March 3, 2009

COBIT – Deliver & Support (DS)

Posted in COBIT at 3:04 pm by Molly

There are some basic but informative drawings on page 32 of the ‘ITSM Library – IT Governance based on COBIT 4.1’, a small handbook which explains the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

The DS domain focuses on the delivery aspects of the information technology. It covers areas such as the execution of the applications within the IT system and its results, as well as the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training.

(3) Deliver & Support (DS)

PROCESSES

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, PO and AI domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) Within the ‘heart’ of this domain lie a few interesting clusters. The Service Level Cluster is made up of processes DS1 (which is the key process here) and DS2. Related to DS1 & DS2 (define & manage service levels AND manage 3rd party services) is DS6 ‘identify and allocate costs’, because we want to know about the financial implications.

(3) These feed down to the next important cluster – The Operations Cluster (DS11, DS12 & DS13 – managing data, managing the physical environment and managing operations respectively).

(4) As side ‘organs’ to the ‘heart’ we have the delivery cluster, or, as I will refer to it, the ‘brains’, which include the following processes (DS3 through to DS7), or in plain English, managing or ensuring the performance and capacity, ITSCM (a reference to ITIL there), security, education and training.

(5) On the other side, assisting the ‘heart’, we have the usual suspects for the general resources cluster, or ‘organs’: PO8, PO9, PO10 & ME1-4 (managing quality, IT risk and projects and all that monitoring and evaluation stuff that we shall cover shortly). You see, you always have to keep an eye on the IT risks as a matter of principle; it is probably best to have a Risk Register.

(6) Before we come to the outputs of this domain, let’s take a look at two further processes that have their roots in ITIL, namely those of DS8 (Managing Service Desk and Incidents) which feed out to DS10 (Managing Problems).

(7) So what are the outputs of DS? We have AI and PO as outputs from DS.

SUMMARY

Inputs = Requirements, PO and AI.

Outputs = AI and PO.

Activities of the ‘heart’ = SLM Cluster, a bit of financial management, Operational Cluster, Service Desk, Incident and Problem Management.

Activities of the ‘organs’ = Quality, IT risks, projects & lots of monitoring and evaluation.

Activities of the ‘brain’ = Performance and Capacity management, Continuity management, security management, education and training management.


COBIT – Acquire & Implement (AI)

Posted in COBIT at 2:53 pm by Molly

There are some basic but informative drawings on page 30 of the ‘ITSM Library – IT Governance based on COBIT 4.1’, a small handbook which explains the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

We’ve already discussed the PO domain, and now we shall turn the attention to the AI domain, its processes and activities.

The AI domain covers identifying IT requirements, acquiring the technology, and implementing it within the company’s current business processes. This domain also addresses the development of a maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.

(2) Acquire & Implement (AI)

PROCESSES

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, PO and DS domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) The ‘heart’ of this domain includes processes AI1, AI2, AI3, AI4, AI6 & AI7, identifying the automated solutions, managing changes, and the additional DS9 managing the configuration. AI2 – AI4 are described as the development cluster and are all about maintaining the software, infrastructure and use.

(3) As an input to the ‘heart’ we have some additional ‘organs’ which keep our ‘heart’ pumping away regularly. They are PO8 to PO10 and ME1 to ME4, which we use again from the PO domain (managing quality, IT risks and projects, as well as regular monitoring and evaluation). The other ‘organ’ is AI5, which is the procure IT resources activity.

(5) Our last two outputs from our ‘heart’ are the DS domain and the PO domain, which leads us nicely to the COBIT DS (Deliver and Support) domain.

SUMMARY

Inputs = Requirements and PO activities;

Outputs = DS and PO;

Activities of the ‘heart’ = identifying the solution, maintaining software & infrastructure, change and configuration management, enabling its use, and implementing the result into the operational environment;

Activities of the ‘organs’ = managing quality, IT risks and projects and lots of monitoring & evaluation techniques and finally procuring those IT resources

COBIT – Plan & Organise (PO)

Posted in COBIT at 1:57 pm by Molly

There are some basic but informative drawings on page 29 of the ‘ITSM Library – IT Governance based on COBIT 4.1’, a small handbook which explains the process steps visually. This book has proved very useful in giving me an overview so far, and I would recommend it to anyone new to COBIT; it was also just £11.

The PO domain covers the use of information & technology and how best it can be used in a company to help achieve the company’s goals and objectives. It also highlights the organizational and infrastructural form IT is to take in order to achieve the optimal results and to generate the most benefits from the use of IT.

(1) Plan & Organise (PO)

PROCESSES

PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Let’s now approach it in more detail and include other processes and activities that are involved.

(1) Business Requirements, External Requirements, AI and DS domain are important inputs into the strategic cluster or ‘heart’ as I shall refer to it here.

(2) The ‘heart’ of this domain includes processes PO1 to PO4, because they are all about defining something. Why is it iterative? Defining a strategic IT plan, the information architecture, technological direction, the IT processes, organisation and relationships will involve some form of iterative exercise to tweak and finally come to some form of operational definition if you like, but it is all about these processes working in harmony.

(3) The second part of this ‘heart’ cluster, which can be referred to as the ‘arteries’, is the manage and communicate tasks, processes PO5 to PO7: managing the financial and people resources, as well as communication.

(4) As an input to the ‘heart’ we have some additional ‘organs’ which keep our ‘heart’ pumping away regularly. They are PO8 to PO10 and ME1 to ME4. In other words, managing the quality, the IT risks and the projects, as well as regular monitoring and evaluation techniques to make sure it is all aligning correctly.

(5) Our last two outputs from our ‘heart’ are the DS domain and the AI domain, which leads us nicely to the COBIT AI (Acquire and Implement) domain.

SUMMARY

Inputs = Requirements;

Outputs = DS and AI;

Activities of the ‘heart’ = iterative strategic definition stage;

Activities of the ‘arteries’ = managing the purse strings, people and communication;

Activities of the ‘organs’ = managing the quality, IT risks and projects and lots of monitoring & evaluation techniques

March 1, 2009

SOX

Posted in Frameworks, SOX at 6:47 pm by Molly

SOX Compliance Roadmap

1) Plan and Scope IT Controls

Assign accountability and responsibility.
Statement on Auditing Standards (SAS) 70 reports are traditionally performed for service organisations.

2) Assess IT Risk

Assess the likelihood and impact of IT systems causing financial statement error or fraud.
Inherent risk rather than residual risk.
Access controls: without them, there is a risk of someone accessing the system and falsifying transactions.
Perform the following risk assessment:-
* nature of technology
* nature of people
* nature of processes
* past experience
* significance to the financial reports

3) Document Controls

Document application controls.
Document IT general controls.
Identify IT entity-level controls.
Identify application controls – automated controls & IT-dependent manual controls.
Identify IT general controls.
Identify which controls are relevant controls
Consider IT-based antifraud controls
Control documentation (document controls over financial reporting and perform an assessment of their design and operating effectiveness).

4) Evaluate Control Design & Operating Effectiveness

All key controls are documented.
Test controls to confirm their operating effectiveness.
Consider the nature of evidence required.
Forms of evidence:-
* inquiry – seeking info of knowledgeable persons;
* inspection of documentation – inspect reports;
* observation;
* reperformance – independently run exception reports;
Consider the timing of control testing.
Roll-forward testing.

5) Prioritise and Remediate Deficiencies

Impact assessment.
Consider whether compensating controls exist and can be relied upon.
Consider guidance from the SEC and PCAOB
* application-level deficiencies;
* control environment deficiencies;
* failing to remediate a deficiency for an unreasonable period of time;
Identify and assess IT general control deficiencies
* design deficiencies;
* operating effectiveness deficiencies;

6) Build Sustainability

Consider automated controls.
Rationalise to eliminate redundant and duplicate controls.

February 28, 2009

CMDB/CI Relationship Types

Posted in CMDB, Configuration Management at 2:31 pm by Molly

Here are some relationship types, with the parent descriptor on the left and the matching child descriptor on the right:-

parent descriptor        child descriptor
Connects to              Connected by
Contains                 Contained by
Depends on               Used by
DR provided by           Provides DR for
Exchanges data with      Exchanges data with
Hosted on                Hosts
In rack                  Rack contains
Instantiates             Instances of
IP Connection            IP Connection
Located in Zone          Zone contains
Located in               Contains Room / Houses
Members                  Member of
Powers                   Powered by
Received data from       Sends data to
Runs on                  Runs
Virtualised by           Virtualises
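The parent/child pairs above only become useful once a CMDB stores both directions of every relationship and can walk them. The following is an added example (not code from the original post or from any CMDB product) that encodes the listed pairs as inverse descriptors, records a small constructed estate, and answers the question a defender asks when a CI fails or is compromised: what else is affected? The choice of which relationship types carry dependency, and every CI name, is an assumption made for the example.

```python
from collections import defaultdict, deque

# Parent descriptor -> child descriptor, paired exactly as listed in the post.
INVERSE = {
    "Connects to": "Connected by",
    "Contains": "Contained by",
    "Depends on": "Used by",
    "DR provided by": "Provides DR for",
    "Exchanges data with": "Exchanges data with",
    "Hosted on": "Hosts",
    "In rack": "Rack contains",
    "Instantiates": "Instances of",
    "IP Connection": "IP Connection",
    "Located in Zone": "Zone contains",
    "Located in": "Contains Room / Houses",
    "Members": "Member of",
    "Powers": "Powered by",
    "Received data from": "Sends data to",
    "Runs on": "Runs",
    "Virtualised by": "Virtualises",
}
# Both directions, so a relationship can be recorded from either CI's view.
INVERSE_BOTH = dict(INVERSE)
INVERSE_BOTH.update({child: parent for parent, child in INVERSE.items()})

# Relationship types, seen from the dependent CI, through which the failure or
# compromise of the other CI propagates. Assumed for this example only.
DEPENDENCY_TYPES = {
    "Depends on", "Hosted on", "Runs on",
    "Virtualised by", "Powered by", "Received data from",
}


class CMDB:
    """Minimal CI relationship store with automatic inverse relationships."""

    def __init__(self):
        self._rels = defaultdict(list)  # ci -> [(relationship_type, other_ci)]

    def relate(self, ci, rel_type, other):
        """Record ci --rel_type--> other and the inverse descriptor on other."""
        if rel_type not in INVERSE_BOTH:
            raise ValueError(f"unknown relationship type: {rel_type!r}")
        if ci == other:
            raise ValueError("a CI cannot be related to itself")
        self._add(ci, rel_type, other)
        self._add(other, INVERSE_BOTH[rel_type], ci)

    def _add(self, ci, rel_type, other):
        if (rel_type, other) not in self._rels[ci]:
            self._rels[ci].append((rel_type, other))

    def relationships(self, ci):
        """All relationships of a CI, from that CI's point of view."""
        return sorted(self._rels.get(ci, []))

    def _walk(self, start, rel_types):
        # Breadth-first traversal over the selected relationship types only.
        found, queue = [], deque([start])
        while queue:
            current = queue.popleft()
            for rel_type, other in self._rels.get(current, []):
                if rel_type in rel_types and other != start and other not in found:
                    found.append(other)
                    queue.append(other)
        return found

    def dependencies_of(self, ci):
        """Everything ci transitively relies on (follows the dependency descriptors)."""
        return self._walk(ci, DEPENDENCY_TYPES)

    def impacted_by(self, ci):
        """Everything that transitively relies on ci: the blast radius if ci
        fails or is compromised. Follows the inverse (child) descriptors."""
        return self._walk(ci, {INVERSE_BOTH[t] for t in DEPENDENCY_TYPES})


def build_sample_cmdb():
    """Constructed sample estate; the CI names are made up for the example."""
    cmdb = CMDB()
    cmdb.relate("db-vm-01", "Hosted on", "esx-host-02")
    cmdb.relate("postgres-prod", "Runs on", "db-vm-01")
    cmdb.relate("billing-app", "Depends on", "postgres-prod")
    cmdb.relate("pdu-a", "Powers", "esx-host-02")
    cmdb.relate("esx-host-02", "In rack", "rack-07")
    cmdb.relate("rack-07", "Located in Zone", "dc-zone-b")
    cmdb.relate("reporting", "Received data from", "billing-app")
    cmdb.relate("dr-site-db", "Provides DR for", "postgres-prod")
    return cmdb
```

Calling `build_sample_cmdb().impacted_by("pdu-a")` walks Powers, Hosts, Runs, Used by and Sends data to, so the power failure surfaces the host, the VM, the database, the application and the reporting feed, while the rack and zone (location, not dependency) and the DR provider stay out of the blast radius.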

Six Sigma for Dummies

Posted in Frameworks, Six Sigma at 11:34 am by Molly

Is it karate? So what is this Black Belt and Yellow Belt then? In short, they are the certifications you receive when you attend training and pass the exams.

Six Sigma (SS) is a business management strategy. SS targets three main areas:

    * Improving customer satisfaction;
    * Reducing cycle time;
    * Reducing defects.

SS is a total management commitment and philosophy of excellence, customer focus, process improvement, and the rule of measurement.

SS is about making every area of the organisation better meet the changing needs of customers, markets and technologies, along with benefits for employees, customers and shareholders.

Six Sigma is customer focused;
Six Sigma projects produce major returns on investment;
Six Sigma changes how management operates;
Six Sigma is a statistical measure of the performance of a process or a product;
Six Sigma is a goal that reaches near perfection for performance improvement;
Six Sigma is a system of management to achieve lasting business leadership and world-class performance.

METHOD

DMAIC – (Define, Measure, Analyse, Improve, Control)

* Define high-level project goals and the current process. Covers process mapping and flowcharting, project charter development, problem solving tools.

* Measure key aspects of the current process and collect relevant data. Covers the principles of measurement, continuous and discrete data, scales of measurement, an overview of the principles of variation, and repeatability and reproducibility studies for continuous and discrete data.

* Analyse the data to verify cause-and-effect relationships. Determine what the relationships are, and attempt to ensure that all factors have been considered. Covers establishing a process baseline, how to determine process improvement goals, knowledge discovery, including descriptive and exploratory data analysis and data mining tools, the basic principles of statistical process control, specialised control charts, process capability analysis, correlation and regression analysis, analysis of categorical data, and non-parametric statistical methods.

* Improve or optimise the process based upon data analysis, using techniques like design of experiments. Covers project management, risk assessment, process simulation, design of experiments, robust design concepts and process optimisation.

* Control to ensure that any deviations from target are corrected before they result in defects. Set up pilot runs to establish process capability, move on to production, set up control mechanisms and continuously monitor the process. Covers process control planning, using SPC (statistical process control) for operational control.

Six Sigma is a rigorous, focused and highly effective implementation of proven quality principles and techniques. SS relies on tried and tested methods that have been around and in many of the large world-wide organisations for decades.

Since Six Sigma has been tried and implemented in the big cat companies, what are you waiting for? Get identifying those Six Sigma projects now and start saving the company money.

More coming later, stay tuned to the blog.

February 27, 2009

COBIT for Dummies – A quick introduction

Posted in COBIT at 6:10 pm by Molly

COBIT stands for “Control OBjectives for Information and related Technology”.

COBIT is just one of the frameworks from ISACA (Information Systems Audit and Control Association), an international professional association founded back in 1969 and an affiliated member of IFAC (International Federation of Accountants) and ITGI (IT Governance Institute). ISACA has more than 86,000 members in 160 countries and is a recognized worldwide leader in IT governance, control, security and assurance.

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. [from ISACA website]

COBIT uses a maturity model as a means of assessing the maturity of the processes described in the domains (see below for a full description of Domains). The model encompasses the following levels:

1) non-existent
2) initial / ad hoc
3) repeatable but intuitive
4) defined process
5) managed and measurable
6) optimised

COBIT is made up of a number of ‘domains’, ‘processes’ & ‘activities’. Here they are:

DOMAIN

1) Plan & Organise (PO)

PROCESSES

PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment (ITIL related: Financial Management for IT Services)
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

DOMAIN

2) Acquire & Implement (AI)

PROCESSES

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes (ITIL related: Change Management)
AI7 Install and Accredit Solutions and Changes (ITIL related: Release Management)

DOMAIN

3) Deliver & Support (DS)

PROCESSES

DS1 Define and Manage Service Levels (ITIL related: Service Level Management)
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity (ITIL related: Capacity Management)
DS4 Ensure Continuous Service (ITIL related: IT Service Continuity Management)
DS5 Ensure Systems Security (ITIL related: Security Management)
DS6 Identify and Allocate Costs (ITIL related: Financial Management for IT Services)
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents (ITIL related: Incident Management)
DS9 Manage the Configuration (ITIL related: Configuration Management)
DS10 Manage Problems (ITIL related: Problem Management)
DS11 Manage Data (ITIL related: Availability Management)
DS12 Manage the Physical Environment
DS13 Manage Operations

DOMAIN

4) Monitor & Evaluate (ME)

PROCESSES

ME1 Monitor and Evaluate IT Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

COBIT identifies four classes of IT resources:

1) people
2) applications
3) information
4) infrastructure

SUMMARY

COBIT is intended for management, business users of IT and auditors:-

* managers = to balance risk and control investment, since these are the people who control and direct;
* users = who require assurances on security and control of IT services;
* auditors = structure and substantiate opinions as well as provide advice to managers to improve controls;

Although ITIL is the dominant framework with regards to ITSM (IT Service Management), COBIT assists to further improve ITSM;

Primary reason for COBIT benefiting management is to help balance risk and control investment decisions;

COBIT’s main aim is to address the business objectives;

Control of the IT process is intended to satisfy those business requirements; you can’t have one without the other existing, but the processes are the result of those requirements, because you need to have a certain knowledge level first;

February 4, 2009

ICTIM (Information & Communications Technology) Infrastructure Management

Posted in Infrastructure Management at 5:27 pm by Molly

ICTIM aims to provide a stable IT and communication infrastructure. Basically, it is the foundation for ITIL’s Service Delivery and Service Support processes. The resources of ICT underpin IS and help out with all the decision-making processes too.

So how exactly will it help?

Instead of the focus of Service Delivery processes being geared towards the business and the organisation’s management structure, and the focus of Service Support processes being geared towards those of the users, ICT sits in the middle of the bull fighting ring, giving benefits to both the business and the users at the same time. The benefits we are talking about are the usual suspects that we have discussed in many other posts, but let’s give you examples again:

    service availability;
    quality;
    capacity requirements;
    efficiency;
    lowering costs;
    reducing risks

… all through reducing, monitoring, anticipating, and initiating corrective actions.

Let’s take a quick look at the processes of ICTIM:

Design & Planning (creation)
Deployment (implementation & rollout)
Operations (day to day management)
Technical Support (guarantee the delivery of services)

Policy > Strategy > Plan >> Prove >> Deploy >> Operate >> Obsolete

(Design & Planning) >> (Tech Supp) >> (Deployment) >> (Operation) >> (Admin)

ICTIM is the operational arm of the Service Delivery and Support processes. Planning and control will always fall under the jurisdiction of the process owner though, so when we talk about introducing a change management process, it’s owned by the Change Management process (owner) but operationally is implemented via ICTIM. A further example would be undertaking the recovery actions (as stated within the Incident Management process and the ITSCM process). In fact, ICTIM acts as the mediator between Delivery and Support, bearing in mind the requirements of the users and the business, delivering ICT strategies and plans, keeping a hand in new technologies in the marketplace, building relationships with suppliers, and application management (the design, gathering requirements, developing them within projects etc.).

January 23, 2009

Service Desk or Incident Analyst – which hat am I wearing today?

Posted in ITIL at 5:40 pm by Molly

In the previous post we discussed the differences between Call Centres, Help Desks and Service Desks. Now let’s discuss the differences between being a Service Desk Analyst and an Incident Management Analyst.

Since we know all about what a Service Desk function includes, let’s look at what the Incident Management ITIL aims are:

“to restore normal service operation (the quality aspect) as quickly as possible (the time & money aspect) within minimum disruption to business (the cost aspect) so continue revenue earning activities”

Well, isn’t this kinda what the Service Desk does already? Indeed, but only to some degree. Remember the Service Desk provides that initial support; if they can’t resolve the error in a suitable timeframe, before the SLA starts ringing its alarm bells, what are they going to do, call the user back and say “sorry mate, can’t help you with that error you reported”? In real life they won’t do that; they would in fact pass the error on to Incident Management, who are the 2nd line support Service Desk if you like, but attached to the Incident Management process. They will be the people who investigate and diagnose this incident further. Do they contact the user directly if they require more information, or when they restore ‘normal service operation’ to the user? Sure, why not, it saves time doing it this way, but if we want to stick to the ITIL process, this incident analyst will return the incident to the Service Desk operator or analyst and give the resolution details so that they can contact the user and close off the call correctly with the correct closure codes and comments. Note that the Service Desk contacts the user and closes the call. What if the Incident analyst contacted the user and closed the call? Wouldn’t this confuse the user a little too much: here is another person taking ownership of his call, maybe asking more questions, etc.? You’re right, so according to ITIL, OMCT (Ownership, Monitoring, Communication & Tracking) remains with the Service Desk. The Service Desk tracks all incidents, even incidents that turn into problems. Why?

We’ve mentioned it before: it’s because the Service Desk is a ‘one stop shop’, a SPoC (Single Point of Contact), and let’s not forget that the Service Desk can produce all the management information on each and every incident, service request, question and query. That information could kick off further improvements of services, can identify where incidents are constantly occurring (and pass them to Problem Mgt directly), and may even identify that users need additional training or education in weak areas. If we let Incident Management start to be a ‘one stop shop’, aren’t we duplicating the process and duplicating the management metrics? Simply pass the information back to the Service Desk and let them deal with it, because they have been trained in their roles.

So when implementing Incident Management in your organisation, pay close consideration to the boundaries of responsibilities, avoid duplications of roles and responsibilities, stick to the good practices of ITIL, they have been proven in many of the top global industries, why would you need to re-invent the wheel.

Consider this too: you have 12 Service Desk analysts, and you need to implement an Incident Management process and team. Will you (a) employ new staff, or (b) use the existing skills within your Service Desk, but allow them to change their hats every now and again? In the Middle Ages, farmers in the UK and maybe around the world used crop rotation methods in their fields; this was to allow the soil to recover and rejuvenate its good qualities, with cows and sheep pastured to let nutrients enter the soil exhausted by the previous year’s crop. Can we use this technique in our modern world, but for people? Would you not see a more motivated workforce if you rotated them, keeping 8 on the Service Desk at all times but taking 4 out of the loop to work on Incident Management? Each member of staff would gain valuable information from dealing with incidents to take back to the Service Desk. It would give each and every person another skillset, so that the organisation would retain them longer (maybe even pay them better). Staff morale may invariably rise, you’d hope so, because the Service Desk analyst wouldn’t just be answering calls day in, day out, but would know that next month he or she may be doing more technical monitoring and investigations AND bringing the knowledge gained within Incident Management back into the fold (“oh yes, I had that error last month, now I know I put the resolution into the Incident Record and the Knowledge Base too ….. here it is”). Something as simple as that reduces the time to resolution, gives great user satisfaction and reduces the cost to the business of further investigations, monitoring time, diagnostic tweaking and researching etc., because it has been recorded not only in the incident record itself but in a Knowledge Base (very useful things, these KBs).

So go ahead, wear your hats, but know the boundaries of your roles and responsibilities, unless you are a very small organisation and you can wear two hats in the office.

Call Centre, Help Desk or Service Desk – I’m confused!

Posted in ITIL at 4:53 pm by Molly

What are the differences between these, which one do I implement in my organisation?

Let’s tackle the last question first. Which one do I implement in my organisation? That is the 10 million dollar question. The simple answer is the one that is fit for purpose for your organisation. There is no real advantage to having a Help Desk in a fully ITIL conformant organisation, is there? So pick the most suitable ‘function’.

What is a Call Centre?

A call centre handles large call volumes, like a telesales company. Look at what it’s called, Call Centre, so that means calls are centralised here, but does this call centre improve or extend the overall services of a typical organisation?

What is a Help Desk?

Now we are getting a little warmer to the ITIL meaning, but again we haven’t hit the mark yet. A Help Desk manages, coordinates and resolves incidents fast. Great, I hear you say, precisely what I need. Hmm, umm, again slightly missing the point: after all, does this Help Desk interface with all other IT activities? Well, if it does, then you should be calling it by its proper name – a Service Desk.

What is a Service Desk?

A globally focused approach to handle not only incidents, problems and questions, but also to interface with and for the other operational activities within your organisation, e.g. Change Requests, Maintenance Contracts, SLM, Availability Mgt, ITSCM. How cool!

Let’s look at the primary aims of this Service Desk, especially in terms of how ITIL describes it:

    to facilitate the restoration of normal operational service;
    to act as the central point of contact (SPoC – Single Point of Contact) between the user and ITSM;
    to handle incidents and requests, and provide an interface for other activities.

So in terms of what a Service Desk provides to the business, it identifies and lowers the cost of ownership, supports management of changes, reduces costs via efficiency, supports investments and management of business support services (the ones we mentioned above already: Change Mgt, Availability Mgt, IT Service Continuity Mgt, Financial Mgt etc.), it improves customer retention and satisfaction, and it identifies business opportunities.

How does it do all these things? A little word called metrics, or management information or reporting or whatever you wish to call it. Remember we said that the Service Desk is the SINGLE POINT OF CONTACT for users. Well, because it is the single place where information flows into and out of, isn’t it great then to have all this user information to hand? It’s how you handle this information that is also a major part of the benefits that the Service Desk can provide for the whole business.

Just because you have a Call Centre or a Help Desk now, doesn’t mean that those functions can’t evolve into a more extendable service and provide the benefits we have already discussed.
