Using cobit to integrate build and run
1. Governing BUILD and RUN 11/17/2010
Harold Petersen
NUS ISS & Lucid IT Pte Ltd
Governing BUILD and RUN
12 November 2010
www.iss.nus.edu.sg
www.lucidit.com.sg 1
Agenda
IT Governance
RUN, BUILD
Integrating governance of RUN and BUILD
Case studies : good, bad, ugly
Conclusion : Now let's get real
IT Governance
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise's IT sustains and extends the organisation's strategies and objectives.
IT Governance specifies the decision rights and creates an accountability framework that encourages desirable use of IT - Weill and Ross (IT Governance, 2004)
Control Framework
Corporate Objectives
Setting the "tone at the top"
Legislation, etc. (e.g. SOX, Privacy, Fin. Mgt)
Enterprise Governance Framework (e.g. COSO, AS8000)
IT Governance Framework (e.g. COBIT, ISO/IEC 38500)
IT Best Practice Frameworks (e.g. ITIL, CMMi, P3O, PRINCE2, ISO27002)
The Organisation's Management System
Value….
'…the enterprise's IT sustains and extends the organisation's strategies and objectives…'
So what comprises 'good' IT?
And how to achieve and enforce it?
ISO 38500
'Extend': 'Build the IT services'
'Sustain': 'Run the IT services'
Governance:
the old-fashioned way
CobiT
CobiT
Control Objectives for Information and related Technology (CobiT) provides an IT governance and control framework to ensure alignment of IT to organisational objectives
Plan and Organise (PO): Provides direction to solution delivery (AI) and service delivery (DS)
Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
Deliver and Support (DS): Receives the solutions and makes them usable for end users
Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed
The CobiT v4 framework
BUSINESS OBJECTIVES
GOVERNANCE OBJECTIVES
INFORMATION
•Effectiveness
•Efficiency
•Confidentiality
•Integrity
•Availability
•Compliance
•Reliability
IT RESOURCES
•Applications
•Information
•Infrastructure
•People
Domains and Processes
Plan and Organise (PO)
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement (AI)
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support (DS)
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate (ME)
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure regulatory compliance.
ME4 Provide IT governance.
Adapted from: IT Governance Institute
PLAN, (part of) BUILD, RUN and IMPROVE: The ITIL Service Lifecycle
CobiT ITIL
[Figure: diagram labelled COSO, CobiT and ITIL]
Detailed CobiT - ITIL Mapping 1/2
CobiT Process - ITIL Lifecycle and/or Process
PLAN AND ORGANISE
PO1 Define a Strategic Plan - Service Strategy
PO2 Define the Information Architecture - Service Design
PO3 Determine Technological Direction - Service Strategy
PO4 Define the IT Processes, Org & relation's - All lifecycle phases
PO5 Manage the IT Investment - Service Portfolio Management
PO9 Assess and manage IT risks - IT Service Continuity Management
ACQUIRE AND IMPLEMENT
AI4 Enable Operation and Use - Release Management
AI5 Procure IT Resources - Supplier Management
AI6 Manage Changes - Change Management
AI7 Install and Accredit Solutions and Changes - Change and Release Management
Example portfolio
SPMI Regional
Symposium 2010
Example Prioritisation
[Figure: Project Prioritisation Matrix. Bubble chart of Alignment with Strategy (0 to 2) against Complexity (0 to 30), with zones labelled "Low Hanging Fruit", "Hard-earned Value", "Join the Queue", "Dogs" and "No Go zone".]
Size of 'bubble' in this model indicates the size of the Investment. This could be tailored to NPV, IRR, etc.
The PRINCE2 Journey
[Figure: PRINCE2 process model, starting from the Mandate. Stages: Pre-project, Initiation stage, Subsequent delivery stage(s), Final delivery stage. Levels: Directing (Directing a Project), Managing (SU, IP, SB, Controlling a Stage, CP), Delivering (Managing Product Delivery).]
Key
SU = Starting up a Project
IP = Initiating a Project
SB = Managing a Stage Boundary
CP = Closing a Project
Based on OGC PRINCE2® material. Reproduced under licence from OGC
CobiT and PRINCE2
High Level Mapping of PRINCE2 with CobiT
COBIT 4.0 Processes and Domains
                        1   2   3   4   5   6   7   8   9   10  11  12  13
Plan and Organise       -   -   -   +   +   -   -   +   +   +
Acquire and Implement   +   +   -   -   -   -   -
Deliver and Support     -   -   -   -   -   -   -   -   -   -   -   -   -
Monitor and Evaluate    +   -   -   -
Index
(+) Frequently addresses
(-) Not or rarely addressed
( ) A COBIT IT process does not exist
Methodology Map
[Figure: layered map, with side labels "WHAT", "HOW" and "DETAILED HOW".]
Customers: "Plan" IT Services, "Build" IT Services, "Operate" IT Services
ISO38500 Framework of Principles: Guiding Principles (Evaluate, Direct, Monitor)
COBIT: Plan and Organise, Acquire And Implement, Deliver And Support, Monitor and Evaluate
ITIL: Service Strategy, Service Design, Service Transition, Service Operation, Continuous Service Improvement
Specific Best Practices: Val IT, BSC, PMBoK, ISO27001, TOGAF, PRINCE2, ISO20000, MSP, SDLC, SAM, P3O, SPICE, ISO15504
ITIL and IT Service Management
- Dimensions to consider when implementing it -
Effective implementation of IT Service Management involves a combination of:
•Organisational Alignment
•Effective IT Leadership & Governance
•People (skills, motivation, training, culture)
•Processes – ITIL and PMO best practices
•Technology (Applications, infrastructure, tools)
•Quality framework for continuous improvement
Case 1 (Good) Holistic
[Figure: Implementation framework with phases Plan, Build, Implement, Maintain and Optimise, shown with a chart of maturity (0.0 to 5.0; labels Maturity Assessment and Maturity Target) for each CobiT process PO1 to PO10, AI1 to AI7, DS1 to DS13 and ME1 to ME4, grouped by CobiT Domain.]
Real improvement : an 'alive' process
[Figure: change management workflow in swimlanes. Lanes: Change Originator; Stakeholders (Operations, Applications, Security, SLA); Change Manager (Minor); CAB (Major & Significant); Change Builders & Implementers. Steps: Submit RFC form; Stakeholder Review & Sign off RFC form; Approve RFC; Authorise & schedule Implementation; Build & Test Change; Implement Change; Stakeholder Review & Sign off; Report Intention to Close; Review & accept closure.]
From a change mgt tool workflow like this
To something like:
Example KPIs : costs/benefits
Costs SGDccc
The 'journey'
[Figure: Stages of Acceptance curve, Mood/Energy against Time: Denial, Anger, Negotiation, Acceptance of the Inevitable, Exploration of Possibilities, Integration. Source: Kubler-Ross]
Post Implementation Maturity
[Figure: chart of maturity (0.0 to 5.0) for each CobiT process PO1 to PO10, AI1 to AI7, DS1 to DS13 and ME1 to ME4, grouped by domain, with Importance marked Low, Medium or High.]