2. 2
3
Section 1: The IT SpaceSection 1: The IT Space
Application
Development
Data and
Operations Center
Service
Desk
IT Strategy
IT-Enabled
Services
4
The StandardsThe Standards
Industry
Sponsor
Group
Parent
Org.
Standard
3. 3
5
Gartner’s Review of ModelsGartner’s Review of Models
6
CMMI
Domain
Application ManagementApplication Management
Application Management
Application
Development
Service
Management
Plan Design Build OperateDeploy Support OptimizeDefine
Source: ITIL: Application Management (2002, p.7)
4. 4
7
Section 2: COBITSection 2: COBIT
COBIT:
• Control OBjectives for Information and related Technology
• 3rd edition—July 2000
Sponsorship:
• Open standard of IT Governance Institute
• Published by ISACA – The Information Systems Audit and Control
Association & Foundation
• Certified Information Systems Auditor certification – 23,000+ auditors
Focus:
• IT Governance - How does executive management fulfill its
responsibilities with respect to IT?
• Audit of IT operations
Source: COBIT Management Guidelines (2000)
8
Approach to Using COBITApproach to Using COBIT
Manage IT-related business risks:
• base use on business objectives in the COBIT Framework
• select IT processes and controls appropriate for the organization
from the COBIT Control Objectives
• operate from the organization business plan
• assess procedures and results with COBIT Audit Guidelines
• assess status of the organization, identify critical success factors,
measure performance with the COBIT Management Guidelines
To develop a sound set of processes:
• choose Control Objectives that fit the business objectives
• identify industry models that provide guidance for supporting
processes (CMMI, People CMM, ITIL, …)
5. 5
9
COBIT ArchitectureCOBIT Architecture
34 Information Technology control objectives:
• 11 planning and organization
• 6 acquisition and implementation
• 13 delivery and support
• 4 monitoring
318 detailed control objectives & audit guidelines:
• 3-30 detailed control objectives per process
Each IT process is supported by:
• 8-10 Critical Success Factors
• 5-7 Key Goal Indicators
• 6-8 Key Performance Indicators
Source: COBIT Management Guidelines (2000)
10
Evaluating COBIT ProcessesEvaluating COBIT Processes
Critical Success Factors:
• Management’s key issues to control and actions to take
• Focused on implementing and controlling the right processes
Key Goal Indicators:
• Indicators of whether an IT process has achieved its goals
• Focused on monitoring achievement of goals
Key Performance Indicators:
• Measures of how well an IT process is performing
• Focused on monitoring performance to predict goal achievement
Source: COBIT Management Guidelines (2000)
6. 6
11
Architectural ComparisonArchitectural Comparison
Measures in Directing
Implementation
Key performance
indicators
CMMICOBIT
Process AreasControl objectives
Measures in Directing
Implementation
Key goal
indicators
Practice level goalsCritical success
factors
PracticesDetailed control objectives
Architectural comparison is suggestive of relationships, but the
mapping between these elements is not exact.
Font sizes indicate relative scope of the element between models.
12
COBIT’s Maturity ModelCOBIT’s Maturity Model
Level 0Level 0
NonNon--existentexistent
Complete lack of recognizable processes
No recognition of issues to be addressed
Level 1Level 1
InitialInitial
Ad hoc processes developed case by case
Recognition of issues to be addressed
Level 2Level 2
RepeatableRepeatable
Similar procedures followed by people
performing the same task, but no training
Level 3Level 3
DefinedDefined
Standard, documented procedures based on
existing practice with no process assurance
Level 4Level 4
ManagedManaged
Process compliance monitored & measured
Constant improvement, some automation
Level 5Level 5
OptimisedOptimised
Processes refined to level of best practice
Automation integrates workflow
Source: COBIT Management Guidelines (2000)
7. 7
13
Maturity Model TypesMaturity Model Types
OrganizationalSingle process
DescriptivePrescriptive
Models that provide a simple
scale for assigning a level of
maturity to a single process
based on a generalized
characterization of its
behavior or results without
requiring that any specific
attributes be implemented.
Processes are appraised
independently and can be
rated at different levels
Models that provide a simple
scale for appraising the
attributes of an organization
and assign it to a level of
maturity based on a
generalized characterization
of its behavior or results
without requiring that specific
processes be implemented
Models that assign a specific
set of process attributes to
each maturity level and
require that for a process to be
rated at a specific level, all the
attributes at that level and all
lower levels must be
implemented for that process.
Processes are appraised
independently and can be
rated at different levels
Models that assign a specific
set of process areas to each
maturity level and require that
for an organization to be rated
at a specific level, all process
areas at that level and all
lower levels must be
implemented. Each process
area usually contains a
collection of practices for
implementing that process.
Focus of the Transformation
LeveltoWhichBest
PracticesAreCharacterized
14
Maturity Model TypesMaturity Model Types
OrganizationalSingle process
DescriptivePrescriptive
Focus of the Transformation
LeveltoWhichBest
PracticesAreCharacterized
CMMI
Staged
CMMI
Continuous
COBIT
ITIL Org.
Growth
People
CMM
Crosby Quality
Maturity Grid
ITIL Maturity
Model
8. 8
15
COBIT Maturity EvaluationsCOBIT Maturity Evaluations
Maturity comparisons for each IT process:
• Status of organization’s current process
• Status of best in class industry process
• Status of current industry standard guidelines
• Strategic objective for organizational improvement
Source: COBIT Management Guidelines (2000)
Non-existent
Initial
Repeatable
Defined
Managed
Optimised
Company
status
Industry
status
Industry
guidelines
Company
objectiveAI7
16
COBIT-MM vs. CMMsCOBIT-MM vs. CMMs
Not mapped to CMM’s view of maturity:
• Level 2 uses local procedures
• Level 3 compliance is not left to individuals
• Level 4 measurement focused on compliance not stability or
predictability
• Weak focus on continual improvement
• COBIT-MM is evolving and will include an assessment method
COBIT uses the continuous approach
• Process focus, not organizational focus
• No roadmap for implementation
Confuses process maturity and auditability
9. 9
17
Planning & Organization—1Planning & Organization—1
CMMI L3—OEI
Level 3 issue
PO4—Define the IT organization
and relationships—deliver
the right IT services
CMMI—no clear referent
Level 3 issue
PO3—Determine technological
direction—exploit current and
emerging technology to achieve
business strategy
CMMI—no clear referent
Level 3 issue
PO2—Define the information
architecture—optimize the
organization and integration of
information systems
CMMI—no clear referent
Level 3 issue
PO1—Define a strategic IT
plan—align IT opportunities
with business requirements and
ensure accomplishment
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
18
Planning & Organization—2Planning & Organization—2
CMMI L2—REQM, PPQA
CMMI L3—RD, VAL
PO8—Ensure compliance with
external requirements—
meet legal, regulatory, and
contractual obligations
People CMM
CMMI—OT
Level 3 issue
PO7—Manage human
resources—sustain a
motivated, competent workforce
& ensure individual contributions
CMMI GP2.1—Policy
Level 2 issue
PO6—Communicate
management aims and
directions—ensure user
awareness of directions
CMMI—no clear referent
Level 3 issue
PO5—Manage the IT
investment—ensure funding
and control of financial
resources
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
10. 10
19
Planning & Organization—3Planning & Organization—3
CMMI L2—REQM
CMMI L3—RD, TS, VER, VAL
PO11—Manage quality—meet IT
customer requirements
CMMI L2—REQM, PP, PMC
CMMI L3—IPM, RSKM
PO10—Manage projects—set
priorities and deliver on time and
within budget
CMMI L2—PP
CMMI L3—RSKM
PO9—Assess risks—support
management decisions and
reduce threats
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
20
Acquisition & Implementation—1Acquisition & Implementation—1
CMMI L3—RD, TSAI4—Develop and maintain
procedures—ensure proper
use of applications and technical
solutions deployed
CMMI L2—CM
CMMI L3—RD, TS
AI3—Acquire and maintain
technology infrastructure—
provide appropriate platforms to
support business applications
CMMI L2—SAM
CMMI L3—RD, TS, VA, IPM, ISM
AI2—Acquire and maintain
application software—
provide automated functions to
support business processes
CMMI L2—REQM, SAM
CMMI L3—RD, TS, RM, DAR,
ISM
AI1—Identify automated
solutions—ensure effective,
efficient approach to satisfy user
requirements
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
11. 11
21
Acquisition & Implementation—2Acquisition & Implementation—2
CMMI L2—REQM, CMAI6—Manage changes—minimize
disruption, unauthorized
changes, and errors
CMMI L3—VER, VALAI5—Install and accredit
systems—confirm that solution
is fit for intended purpose
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
22
Delivery and Support—1Delivery and Support—1
CMMI—no clear referent
Level 2&3 issue
DS4—Ensure continuous
service—make IT services
available and minimize business
impact in case of disruption
CMMI L3—RD, TSDS3—Manage performance and
capacity—ensure that
adequate capacity is available
and used to best effect
CMMI L2—SAM
CMMI L3—ISM
DS2—Manage third party
services—ensure that third
party responsibilities are defined
and met
CMMI L2—REQM, PP, PMC
CMMI L3—IPM
DS1—Define and manage
service levels—establish a
common understanding of the
level of service required
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
12. 12
23
Delivery and Support—2Delivery and Support—2
CMMI—no clear referent
Level 3 issue
DS8—Assist and advise
customers—ensure problems
experienced by users are
resolved
People CMM
CMMI L3—OT
DS7—Educate and train users—
ensure users make effective use
of technology and are aware of
responsibilities
CMMI—no clear referent
Level 3 issue
DS6—Identify and allocate
costs—ensure awareness of
costs attributable to IT services
CMMI—no clear referent
Level 2&3 issue
DS5—Ensure system security—
safeguard information against
unauthorized use, disclosure,
modification, damage, or loss
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
24
Delivery and Support—3Delivery and Support—3
People CMM—WEDS12—Manage facilities—provide
physical environment that
protects people and equipment
against hazards
CMMI L2—PP, PMCDS11—Manage data—ensure data
remains complete, accurate, and
valid during input, update, and
storage
CMMI—no clear referent
Level 3 issue
DS10—Manage problems and
incidents—ensure problems
and incidents are resolved and
causes investigated
CMMI L2—CMDS9—Manage the
configuration—prevent
unauthorized alteration, verify
existence, provide change mgt.
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
13. 13
25
Delivery and Support—4Delivery and Support—4
CMMI—no clear referent
Level 3 issue
DS13—Manage operations—
ensure IT support functions are
performed regularly in an orderly
fashion
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
26
Monitoring—1Monitoring—1
CMMI L2—PPQAM4—Provide for an independent
audit—ensure proper use of
applications and technical
solutions deployed
CMMI L2—PPQAM3—Obtain independent
assurance—increase
confidence and trust among IT,
customers, and suppliers
CMMI L2—PMC
CMMI L3—IPM
M2—Assess internal control
adequacy—ensure
achievement of internal control
objectives for IT processes
CMMI L2—PMCM1—Monitor the processes—
ensure achievement of
performance objectives set for IT
processes
Process Maturity FrameworkCOBIT
Source: COBIT Management Guidelines (2000)
14. 14
27
CMMI-COBIT CoverageCMMI-COBIT Coverage
CMMICOBIT
CMMI provides for monitoring functions at the
project level, but does not involve audit controls
at the organizational level
Monitoring
CMMI’s management processes can be translated
to support the management of service levels,
third parties, capacity, problems, and data;
however continuous operation and user support
services are not well covered in CMMI
Delivery and
Support
CMMI provides excellent coverage for achieving
acquisition and implementation objectivesAcquisition and
Implementation
CMMI provides light support for achieving
organization-wide objectives, but better support
for objectives with greater project focus such as
requirements, risks, quality, and project mgt.
Planning and
Organization
28
CMMI-COBIT SummaryCMMI-COBIT Summary
CMMI and COBIT have different objectives:
• COBIT focuses on governance of all IT functions
• CMMI focuses on improving application development processes
CMMI and COBIT are complementary:
• Use COBIT to appraise overall management of IT
• Use CMMI to appraise the maturity of application development
Use CMMI to guide the implementation of
control processes for:
• acquisition and implementation processes
• project management processes
• some delivery and support processes
16. 16
31
ITIL Publication FrameworkITIL Publication Framework
Source: ITIL: Planning to Implement Service Management (2002, p.4)
T
h
e
B
u
s
i
n
e
s
s
T
h
e
T
e
c
h
n
o
l
o
g
y
Planning to Implement Service Management
Application Management
The
Business
Perspective
ICT
Infra-
structure
Management
Service
Management
Service
Support
Service
Delivery
Security
Management
32
ITIL Topic Areas—1ITIL Topic Areas—1
Service Delivery:
• Service level management
• Financial management for IT services
• Capacity management
• IT service continuity management
• Availability management
Service Support:
• Service desk
• Incident management
• Problem management
• Change management
• Release management
• Configuration management
17. 17
33
ITIL Topic Areas—2ITIL Topic Areas—2
ICT Infrastructure Management:
• Design and planning
• Deployment
• Operations
• Technical support
Applications Management:
• Managing business value
• Aligning delivery strategy with business drivers
• Application management lifecycle
• Organizing roles and functions
• Control methods and techniques
34
ITIL Topic Areas—3ITIL Topic Areas—3
Planning to Implement Service Mgt
Security Management
Software Asset Management
The Business Perspective
18. 18
35
ITIL-Related ModelsITIL-Related Models
ITIL
HP ITSM Reference Model
IBM IT Process Model
Microsoft MOF
Etc., etc., etc.
36
The ITIL ProcessesThe ITIL Processes
PP, PMC, SAM, ISM, SAMProject Management
Environmental Infrastructure
Security Management
RM, TS, PI, VE, VA, ISMApplication Management
Configuration ManagementConfiguration Management
Configuration ManagementChange Management
Configuration ManagementRelease Management
Incident Management
Verification, Causal Analysis & Res.Problem Management
Service Desk
Service Level Management
Capacity Management
Financial Mgt. for IT Services
Customer Relationship Management
ICT Infrastructure Management
CMMI PAITIL Process
Source: ITIL: Service Support (2002, p.11-16)
19. 19
37
Service management
CMMI
domain
Application development
Application Mgt. LifecycleApplication Mgt. Lifecycle
RequirementsRequirements
OperateOperate
DesignDesign
BuildBuild
DeployDeploy
OptimizeOptimize
Source: ITIL: Application Management (2002, p.7)
38
ITIL-AM: RequirementsITIL-AM: Requirements
RD-Analyze and validate requirements
• Establish operational concepts & scenarios
• Establish definition of required functionality
• Analyze requirements
• Analyze requirements to achieve balance
• Validate reqts with comprehensive models
RD-Develop product requirements
• Establish product & product-component reqts.
• Allocate product-component reqts.
• Identify interface requirements
RD-Develop customer requirements
• Elicit needs
• Develop the customer requirements
RM-Manage requirements:
• Obtain understanding of requirements
• Obtain commitment to requirements
• Manage requirements changes
• Maintain bi-directional traceability
• Identify inconsistencies between project work and
requirements
Functional requirements
Non-functional requirements
Usability requirements
Change cases
Testing requirements
Requirements management checklist
Organization of the requirements team
CMMIITIL Application Management
Source: ITIL: Application Management (2002), CMMI (2003)
20. 20
39
ITIL-AM: DesignITIL-AM: Design
TS-Implement the product design
•Implement the design
•Develop product support documentation
TS-Develop the design
•Design the product or product component
solution
•Establish a technical data package
•Design interfaces using criteria
•Perform make, buy, or reuse analyses
TS-Select product component
solutions
•Develop detailed alternatives and selection
criteria
•Evolve operational concepts & scenarios
•Select product component solutions
Design for non-functional
requirements/manageability
Risk-driven scheduling
Managing tradeoffs
Application-independent design
guidelines and application
frameworks
Design management checklist
Problems with design guidelines
Testing the requirements
Organization of the design team
CMMIITIL Application Management
Source: ITIL: Application Management (2002) ), CMMI (2003)
40
ITIL-AM: Build—1ITIL-AM: Build—1
PI-Assemble product deliver product
•confirm readiness for integration
•Assemble product components
•Evaluate assembled components
•Package and deliver the product or
component
PI-Ensure interface compatibility
•Review interface description for
completeness
•Manage interfaces
PI-Prepare for product integration
•Determine integration sequence
•Establish the integration environment
•Establish integration procedures and criteria
Consistent coding conventions
Application-independent building
guidelines
Operability testing
Build management checklist
Organization of the build team
CMMIITIL Application Management
Source: ITIL: Application Management (2002) ), CMMI (2003)
21. 21
41
ITIL-AM: Build—2ITIL-AM: Build—2
VE-Analyze selected work products
•Perform verification
•Analyze verification results and identify
corrective action
VE-Perform peer reviews
•Prepare for peer reviews
•Conduct peer reviews
•Analyze peer review data
VE-Prepare for verification
•Select work products for verification
•Establish the verification environment
•Establish verification procedures and criteria
Consistent coding conventions
Application-independent building
guidelines
Operability testing
Build management checklist
Organization of the build team
CMMIITIL Application Management
Source: ITIL: Application Management (2002) ), CMMI (2003)
42
ITIL-AM: DeployITIL-AM: Deploy
Organization of the deployment team
Deployment management checklists
Pilot deployments
Distributing applications
Approving the deployment
Planning the deployment
CMMIITIL Application Management
Source: ITIL: Application Management (2002)
22. 22
43
ITIL-AM: OperateITIL-AM: Operate
Organization of the operations team
Operations management checklist
Benefits of an application
Application state
Day-to-day maintenance activities to
maintain service levels
CMMIITIL Application Management
Source: ITIL: Application Management (2002)
44
ITIL-AM: OptimizeITIL-AM: Optimize
Organization of the optimization team
Optimization management checklist
Application review process
CMMIITIL Application Management
Source: ITIL: Application Management (2002)
23. 23
45
Service Delivery ProcessesService Delivery Processes
Source: ITIL: Planning to Implement Service Management (2002, p.7)
Availability
Management
Capacity
Management
Service Level
Management
Financial
Management
Continuity
Management
Alerts &
exceptions,
Changes
Requirements
Targets,
Achievements
46
ITIL-SD: Service Level Mgt.ITIL-SD: Service Level Mgt.
PP SG 3Service level agreement
OPF, OIDService improvement program
PMCMonitor and report service delivery
PP SG 3Operational level agreements
REQM, RDService level requirements
Service catalogue
PPPlanning service delivery
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
24. 24
47
ITIL-SD: Financial Mgt.ITIL-SD: Financial Mgt.
Managing variances
Financial operation and reporting
Implementing IT financial mgt
Planning IT financial mgt
IT charging system
IT accounting system
Budgeting
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
48
ITIL-SD: Capacity Mgt.ITIL-SD: Capacity Mgt.
Capacity planning
Application sizing
QPMModeling
Demand management
Implementation
OPP, OIDTuning
OPPAnalysis
PMC SG1Monitoring
Resource capacity management
Service capacity management
Business capacity management
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
25. 25
49
ITIL-SD: Continuity Mgt.—1ITIL-SD: Continuity Mgt.—1
VERInitial testing
OPD, TSDevelop procedures
RSKMImplement risk reduction measures
PPDevelop recovery plans
Implement standby arrangements
PPOrg. and implementation planning
Business continuity strategy
RSKMRisk assessment
Business impact analysis
Initiate business continuity mgt.
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
50
ITIL-SD: Continuity Mgt.—2ITIL-SD: Continuity Mgt.—2
VAL, PPQAAssurance
OTTraining
CMChange management
Tuning
VER, PPQAReview and audit
OTEducation and awareness
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
26. 26
51
ITIL-SD: Availability Mgt.ITIL-SD: Availability Mgt.
PPAvailability planning
PMC SG2Availability problem prevention
PMC SG2Availability problem detection
PMC SG1Monitoring and trend analysis
MAAvailability measures and reporting
REQMAvailability targets
CARFailure impact analysis
REQM, RDAvailability requirements
CMMIITIL Service Delivery
Source: ITIL: Service Delivery (2001)
52
Service Support ProcessesService Support Processes
Source: ITIL: Planning to Implement Service Management (2002, p.6)
Incident
Management
Problem
Management
Change
Management
Release
Management
Configuration
Management
Incidents
Changes
Releases
Configuration
Management
Repository
27. 27
53
ITIL-SS: Incident Mgt.ITIL-SS: Incident Mgt.
Ownership, monitoring, tracking, and
communication
Incident closure
Resolution and recovery
Investigation and diagnosis
Classification and initial support
Incident detection and recording
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
54
ITIL-SS: Problem Mgt.ITIL-SS: Problem Mgt.
Problem/error resolution recording
VER SP3.2Error closure
VER SP3.2Error resolution recording
VER SP3.2Error assessment
VER SP3.2Error identification and recording
VER SP3.2, CAR SP1.2Problem investigation and diagnosis
CAR SP1.1Problem classification
Problem identification and recording
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
28. 28
55
ITIL-SS: Configuration Mgt.ITIL-SS: Configuration Mgt.
Configuration management service
CM SP1.2CMDB backups, archives, and
housekeeping
CM SP3.2Configuration verification and audit
CM SP3.1Configuration status accounting
CM SP1.2, SP2.2Control of configuration items
CM SP1.1Configuration identification
CM GP2.2Configuration management planning
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
56
ITIL-SS: Change Mgt.—1ITIL-SS: Change Mgt.—1
CM SP2.2Change building, testing, and
implementation
CM SP2.2Change scheduling
CM SP2.2Change approval
CM SP2.1Impact and resource assessment
CM SP2.2Change Advisory Board meetings
CM SP2.1Change categorization
CM SP2.1Allocation of priorities
CM SP2.1Change logging and filtering
CM GP2.2Planning the implementing of
operational processes
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
29. 29
57
ITIL-SS: Change Mgt.—2ITIL-SS: Change Mgt.—2
CM GP2.4Roles and responsibilities
CM GP2.8, GP2.9, P2.10Reviewing the change management
process for efficiency & effectiveness
CM SP2.2Change review
CM SP2.2Urgent change building, testing, and
implementation
CM SP2.2Urgent change scheduling
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
58
ITIL-SS: Release Mgt.ITIL-SS: Release Mgt.
Distribution and installation
Communication, preparation, and
training
CM GP2.2Rollout planning
VE SP3.1Release acceptance
CM SP1.3Designing, building, and configuring a
release
CM GP2.2Release planning
CMMIITIL Service Support
Source: ITIL: Service Support (2000)
30. 30
59
ICT Infrastructure Mgt.ICT Infrastructure Mgt.
Source: ITIL: ICT Infrastructure Management (2002, p.9)
Design and planning Deployment Operation
Technical support
60
ITIL-ICT: Design & PlanningITIL-ICT: Design & Planning
Review progress of the plan
Design and implement a plan
Define desired state
Review current position
Strategic management
CMMIITIL ICT Infrastructure Mgt.
Source: ITIL: ICT Infrastructure Management (2002)
32. 32
63
ITIL-ICT: Technical SupportITIL-ICT: Technical Support
PP SG 2Document management
SAM, ISMSupplier management
Research and development
CMMIITIL ICT Infrastructure Mgt.
Source: ITIL: ICT Infrastructure Management (2002)
64
BS 15000 ProcessesBS 15000 Processes
Service Delivery Processes
Control Processes
Configuration Management
Change Management
Release
Process
Release Management
Resolution
Processes
Incident Management
Problem Management
Relationship
Processes
Business
Relationship
Management
Supplier Management
Capacity Management
Service Continuity
and Availability
Management
Information
Security
Management
Budgeting and
Accounting for
IT Services
Service Level
Management
Service Reporting
Source: BS 15000-2: Service Management (2003)
33. 33
65
Maturity of IT OrganizationsMaturity of IT Organizations
Technology Stage 1
Product/Service Stage 2
Customer focus Stage 3
Business focus Stage 4
Value chain Stage 5
high
low
Influenceonthebusiness
Organization Growth Model
Source: ITIL: Planning to Implement Service Management (2002, p.27)
66
ITIL’s Maturity ModelITIL’s Maturity Model
Process has strategic objectives that are
institutionalized, self-contained improvements
creating a pre-emptive capability.
5
Optimized
Process fully accepted in IT, with targets based on
business goals. Proactive and integrated with
other IT service management processes
4
Managed
Documented process with process owner, but no
formal recognition of its role in IT.
Clearly defined and occasionally proactive
3
Defined
Process activities are uncoordinated, without
direction, focused on process effectiveness.
Defined processes and procedures, largely reactive
2
Repeat-
able
Little process management activity.
Loosely defined processes and procedures, totally
reactive, irregular unplanned activities
1
Initial
CharacterizationLevel
Source: ITIL: Planning to Implement Service Management (2002, p.187-190)
34. 34
67
IT-Business AlignmentIT-Business Alignment
Business objectives should
be reflected in all levels of IT.Key Business
Drivers
Service Level
Requirements
Operational Level
Requirements
Process
Requirements
Skill
Requirements
Technology
Requirements
Application
Characteristics
Data
Characteristics
Infrastructure
Characteristics
Business
Function
IT Service
IT System
IT Processes
IT People
Technology
Applications
Data
Infrastructure
SLAs
OLAs
Strategic
Alignment
Objectives
Model
(SOAM)
Source: ITIL: Application Management (2002, p.14)
68
Rethinking Issues by LevelRethinking Issues by Level
Project level configuration management issues in
CMMI space may become organizational issues in IT
Transaction integrityNew
issue
Level 2 – local unit
Level 3 – service-wide
Level 2 - projectLevel
Not under local control
(different functional units)
Under local control
(project)
Control
Service components
(system components,
service processes, forms,
training, etc.)
System components,
documentation, tools,
environment, etc.
Content
ITCMMICM
35. 35
69
Using ITIL and CMMIUsing ITIL and CMMI
ITIL and CMMI best apply to different parts of
the IT organization:
• Use CMMI in application development
• Use CMMI in ICT Infrastructure projects
• Use ITIL in IT operations and services
The problem—service level application
activities:
• Option 1—treat each modification/enhancement as a project—
CMMI (may require translation)
• Option 2—treat the service level agreement as a project—CMMI
(requires translation)
• Option 3—treat the service level agreement as a service—ITIL
70
SummarySummary
CMMI, COBIT, and ITIL (BS 15000) provide
complementary models for different IT
functions:
• Use CMMI and ITIL to implement practices that support COBIT
control objectives
• Apply CMMI or ITIL to appropriate parts of the IT organization
• Select appraisal/certification methods based on appropriateness
of fit to the IT processes to be assessed
Draw from all standards when designing and
implementing processes to ensure a more
complete and robust implementation
36. 36
71
Relevant WebsitesRelevant Websites
www.itgi.org IT Governance Institute
www.isaca.org Information Systems Audit and Control Assoc.
www.itil.co.uk UK Office of Government Commerce
www.itsmf.com IT Service Management Forum
www.sei.cmu.edu Software Engineering Institute
www.ndia.org National Defense Industrial Assoc.
72
Dr. Bill CurtisDr. Bill Curtis
Bill Curtis is the Chief Process Officer of Borland Software Corp. Prior to its
acquisition by Borland, he was the Co-founder and Chief Scientist of
TeraQuest in Austin, Texas. He is a former Director of the Software
Process Program in the Software Engineering Institute at Carnegie Mellon
University. He is a co-author of the Capability Maturity Model for Software,
and is the principal architect of the People CMM. Prior to joining the SEI,
Dr. Curtis directed research on advanced user interface technologies and
the software design process at MCC, developed a global software
productivity and quality measurement system at ITT’s Programming
Technology Center, evaluated software development methods in GE Space
Division, and taught statistics at the University of Washington.
P.O. Box 126079
9108 Benview Court
Fort Worth, Texas 76126-0079
1-817-228-2994
curtis@borland.com