Improving IT Governance Through Formal Change

Management

My Role at Marquette

Change Manager– ITIL Practitioner in release & control (change,

configuration & release management)

Head of the PMO– PMP certification

Why Did We Start?

Stabilize the infrastructure

Audit Questions

Change Management and Program Development Controls– Change Management policy and procedure documentation

(requirements for requesting, documenting, testing, approving, and migrating/implementing changes to the production environment).

– Emergency change procedure documentation.– List of all requested changes (development and configuration

changes) made to the financial reporting applications and underlying environment (between 6/1/06 – present).

Program development methodology (SDLC) and formal testing procedure documentation (if exist and different from Change Management Policy)

System generated evidence (access control list, etc) showing users that have access to modify system code or system configurations for the production environment

What is Governance

There is no universal definitionCOBIT

– The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance.

– Value, risk and control constitute the core of IT governance.

Gartner Definition

"The processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals." – This definition contains certain key concepts:

• ITG is composed of processes with the inputs, outputs, roles and responsibilities that are inherent in a process definition (however, the definition does not talk about how these processes might be implemented).

• The role of ITG "ensures," as opposed to "executes." • The goal of ITG is defined as a business goal, not just IT-

related. • Key performance measures, identified as effectiveness and

efficiency, together represent business value.

COBIT

Audit

Control

Management

Governance

1996 1998 2000 2005

Perspective of Frameworks and Standards

COSO, ISO 9001,King II, Sarbanes-Oxley, Industry BEE CharterWhat

COBIT Domains

Plan & Organize

Acquire & Implement

Deliver & Support

Monitor & Evaluate

What

Bus A

lignment

TO

GA

F

PM

BO

K

CM

MI

SD

LC

ITIL

ISO

17799

NIS

T 800

Balanced

Scorecard

IAS

CA

Audit

Standards

Board briefing

IT G

overnance

HowP

roject M

ethodology

COBIT Focus April 2007 Volume 1

Hype Cycle

http://www.gartner.com

Removed at Gartner’s Request

http://www.gartner.com

Hype Cycle

Removed at Gartner’s Request

ITIL

ITIL is not a temporary fashion – ISO20000It’s not about tests and certificationGoing from a technology focus – to a

customer service focusShort term costs will be balanced by long-

term gainsOther cultures have benefited from adopting

ITILIt is easier to sell a best practice than an idea

ITIL

Managing service levels from the customer’s perspective instead of insular technology or infrastructure perspective

Going beyond reactive break/fix – to proactive management of service requests and service support

Actively managing infrastructure components (assets) and systematically managing changes (planned and un-planned)

Remember ITIL concentrates on Continuous Improvement – Deming

A non-proprietary set of best practices – public domain

ITIL Service Management v2

Service Strategy

Service Design

Service Transition

Service Operation

Continual Service Improvement

Solutions

Policies Resource Constraints

Business Requirements

ArchitecturesStandards

Transition PlansTesting

Operational PlansOperational services

ITIL v3

Service

Services are a means of delivering value to customers by facilitating outcomes customers want to achieve, without the ownership of specific costs and risks.

ITILv3 Road show

Marquette IT Governance

We have a PMO that is based on PMBOK and we have our own Project Methodology

We also have begun to implement ITIL

Marquette Process

Incident– How incidents and requests are handled

Change– How changes to the production system are

handledConfig

– Components of the IT infrastructure – Data Center – Working on getting all university owned PCs in

the CMDB

Incident Management

The goal of Incident Management is to restore normal service operation as quickly as possible and minimize the adverse effect on business operations, thus ensuring that the best possible levels of service quality and availability are maintained.

Configuration Management

Configuration Management is a process that tracks all of the individual Configuration Items (CI) in a system.

A Configuration Item (CI) is an IT asset or a combination of IT assets that may depend and have relationships with other IT processes

Change Management

The goal of Change Management is to ensure that standardized methods and procedures are used for efficient handling of all changes, in order to minimize the impact of change-related incidents and to improve day-to-day operations.

What is a Change?

A service may become unavailable or degraded during service hours,

The functionality of a service to become different, or

The CMDB to require an update.

High-Level Change Process

Register the change

Complete R&I Work Orders

Develop Change Plan

Review Change Plan

Get Approval(s)

Assign Imp Work Orders

Change Coordinator Change Manager

Types of Change Templates

Application Mod– Develop mod, Test, Back-out, UAT, Move to

Prod, Verify, Update CMDBMAC (Move Add Change)

– Risk assessment, Service Provide, UAT, Move to Prod, Verify, Update CMDB

Emergency– Update capacity, Inform Service Provider, Update

CMDB

Change Metrics

Communications

In addition to the UATForward Schedule of Changes

What did we get?

More stable infrastructureMore proactive less reactiveBetter alignment with University needsBetter communication

– Internal IT– University units

Better support Finance audit

Lessons Learned

More of a culture change than technology change – Mostly IT, but functional users also

Objections– It will slow us down– More “paperwork”– Management doesn’t trust us

People may leave the organization

Lessons Learned

Adopt a best practice framework (ITIL)Attend local itSMF chapter and learn from

othersStart with an obtainable scopeMinimize the bureaucracyProcess first then tool, but with an eye

towards the tool

Questions?

References

http://www.itsmfusa.org

http://www.gartner.com/

http://www.isaca.org