
IT Governance – Leveraging ITIL® v2/v3 for Governance Success
Greg Charles, Ph.D.
VP and Senior Advisor,
Global Customer Success Group
Western U.S. ITIL, Governance &
Best Practices Lead
CA, Inc.
May 2008
IT Governance
Defined as: the management of risk and compliance.
“The overall methodology by which IT is directed, administered and controlled”
(Diagram: Governance and Compliance shown as the two halves of IT Governance)
July 28, 2017
Copyright © 2008 CA
Three Pillars of IT Governance
> Infrastructure Management
> IT Use/Demand Management
> IT Project Management
Managing Ever-Increasing Complexity
The Business World View
(Diagram: the end user reaches the portal, web servers and applications through a network of routers, switches, firewalls and load balancers; behind them sit databases, the mainframe, web services, 3rd-party applications and packaged systems such as SAP, PSFT, Siebel and Identity Manager. To the business the whole stack is a black box.)
The Cruel Reality
(Diagram, source: Gartner: the same applications wired together point-to-point by screen scrapes, download files, transaction files, message queues, sockets, RPC, ORBs, APPC and CICS gateways)
Addressing These Challenges: Improving Engagement and Efficiency
WHAT IS ENGAGEMENT? Doing the Right Things: IT’s ability to partner with the business to maintain alignment and maximize return from IT investments.
WHAT IS EFFICIENCY? Doing Things Right: IT’s ability to make the best use of its people, budgets and assets.
Obstacles Prevent Effective Engagement
Overwhelming Demand:
- Unstructured capture of requests and ideas
- No formal process for prioritization and trade-offs
- Reactive vs. proactive
IT and Biz Divide:
- Business thinks in IT services – IT delivers in technology terms
- Costs disassociated with services
IT Seen as Black Box:
- Business lacks visibility
- Poor customer satisfaction
Disparate Systems Reduce Efficiency:
- No single system of record for decision-making
- IT management systems siloed
- Relevant metrics hard to obtain
- Disparate systems costly to maintain and upgrade
IT Governance Landscape
How to Improve Engagement?
Structured IT Governance Process
Integrated Demand Management
- Capture, catalog, and prioritize all demand
- Manage service requests from help desks
- Match resources to highest-value initiatives
Comprehensive Portfolio Management
- Services, projects, assets, applications
- Systematic evaluation and prioritization
- Map controls to compliance requirements
- 100% visibility into strategic initiatives
- A single invoice to the customer for all services
Business Intelligence for the BRM (Business Relationship Manager)
- Visibility into all services that support the LOB (line of business)
- Detailed cost invoices
How to Improve Efficiency?
Comprehensive Management
Empower the PMO
- Automate, enforce, and report on process compliance
World-Class Project Execution
- Leverage best practices across the entire project portfolio
- Rapid time to value
Comprehensive Resource Management
- Drive maximum utilization of in-house and outsourced resources
- Capture time and allocate staff for any type of investment
- Advanced resource management capabilities
Scalable, Transparent Status Capture
- Capture time and cost of all activities in a single repository for charge-backs and reporting
- Capture asset costs through integration with the Asset Management solution
Approaches Currently In Use
> Business As Usual - “Firefighting”
> Legislation - “Forced”
> Best Practice Focused
Best Practices
Quality & Control Models
• ISO 900x
• COBIT®
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• ITIL®
• Application Service Library (ASL)
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
ITIL® v2 to v3
(Diagram: the ITIL® v2 library, arranged between “The Business” and “The Technology”)
- Introduction to ITIL
- Planning To Implement Service Management
- Service Management: Service Support, Service Delivery
- The Business Perspective
- ICT Infrastructure Management
- Security Management
- Application Management
- Software Asset Management
- Small-Scale Implementation
ITIL® v2 Service Support Model
(Diagram reconstructed as an outline)
The Business, Customers or Users raise difficulties, queries and enquiries with the Service Desk and receive communications, updates and work-arounds; monitoring tools raise incidents directly.
Service Desk: customer survey reports
Incident Management: service reports, incident statistics, audit reports
Problem Management: problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
Change Management: change schedule, CAB minutes, change statistics, change reviews, audit reports
Release Management: release schedule, release statistics, release reviews, secure library, testing standards, audit reports
Configuration Management: CMDB reports, CMDB statistics, policy standards, audit reports
CMDB holds: incidents, problems, known errors, changes, releases, CIs and their relationships
ITIL® V2 Service Delivery Model
(Diagram reconstructed as an outline)
Business, Customers and Users exchange requirements, targets and achievements with Service Level Management, and receive communications, updates, reports, queries and enquiries.
Service Level Management: SLAs, SLRs, OLAs; service reports; service catalogue; SIP (service improvement programme); exception reports; audit reports
Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
Capacity Management: capacity plan, CDB (capacity database), targets/thresholds, capacity reports, schedules, audit reports
Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements defined, control centers, DR contracts, reports, audit reports
Management tools feed alerts and exceptions into the processes; the processes raise changes.
IT Governance and ITIL® Version 3
Service Strategies
> Service Strategy Process
  - Strategy Generation
  - IT Financial Management
  - Service Portfolio Management
  - Demand Management
> Organizational Development & Design
> Implementing Service Strategy
Service Design
Service Management Blueprint
> Service Design Principles
> Service Design Process
  - Service Portfolio Design
  - Service Catalogue Mgmt
  - Service Level Mgmt
  - Capacity Mgmt
  - Availability Mgmt
  - Service Continuity Mgmt
  - Information Security Mgmt
  - Supplier Mgmt
> Service Design Technology
> Service Design Implementation
Service Transition
> Service Transition Principles
> Service Transition Process
  - Change Management
  - Service Asset & Configuration Mgmt
  - Knowledge Management
  - Service Release Planning
  - Performance and Risk Evaluation
  - Acquire Assets, Build and Test Release
  - Service Release Acceptance Test and Pilot
  - Deployment, Decommission and Transfer
Service Operation
> Service Operation Principles
> Service Operation Process
  - Event Management
  - Incident Management
  - Request Fulfillment
  - Problem Management
  - Access Management
> Common Service Operation Activities
  - IT Operations (console, job scheduling etc.)
  - Mainframe Support
  - Server Mgmt and Support
  - Desktop Support, Middleware Mgmt, Internet/Web Mgmt
  - Application Mgmt Activities
> IT Security
> Organization Service Operation
  - Service Desk
  - Technical Management
  - IT Operations Management
  - Application Management
> Service Design Implementation
Continual Service Improvement
> Continual Service Improvement Principles
> Continual Service Improvement Process
  - Measurement and Control
  - Service Measurement
  - Service Assessment and Analysis
  - Service Level Management
> Organizing for Continual Service Improvement
(Diagram: the ITIL® V3 lifecycle with the IT Governance overlay, reconstructed as an outline; each stage lists the governance disciplines that wrap it and what it hands to the next stage)
The Business / Customers supply Requirements.
Service Strategy: IT Governance (Demand, Risk & Control, Service Portfolio, Project Financial Mgmt, Business Relationship Mgmt, and Process Management). Produces objectives from requirements, resources and constraints, policies and strategies.
Service Design: IT Governance (New Product Development, Project Mgmt, Resource Mgmt, Financial Mgmt, and Demand Mgmt). Produces the Service Portfolio, Service Catalogue, standards, architectures, solution designs and SDPs.
Service Transition: IT Governance (Demand, Resource, Process Mgmt, Project Mgmt). Produces the SKMS, tested solutions and transition plans.
Service Operation: IT Governance (Resource Mgmt, Project Mgmt, and Process Management). Produces operational services and operational plans.
Continual Service Improvement: IT Governance (Process Mgmt, Project Mgmt, and Bus Relationship Mgmt). Produces improvement actions & plans.
IT Governance Model
(Diagram reconstructed as a list of the frameworks it maps)
- Audit Models: Sarbanes-Oxley, COSO, US Securities & Exchange Commission, COBIT®
- Quality Systems & Mgmt. Frameworks: ISO, Six Sigma
- IT Planning: IS Strategy
- Project Mgmt.: PMI PMBOK, PRINCE2 (TSO)
- App. Dev. (SDLC): CMMi
- IT Security: ISO 17799
- Service Mgmt.: ITIL®, BS 15000, ISO 20000
- IT Operations: ASL
COBIT® (Control Objectives for Information and related Technology)
> Focused on IT standards and audit, COBIT® is jointly “owned/maintained” by ITGI (IT Governance Institute) and ISACA (Information Systems Audit and Control Association)
> Based on over 40 international standards
> Supported by over 150 IT Governance chapters
– www.itgi.org
– www.isaca.org
Best Practices:
Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
The COBIT® Cube
(Diagram: the COBIT® cube, one face labelled Business Requirements)
- 4 Domains
- 34 Processes
- 318 Control Objectives (215 in COBIT® 4.0)
COBIT® Domains - Summary
- Planning & Organization (PO process domain)
- Acquisition & Implementation (AI process domain)
- Delivery & Support (DS process domain)
- Monitoring (M process domain)
How to Make IT a Reality?
Key Success Factors
Theory (ITIL® / COBIT® / etc.)
- Guidelines for best practices
- Provides the theory but does not always define the process
- Education is an important component
Process
- Convert theory into a process that fits the unique needs of the organization
- Training & education
- Tool configuration
Technology (CA and others)
- Provides the technology that enables and automates the process
- Repeatability, compliance & notifications
- Implements processes that would be impossible without technology
Making IT Easier
(Diagram: a four-step maturity ladder, with ROI realised at each step and quantitative metrics throughout)
1-Active: ability to respond to problems and faults
2-Efficient: ability to automate responses, streamline processes, consolidate resources
3-Responsive: ability to manage service levels and provide the services that are important to the business
4-Business-Driven: ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
(Blueprint flowcharts for maturity Levels 1 to 4, reconstructed as an outline; the same vulnerability-management flow appears at each level with more automation added.)
Vulnerability management flow:
- New Asset? YES: Discover Assets; Agent Based Scanning Initiated; Define Standard Builds; Ensure Backup of Critical Assets. NO: Network Scan Group (scheduled).
- Define Policy In Network Scanner; Network Scan; Penetration Test (Attack & Penetration Performed); Detect Vulnerabilities; Document Post Scan Results; Generate Report.
- Assess Business Impact; Assign Priority.
- Patch Needed? YES: Patch Available? YES: Patch Tested? YES: Patches sent to Vulnerability Management Group; Request for Change; Software Delivery. NO (no patch, or patch untested): Manual Process To Remove Vulnerabilities.
- Config. Change Needed? YES: Initiate Change; Order and complete Business Impact Analysis; Systems configuration changed and rebooted; Verification Rescan.
- Fixed? YES: Update CMDB; Audit Asset; Re-Test; Notification to User Population. NO: Document problems with incident ticket; Restore Image.
Security-to-incident-resolution flow:
- IDS raises a Security Incident (Acceptable Use Violation, Denial Of Service, Information Theft, Probe, Social Engineering, Unauthorized Use, Resource Modification); New Incidents go to the Computer Incident Response Team; Investigation In Progress; Vulnerability Identified? YES: feed into the vulnerability flow above. Integrated Security Event Prioritization is added at the higher levels.
Customer maturity isolates the appropriate transition point, blueprint & ROI.
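The decision diamonds in the vulnerability-management blueprint above (Assess Business Impact, Assign Priority, Patch Needed? / Available? / Tested?, Config. Change Needed?, Verification Rescan, Fixed?) written out as an added Python example. This is illustration code, not CA's or any CA product's logic: the asset records, scan findings, the 1 to 5 business-impact scale, the 1 to 10 scanner severity scale, the P1 to P4 thresholds and the finding ids are all constructed assumptions.

```python
"""Route scan findings through the blueprint's decision diamonds:
Assess Business Impact -> Assign Priority -> Patch Needed? -> Patch Available?
-> Patch Tested? -> Request for Change / Manual Process -> Verification Rescan -> Fixed?

Added example, not CA's code. All sample data and scales below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int   # from the Business Impact Analysis, assumed 1 (low) .. 5 (critical)
    backed_up: bool        # "Ensure Backup of Critical Assets" precondition


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # scanner's finding id; constructed, not a real advisory id
    severity: int          # scanner severity, assumed 1 .. 10
    patch_needed: bool
    patch_available: bool
    patch_tested: bool
    config_change_needed: bool = False


def assign_priority(f: Finding, a: Asset) -> str:
    """Assess Business Impact x severity -> P1..P4 (thresholds are assumptions)."""
    score = f.severity * a.business_impact       # 1 .. 50
    if score >= 35:
        return "P1"
    if score >= 20:
        return "P2"
    if score >= 10:
        return "P3"
    return "P4"


def route(f: Finding) -> str:
    """Walk the Patch Needed? / Patch Available? / Patch Tested? diamonds."""
    if f.patch_needed:
        if not f.patch_available:
            return "manual-remediation"   # Manual Process To Remove Vulnerabilities
        if not f.patch_tested:
            return "test-patch"           # hold the RFC until the patch is tested
        return "rfc-patch"                # Patches sent to VM group -> Request for Change
    if f.config_change_needed:
        return "rfc-config"               # Config. Change Needed? -> Initiate Change
    return "document-only"                # Document Post Scan Results, no change


def pre_change_blockers(a: Asset) -> list:
    """Checks that must clear before a change is applied to the asset."""
    blockers = []
    if a.business_impact >= 4 and not a.backed_up:
        blockers.append("backup-required")   # no Restore Image fallback without a backup
    return blockers


def verify(f: Finding, rescan_ids: set) -> str:
    """Verification Rescan -> Fixed?  rescan_ids = finding ids still open on the asset."""
    if f.vuln_id not in rescan_ids:
        return "fixed"
    return "not-fixed: document problems with incident ticket, restore image"


def plan(findings, assets) -> list:
    """Prioritised work list, highest priority first."""
    rows = []
    for f in findings:
        a = assets[f.asset]
        rows.append({"asset": f.asset, "vuln": f.vuln_id,
                     "priority": assign_priority(f, a),
                     "route": route(f),
                     "blockers": pre_change_blockers(a)})
    return sorted(rows, key=lambda r: r["priority"])


# Constructed sample data (assumptions, not from the slides).
SAMPLE_ASSETS = {
    "erp-db01": Asset("erp-db01", business_impact=5, backed_up=False),
    "web-03":   Asset("web-03",   business_impact=3, backed_up=True),
    "kiosk-7":  Asset("kiosk-7",  business_impact=1, backed_up=True),
}
SAMPLE_FINDINGS = [
    Finding("erp-db01", "VULN-A", 9, True, True, True),
    Finding("web-03",   "VULN-B", 7, True, True, False),
    Finding("web-03",   "VULN-C", 4, True, False, False),
    Finding("kiosk-7",  "VULN-D", 5, False, False, False, config_change_needed=True),
]
# Constructed result of the verification rescan: finding ids still reported per asset.
SAMPLE_RESCAN = {"erp-db01": set(), "web-03": {"VULN-C"}, "kiosk-7": set()}

if __name__ == "__main__":
    for row in plan(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(row)
    for f in SAMPLE_FINDINGS:
        print(f.vuln_id, verify(f, SAMPLE_RESCAN[f.asset]))
```

The one addition beyond the flowchart is `pre_change_blockers`: the blueprint puts "Ensure Backup of Critical Assets" before scanning, but the place it actually bites is just before a change is applied, because "Restore Image" on the Fixed? NO branch is only possible if that backup exists.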
Tools to Aid Success
- Maturity Model (the 1-Active to 4-Business-Driven ladder above, with ROI at each transition)
- Solution Sheets
- Transitional Maturity ROI Tool
- Process Model
- Customer / Partner Assessments
Blueprints: Process Model and Security Maturity Matrix
(Two diagrams, reconstructed as outlines. The first is the identity and access management process model used as the Process Model example; the second is the security maturity matrix that pairs the maturity levels (Active: Service Support; Efficient: Service Delivery; Responsive; Business-Driven) with organizational characteristics, technical capabilities, and services and solutions. Assessment tools shown alongside: Blueprints, Profilers, and an Importance vs. Capability chart covering Application Mgmt and Infrastructure Mgmt.)

IAM process model, by swim lane:
- CISO / Security Manager: Define IAM Policies, Processes, Workflows & Owners; Define ID and Password Stds; Define Role Mgt Stds; Define Policies & Stds for ID Provisioning and Reporting; Define Corporate Identity Directory, Entitlement Mgt & Security Web Services; Define Federated Trust Stds; Integration with Production Directory & Security Web Svcs; Periodic Policy Review.
- HR (new hire): Identity verified & Entered in HR; ID Allocated Automatically; Identity and Access Automatically Provisioned to LAN, Email, Corporate Directory, Authentication Technology, Security Web Services, Security Infrastructure, Business Apps, External Federated Services; New Hire Has Access to Business Applications Automatically; Incident Opened (if required by policy); Incident Closed.
- Facilities: User Building Access Provisioned Automatically.
- Employee (password): Self-serve Set New Password; Use New Password. Customer/Partner Forgets Password: Self-serve Reset Password; Incident Opened; Password Reset; Use New Password; Incident Closed.
- Business Manager (mover): Request Change in Application Access for New Project; Workflow Approval; Approve Access; User Access Changed; Access New App Resource; Incident Closed.
- Customer Relationship Manager (new customer or partner): Customer Defined; Customer Entered in Customer/Partner Relationship System; Customer/Partner Employee Enters Data Via Self-Serve Register; SPML Request From Customer/Partner; Delegated User Creation; User Access Reviewed / Set-up; Authorized Customer/Partner Employees have Access. Customer/Partner Changes Business Relationship (e.g. buys new product/service): Delegated Request Change in Application Access; Approve Access; User Access Changed. Customer/Partner User No Longer Needs Access: Delegated Request removal of Access; Customer access removed.
- HR (leaver): Employee Terminated/Retired; Employee removed from HR System; Automated Process to Deprovision User from Systems/Apps; Automated Process to Deprovision User from Facilities Access; Employee access removed; Incident Opened; User Deprovisioned; Incident Closed.
- Periodic Security Audit Scheduled: Provide List of Employees from HR System; Obtain Authoritative List of All Users/Roles Automatically; Automated Synchronization Process Compares Authoritative User & Role List with LAN & App User accounts; Excess Entitlements / Accounts? [Y]: User Entitlements Exceptions Report Generated Automatically; Workflow to Request Remediation; Incident Opened; User Deprovisioned; Incident Closed. [N]: Review current reports; Audit Reports Completed.
- Development Manager (new app): Develop/Acquire App; Validate App with ID / Passwd Stds; Validate App With Role Stds; Validate App Using Directory Services; Validate App with Provisioning System; Validate with SPML; Workflow for Security Review of Application; Produce Operations Manual for App; CMDB Change Impacting App deployment, Ownership, Access etc.
- Application Manager: Manage Application Security. IT Operations Manager and Incident Manager: Incident Opened / Incident Closed.

Security maturity matrix (items listed in the order they appear, lowest maturity first):
- Organizational characteristics: Dedicated Security Staff; Security Awareness Training; Basic Security Policy; Certified Security Staff; Security Awareness Training (IT, HR, Dev); CISSP Training; End User technology training in Anti-Spam prevention; Certified Security & IT Ops Staff; Staff trained in Threat Detection.
- Technical capabilities: Identify & Classify Assets; Anti-Virus Scanning; Manual Load OS Patches; Backup/Recovery; Developed Standard OS Configuration; Periodic Vulnerability Assessments; Configuration Management Process; Tracking of Vulnerability Activities; Agent-based Vulnerability Management; Agent-based Configuration Management; Automated Software Distribution Patch Process; Integrated VM and Helpdesk; CERT & Incident Resolution Process; Tracking of Threat & Forensics Events; Integrated Forensics Investigation; Audit Collectors; Integrated Security Event Prioritization; ITIL Compliant IT Operations Process; BCP/DR Management; IT Governance Management; Compliance Management & Reporting; Business Impact Correlation & Reporting; Policy and Process Monitoring.
- Services and solutions: Security Road Map Assessment; Vulnerability Assessment; Security Policies & Procedures; Anti-Spyware/Malware Solutions; eTrust VM Service; Implementing IT Svc Mgmt; Security Standards Development; Attack & Penetration Assessment; ITIL Training; Incident Response Program Development; Attack and Penetration Testing; Forensic Investigation Training; CERT Training; ISO17799 Program Development; Business Impact Analysis; Security Roadmap & Strategy Development; Compliance Oriented Architecture; Compliance Architecture Development; Security Business Portal Development; Business Correlation Rule Development; Technology Design, Implementation and Integration Services (AV, VM, etc.; VM, Backup/Recovery, Service Desk, etc.; Audit, SCC, Forensics, SCM, IDS, Pest Patrol; Compliance Oriented Architecture).
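The "Automated Synchronization Process Compares Authoritative User & Role List with LAN & App User accounts" step of the periodic security audit above, followed by the exceptions report and the remediation workflow, as an added Python example. It is not CA's code or the logic of any CA product; the HR feed, the role standard, the account exports, the account names and the entitlement strings are all constructed assumptions. It goes one step beyond the flowchart by distinguishing three kinds of exception (orphan account, leaver with a live account, excess entitlements) because each needs a different remediation.

```python
"""Entitlement reconciliation: compare the authoritative HR user/role list with
LAN and application accounts, flag orphan accounts, leavers with live accounts and
excess entitlements, then turn the exceptions into deprovision/revoke actions.

Added example, not CA's code. HR feed, role standard and account exports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntitlementException:
    system: str
    account: str
    owner: str
    reason: str
    entitlements: frozenset   # the offending entitlements (all of them for orphans/leavers)


# Authoritative list from HR: employee id -> (status, role).  Constructed.
HR_FEED = {
    "e1001": ("active", "dba"),
    "e1002": ("active", "finance-analyst"),
    "e1003": ("terminated", "finance-analyst"),
}

# Role standard: role -> entitlements that role is permitted to hold.  Constructed.
ROLE_STANDARD = {
    "dba": {"lan:server-ops", "erp:gl-read", "erp:db-admin"},
    "finance-analyst": {"erp:gl-read"},
}

# Account exports from the LAN directory and the ERP application:
# (system, account, owner employee id, entitlements).  Constructed.
ACCOUNT_EXPORT = [
    ("lan", "jdoe",      "e1001", {"lan:server-ops"}),
    ("erp", "jdoe",      "e1001", {"erp:gl-read", "erp:db-admin"}),
    ("erp", "asmith",    "e1002", {"erp:gl-read", "erp:gl-post"}),
    ("lan", "bjones",    "e1003", {"lan:server-ops"}),
    ("erp", "svc_batch", "e9999", {"erp:db-admin"}),
]


def reconcile(hr, role_standard, accounts) -> list:
    """One pass over every exported account; returns the exceptions report rows."""
    exceptions = []
    for system, account, owner, ents in accounts:
        record = hr.get(owner)
        if record is None:
            # Nobody in HR owns it: an orphan (often a forgotten service account).
            exceptions.append(EntitlementException(
                system, account, owner, "orphan account", frozenset(ents)))
            continue
        status, role = record
        if status != "active":
            # Leaver whose access the termination flow never removed.
            exceptions.append(EntitlementException(
                system, account, owner, "leaver with live account", frozenset(ents)))
            continue
        # Active employee: only the entitlements outside the role standard are exceptions.
        excess = set(ents) - role_standard.get(role, set())
        if excess:
            exceptions.append(EntitlementException(
                system, account, owner, "excess entitlements", frozenset(excess)))
    return exceptions


def remediation_actions(exceptions) -> list:
    """Workflow to Request Remediation: the concrete deprovision/revoke steps."""
    actions = []
    for e in exceptions:
        if e.reason == "excess entitlements":
            for ent in sorted(e.entitlements):       # keep the account, drop the extras
                actions.append(("revoke", e.system, e.account, ent))
        else:
            actions.append(("deprovision", e.system, e.account))   # whole account goes
    return actions


if __name__ == "__main__":
    report = reconcile(HR_FEED, ROLE_STANDARD, ACCOUNT_EXPORT)
    for e in report:
        print(f"{e.system}/{e.account} owner={e.owner}: {e.reason} {sorted(e.entitlements)}")
    for action in remediation_actions(report):
        print(action)
```

In practice the HR status and the role standard are the two inputs most worth protecting: if the role standard is over-broad (a role allowed everything), the excess-entitlement check silently finds nothing, so review the standard with the same rigour as the accounts it is judged against.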
Governance: Meeting Customer Needs
Leveraging Best Practices
Best Practices:
ITIL®, COBIT®,
COSO, ITAM, ITSM,
Six Sigma, etc.
The Result
Business-IT Integration (Diagram: Business and IT joined as one)