest Hurdle Implementing ITIL Source: Audience polling survey at 2006 Gartner Data Center conference in November 2006 (n=164)
Assuming Tools Will Solve Your Problems
"Man is a tool-using animal. Nowhere do you find him without tools; without tools he is nothing, with tools he is all." (Thomas Carlyle)
• Be wary of vendor hype
• Focus on process first
• Tools can be enablers or inhibitors
• Assess capabilities of your current tools
• Review new tools where they would pay significant dividends
• Buy what you need, as you need it
The next lectures
• Lect. # 2 (March 29th) – ITIL insight / part 1
• Lect. # 3 (April 5th) – ITIL insight / part 2
• Lect. # 4 (April 12th) – ITIL in action, an example
• Lect. # 5 (April 19th) – complying with ITIL principles: evidence from a primary IT market leader
Thank You