mountainview Achieving IT Governance with COBIT, ITIL ... · Achieving IT Governance with COBIT,...

Date post: 05-Oct-2018
Page 1: mountainview Achieving IT Governance with COBIT, ITIL ... · Achieving IT Governance with COBIT, ITIL, ISO20000, CMM, ISO17799, etc. Abstract: ... The enforcement of IT controls and

Page 1Copyright 2007, www.mountainview.ca – Presented by Jerry Kopan for DPI May 2007

IT Governance

Achieving IT Governance with COBIT, ITIL, ISO20000, CMM, ISO17799, etc.

Abstract: The need for regulatory compliance has become a cornerstone for most public and private corporations. Internal and external auditors are establishing this as a mandatory requirement in order to do business. The enforcement of IT controls and the implementation of accepted standards such as ITIL, ISO 20000 and COBIT are becoming new realities for IT organizations that face continuous legislative and IT governance pressures. We will discuss how these various frameworks fit together to help you implement a solid IT governance framework within your organization and successfully achieve compliance goals.

Page 2

What is IT Governance

Page 3

Fact: “IT is the business and the business is IT”

Introduction

Page 4

Definition: Information Technology

– “The study, design, development, implementation, support or management of computer-based information systems, particularly software applications and computer hardware." In short, IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit and retrieve information, securely. (www.itaa.org)
– Includes all matters concerned with the furtherance of computer science and technology and with the design, development, installation, and implementation of information systems and applications. (San Diego State University)
– An information technology architecture is an integrated framework for acquiring and evolving IT to achieve strategic goals. It has both logical and technical components. ... (www.ichnet.org/glossary.htm)
– Any equipment or interconnected system or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. ... (www.grc.nasa.gov/WWW/Purchase/Section_508_def.htm)
– A term that encompasses all forms of technology used to create, store, exchange and utilize information in its various forms including business data, conversations, still images, motion pictures and multimedia presentations. (www.sciencecoalition.org/glossary/glossary_main.htm)
– Fiat is present in IT fields and in communications with ICT - Information & Communication Technology, Espin, Global Value, TeleClient, Atlanet. (www.nationmaster.com/encyclopedia/Fiat)
– Information technology provides the "engine" used to drive useful information systems. This includes computers, software, Internet/Intranet and telecommunications technology. (www.southbend.tech.purdue.edu/academics/degrees/CPTHtml/cpt_terminology.html)
– Computer and communications hardware and software used to automate and augment clerical, administrative, and management tasks in organizations. (www.christlinks.com/glossary2.html)
– (IT) The application of computer, communications and software technology to the management, processing and dissemination of information. (www.mcca.mb.ca/4.training.3.htm)
– The term "IT" encompasses the methods and techniques used in information handling and retrieval by automatic means. The means include computers, telecommunications and office systems or any combination of these elements. (www.nao.org.uk/intosai/edp/directory/misc/glossary.html)
– Equipment, telecommunications, video telecommunications, proprietary software, and purchased services. IT resources may also include personal services when OFM approvals are obtained and all reporting/approval requirements of OFM are followed. (www.dis.wa.gov/portfolio/Definitions.htm)
– Includes both hardware and software. Use this term when the use of information technology is the underlying driver of the "interesting" feature or of the organization's profitability or productivity. This term can include computer modeling, simulation, innovative uses of AI, automated knowledge discovery, data mining, data warehousing. (Technology) (ccs.mit.edu/21c/iokey.html)
– The hardware and software operated by an organization to accomplish a Federal function, regardless of the technology involved, whether computers, telecommunications, or other. (www.gao.gov/policy/itguide/glossary.htm)
– The entire array of mechanical and electronic devices which aid in the storage, retrieval, communication, and management of information--from typewriters to computers to copying machines. Integrity of numbers. (www.sir.arizona.edu/resources/glossary.html)
– The hardware and software operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information on behalf of the Federal Government to accomplish a Federal function (OMB Circular A-130). (www.gils.net/gilsappb.html)
– Information Technology applies modern technologies to the creation, management and use of information. IT includes video recorders, CD-ROM, telephones, calculators, and electronic cash tills as well as computers. (www.warwick.ac.uk/EAP/correcting_your_work/glossary.htm)
– Computer Science, Information Technology, Programming. (www.qtac.edu.au/Statistical_Reports/Definitions_Used.htm)
– Hardware, software, telecommunications, database management, and other information processing technologies used in computer-based information systems; computer-based tools used to work with information and support the information needs of an organization. (www.321site.com/greg/courses/mis1/glossary.htm)
– The technology of computers, telecommunications, and other devices that integrate data, equipment, personnel, and problem-solving methods in planning and controlling business activities. Information technology provides the means for collecting, storing, encoding, processing, analyzing, transmitting, receiving, and printing text, audio, or video information. Hardware: In the context of information technology, the computer and its peripherals constitute the hardware. ... (scrc.ncsu.edu/public/DEFINITIONS/G%20-%20I.html)
– Telecommunications Lawyers. (www.computerlaw.com.au/privacy.html)
– Applied computer systems including: hardware - a computer and the associated physical equipment directly involved in the performance of data-processing or communications functions; software - the programs, routines, and symbolic languages that control the functioning of the hardware and direct its operation; and often including: network (also called a net) - a system of computers interconnected by telephone wires or other means (such as infra-red beam or fibre optic cable) in order to share ... (education.qld.gov.au/curriculum/learning/literate-futures/glossary.html)
– The department that builds and maintains computer systems. (it.csumb.edu/departments/data/glossary.html)
– Sometimes called Information Systems (IS) or Data Processing. Generic name for department or function that analyzes, creates, maintains and supports applications and databases used by an organization. (www.bptrends.com/resources_glossary.cfm)
– Subjects taught at all levels from school to university concerned with all aspects of programming and operating computers or using data and systems generated by the use of computers for business or technical developments. (www.ceresconsult.demon.co.uk/html/glossary_of_terms.html)
– Technologies based on the use of computers and other integrated circuits to process data and produce information. (www.globalfamilydoctor.com/aboutWonca/working_groups/write/itpolicy/ITPoli13.htm)
– The application of computer, audio, visual, and telecommunications technology to the acquisition, storage, manipulation, analysis, and display of information. Page 259. (www.ucs.mun.ca/~rsexty/business1000/glossary/I.htm)
– The use of computers and other electronic devices to acquire, store, process and distribute information. (www.indiainfoline.com/bisc/acci.html)
– The branch of engineering that deals with the use of computers and telecommunications to retrieve and store and transmit information. (wordnet.princeton.edu/perl/webwn)
– Information technology (IT) or information and communication technology (ICT) is the technology required for information processing. In particular the use of electronic computers and computer software to convert, store, protect, process, transmit, and retrieve information from anywhere, anytime. (en.wikipedia.org/wiki/Information_technology)

Page 5

Technology Management Strategies: TB

Strategies and guidance for managing investments and activities for information technology, information management, and service delivery:

Accessibility Domain Architecture
The purpose of the Accessibility Domain Architecture is to facilitate the creation of a human-empowering infrastructure that recognizes that human beings are diverse and provides the opportunity for each of us to bring out our best.

Business Transformation Enablement Program (BTEP)
The purpose of BTEP is to provide a business transformation toolkit enabling rigorous strategic planning and integrated strategic design across governments, supporting interoperability and integration.

The Enhanced Management Framework (EMF)
The Enhanced Management Framework (EMF) for Information Management and Information Technology (IM/IT) is an integrated management model comprised of principles, best practices, methodologies, tools and templates, designed to improve the Canadian Government's capability to manage its IM/IT investments, successfully deliver IM/IT projects, and minimize risks.

Federated Architecture Program
The purpose of the GOC FAP is to provide leadership, co-ordination, and broad direction in the planning, development, maintenance and use of a government-wide architecture for IM/IT infrastructure; comprised of the subset of the departmental infrastructure domains that are common or shared across government; in support of the government's renewal objectives and its service delivery agenda.

Information and Technology Standards
This section encompasses all information and technology standards and applies to federal participation in all national and international information technology standards activities.

Information Technology Security
This section is intended to provide insight into the Chief Information Officer Branch's work on information technology security projects and issues. It is also intended to serve as a "one-stop-shop" for Treasury Board Secretariat-approved ITS standards. Here you will find information on the standards development process, on current and proposed standards, and links to other useful resources.

Open Source Software (OSS)
Licensed software including OSS and methods are part of the corporate standards-based IT infrastructure of the Government of Canada (GoC). Acquisition and usage decisions must align with the GOC Federated Architecture, while respecting federal legislation, agreements and guidelines, and maximizing the GOC IT investments and opportunities.

http://www.tbs-sct.gc.ca/cio-dpi/techno_e.asp

Page 6

Governance in Transportation

Page 7

Financial and Accounting Governance

– Financial Statement – Assets = Liabilities + S.E.
– Income Statement
– Debit / Credit
– General Ledger
– GAAP
– SOX
– SAS 70
– Accounting Standards Board "AcSB" www.acsbcanada.org

Page 8

Definition of Governance - TB

– Accountability is the obligation to demonstrate and take responsibility for performance in light of commitments and expected outcomes.
– An Authority is the legislation, document or other venue that defines responsibilities within defined circumstances and empowers an individual or organization to deliver on them.
– Authority is delegated power to command and make final decisions within a particular domain with the expectation of being obeyed and held accountable for results.
– Governance is exercising authority to provide direction and to undertake, coordinate, and regulate activities in support of achieving this direction and desired outcomes.
– An Outcome is an event, occurrence or condition that occurs as a direct result of programs and activities.
– A Result is the impact or effect of a program or service.
– A Responsibility is something that one is required to do as part of a job, role or legal obligation.

Page 9

Other IT Governance Definitions

“IT Governance specifies the decision-making authority and accountability to encourage desirable behaviors in the use of IT. IT Governance provides a framework in which the decisions made about IT issues are aligned with the overall business strategy and culture of the enterprise.”

“The Need for IT Governance: Now more than Ever”, Gartner Research note AV-21-4823, 2004

“A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.”

COBIT, ISACA

“Governance encompasses the roles, responsibilities and accountabilities of the Legislative Assembly representing the public, and the organizations and management of government. Governance is the structure and processes that support the realization of overall objectives and the strategies to achieve them. It is concerned with the development, communication and implementation of government policy, and in monitoring performance with respect to standards. Governance includes ongoing risk assessment and management in the general course of delivering programs and services.”

Ministry of Finance, Government of B.C.

“Information Technology Governance, IT Governance or ICT Governance, is a subset discipline of Corporate Governance focused on information technology systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (e.g. Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.”

Wikipedia

“IT Governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

ITGI, Board briefing in IT governance

Page 10

The Reality of Information Technology

IT has moved from largely back-office support to becoming the prime enabler for business.

The confidentiality and integrity of financial management is in the control of IT systems.

Page 11

Current Regulatory Compliance is Complex

Page 12

Treasury Board Foundation Framework

– Explains the purpose of Treasury Board policies and other instruments, such as directives and guidelines, and how they are structured;
– Summarizes general requirements common to all Treasury Board policy instruments; and
– Builds on the Guidance for Deputy Ministers and Accountable Government: A Guide for Ministers (Privy Council Office) by explaining the general responsibilities, accountabilities and expectations of ministers and deputy heads in applying Treasury Board policy instruments.

Click for details

http://www.tbs-sct.gc.ca/prp-pep/ff-cp/ff-cp_e.asp

Page 13

TB: Enhanced Management Framework (EMF)

An integrated management model that includes processes and key practices for executives, as well as for business and project managers. The framework is supported by a set of principles, best practices, methodologies, tools, templates, handbooks, guides, and standards.

The conceptual model shows the components of the EMF, and the way in which they are related.

EMF is based on four guiding principles:
– alignment of IM/IT investments with business strategies;
– establishment of clear accountabilities for managing IM/IT investments;
– development of corporate project management disciplines;
– identification and management of risks on a continuous basis.

EMF addresses two broad areas:
– portfolio management and
– project management.

Click for details

http://www.tbs-sct.gc.ca/emf-cag/index_e.asp

Page 14

FRAMEWORK FOR THE MANAGEMENT OF INFORMATION IN THE GOVERNMENT OF CANADA

[Figure: three panels of the framework, each showing the actors involved and the flows between them]
– Ensure Delivery Results: Prime Minister, Cabinet & Parliament; Central Agencies; Institutions; Citizens & Business. Flows: funding, plans & priorities; legislation, priorities; information, results; information, services; input, feedback.
– Provide Effective Management: Central Agencies; Common Service Institutions; Inter-institution Committees; Institutions. Flows: policies, standards, guidelines; guidelines; input, information; direction, solutions; common interests; information, results.
– Assure Information Rights: Institutions; Citizens & Business; Independent Offices; Federal Court. Flows: complaints, responses; appeals; resolutions; recommendations.

Source: Information Governance and Accountability Overview, Information Management Division, Treasury Board of Canada Secretariat

Page 15

COBIT: Control OBjectives for Information and related Technology

– an IT governance, control framework and maturity model
– ensures IT resources are aligned with an enterprise's business objectives
– ensures that services and information, when delivered, meet quality and security needs
– originally an auditor's tool developed by the Information Systems Audit and Control Association (www.isaca.org)

COBIT 4.1

Planning and Organization
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquisition and Implementation
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitoring
ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Page 16

ISO 17799

ISO 17799 is a detailed security standard. It is organized into ten major sections. Their objectives are:

1. Business Continuity Planning
To counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.

2. System Access Control
1) To control access to information; 2) To prevent unauthorised access to information systems; 3) To ensure the protection of networked services; 4) To prevent unauthorised computer access; 5) To detect unauthorised activities; 6) To ensure information security when using mobile computing and tele-networking facilities.

3. System Development and Maintenance
1) To ensure security is built into operational systems; 2) To prevent loss, modification or misuse of user data in application systems; 3) To protect the confidentiality, authenticity and integrity of information; 4) To ensure IT projects and support activities are conducted in a secure manner; 5) To maintain the security of application system software and data.

4. Physical and Environmental Security
To prevent unauthorised access, damage and interference to business premises and information; to prevent loss, damage or compromise of assets and interruption to business activities; to prevent compromise or theft of information and information processing facilities.

5. Compliance
1) To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; 2) To ensure compliance of systems with organizational security policies and standards; 3) To maximize the effectiveness of and to minimize interference to/from the system audit process.

6. Personnel Security
To reduce risks of human error, theft, fraud or misuse of facilities; to ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work; to minimise the damage from security incidents and malfunctions and learn from such incidents.

7. Security Organisation
1) To manage information security within the Company; 2) To maintain the security of organizational information processing facilities and information assets accessed by third parties; 3) To maintain the security of information when the responsibility for information processing has been outsourced to another organization.

8. Computer & Network Management
1) To ensure the correct and secure operation of information processing facilities; 2) To minimise the risk of systems failures; 3) To protect the integrity of software and information; 4) To maintain the integrity and availability of information processing and communication; 5) To ensure the safeguarding of information in networks and the protection of the supporting infrastructure; 6) To prevent damage to assets and interruptions to business activities; 7) To prevent loss, modification or misuse of information exchanged between organizations.

9. Asset Classification and Control
To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.

10. Security Policy
To provide management direction and support for information security.

Within each section are the detailed statements that comprise the standard.

Page 17

ISO 20000 and BS 15000

– BS 15000 (www.bsiglobal.com) was the first standard for service management by the British Standards Institute
– Established as ISO/IEC 20000 in 2005
– Its eight sections form the basis for the assessment of a managed IT service and are based heavily upon the ITIL (IT Infrastructure Library) framework

[Figure: the BS 15000 document stack, top to bottom: Spec. BS15000-2; Code of Practice (PD0005); ITIL; Proprietary Processes and procedures; Self-Assessment Workbook PD0015]

Page 18

PMBoK and PRINCE2

PRINCE2 (PRojects IN Controlled Environments version 2)
– Creates a management environment to achieve the stated aim of the project
– Based on a project life cycle

PMBoK (Project Management Body Of Knowledge)
– Project Management Institute (PMI) controls "The PMBOK™ Guide"
– Identifies the subset of the PMBoK which is applicable to projects
– Not all practices are applied uniformly on all projects
– The project team is always responsible for determining what is appropriate for any given project

Page 19

International Standards Organization (www.iso.org)

The ISO 9000 quality standard seeks to:Achieve and sustain product or service quality to continually meet the purchaser's needs Provide confidence to management that the intended quality is being achieved or sustained Provide confidence to purchasers that the intended quality is being, or will be, achieved

Comprising a set of five documents - ISO 9000-9004 - ISO 9000 is a set of guidelines for total quality management programs. ISO 9000 itself sets guidelines for determining whether enterprises should implement ISO 9001, ISO 9002 or ISO 9003 and provides a QA process for implementing the chosen standard.9001: the most comprehensive standard, defines all the quality elements required to demonstrate the supplier's ability to design

and deliver a quality product (see Figure 31). 9002: covers the QA activities associated with the supplier's ability to control the design and development activities only.9003: the least stringent standard, demonstrates the supplier's ability to detect and control product nonconformity during

inspection and testing. 9004: details the specific quality elements required by ISO 9001, ISO 9002 and ISO 9003, and it provides an unplanned but

effective checklist for QA.

International Standards Organization (www.iso.org)


[Figure 31: the scope of ISO 9001, ISO 9002 and ISO 9003 within ISO 9000, shown across the Design, Production, Inspection, Installation and Service stages]

Page 20

GMP

Good Manufacturing Practice Regulations initiated by the US Food and Drug Administration (FDA)
– Take proactive steps to ensure that their products are safe, pure, and effective
– Apply a quality approach to minimize or eliminate instances of contamination, mix-ups, and errors
– Protects the consumer from purchasing a product which is not effective or even dangerous
– Failure of firms to comply can result in very serious consequences including recall, seizure, fines, and jail time
– Addresses recordkeeping, sanitation, cleanliness, equipment verification, process validation, and complaint handling
– Most GMP requirements are very general and open-ended: very flexible, but requires that the manufacturer interpret the requirements in the way which makes sense for each business
– cGMP ensures that technologies are up-to-date to comply with regulations. The best systems and equipment 20 years ago may be sub-par by today's standards.

Source: GMP Institute a division of the ISPE

Page 21

GMP - The Ten Principles

Paying attention to the Ten Principles of GMP will help you to stay focused on the important issues of operating your business in a state-of-control.

1. Write detailed step-by-step procedures that provide a roadmap for controlled and consistent performance.

2. Carefully follow written procedures to prevent contamination, mix-ups and errors.

3. Promptly and accurately document work for compliance and traceability.

4. Prove that systems do what they are designed to do by validating work.

5. Integrate productivity, product quality, and employee safety into the design and construction of facilities and equipment.

6. Properly maintain facilities and equipment.

7. Clearly define, develop and demonstrate job competence.

8. Protect products against contamination by making cleanliness a habit.

9. Build quality into products by systematically controlling components and product related processes such as manufacturing, packaging and labeling, testing, distribution, and marketing.

10. Conduct planned and periodic audits for compliance and performance.

Source: GMP Institute a division of the ISPE

Page 22

GAMP

Good Automated Manufacturing Practice (www.ispe.org/gamp), founded in 1991 by pharmaceutical experts in the UK
– Goal was to meet evolving FDA expectations for compliance with GMP regulations
– In 1994, GAMP partnered with ISPE (www.ispe.org) to publish the first GAMP guidelines
– Validation of Laboratory Computerized Systems in the life cycle from initiation to retirement

Contents (domain and process):

2 Infrastructure Elements
  2.1 Platform
  2.2 Processes
  2.3 Personnel

3 Quality Management System
  3.1 Quality Manual
  3.2 Roles and Responsibilities
  3.3 Record Management
  3.4 Document Management
  3.5 Testing
  3.6 Standard Operating Procedures
  3.7 Training
  3.8 Periodic Review and Evaluation
  3.9 Audit by QA

4 Applying Risk Management
  4.1 Identification and Assessment of Components
  4.2 Implementation of Controls
  4.3 Assessment of Changes to Qualified Components
  4.4 Periodic Review and Evaluation

5 Qualification of Platforms
  5.1 Overview of Process
  5.2 IT Infrastructure Life Cycle Model
  5.3 Planning
  5.4 Specification and Design Phase
  5.5 Risk Assessment and Qualification Test Planning
  5.6 Procurement, Installation and IQ
  5.7 OQ and Acceptance
  5.8 Reporting and Handover

6 Maintaining the Qualified State
  6.1 Change Management
  6.2 Configuration Management
  6.3 Security Management
  6.4 Server Management
  6.5 Client Management
  6.6 Network Management
  6.7 Problem Management
  6.8 Help Desk
  6.9 Backup, Restore and Archiving
  6.10 Disaster Recovery
  6.11 Performance Management
  6.12 Supplier Management
  6.13 Periodic Review

7 Retirement of Platforms

Page 23

FCAPS

– Fault Management
– Configuration Management
– Accounting Management
– Performance Management
– Security Management

Page 24

What is ITIL? ITIL Version 2 Publication Framework

[Figure: the ITIL v2 publications arranged between The Business and The Technology]

ITIL Publications:
– Service Support
– Service Delivery
– Security Management
– ICT Infrastructure Management
– Application Management
– The Business Perspective
– Planning to Implement Service Management

Labels on the figure: Service Management (Service Support and Service Delivery) and Certification.

http://www.ogc.gov.uk/

Page 25

ITIL Version 3 Publication Framework

– The Official Introduction to ITIL Service Management
– Service Strategy
– Service Design
– Service Transition
– Service Operation
– Continual Service Improvement

Page 26

Information Services Procurement Library (ISPL)

A best practice library for the management of Information Technology related acquisition processes
– Helps both the customer and supplier organization to achieve the desired quality using the corresponding amount of time and money by providing methods and best practices for risk management, contract management, and planning
– Focuses on the relationship between the customer and supplier organization
– Focuses purely on the procurement of information services

The target audience for ISPL is:
– procurement managers,
– acquisition managers,
– program managers,
– contract managers,
– facilities managers,
– service level managers,
– and project managers in the IT area.

Page 27

Microsoft Operations Framework (MOF)

[Figure: the MOF process model, four quadrants (Changing, Operating, Supporting, Optimizing) separated by four management reviews: Release Approved Review, Release Readiness Review, Operations Review and SLA Review]

– Changing: Change Management, Configuration Management, Release Management
– Operating: Security Administration, System Administration, Network Administration, Service Monitoring and Control, Directory Services Administration, Storage Management, Job Scheduling, Print and Output Management
– Supporting: Service Desk, Incident Management, Problem Management
– Optimizing: Service Level Management, Capacity Management, Availability Management, Financial Management, Workforce Management, Service Continuity Management

http://www.microsoft.com/mof

Page 28

CIO/IT Balanced Scorecard

[Figure: four perspectives, each with Objectives and Measures, spanning the Demand and Supply sides]

– Corporate Perspective: How do we look to management?
– User Perspective: How do we look to users?
– Internal Perspective: How effective, efficient, economic and equitable are we?
– Learning and Growth Perspective: How are we positioned to meet future challenges?

Page 29

Six Sigma

Phases: Define, Measure, Analyze, Improve, Control

– Developed at Motorola, circa 1983
– Sigma, or standard deviation, identifies the variability within a population
– 6σ = 3.4 defects per million, or 99.99966% free of defects

[Figure: normal distribution centred on µ with the lower (LCL) and upper (UCL) control limits marked]

Page 30

Capability Maturity Model (CMM)

– Sponsored by U.S. Department of Defense in the late 1980s
– Initially aimed at helping DoD identify qualified application development contractors
– Controlled by the Software Engineering Institute at Carnegie Mellon University (www.sei.cmu.edu/cmm)
– It's a process improvement approach

Maturity levels:
1. Initial
2. Repeatable
3. Defined
4. Managed
5. Optimizing

Page 31

Zachman Framework - Enterprise Architecture

Rows (perspectives):
– Row 1 – Contextual: Scope; External Requirements and Drivers; Business Function Modeling
– Row 2 – Conceptual: Enterprise Model; Business Process Models
– Row 3 – Logical: System Model; Logical Models; Requirements Definition
– Row 4 – Physical: Technology Model; Physical Models; Solution Definition and Development
– Row 5 – As Built: Deployment Model; As Built; Deployment
– Row 6 – Functioning: Evaluation Model; Functioning Enterprise; Evaluation

Columns: What, How, Where, Who, When, Why

[Figure: the six rows above (numbered 1 to 6) laid out against the six columns as a grid]

Source: Zachman Enterprise Architecture Framework

Page 32

When are Processes under Control?

Introduction

Sample mean:
$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i$$

Sample variance (the standard deviation $s_x$ squared):
$$s_x^2 = \frac{1}{n-1}\sum_{i=1}^{n}\left(x_i - \bar{x}\right)^2$$

2xx ss +=

[Figure: normal distribution with the mean (µ) and standard deviation (σ) marked; about 68% of a normal population lies within ±1σ of the mean and about 95% within ±2σ]

How do we know if the process is improving?
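The mean and sample standard deviation on this slide, together with the Six Sigma figure a few slides earlier (6σ = 3.4 defects per million), are enough to answer the slide's question for an IT KPI such as the "incidents per day" metric the deck lists later. The block below is an added example written for this page; it is not code from the presentation or from any framework it covers. The daily incident counts are constructed sample data, the ±3s control limits computed from the sample standard deviation are a simplification I assume here (a textbook individuals chart estimates σ from the moving range), and the 1.5σ mean shift is the usual Six Sigma convention under which 6σ corresponds to 3.4 DPMO. NormalDist is Python's standard-library normal distribution.

```python
"""Control limits and sigma-level defect rates for an IT KPI (constructed example)."""
from math import sqrt
from statistics import NormalDist

# Constructed baseline: incidents per day over ten days the service desk
# regarded as normal operation (sample data, not figures from the deck).
BASELINE_INCIDENTS = [12, 14, 13, 15, 11, 14, 13, 12, 15, 11]

# Constructed observations to judge against that baseline (sample data).
NEW_OBSERVATIONS = {
    "day-11": 14,
    "day-12": 17,
    "day-13": 40,   # a spike, e.g. a failed change flooding the service desk
    "day-14": 6,    # suspiciously low: did the incident feed stop collecting?
}


def mean_and_sample_sd(values):
    """x-bar and s exactly as on the slide: s divides by n-1 (sample, not population)."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations to estimate s")
    xbar = sum(values) / n
    s = sqrt(sum((x - xbar) ** 2 for x in values) / (n - 1))
    return xbar, s


def control_limits(baseline, k=3.0):
    """Return (LCL, UCL) = x-bar -/+ k*s from a baseline period.

    Assumption: s of the raw baseline stands in for sigma. An individuals chart
    would estimate sigma from the moving range; the slide's formulas use s, so
    this example follows the slide.
    """
    xbar, s = mean_and_sample_sd(baseline)
    return xbar - k * s, xbar + k * s


def classify(observations, baseline, k=3.0):
    """Label each observation relative to the limits. Both sides matter: a sudden
    drop in incidents can mean the collector broke, not that the service improved."""
    lcl, ucl = control_limits(baseline, k)
    verdicts = {}
    for label, x in observations.items():
        if x > ucl:
            verdicts[label] = "above UCL"
        elif x < lcl:
            verdicts[label] = "below LCL"
        else:
            verdicts[label] = "in control"
    return verdicts


def defects_per_million(sigma_level, shift=1.5):
    """Long-term defects per million opportunities for a sigma level, under the
    Six Sigma convention that the process mean drifts by `shift` sigma, so the
    nearest specification limit is (sigma_level - shift) sd away.
    This is how "6 sigma = 3.4 defects per million" on the earlier slide arises."""
    z = sigma_level - shift
    return NormalDist().cdf(-z) * 1_000_000


if __name__ == "__main__":
    xbar, s = mean_and_sample_sd(BASELINE_INCIDENTS)
    lcl, ucl = control_limits(BASELINE_INCIDENTS)
    print(f"x-bar={xbar:.2f}  s={s:.2f}  LCL={lcl:.2f}  UCL={ucl:.2f}")
    for day, verdict in classify(NEW_OBSERVATIONS, BASELINE_INCIDENTS).items():
        print(f"{day}: {NEW_OBSERVATIONS[day]:>3} incidents -> {verdict}")
    for level in (3, 4, 5, 6):
        print(f"{level} sigma -> {defects_per_million(level):,.1f} DPMO")
```

With the constructed baseline the limits come out at roughly 8.5 and 17.5 incidents per day, so day 12 (17) is still in control while days 13 and 14 are flagged on opposite sides. The last loop reproduces the slide's 3.4 DPMO at six sigma and the familiar 66,807 DPMO at three sigma.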

Page 33

Summary of OGC Guidance (January 2003)

Best Practice Products – High-level Guides for top management in Departments

Published:
– Why IT Projects Fail – April 2001
– Managing Partnering Relationships – July 2001
– How Major Service Contracts Can Go Wrong – September 2001
– Gateway to Success – December 2001
– Value for Money Evaluation in Major Service Procurements – March 2002
– Risk Allocation in Long-term Contracts – December 2002
– Forming Partnering relationships with the private sector in an uncertain world – December 2002

Work in hand (2002/03 Work Programme):
– Ensuring grant-aided bodies deliver value for money on procurements involving public money – plan to publish January 2003
– Why Construction Projects Fail – plan to publish before April 2003
– Improving the efficiency and effectiveness of procurement to achieve faster delivery – plan to publish before April 2003
– Construction and Use of Public Sector Comparators – plan to publish before April 2003

Guidance – Generic operational guidance for heads of procurement and their teams

Published:
– PG 10 Achieving Excellence through Health and Safety – October 2001
– Supplier Finance Appraisal (replacing the financial aspects of CUP 60) – October 2001
– Dispute Resolution (replacing CUP 50) – March 2002
– Green Public Private Partnerships – July 2002
– Smaller Supplier… Better Value – 2002
– Revised General Guidance on Standardisation of PFI Contracts – July 2002
– OGC Guidance note on calculation of the Authority's share of a refinancing gain – July 2002
– OGC Guidance on certain financing issues in PFI contracts – July 2002
– OGC – PFI Contracts – Insurance costs – October 2002
– Contract Management guidelines (replacing CUP 61) – November 2002
– Business Case – 2002
– Risk Management – 2002

Work in hand:
– Supplier Debriefing (replacing CUP 56) – plan to publish January 2003
– Ethics in Procurement (replacing CUP 55) – plan to publish before April 2003

Possibilities for 2003/04 Work Programme:
– Specification Writing (replacing CUP 30) – plan to publish after March 2003
– Quality Costs (replacing CUP 29) – plan to publish after March 2003
– Quality Assurance (replacing CUP 46) – plan to publish after March 2003
– Frameworks/Approved Supplier List (replacing CUP 27) – plan to publish after March 2003
– Effective Partnering (possible replacement for CUP 57) – plan to publish after March 2003
– Supplier Appraisal (replacing the non-financial aspects of CUP 60) – plan to publish by end of March 2003

– EC Guidance (updating CUP 1, 19 & 51) – plan to publish in 2003/04
– Documentation (replacing CUP 59 a to d) – plan to publish in 2003/04
– Procurement Training (replacing CUP 53) – plan to publish in 2003/04

Key Issues:
– SRO Briefing – Senior Responsible Owner briefing (links to SRIE briefing)
– Delivery Pocketbook – Successful Delivery Pocketbook
– Faster procurement – Taskforce executive report on faster procurement
– Current Gateway Issues – The Gateway Process: a Managers Checklist

Workbooks: Strategy Management; Gateways; Business Case; Risk Management; Programme Management; Procurement; Project Management; Contract Management; Performance Management; Benefits Management

Programme and Contract Management: Managing Successful Projects with PRINCE2; Managing Successful Programmes; Tailoring PRINCE; People Issues and PRINCE; PRINCE2 Pocketbook; Passing the PRINCE2 exam; Business Benefits through Project Management

Management of Risk: Management of Risk: Guidance for Practitioners; IT-enabled business change – Published; Guidelines on Business Continuity Management; Risk Guidelines

Delivery Lifecycle: Setting Direction; Implementing plans; Strategic Management; Managing Services (see also guidance published commercially by OGC's partners, e.g. ITIL below)

ITIL: Service Delivery; Service Support; Planning to Implement Service Management; Security Management; The Business Perspective; ICT Infrastructure Management; Application Management
Related Publications: itSMF Pocket Guide; itSMF Dictionary of Terms, Abbreviations and Acronyms; Better value from software development

Procurement: Open Source Software; Value for Money in Procurement – The Role of Auditors; HM Treasury Procurement Guidance; EC Procurement Thresholds; EC Public Procurement State of Play; Efficiency in Government Procurement; Environmental Issues in Purchasing; Framework Agreements; Liability in Government Contracts; Minimum number of Suppliers to Bid; Ownership of IPR; Scope for Flexibility Under the EC Rules; Technical Specifications; Supporting the Supplier Community; Tendering for Government Contracts; SMEs – Doing business with the Government (under development)

PFI/PPP Guidance – Published unless otherwise stated
– Generic guidance: Partnerships for Prosperity (P4P); A Step-by-Step Guide to the PFI Procurement Process; Public Private Partnerships: the Government's Approach
– Policy Statements, Technical Notes and other material: PFI and Public Expenditure Allocations; Public Sector Comparators and Value for Money; PFI and Public Expenditure Allocations for NDPBs; PFI Projects: Disclosure of Information and Consultation with Staff and Other Interested Parties; Provision of Information to Parliament
– Technical Notes: How to account for PFI Transactions; How to follow EC Procurement Procedure and Advertise in the OJEC; How to Appoint and Manage Advisers to PFI Projects; How to Appoint and Work with a Preferred Bidder; How to Construct a Public Sector Comparator; How to Manage the Delivery of Long Term PFI Contracts; Draft Competence Framework for Creating Effective PFI Project Teams – Draft
– Other: Staff Transfers from Central Government – A Fair Deal for Staff; Guidance on Standardisation of PFI Contracts including General Guidance, Information Technology and Local Authorities
– Case Studies: Medium Support Helicopter Aircrew Training Facility – PFI Case Study; Employment Service – IT Partnership; Private Finance and IS/IT: case study TAFMIS and After; Colfox School, Dorset – A Case Study on the First DBFO School Project; OSIRIS Private Finance and IS/IT Case Study for the Welsh Office; Report on the Procurement of Custodial Services in DCMF prisons – 2 case studies; DBFO – Value in Roads: A Case study on the first Eight DBFO Roads; The IND Caseworking Program; Scottish Health Service Management Executive: Ferryfield House, Edinburgh; Lewisham Extension to Docklands Light Railway; Lowdham Grange Prison Services
– Other Guidance – None OGC: Appraisal and Evaluation in Central Government (the HMT Green Book); Examining the Value for Money of deals under the Private Finance Initiative (NAO)

Construction Guidance: The Achieving Excellence suite of briefings will replace the Construction Procurement Guidance series (replaces the PG guides and CUP guides detailed in the right column below)
– Achieving Excellence – Constructing the Best Government Client

– Achieving Sustainability in Construction Procurement
– Achieving Excellence Action Plan

Achieving Excellence Briefings (Target Date January 2003), replacing Procurement Guidance 1-10 and the CUP Guides listed below

Achieving Excellence Briefings – Core Documents:
1. Achieving Excellence: Initiative into Action
2. Project organisation: roles and responsibilities
3. Project procurement lifecycle
4. Risk and value management
5. The integrated team: teamworking, partnering and incentives
6. Procurement and contract strategies
7. Cost management: whole life costs and financial control
8. Improving performance: benchmarking and performance management
9. Quality in design
10. Health and safety: respect for people

Procurement Guidance 1-10:
– Essential requirements for construction procurement (PG No 1)
– Value for money in construction procurements (PG No 2)
– Appointment of consultants and contractors (PG No 3)
– Teamworking, partnering and incentives (PG No 4)
– Procurement strategies (PG No 5)
– Financial aspects of projects (PG No 6)
– Whole life costs (PG No 7)
– Project evaluation and feedback (PG No 8)
– Benchmarking (PG No 9)
– Achieving Excellence Through Health and Safety (PG No 10)

CUP Guides:
– No 12 Contracts and Contract Management for Construction Works – March 1989
– No 48 Bonds and guarantees – August 1994
– No 52 Programming and progress monitoring for works projects – September 1995
– No 54 Value management – January 1996

– Disposal of Property – to be published by March 2003
– Fraud Observance Guidance – to be published by March 2003

Existing ex-PACE & PPD Guidance: Guide to the Appointment of Consultants and Contractors (GACC) (1/99); Estates Services Guide (ESG) (2/00); Premises Management Guide (PMG) (9/99); Business Continuity Planning Guide (BCPG) (11/98); Fire Safety Guide (FSG) (7/00); Guide and Schedule to Requirements for Office Buildings (ROB) (3/98); Crown Fire Standards (CFS) (10/99); Deeds and Sealing Guide (8/00)

Code of Good Practice – for customers and suppliers: The Government Procurement Code of Good Practice

CUP Guidances: Current
– No 1 Post Tender Negotiation – May 1986
– No 12 Contracts and Contract Management for Construction Works – March 1989
– No 19 PTN Update – July 1989
– No 27 Approved Suppliers (Vendors and Contractors) Lists – January 1991
– No 29 Quality Costs – June 1991
– No 30 Specification Writing – June 1991
– No 35 Life Cycle Costing – April 1992
– No 46 Quality Assurance – June 1994
– No 48 Bonds & Guarantees – August 1994
– No 51 Introduction to the EC procurement rules – July 1995
– No 52 Programming and progress monitoring for works projects – September 1995
– No 53 Procurement Training – January 1996
– No 54 Value management – January 1996
– No 55 Ethics in Procurement – April 1997
– No 56 Debriefing – April 1997
– No 57 Strategic partnering in government – May 1997
– No 59 a Model Appraisal Questionnaire – May 1997
– No 59 b Pre-Qualification – May 1997
– No 59 c Model Invitation to Tender – May 1997
– No 59 d Model Conditions of Contract – July 1997
– No 60 Supplier appraisal (non-financial) – May 1997

CUP Guidances: Overtaken – no revision or replacement required – guidances are archived. (Superseded guides are not shown)
– No 3 Supply and Service Agreements with the Agencies – January 1987
– No 14 Measuring Performance in Purchasing – March 1989
– No 17 Quality Assurance in Building and Construction – April 1989
– No 20 The P&S Function and Works Projects – October 1989
– No 22 Stock Management – May 1990
– No 23 Model Forms of Contract – September 1990
– No 24 a b c d e Vehicles: Contract Hire Schemes – November 1990
– No 27 Approved Suppliers (Vendors and Contractors) Lists – January 1991
– No 28 Contracts with a Private Sector Purchasing Agent – January 1991
– No 31 Use of Travel Agents – October 1991
– No 32 Catering Services – January 1992
– No 35 Life Cycle Costing – April 1992
– No 37 Managing Car Fleets – January 1993

eProcurement Guidance: Government Overview; eProcurement Market; The Business Opportunity; Planning Your Approach; Implementation; Appendix A: Tools and Techniques; Appendix B: Standards and Security; Appendix C: Risk Mitigation; Appendix D: ePilots Project Overview and Case Studies; A-Z of Terms

Delivery Lifecycle – Strategic Management: Strategic Management; Governance; Quality management; Policies and standards; Property/workspace management; Exploiting technology; Information Management; Risk management; Benefits management; Human Resources management; Organisational learning; Continuous Improvement; Cost management; Skills and competencies; Managing performance; Security & Privacy; IS/IT management; Joined-up Working; Benchmarking/capability

Delivery Lifecycle – Setting Direction: Overview; Identifying direction; Business requirements; Business & supporting strategies; Positioning for the future; Customer focus; Planning & estimating; Enterprise architecture

Delivery Lifecycle – Implementing Plans: Overview; Managing change; Business case; Programme management; Project management; Procurement; Requirements definition

Source: www.ogc.gov.uk/sdtoolkit/reference/ogc_library/guidesumm.html

Best Practices

Page 34

Gartner Study: Cost of Increasing Complexity

[Figure: cost per desktop device ($0 to $8,000) plotted against a complexity score from 3 to 13]

Complexity Factors:
– Application Type: Enterprise critical, Workgroup critical, Personal productivity
– Technology: Platform diversity, Platform complexity, Refresh rate, Redundancy, Mobile computing, Client/server
– Support: End-user dispersion, Service availability, Service levels
– Job function: Poorly defined roles, Misunderstood responsibilities, Lack of process, Unclear procedures, Disparate tools

Consequences: Longer resolution time, Longer deployment, Longer development, Poor service, Poor availability

Source: Gartner Measurement

Page 35

Elements of IT Governance

IT Governance is a subset of Corporate Governance
– Control
– Processes
– Strategic Business alignment
– Deliver Value
– Organization Structure and Management
– Accountability
– Responsibility
– Risk Management
– Performance Monitoring

Page 36

IT Governance, People, Process, Products

[Figure: IT Governance at the centre of a People / Process / Products triangle]

– People: Board; org structure, job security, cost cutting, outsourcing
– Process: procedures, instructions, best practices, audit, CMM, Six Sigma, ITIL, IEEE
– Products: Cisco, IBM, Nortel, Mitel, HP, Dell; Banyan Vines, Novell Netware, Microsoft Windows

Also on the figure: Battles over MOF, HP ITSM Ref Model, IBM ITPM, Deloitte CIO Framework; Common procedures horizontal – product is not a priority

Page 37

What exactly are Processes

DRIVING:
– Do not exceed the speed limit
– Look before changing lanes, e.g. blind spot
– Come to a complete stop at a stop sign
– Look in your rear view mirror often
– 2 second rule

ITIL:
– Test before and after you implement the Change
– Establish the Risk/Impact to establish a Change model
– Communicate Changes to key stakeholders, e.g. Service Desk
– Perform Problem Management to eradicate incidents
– Establish OLAs and Support Contracts based on signed SLAs

They are not:

DRIVING:
– Step by step instructions on how to get from Ottawa to Montreal
– Procedures for how to service the Ford Yaris radio

ITIL:
– Step by step instructions on how to install Redhat Linux on an INTEL T2050 processor with 2GB of RAM
– Procedures for how to upgrade from XP Professional to Vista Business

THESE ARE OUTPUTS OF THE PROCESSES!

Page 38

A Chain is only as Strong as its Weakest Link

Page 39

Chaos vs Control

Too much Chaos? Too much Control?

Page 40

Where are we?

Page 41

CIO's Business and Technology Priorities

Rank | Top 10 Business Priorities                     | Top 10 Technology Priorities
---- | ---------------------------------------------- | -------------------------------------------
1    | Business process improvement                   | Business Intelligence applications
2    | Controlling enterprise operating costs         | Security technologies
3    | Attracting and growing customer relationships  | Mobile workforce enablement
4    | Improving competitive advantage                | Collaboration technologies
5    | Improving competitiveness                      | Customer sales and service
6    | Using intelligence in products and services    | Service Oriented Architectures (SOA)
7    | Security breaches and disruptions              | Workflow management
8    | Revenue growth                                 | Networking, voice and data communications
9    | Faster innovation                              | Virtualization
10   | Faster innovation and cycle times              | Legacy application modernization

Source: Gartner EXP (January 2006) survey of 1400 CIOs around the world.

Page 42

Increasing Business Demands for IT Services

[Figure: demands converging on the IT Service Provider]
– More Security (911)
– More functionality
– Faster
– Reduce Costs
– Better
– E-business, 24*7
– Merger/Acquisition/Takeover
– More Competition
– Cheaper
– B2B, B2C, SCM, CRM, ERP
– More customers

Page 43

IT Governance in the Old Days

[Figure: a central MIS (IM/IT) function serving HR, Finance, Marketing, Sales, Product Development and Other Departments]
– Central Control
– Controlled processes
– Controlled standards
– Leveraged skills
– Goal congruence
– "Ivory Towers"
– Too much control

Page 44

IT Governance Today

[Figure: HR, Finance, Marketing, Sales, Product Development and Other Departments each running its own IT alongside the central MIS (IM/IT)]
– Costs distributed
– Different Processes
– Multiple standards
– Lack of goal congruence
– Many skills needed
– Lack of control

Examples of the resulting diversity:
– Applications: SAP FI, PeopleSoft, Siebel CRM
– Networks: Banyan, AppleTalk, TCP/IP, DECnet, Netware IPX, Apollo TR, IBM TR
– Platforms and operating systems: IBM MF; MVS, VM, OS/2, Linux, AIX, Solaris, HPUX
– Management frameworks and methods: Microsoft MOF, IBM ITPM, Deloitte CIO Framework, HP ITSM v3, Rational UML


Where do we want to go?


Where do you want to be? (diagram: KPIs aggregated into scorecards and business value)

KPIs by dimension:
- People: skill rating, attrition rate, training, performance, cost
- Process: incidents per day, SLA exceptions, portfolio costs, production failure, cost
- Technology: server utilization, router MTBF, transactions / hour, availability, cost

Aggregation and Correlation of KPIs -> Dashboards, Mgmt Information, Decision Support

IT Balanced Scorecard -> Corporate Balanced Scorecard, each with objectives and measures per perspective (Corporate Perspective, User Perspective, Learning and Growth Perspective)

Business Value Assessment: evaluation to identify
1. efficiencies
2. cost savings
3. revenue generation opportunities…

Right-size and Optimize – Create Business Value: IT service management, server consolidation, telecom, …

Stakeholders: Marketing, Customer, Supplier, CxO, Plant Manager, Director, Manager, Staff


How can we get there?

IT Governance: Process, People, Technology


IT Drivers (diagram)

- Business vision, mission, objectives; Balanced Scorecard
- Business strategy: Marketing/Sales, R&D, Finance
- Regulations: SOX, GAAP, GAMP, HIPAA
- Governance framework: COBIT, ITIL, BS17799
- Standards, people: MCSE, MBA, MD, ITIL, CCNA, CA, CGA, …
- Standards, products: Cisco, IBM, Ford, IEEE 802.3, SUN NFS, VOIP, IP, Banyan Vines
- Internal interests: suppliers, vendors, experts
- Politics, social, economics, global warming


Typically in a Large Organization (diagram: Typical Large Corporation)

Organization: Region 1 - IT … Region X - IT; HR IT, Services IT, Finance IT, Prod Dev IT; IM/IT with Operations, Help Desk, App Dev, Arch./Eng., NT, Unix, MF, DB, Backup

Layers: People, Process, Products, Governance, Strategy

Processes (AA, BB, CC, A+C, XX, YY, ZZ, KK, LL, MM) are duplicated across the groups, with many separate CH instances scattered among them

Tools: INFOMAN, Remedy, Paper Forms, E-mail, Marval, Visio


Next Stage of IT Governance Maturity (diagram: Typical Large Corporation)

Organization: Region 1 - IT … Region X - IT; HR IT, Services IT, Finance IT, Prod Dev IT; IM/IT with Operations, Help Desk, App Dev, Arch./Eng., NT, Unix, MF, DB, Backup

Layers: People, Process, Products, Governance, Strategy

Processes: AA, BB, CC, A+C, XX, YY, ZZ, KK, LL, MM

Tools: INFOMAN, Remedy, ViaTIL, HP Service Desk, Service Center, Marval, Assyst, Heat, Magic, AllFusion


IT Governance Vision (diagram: Typical Large Corporation)

Organization: Region 1 - IT … Region X - IT; HR IT, Services IT, Finance IT, Prod Dev IT; IM/IT with Operations, Help Desk, App Dev, Arch./Eng., NT, Unix, MF, DB, Backup

Layers: Process, Products, Governance, Strategy, People

People: CH Mgr, CF Mgr, SL Mgr, COE

Processes: AA, BB, CC, A+C, XX, YY, ZZ, KK, LL, MM

Integrated Set of Service Management Tools

IT Governance Board, IT Strategy Committee


Document Processes


Deming: Plan, Do, Check, Act

Build a foundation with measurable processes, consolidated documentation, simplified procedures, and repeatable and reusable processes (e.g. GMP, TQM, ISO 9000).

Continuous Service Improvement Program: a formal recurring project undertaken within an organization to identify and introduce measurable improvements within a specified work area or process.

(diagram: Maturity Level rising over Time through repeated P-D-C-A cycles, towards Business to IT Alignment)

"In God we trust. All others bring data" – www.deming.org


Communicate, Collaborate, Cooperate


Mountainview Training

ITIL ITSM Certification
– Foundation - $995 private / $1295 public – Green badge
– Practitioner – IPSR, IPRC, IPAD – Blue Badge
– Service Manager – Red Badge

ISO/IEC 20000 Service Quality Management Foundation
ITIL / ISO / ITSM Workshops - including Awareness
Advance Process Design and Implementation
COBIT Foundations
and much more

Presented by: Jerry Kopan, CMC, ITSM, PrISM, B.Sc.
[email protected] (613)596-5170

Questions?


The End
