ITIL, Compliance And Risk

© 2005 Computer Associates International, Inc. (CA). ITIL, Compliance And Risk. Brian Johnson, Christopher Boswell, Nancy Hinich


Transcript of ITIL, Compliance And Risk

Page 1: ITIL, Compliance And Risk

Brian Johnson, Christopher Boswell, Nancy Hinich

Page 2: ITIL, Compliance And Risk


Agenda

ITIL Concepts

Origins and evolution

Continuous Improvement

Measurement Framework

KPIs

Discussion Periods

IT Risk Management

Control Frameworks

Questions?

Page 3: ITIL, Compliance And Risk


ITIL Origins And Evolution

ITIL is all about which processes need to be realized within the organization for management and operation of the IT infrastructure, to promote optimal service provision to the customer of the services at justifiable costs.

• Late 1980s: UK government project started
  – CCTA (OGC) involved in development, as well as practitioner and consulting organizations
  – Organizations outside of government became interested
  – First books published
• Early 1990s: The library completed
• Late 1990s: Generally accepted as the de-facto standard for IT service management worldwide

Page 4: ITIL, Compliance And Risk


ITIL Books

Page 5: ITIL, Compliance And Risk


Systems Versus Service Management

Systems Management
• Isolated systems
• Technology and asset focused
• Systems monitoring
• IT perspective

Service Management
• Service as experienced and/or consumed
• Technology transparent to customer
• From customer perspective

Page 6: ITIL, Compliance And Risk


ITIL & EITM: Continuous Improvement

People, Process & Technology

• Where are we now? Assessments
• Where do we want to be? Goal definition
• How do we get there? Program plan, DNA roadmap
• How do we measure that?

Page 7: ITIL, Compliance And Risk


Measurement Advice

“Measurements should induce the parts to do what is good for the whole, and measurements should direct managers to those parts that need their attention.”

E. Goldratt

“What gets measured gets done; however, be careful: sometimes what you measure is the only thing that gets done.”

Anonymous

“When developing management reports they should always be S.M.A.R.T.” (Specific, Measurable, Achievable, Realistic, Time Bounded)

Anonymous

Page 8: ITIL, Compliance And Risk


Management Reporting & KPIs

To govern or manage any information-based process it is necessary to establish a variety of reports and metrics to understand how the process is being executed. Newly engineered processes should limit this to fewer than half a dozen reports initially.

From the list of defined management reports, the process owner and management team will need to choose a limited number of KPIs to provide information on health and relative maturity.

In order to select which KPIs are most suited to provide a health and maturity reading, a …

Page 9: ITIL, Compliance And Risk


Measurement Framework

Balanced Scorecard quadrants: Financial, Customer, Innovation, Internal

Example goals:
• Improve Quality Of Service
• Improve Management Control
• Employ New Technology
• Reduce Cost

Process measures:
• Value
• Quality
• Throughput
• Compliance

In order to understand something you must look at it more than one way.

Balanced Score Card Approach – Kaplan & Norton

Page 10: ITIL, Compliance And Risk


Management Framework

The following four quadrants represent a dashboard by which the Process Owner can determine the health of a process. A minimum of one or two measurements should be determined for each quadrant to ensure a balanced perspective on the use and effectiveness of the process.

Value: Reports or surveys to measure the effectiveness and perceived value of the process to the stakeholders and users.

Quality: Process quality indicators are typically activity based and are established to measure the quality of individual or key activities as they relate to the objective of the end-to-end process.

Performance: Metrics established under this quadrant measure the average process throughput or cycle time (e.g. metrics to capture the speed and performance of the stated process objective and output).

Compliance: Process compliance seeks to measure the percentage of process deployment across the IT organization. A process may have a good perceived value, good quality and speedy throughput, but only be adhered to by a fraction of the IT organization.

Page 11: ITIL, Compliance And Risk


KPI Categories

Getting the whole picture:
• Compliance: Are we doing it?
• Quality: How well are we doing it?
• Performance: How fast or slow are we doing it?
• Value: Is what we are doing making a difference?

A single measure may contain or cover more than one category. This in itself is not an issue; understand, though, that when this occurs the success criteria for this measure are more difficult to satisfy.

Page 12: ITIL, Compliance And Risk


Choosing KPIs

Ideally, to measure a process, at least one KPI per category should be chosen to provide a balanced perspective. However, due to the difficulty of measurement or tool limitations, process management staff may find it necessary to limit what is measured according to which category is the most important to the objective of the process.

Establish the core objective of the process:
1. Evaluate which category is of the highest priority to achieve the process objective
2. Define measures according to the categories which are appropriate to achieve the overall process objective

Page 13: ITIL, Compliance And Risk


Building A Measurement Grid

1. Define the measure
2. Determine the KPI category
3. Establish the policy and target (target will change with process maturity)
4. Determine the tool or medium to realize the measure
5. Define the output format (graph, data, etc.)
6. Define distribution list and report frequency

Example grid row:

| Category | Measure | Policy | Target | Tool |
|---|---|---|---|---|
| Value, Quality | # of incidents resolved outside of SLA | All incidents to be resolved within SLA | 90% of the time | Incident Module |
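As an added illustration of the grid row above (this is example code written for this page, not material from the slides or from CA), the block below carries the six steps into a small evaluation: the grid row holds the measure, categories, policy, target and tool from the slide, and the KPI is computed over constructed incident records against constructed per-priority SLA hours (the slide specifies neither). The per-priority breakdown is there because, as the Goldratt quote earlier puts it, a measurement should direct managers to the parts that need attention, not just report a single percentage.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


# One row of the measurement grid, built in the six steps the slide lists:
# measure, KPI category, policy and target, tool, output format, distribution.
@dataclass
class MeasurementGridRow:
    measure: str
    categories: Tuple[str, ...]
    policy: str
    target_pct: float            # share of incidents that must be resolved within SLA
    tool: str
    output_format: str = "data"  # step 5; constructed default
    distribution: Tuple[str, ...] = ("process-owner@agency.invalid",)  # step 6; constructed placeholder
    frequency: str = "weekly"    # step 6; constructed


# The example row exactly as the slide states it.
INCIDENT_SLA_ROW = MeasurementGridRow(
    measure="# of incidents resolved outside of SLA",
    categories=("Value", "Quality"),
    policy="All incidents to be resolved within SLA",
    target_pct=90.0,
    tool="Incident Module",
)

# Constructed SLA resolution targets, in hours per priority (the slide gives none).
SLA_HOURS: Dict[str, int] = {"P1": 4, "P2": 8, "P3": 24, "P4": 72}

# Constructed incident records: (incident id, priority, opened, resolved).
INCIDENTS: List[Tuple[str, str, str, str]] = [
    ("INC-1001", "P1", "2006-03-01 08:00", "2006-03-01 10:30"),  # 2.5 h, within 4 h
    ("INC-1002", "P1", "2006-03-01 09:00", "2006-03-01 14:00"),  # 5 h, outside
    ("INC-1003", "P2", "2006-03-02 10:00", "2006-03-02 15:00"),  # 5 h, within 8 h
    ("INC-1004", "P2", "2006-03-02 11:00", "2006-03-02 18:00"),  # 7 h, within
    ("INC-1005", "P3", "2006-03-03 09:00", "2006-03-03 20:00"),  # 11 h, within 24 h
    ("INC-1006", "P3", "2006-03-03 09:30", "2006-03-04 12:00"),  # 26.5 h, outside
    ("INC-1007", "P3", "2006-03-04 08:00", "2006-03-04 09:00"),  # 1 h, within
    ("INC-1008", "P4", "2006-03-05 08:00", "2006-03-07 08:00"),  # 48 h, within 72 h
    ("INC-1009", "P4", "2006-03-05 08:00", "2006-03-06 08:00"),  # 24 h, within
    ("INC-1010", "P4", "2006-03-05 08:00", "2006-03-09 08:00"),  # 96 h, outside
]

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"


def hours_to_resolve(opened: str, resolved: str) -> float:
    """Elapsed hours between the opened and resolved timestamps."""
    delta = datetime.strptime(resolved, TIMESTAMP_FORMAT) - datetime.strptime(opened, TIMESTAMP_FORMAT)
    return delta.total_seconds() / 3600.0


def within_sla(priority: str, opened: str, resolved: str, sla_hours: Dict[str, int]) -> bool:
    """True when the incident was resolved on or before its priority's SLA limit."""
    if priority not in sla_hours:
        raise ValueError(f"no SLA defined for priority {priority!r}")
    return hours_to_resolve(opened, resolved) <= sla_hours[priority]


def evaluate_sla_kpi(incidents, row: MeasurementGridRow, sla_hours: Dict[str, int]) -> dict:
    """Compute the grid row's measure, compare it with the target, and break it down by priority."""
    total = len(incidents)
    outside_ids: List[str] = []
    by_priority: Dict[str, Dict[str, int]] = {}
    for inc_id, priority, opened, resolved in incidents:
        bucket = by_priority.setdefault(priority, {"total": 0, "outside": 0})
        bucket["total"] += 1
        if not within_sla(priority, opened, resolved, sla_hours):
            bucket["outside"] += 1
            outside_ids.append(inc_id)
    # An empty period has no evidence of compliance, so it does not meet the target.
    pct_within = 100.0 * (total - len(outside_ids)) / total if total else 0.0
    return {
        "measure": row.measure,
        "categories": row.categories,
        "total": total,
        "outside_sla": len(outside_ids),
        "outside_ids": outside_ids,
        "pct_within_sla": round(pct_within, 1),
        "target_pct": row.target_pct,
        "target_met": pct_within >= row.target_pct,
        "by_priority": by_priority,
    }


if __name__ == "__main__":
    result = evaluate_sla_kpi(INCIDENTS, INCIDENT_SLA_ROW, SLA_HOURS)
    print(f"{result['measure']}: {result['outside_sla']} of {result['total']}")
    print(f"within SLA: {result['pct_within_sla']}% (target {result['target_pct']}%), met: {result['target_met']}")
    for priority, bucket in result["by_priority"].items():
        print(f"  {priority}: {bucket['outside']} of {bucket['total']} outside SLA")
```

On the constructed data the measure reads 3 of 10 incidents outside SLA, 70% within against a 90% target, with P1 the priority band most in need of attention. Changing the target in the grid row (step 3 notes it will move with process maturity) changes only the comparison, not the measure itself.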

Page 14: ITIL, Compliance And Risk


Service Support KPIs

| Process | Core Objective | Example Core KPIs | Category |
|---|---|---|---|
| Incident | Restore service degradations to expected level ASAP | # of incidents by category, priority and resolution type by LOB; # of incidents restored within SLA targets | Quality, Performance |
| Problem | Identify systemic infrastructure errors and eliminate them to minimize impact and improve availability | # of problems identified & root cause determined with solution or workaround; # of repeat incidents by category trending downwards | Quality, Value |
| Change | Handle changes efficiently while minimizing impact to service delivery | # of changes by type / category / group / customer (emergency changes trending down); # of changes that have resulting incidents, or fail and have to be backed out | Quality, Value |
| Config. | Identify / control / manage IT resources within a Configuration Management Database | % of CMDB data population and accuracy vs actual, according to scope; % growth or change by CI type over an elapsed time period | Quality, Value |
| Release | Ensure production readiness, quality and authorization of new or modified CIs and their planned deployment | # of releases by type that satisfy release management criteria when submitted to Change; # of releases that bypass the process | Quality, Compliance |

Page 15: ITIL, Compliance And Risk


Discussion Period

• Discuss the differences between ‘managing’ and ‘controlling’ changes in the change process
• Agree the overall goals of a change process
• Discuss performance indicators for the change process
• Outputs…

White Board Session

Page 16: ITIL, Compliance And Risk


Service Delivery KPIs

| Process | Core Objective | Example Core KPI | Category |
|---|---|---|---|
| SLM | Define services; agree on level, scope, quality, performance; monitor & manage | % score of customer satisfaction survey trends up over time (i.e. Customer Satisfaction Survey) | Value |
| Avail. | Define and plan for service availability to meet or exceed stated business requirements through process, technology and people resource planning and implementation | % of service availability within SLA negotiated requirements | Quality |
| Capacity | Current and future resources are greater than or equal to demand, but excess is planned | % of components that breach tolerance thresholds in correspondence to planned capacity levels for components and complete IT systems | Quality |
| ITSCM | Recover IT systems to normal state in an alternate way after a disaster within an expected timeframe | % of systems that fail recovery test; time to execute test of plan and recover IT services in a contingency state against expected targets | Quality, Performance |
| Finance | Plan for and deliver IT services within a forecasted budget against actual cost | % deviation of forecasted versus actual cost of IT services within defined tolerance limits (% of deviation, $ of deviation) | Compliance |

Page 17: ITIL, Compliance And Risk


Discussion Period

White Board Session

• Discuss the service level management process
• Agree the overall goals of a SLM process
• Discuss performance indicators for the SLM
• Outputs…

Page 18: ITIL, Compliance And Risk

© 2006 CA. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Information Risk Management in State & Local Governments

Page 19: ITIL, Compliance And Risk


Do State & Local Governments Care about Risk Management? Should they?

Drivers for Risk Management

Cost Savings
• Commercial Entities: Effective risk management can reduce the overall number of service outages and minimize the impact of those outages that are unavoidable.
• State/Local Government: Any organization or institution which employs Information Technology can save money through an effective Risk Management program. The problem is determining how much of the organization’s resources should be deployed to mitigate identified threats.

Collaboration with business partners
• Commercial Entities: Integrated supply chains and delivery methods bring new business opportunity in a “federated” world; however, new risks are also being introduced.
• State/Local Government: Inter/intra-agency collaboration will also pose challenges for those responsible for ensuring data and transactional integrity. The concept of “data owner” will certainly be an interesting discussion going forward…

Regulatory Mandates
• Commercial Entities: Sarbanes Oxley, HIPAA, California SB 1386, etc.
• State/Local Government: No SOX, but HIPAA and other activities may be applicable depending on the nature of business the state/local agency is engaging in.

Page 20: ITIL, Compliance And Risk


Continued…

Drivers for Risk Management

Brand/Image Preservation
• Commercial Entities: Effective Risk Management can help prevent highly publicized business disruptions, which could have a negative impact on stock price or critical customer relationships.
• State/Local Government: In certain respects, this can be more of a challenge for state/local agencies, where budgets are more transparent to the public and resource allocation is highly scrutinized. “Keep me off the front page” is a top priority for most anyone in public service.

Outsourcing
• Organizations may effectively transfer certain operational risks through outsourcing agreements; however, they cannot abdicate responsibility entirely.

White Board Session
• List additional drivers
• Rank them in order of importance…

Page 21: ITIL, Compliance And Risk


Risk Theory

Numerous methodologies/approaches exist for analysis, assessment and evaluation of risk:

• FMEA/FMECA (Failure Modes, Effects and Criticality Analysis)
• FTA (Fault Tree Analysis)
• CRAMM (UK Gvt. Risk Analysis method)
• ISO 9000-14000 family of standards
• CCA (Cause Consequence Analysis)
• MORT (Management Oversight Risk Tree)
• SMORT (Safety Management Organization Review Tree)
• CEA (Cost Effectiveness Analysis)
• CBA (Cost Benefit Analysis)
• COSO ERM
• OCTAVE (Carnegie Mellon’s Operationally Critical Threat, Asset, and Vulnerability Evaluation)
• ASSET (National Institute of Standards and Technology [NIST] Automated Security Self-Evaluation Tool)
• Monte Carlo
• …and hundreds more!!!

Page 22: ITIL, Compliance And Risk


A Few Definitions…

Risk Analysis, Assessment, Management, based on [1] AS/NZS 4360:1999 and [2] NS 5814

Risk Analysis [1]: A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences.

Risk Analysis [2]: A systematic approach for describing and/or calculating risk. Risk analysis involves the identification of undesired events, and the causes and consequences of these events.

Risk Evaluation [1]: The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.

Risk Evaluation [2]: A comparison of the results of a risk analysis with the acceptance criteria for risk and other decision criteria.

Risk Assessment [1]: The overall process of risk analysis and risk evaluation.

Risk Management [1]: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Risk Management Process [1]: The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analyzing, evaluating, treating, monitoring and communicating risk.

Page 23: ITIL, Compliance And Risk


Making Sense of It All

1. Identify undesirable events.
2. Determine likelihood/frequency of events.
3. Determine impact from event.
4. Prioritize undesirable events in terms of importance.
5. Develop/execute risk mitigation strategies.
6. Monitor for and communicate new risks.


Page 24: ITIL, Compliance And Risk


The Big Picture

Risk Management
• Risk Assessment: Identification, Measurement, Prioritization
• Risk Response/Treatment: Control It, Share or Transfer It, Diversify/Avoid It
• Risk Monitoring: Process Level, Activity Level, Entity Level

Page 25: ITIL, Compliance And Risk


Building a Risk Portfolio

Risk Response Options
• Accept = monitor
• Avoid = eliminate (get out of situation)
• Reduce = institute controls
• Share = partner with someone
• Transfer = insurance/outsourcing

Residual risk (unmitigated risk – e.g. shrinkage)

POP QUIZ: What would be an example of Risk Avoidance for a State/Local government agency?
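The six steps from the “Making Sense of It All” slide and the response options above fit together as a small risk register. The block below is an added example written for this page, not material from the slides or from CA: each entry carries the undesirable event (step 1), an ordinal likelihood and impact on a constructed 1 to 5 scale (steps 2 and 3), is prioritized by likelihood times impact (step 4), is given one of the slide's five responses (step 5), and is then checked for residual risk against a stated appetite (step 6). The `control_effect` fraction, the appetite value and the sample register for a hypothetical state/local agency are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# The five response options as the slide lists them.
RESPONSE_OPTIONS: Dict[str, str] = {
    "Accept": "monitor",
    "Avoid": "eliminate (get out of situation)",
    "Reduce": "institute controls",
    "Share": "partner with someone",
    "Transfer": "insurance/outsourcing",
}

SCALE_MIN, SCALE_MAX = 1, 5  # constructed ordinal scale for likelihood and impact


@dataclass
class Risk:
    event: str                   # step 1: the undesirable event
    likelihood: int              # step 2: 1 (rare) .. 5 (frequent)
    impact: int                  # step 3: 1 (negligible) .. 5 (severe)
    response: str = "Accept"     # step 5: one of RESPONSE_OPTIONS
    control_effect: float = 0.0  # fraction of inherent risk the treatment removes (0..1); constructed modelling assumption

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")
        if self.response not in RESPONSE_OPTIONS:
            raise ValueError(f"unknown response {self.response!r}")
        if not 0.0 <= self.control_effect <= 1.0:
            raise ValueError("control_effect must be between 0 and 1")


def inherent_score(risk: Risk) -> int:
    """Likelihood times impact before any treatment is applied."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> float:
    """Risk left after the chosen response (the slide's residual, unmitigated risk).

    Avoid removes the exposure entirely; Accept keeps all of it; Reduce, Share and
    Transfer remove only the fraction the control is credited with, so a transferred
    risk still leaves residual exposure: the earlier slide notes that outsourcing
    transfers risk but does not let the organization abdicate responsibility.
    """
    if risk.response == "Avoid":
        return 0.0
    if risk.response == "Accept":
        return float(inherent_score(risk))
    return round(inherent_score(risk) * (1.0 - risk.control_effect), 2)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Step 4: highest inherent score first, ties broken by impact."""
    return sorted(risks, key=lambda r: (inherent_score(r), r.impact), reverse=True)


def needs_attention(risks: List[Risk], appetite: float) -> List[str]:
    """Step 6: events whose residual risk still exceeds the stated appetite, in priority order."""
    return [r.event for r in prioritize(risks) if residual_score(r) > appetite]


def register_summary(risks: List[Risk]) -> Dict[str, float]:
    """Totals before and after treatment, for reporting the portfolio as a whole."""
    return {
        "inherent_total": float(sum(inherent_score(r) for r in risks)),
        "residual_total": round(sum(residual_score(r) for r in risks), 2),
    }


# Constructed sample register for a hypothetical state/local agency.
SAMPLE_REGISTER: List[Risk] = [
    Risk("Loss of citizen records after storage failure", 3, 5, "Reduce", 0.6),
    Risk("Unauthorized disclosure of health records", 2, 5, "Reduce", 0.5),
    Risk("Outsourced hosting provider outage", 3, 3, "Transfer", 0.5),
    Risk("Unsupported legacy application kept in production", 4, 2, "Avoid"),
    Risk("Intermittent office printer outages", 5, 1, "Accept"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"inherent {inherent_score(r):>2}  residual {residual_score(r):>4}  {r.response:<8} {r.event}")
    print(register_summary(SAMPLE_REGISTER))
    print("Above appetite (5):", needs_attention(SAMPLE_REGISTER, 5.0))
```

With the constructed register, the records-loss event ranks first (inherent 15) and is the only one whose residual risk (6.0) still exceeds an appetite of 5, so it is the one the monitoring step would flag for further treatment; the decommissioned legacy application is the register's example of avoidance, the question the slide's pop quiz asks.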

Page 26: ITIL, Compliance And Risk


Establishing Controls Portfolio Can Prove Problematic

Understanding Quality of Controls
• Deterrent vs. Preventative vs. Detective vs. Corrective
• Automated vs. Manual vs. IT Dependent
• IT General Control vs. Application Control

Understanding the Impact Window
Each risk has an impact window within which a control must operate to avoid/minimize impact. Designing a system of controls to ensure events are managed within this timeframe requires careful planning and analysis (e.g. fire destroys more when allowed to burn longer).

Estimate the Total Cost of Ownership
• Cost of implementation
• Cost of maintenance
• Cost of testing/auditing/monitoring
• Are secondary (back-up) controls required if primary controls fail?

Page 27: ITIL, Compliance And Risk


COBIT can help! [www.isaca.org]

Control Objectives for Information Technology (COBIT)

Page 28: ITIL, Compliance And Risk


Why is COBIT so great?

Includes:
• Control practices
• Key Performance Indicators
• Key Goal Indicators
• Maturity Models
• Auditing guidelines

Page 29: ITIL, Compliance And Risk


You can leverage it in your ITIL implementation

Page 30: ITIL, Compliance And Risk


Another Framework—ISO17799

Page 31: ITIL, Compliance And Risk


Where Do I Start?

Risk Management (COSO ERM)
• Risk Assessment: Identification, Measurement, Prioritization
• Risk Response/Treatment: Control It, Share or Transfer It, Diversify/Avoid It
• Risk Monitoring: Process Level, Activity Level, Entity Level

Page 32: ITIL, Compliance And Risk


Question Period