ITIL AND COBIT EXPLAINED

1
 AGENDA

 Overview of Frameworks
 Similarities and Differences

 Details on COBIT Framework (based on

version 4.1)
 Details on ITIL Framework, focused mainly
on version.2.
 Comparison of COBIT and ITIL v.2 sections.

 Maturity Capacity Models

 Q&A
2

© Copyright of Elevate Consulting LLC, All Rights Reserved

POSITIONING THE FRAMEWORKS

CMM = capability maturity model

Specific
CobiT = Control Objectives for
TCO Information and Related
Technology
ITIL CMMI
ITIL = IT Infrastructure Library
ISO 20000
TCO = total cost of ownership
CobiT IS0 20000 = IT service mgt standard
IT
Relevance People CMM ISO 9000 = quality mgt standard
Point solutions are Six Sigma
useful, but a broader,
holistic approach to ISO 9000
process and quality National Awards
improvement is (e.g., Baldrige)
POWERFUL.
Holistic
Scorecards
Low Level of Abstraction High 3
ITIL and COBIT can enable organizations to achieve
key objectives:

 Establish proven best practice IT service management processes

to manage IT from a business perspective and achieve business
goals, including that of compliance

 Put in place clear process goals, based on the organization’s

business goals, and provide a means of measuring progress
against them

 Ensure effective IT governance and control at the process level,

and enable IT to demonstrate that it meets or exceeds the
requirements set forth by government or external regulations

Frameworks are highly complementary, and together provide

greater value than using just one or the other. COBIT outlines what 4
you need to do to meet these challenges and ITIL shows you how to
get there.
Why is IT governance and best practices
implementation needed?

The effective management of information, information systems,

communication and IT services is of critical important and
survival of most enterprises. This criticality arises from:

- The pervasiveness of and dependence on information, the

services and the infrastructure that deliver the information

- The increasing scale and cost of current and future

technology- related investments

- The potential for technologies to enable transformation of

enterprises and business practices 5
Some Facts:

- ITIL strong in IT HOW to carry on processes (delivery and

support) , but limited in security and system development

 - COBIT is strong in IT controls and IT metrics, it concentrates

on WHAT should be achieved rather than how (e.g. process
flows) to achieve effective governance, management and
control.

– No contradictions or real overlaps, they complement

– No discussion on specific technologies or configuration
requirements (e.g. unlike PCI)

6
Control OBjectives for Information and related Technology

 Originally released in 1996 by the Information Systems Audit and

Control Foundation (ISACF) (1st Edition)
 Current primary publisher is the IT Governance Institute( ITGI) - formed
by the Information Systems Audit and Control Association (ISACA) in
1998 (2nd Edition)
 By 2000, ISACF and ITGI became one entity, and the 3 rd Edition was
issued.
 In 2005, 4th Edition was issued.
 COBIT was formed through research of sources such as the technical
standards from ISO, codes of conduct issued by the Council of Europe
and ISACA, professional standards for internal control and auditing
issued by COSO, AICPA, GAO, etc.
 The above sources were used to formulate COBIT to “be both
pragmatic and responsive to business needs while being
independent of the technical IT platforms adopted in an 7
organization.”
COBIT EDUCATION:

 The COBIT curriculum includes the following courses:

 COBIT Awareness Course (2 hours, self paced e-
learning)
 COBIT Foundation Course (8 hours, self paced e-
learning or 14 hours, classroom)
 COBIT Foundation Exam (1 hour, online 40 questions)
 IT Governance Implementation Course (14 hours,
classroom)
 COBIT for Sarbanes-Oxley Compliance (5 hours, self
paced e-learning)

8
COBIT ONLINE: WWW.ISACA.ORG/COBITONLINE

o Provides full browsing capabilities by enabling you to

download the selected COBIT content as either a Microsoft
Word or Access template, for subsequent use offline.

oAll or selected COBIT components can be accessed, and they

can be filtered based on several search criteria:

•Framework
•Control Objectives
•Inputs/Outputs
•RACI Charts
•Goals and Metrics
•Maturity Models
•Control Practices
9
•Assurance Steps
COBIT ON IT GOVERNANCE..

 IT governance is the responsibility of executives and the

board of directors, and consists of the leadership,
organizational structures and processes that ensure that the
enterprise’s IT sustains and extends the organization's
strategies and objectives.

 For IT to be successful in delivering against business

requirements, management should put an internal control
system or framework in place.

 The business orientation of COBIT consists of linking

business goals to IT goals, providing metrics and maturity
models to measure their achievement, and identifying the
associated responsibilities of business and IT process 10

owners.
COBIT Family of Products

11
COBIT IT Domains and Processes

12
COBIT COMPONENTS
4 Domains
•Planning & Organization (PO)
•Acquire & Implement (AI)
•Delivery & Support (DS)
•Monitor and Evaluate (ME)

34 Control Objectives
318 Detailed Control Activities

13
14
INTERRELATIONSHIPS WITH COBIT COMPONENTS

15
How Does Governance and the Business Drive IT?

16
How Does Governance and the Business Drive IT?

17
How Does Governance and the Business Drive IT?

IT Goals:

18
How Does Governance and the Business Drive IT?
COBIT information Criteria

19
How Does Governance and the Business Drive IT?

20
How Does Governance and the Business Drive IT?
COBIT information Criteria

21
COBIT FRAMEWORK NAVIGATION

22
COBIT FRAMEWORK NAVIGATION- EXAMPLE

23
COBIT FRAMEWORK NAVIGATION- EXAMPLE

24
CHANGE MANAGEMENT ITIL PROCESS FLOW SUMMARY

Change to: CMDB

Hardware
Software
Documentation
Infrastructure
Training
Assessments
Engineering specs
Tactical planning

Change Management Release Management

RFC

Reasons:
Fix a Problem
Changing business
requirements
Changing technology
Continuous SIP
Change Advisory Board
External forces (e.g.
Service Management
competition, legislations)
Technical Experts
Customers and Users
Interested Parties

25
 ITIL

Information Technology
Library
26
INTRODUCTION TO ITIL
 During the late 1980’s the Central Computer and
Telecommunication Agency (CCTA) in the United

27
Kingdom started to work on what is now known as
ITIL, the Information Technology Infrastructure
Library

 ITIL is a set of books that provides comprehensive

and interrelated codes of practice in achieving the
efficient support and delivery of high quality, cost
effective IT services

 Version 2 available in 2000

 Version 3 available in 2007

ITIL EDUCATION PATH

28
ITIL MYTH

As Jan Van Bon (author and editor of many IT Service Management

publications) notes:
There is a lot of confusion about ITIL, stemming from all kinds of
misunderstandings about its nature. ITIL is a set of best practices. The
there is no claim that ITIL’s best practices describe pure processes..
That is what most of its users make of it, probably because they have
such a great need for such a model

CIO Magazine columnist Dean Meyer has also presented some

cautionary views of ITIL, including five pitfalls such as "becoming a
slave to outdated definitions" and "Letting ITIL become religion." As he
notes, "...it doesn't describe the complete range of processes needed
to be world class. It's focused on ... managing ongoing services."

29
ITIL V.2 AND V.3
ITIL v2 , seven books with two main areas:

•Service Support
•Service Delivery

In ITIL v3 moves from a process approach to a service life cycle approach:

• Service strategy- which type of services, to which customers and

markets

• Service design- identifies service req’s, devices new service offerings

• Service transition- builds and deploys new or modified services

• Service operation- carries out operational tasks

• Continual service improvement- learns from the past, improve the

effectiveness and efficiencies of services and process
30
What is the difference between Version 2 and
Version 3?

V3 articulates the relationship between IT and the business far

more clearly than earlier versions of ITIL.

 Instead of focusing on processes as in V2, V3 considers a wider

view of IT by considering the Lifecycle of a service from its initial
planning, which should be aligned to the business need, through to
its final retirement.

V3 focuses more on the treatment of strategic options, functions,

roles and responsibilities as well as continual improvement.

The existing processes from earlier ITIL versions remain in V3 but

have been improved and added to. ITIL V3 also looks more closely 31
at alignment with other best practices and standards.
ITIL V.2 AND V.3 PROCESSES

32
 COBIT Control Objectives Linked with ITIL V.2
Plan and Organize Direct link with ITIL

Acquire and Implement

33
 COBIT Control Objectives Linked with ITIL
Define and Support
Direct link with ITIL

Monitor and Evaluate

34
ONE TO ONE COMPARISON COBIT 4.1 AND ITIL V.2

Process Description V.2 COBIT

Section Section
Financial Provides cost effective Service PO.5
Management stewardship of IT assets used in Delivery
providing IT services
Release Ensure that all technical and non Service AI.4
Management technical aspects of a release are Support
dealt with in a coordinated
approach.
Change Ensure standardized methods Service AI.6
Management and approaches are followed for Support
efficient, prompt and authorized
handling of all IT changes.
Incident Restore normal service Service DS.8
Management operations as quickly as possible Support
Configuration Provide a logical model of the IT Service DS.9
Management infrastructure by identifying, Support
verifying, maintaining and
controlling all version of IT 35
Configuration items (CIs)
ONE TO ONE COMPARISON COBIT 4.1 AND ITIL V.2
Process Description V.2 COBIT
Section Sectio
n
Problem Prevent and identify the business errors Service DS.10
Management in the IT infrastructure. Support

Service Level Maintain and improve IT service quality Service DS1. and
Management through a constant cycle of agreeing, Delivery some of
monitoring and reporting IT service DS.2
level agreements
Availability Optimize the capacity of the IT Service DS.3
Management infrastructure and supporting Delivery
organization to deliver cost effective
and sustained level of availability to
satisfy business objectives.
Capacity Ensure the capacity and performance Service DS.3
Management aspects of the business requirements Delivery
are provided timely and cost effectively.
IT Service Ensuring that the required IT services Service DS.4
Continuity and facilities can be recovered within Delivery 36
the agreed times
MATURITY MODELING
Maturity modeling for management and control over IT processes is
based on a method of self-evaluation by the organization.
In COBIT and ITIL a maturity model has been defined for each section,
providing an incremental measurement scale from 0, non-existent,
through 5, optimized.
Using the maturity models developed for each IT process, management
can identify:

• The actual performance of the enterprise—Where the enterprise is

today
• The current status of the industry— The comparison
• The enterprise’s target for improvement—Where the enterprise
wants to be
The maturity attributes list the characteristics of how IT processes are
managed and describes how they evolve from a non-existent to an
optimized process.
These attributes can be used for more comprehensive assessment,
gap analysis and improvement planning. 37
MATURITY LEVEL RANKING

38
Maturity Model- Where Does Your Organization Stack?
Optimization/ Value
Managed and
Defined Process Measurable
Repeatable/ Integration/ Service Level 5
Control/ Proactive
Intuitive
Awareness/ Reactive Level 4  IT as strategic
Initial/ Ad Hoc Level 3 business partner
 IT as a service
 IT and business
provider
Initiation/ Chaotic Level 2  Analyze trends metric linkage
 Define services,
 IT/business
 Set thresholds classes, pricing
Level 1  Fight fires collaboration
 Predict  Understand costs improves
 Inventory problems  Guarantee SLAs business
 Ad hoc  Initiate process
 Measure appli-  Measure & report
 Undocumented
problem mgt cation service availability  Real-time
process availability infrastructure
 Unpredictable  Integrate Manage IT as a Business
 Alert and  Automate processes  Business
 Multiple help event mgt planning
 Mature Service and Account
 Capacity Management
desks  Measure
problem, mgt
 Minimal IT
component configuration, Service Delivery Process Engineering
operations availability change, asset
(up/down)Operational
and Process Engineering
 User call 39
performance
notification Tool Leverage mgt processes
PROCESS MATURITY MODEL

40
IN SHORT- WHAT ARE SOME OF THE BENEFITS
oBetter alignment of IT environment based on business focus and
customer needs

oA view, understandable to management of what IT does

oClear ownership and responsibilities based on process orientation

oGeneral acceptability with third parties and regulators

oCommon language spoken by IT (specially for ITIL)

oIntegration of the processes

oImproved decision support by better management information

41
SO, HOW THEN DO WE IMPLEMENT A GOVERNANCE FRAMEWORK?

42
QUESTIONS & ANSWERS
Questions & Answers
THANK YOU!!!!

43
Contact Information:

Angela Polania, CPA, CISA

Elevate Consulting
5757 Blue Lagoon Drive
Suite 350
Miami FL 33126
C.305.975.5121
apolania@elevateconsult.com

Elevate Consulting is a premier South Florida based firm, specialized in: IT

Compliance and Governance, Internal Controls and IT Auditing, ITIL
Assessments and Implementations Project Management and IT Project
Management. 44