- Number of slides: 27
Managing Information Technology Service Delivery. Greg Charles, Ph.D., Principal Consultant, Computer Associates. June 2005
Today’s Objective § To provide information on the latest trends in service management as seen in government data centers around the country
Ever-Increasing Complexity
Approaches Currently In Use § Business As Usual - “Firefighting” § Legislation - “Forced” § Best Practice Focused
The Legislation Minefield
§ Privacy & Security
– Personal Information Protection and Electronic Document Act (PIPEDA)
– US Patriot Act
– Homeland Security (Critical Infrastructure)
– Personal Health Information Protection Act (PHIPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
– Gramm-Leach Bliley Act (GLBA) privacy of financial information
– Children’s Online Privacy Protection Act
– Clinger-Cohen Act (US Gov.)
– Federal Information Security Mgmt. Act (FISMA)
– Freedom of Information & Protection of Privacy (FOIPOP) BC Gov
– FDA Regulated IT Systems
– Freedom Of Information Act
– Americans with Disabilities Act, Sec. 508 (website accessibility)
§ Finance
– Sarbanes Oxley (US)
– FFIEC US Banking Standards
– Basel II (World Bank)
– Turnbull Report (UK)
– Canadian Bill 198 (MI 52-109 & 52-111)
§ Washington State Laws relating to IT
– Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110, 120, 130; RCW 9A.48.070, 080, 090; RCW 9A.105.041 and many more
§ Other International IT Models
– Corporate Governance for ICT DR 04198 (Australia)
– Intragob Quality Effort (Mexico)
– Medical Information System Development (Medis-DC) (Japan)
– Authority for IT in the Public Administration (AIPA) (Italy)
– Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)
– European Privacy Directive (Safe Harbor Framework)
Best Practices
§ Quality & Control Models: ISO 900x • COBIT • TQM • EFQM • Six Sigma • COSO • Deming • etc.
§ Process Frameworks: IT Infrastructure Library • Application Service Library • Gartner CSD • IBM Processes • EDS Digital Workflow • Microsoft MOF • Telecom Ops Map • etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
– Define – Improve – Measure – Control And Stabilize
What Is ITIL? Information Technology Infrastructure Library – ITIL is a seven-book series that guides business users through the planning, delivery and management of quality IT services
The ITIL Books (diagram; labels: The Business, The Technology, Service Management) Planning To Implement Service Management • Service Support • Service Delivery • The Business Perspective • Application Management • ICT Infrastructure Management • Security Management
Complete ITIL Process Model
ITIL Service Support Model The Business, Customers or Users Monitoring Tools Difficulties Queries Enquiries Communications Updates Work-arounds Incidents Customer Service Desk Survey reports Incident Management Customer Survey reports Problem Management Service reports Incident statistics Audit reports Problem statistics Problem reports Problem reviews Diagnostic aids Audit reports Incidents Changes Releases Change Management Change schedule CAB minutes Change statistics Change reviews Audit reports Problems Known Errors Release Management Release schedule Release statistics Release reviews Secure library Testing standards Audit reports Changes CMDB Releases Configuration Management CMDB reports CMDB statistics Policy standards Audit reports CIs Relationships
ITIL Service Delivery Model Business, Customers and Users Communications Updates Reports Queries Enquiries Availability Management Availability plan AMDB Design criteria Targets/Thresholds Reports Audit reports Service Level Management Capacity plan CDV Targets/thresholds Capacity reports Schedules Audit reports Requirements Targets Achievements Financial Management For IT Services Financial plan Types and models Costs and charges Reports Budgets and forecasts Audit reports Management Tools Alerts and Exceptions Changes SLAs, SLRs OLAs Service reports Service catalogue SIP Exception reports Audit reports IT Service Continuity Management IT continuity plans BIS and risk analysis Requirements def’n Control centers DR contracts Reports Audit reports
What Is ITIL All About? § Aligning IT services with business requirements § A set of best practices, not a methodology § Providing guidance, not a step-by-step, how-to manual; the implementation of ITIL processes will vary from organization to organization § Providing optimal service provision at a justifiable cost § A non-proprietary, vendor-neutral, technology-agnostic set of best practices.
IT Governance Model Audit Models Sarbanes-Oxley COSO US Securities & Exchange Commission CobIT Quality System IT Planning Project Mgmt. BS 15000 AS 8018 IT Security ITIL App. Dev. (SDLC) CMM Service Mgmt. Quality Systems & Mgmt. Frameworks IT OPERATIONS ASL ISO 17799 PMI TSO IS Strategy ISO Six Sigma
CobIT § CobIT is an open standard control framework for IT Governance with a focus on IT Standards and Audit § Based on over 40 International standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries § CobIT describes standards, controls and maturity guidelines for four domains, and 34 control processes
The CobiT Cube (Business Requirements) 4 Domains 34 Processes 318 Control Objectives
CobiT Domains § Plan & Organize (PO Process Domain) § Acquire & Implement (AI Process Domain) § Deliver & Support (DS Process Domain) § Monitor (M Process Domain)
§ Plan & Organize: Define Strategic IT Plan • Define Information Architecture • Determine Technological Direction • Define IT Organization & Relationships • Manage IT Investment • Communicate Aims & Direction • Manage Human Resource • Ensure Compliance With External Standards • Assess Risks • Manage Projects • Manage Quality
§ Acquire & Implement: Identify Automated Solutions • Acquire & Maintain Application Software • Acquire & Maintain Technology Infrastructure • Develop & Maintain IT Procedures • Install & Accredit Systems • Manage Change
§ Deliver & Support: Define & Manage Service Levels • Manage Third-Party Services • Manage Performance & Capacity • Ensure Continuous Service • Ensure System Security • Identify & Allocate Costs • Educate & Train Users • Assist & Advise IT Customers • Manage Configuration • Manage Problems & Incidents • Manage Data • Manage Facilities • Manage Operations
§ Monitor: Monitor The Process • Assess Internal Control Adequacy • Obtain Independent Assurance • Provide Independent Audit
COSO Components
§ Control Activities
• Policies that ensure management directives are carried out
• Approval and authorizations, verifications, evaluations, safeguarding assets, security and segregation of duties
§ Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities
§ Information and Communication
• Relevant information identified, captured and communicated in a timely manner
• Access to internal and externally generated information
• Information flow allows for management action
§ Control Environment
• Sets “tone at the top”
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility
§ Risk Assessment
• Identify and analyze relevant risks to achieving the entity’s objectives
COSO, CobiT & SOX Components
Putting COSO, CobiT, and ITIL together § COSO defines the high-level policies of a well-governed IT organization. § CobiT defines the control structures for evaluating whether the organization conforms to COSO policies. § ITIL defines the practices that will satisfy the CobiT controls.
How to Make it a Reality? Key Success Factors
Theory – CobIT/ITIL/COSO
§ Guidelines for Best Practices
§ Provides theory but not the process
§ Education is an important component
Process
§ Convert theory to process that is applicable to the unique needs of the organization
§ Training & Education
§ Tool configuration
Technology – CA and others
§ Provide the technology that enables and automates the process
§ Repeatability, compliance and notifications
§ Implement processes impossible without technology
Making IT Easier Customer maturity isolates appropriate transition point, blueprint & ROI
Next Steps - Focus on Customer Needs EIM • Complete • Integrated • Open • Proven Best Practices Business Flows • People • Process • Technology • Partners • High Quality • Comprehensive • Enabling • Evolutionary • Efficient Solutions
Respondent Scoring Proven Practice “Statements” Typical Survey Section features…
Comparison Charts 3 Sets of Scores Industry Comparison Role Comparison Overall Comparison Your Score
Meeting Customer Needs – Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
Questions? Thank You gregory.charles@ca.com


