Corporate governance of information technology

After the widely reported collapse of Enron in 2001 and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of auditors and of the boards of directors of public and privately held corporations were questioned.

As a response to this, and in an attempt to prevent similar problems from happening again, the US Sarbanes-Oxley Act of 2002 was written to stress the importance of business control and auditing.

Although not directly concerned with IT governance, Sarbanes-Oxley and Basel II in Europe have influenced the development of information technology governance since the early 2000s.

Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance.

A series of Australian Standards for Corporate Governance were published in 2003. These were:
• Good Governance Principles (AS8000)
• Fraud and Corruption Control (AS8001)
• Organisational Codes of Conduct (AS8002)
• Corporate Social Responsibility (AS8003)
• Whistle Blower Protection Programs (AS8004)

AS8015 Corporate Governance of ICT was published in January 2005.

It was fast-track adopted as ISO/IEC 38500 in May 2008 (see Introduction to ISO 38500 [3]).

Problems with IT governance

Is IT governance different from IT management and IT controls? The problem with IT governance is that it is often confused with good management practices and IT control frameworks.

ISO 38500 has helped clarify IT governance by describing it as the management system used by directors.

In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment.

The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls.

Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.

Frameworks

There are a number of supporting references that may serve as useful guides to the implementation of information technology governance. Some of them are:

• AS8015-2005, Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008.

• ISO/IEC 38500:2008, Corporate governance of information technology [4] (very closely based on AS8015-2005), provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfil their legal, regulatory and ethical obligations in respect of their organizations' use of IT.

ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations.

This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

• Control Objectives for Information and related Technology (COBIT) is regarded as the world's leading IT governance and control framework. COBIT provides a reference model of 34 IT processes typically found in an organization. Each process is defined together with its inputs and outputs, key activities, objectives, performance measures and an elementary maturity model. Originally created by ISACA, COBIT is now the responsibility of the IT Governance Institute (ITGI). [5][6]

• The IT Infrastructure Library (ITIL) is a high-level framework with information on how to achieve successful operational service management of IT, developed and maintained by the United Kingdom's Office of Government Commerce in partnership with the IT Service Management Forum.

While not specifically focused on IT governance, the process-related information is a useful reference source for tackling the improvement of the service management function.

Others include:
• ISO 27001 – focus on IT security
• CMM – the Capability Maturity Model – focus on software engineering
• TickIT – a quality-management certification program for software development

Non-IT-specific frameworks of use include:
• The Balanced Scorecard (BSC) – a method to assess an organization's performance in many different areas
• Six Sigma – focus on quality assurance
• TOGAF – The Open Group Architecture Framework – a methodology to align business and IT, resulting in useful projects and effective governance

Professional certification

Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA).

It is designed for experienced professionals who can demonstrate five or more years' experience in a managing or advisory role focused on the governance and control of IT at an enterprise level.

It also requires passing a 4-hour test, designed to evaluate an applicant’s understanding of enterprise IT management.

The first examination was held in December 2008.

References

• Georgel, F., IT Gouvernance : Maitrise d'un systeme d'information, Dunod, 2004 (1st ed.), 2006 (2nd ed.), 2009 (3rd ed.), ISBN 2-10-052574-3.
• Gouvernance, audit et securite des TI, CCH, 2008 (1st ed.), ISBN 978-289366577-1.
• Renz, Patrick S., Project Governance, Heidelberg, Physica-Verlag (Contributions to Economics), ISBN 978-3-7908-1926-7.
• Wood, David J., 2011, "Assessing IT Governance Maturity: The Case of San Marcos, Texas".

See also the bibliography sections of IT Portfolio Management and IT Service Management.

External links

Institutes and associations
• The IT Governance Institute
• Information Systems Audit and Control Association
• International Association of Information Technology Asset Managers, Inc. – IAITAM
• Australian Computer Society Governance of ICT Committee
• IT Governance Network
• IT Governance Portal

AS 8015

The AS 8015-2005 standard for corporate governance of information and communication technology was published in 2005 by Standards Australia.

The standard provides principles, a model and vocabulary as a basic framework for implementing effective corporate governance of ICT within any organisation.

The committee which drafted and recommended the publication included representatives from the Australian Computer Society [1], the Australian Bankers Association, the Australian Institute of Company Directors, academia and government agencies.

AS8015 was submitted for fast-track ISO adoption and was published, largely unchanged, in May 2008 as ISO/IEC 38500, the ISO/IEC standard for corporate governance of information technology [4].

COBIT

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

Overview

COBIT was first released in 1996. The current version, COBIT 4.1, was published in 2007 and is currently being updated (COBIT 5 [1]).

Its mission is "to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals." [2]

COBIT defines 34 generic processes to manage IT.

Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model.

The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.

COBIT Framework

The framework provides good practices across a domain and process framework.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains (Plan and Organize, Acquire and Implement, Deliver and Support and Monitor and Evaluate) and 34 processes in line with the responsibility areas of plan, build, run and monitor.

It is positioned at a high level and has been aligned and harmonized with other, more detailed, IT standards and good practices such as COSO, ITIL, ISO 27000, CMMI, TOGAF and PMBOK.

COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that links the good-practice models with governance and business requirements.

Releases

COBIT has had four major releases:

• In 1996, the first edition of COBIT was released.

• In 1998, the second edition added “Management Guidelines”.

• In 2000, the third edition was released.

• In 2003, an on-line version became available.

• In December 2005, the fourth edition was initially released.

• In May 2007, the current 4.1 revision was released.

Components

The COBIT components include:
• Framework: organises IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
• Process descriptions: a reference process model and common language for everyone in an organisation. The processes map to the responsibility areas of plan, build, run and monitor.
• Control objectives: provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
• Management guidelines: help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes.
• Maturity models: assess maturity and capability per process and help to address gaps.

Other ISACA publications [3] based on the COBIT framework include:
• Board Briefing for IT Governance, 2nd Edition
• COBIT and Application Controls
• COBIT Control Practices, 2nd Edition
• IT Assurance Guide: Using COBIT
• Implementing and Continually Improving IT Governance
• COBIT Quickstart, 2nd Edition
• COBIT Security Baseline, 2nd Edition
• IT Control Objectives for Sarbanes-Oxley, 2nd Edition
• IT Control Objectives for Basel II
• COBIT User Guide for Service Managers
• COBIT Mappings (to ISO/IEC 27002, CMMI, ITIL, TOGAF, PMBOK etc.)
• COBIT Online

COBIT and Sarbanes-Oxley

Companies that are publicly traded in the US are subject to the Sarbanes-Oxley Act of 2002.

COBIT is the framework most commonly used by those companies to structure the IT general controls that support Sarbanes-Oxley compliance. Sarbanes-Oxley itself does not prescribe a framework; ISACA's IT Control Objectives for Sarbanes-Oxley maps COBIT's process controls onto the COSO internal-control framework that auditors assess.

References

• ISACA [4] – custodians of COBIT
• COBITCampus [5] – COBIT education provided by ISACA
• ISO/IEC 20000, international standard for IT Service Management
• ISO/IEC 27000, Information Security Management Systems standards
• Wood, David J., "Assessing IT Governance Maturity: The Case of San Marcos, Texas", Applied Research Projects, Texas State University-San Marcos. (This paper applies a modified COBIT framework to a medium-sized city.)

IBM Tivoli Unified Process (ITUP)

IBM Tivoli Unified Process (ITUP) is a knowledge base of widely accepted industry best practices and the accumulated experience from IBM's client engagements.

The knowledge base comprises detailed, industry-wide IT service management processes, and is an integral part of the IBM Service Management solution family.[1] The knowledge base is structured on the IBM Process Reference Model for IT[2] (PRM-IT).

PRM-IT[3] describes the processes for exploiting IT in support of a business or enterprise.

ITUP is a free offering from IBM.[4] Its purpose is to make the benefits of service management best practice frameworks, like Information Technology Infrastructure Library (ITIL), more attainable for organizations through integrated process modeling.

Thus ITUP is closely aligned with ITIL (a series of books outlining a set of concepts for managing IT) and provides the guidance on how to implement IT service management using proven, predefined solutions.

Detailed process diagrams and descriptions provide further explanations of IT processes, the relationships between processes, and the roles and tools involved in an efficient process implementation.

ITUP is also mapped to other leading process models. [5]

Context

IT service management represents an evolution from managing IT as a technology to managing IT as a business.[6] As businesses move toward on-demand environments, IT organizations are faced with the challenge of increasing the quality of services provided to the business, while simultaneously addressing faster rates of change, rising technical complexity, cost pressures, and compliance issues.

With traditional resource and system management approaches, providing effective support for the business and efficient use of IT resources is proving impossible.

IT service management provides for the effective and efficient delivery of IT services in support of changing business needs.

Implementing IT service management requires the optimal intersection of people, process, information and technology.

When all of these components come together, they can make IT more efficient and effective.

Tivoli Unified Process tooling

IBM Tivoli Unified Process (ITUP) Composer is the tool used to create tailored method libraries using the ITUP knowledge base content.[7] Customization includes creating or modifying process definitions to extend and publish content that documents an organization's operational processes.

The Composer tool provides the option to select and deploy a comprehensive project, or only the process components needed for each stage of a project, so that those processes are consistently applied by all IT staff.

A method library is a container for method plug-ins and method configuration definitions. A method library has one or more method configurations that filter the library and provide smaller working sets of library content. All method elements are stored in a method library.

Structure of the ITUP content knowledge base

The knowledge base includes descriptions of, and relationships between, five significant elements:

1. Process descriptions – detailed process diagrams and explanations to better understand processes and their relationships, making ITIL best-practice recommendations easier to implement. This category also maps processes to other leading process models, such as Control Objectives for Information and related Technology (COBIT) and the enhanced Telecom Operations Map (eTOM).

2. Work products – artifacts produced as outputs or required as inputs by processes. Includes information such as definitions for key terms and concepts.

3. Roles – as associated with the execution of specific tasks by IT staff, who are typically responsible for one or more roles. Roles and job responsibilities are described in detail and cross-referenced to guidance on how staff can use tools to perform their roles more efficiently and effectively.

4. Tools – in the form of tool mentors. This category identifies products and solutions from IBM that can be used to automate or complete specific process activities.

5. Scenarios, or real-life examples – provided as catalysts to make process content more comprehensible. A scenario can relate to specific issues, such as deploying a new server or responding to an outage. Scenarios describe, in a step-by-step format, the process workflow, roles, work products and tools involved in solving a specific problem.

The ITUP framework of process categories

Governance and Management System

The Governance and Management System process category ensures that a framework is in place to integrate processes, technologies, people, and data in a manner consistent with the IT goals.

This category also monitors the framework against the broader enterprise goals and quality metrics.

When specific goals and quality metrics are consistently unmet, decisions are made regarding the overall framework: whether it will be modified or restructured to ensure future success.

Governance considers and sets the fundamental direction for the management framework.

Governance is a decision rights and accountability framework for directing, controlling, and executing IT endeavors in order to determine and achieve desired behaviors and results.

Governance involves defining the management model and creating the governing or guiding principles.

Processes:
• IT Governance and Management System Framework
• IT Governance and Management System Capabilities
• IT Governance and Management Operation
• IT Governance and Management Evaluation

Customer Relationships

The Customer Relationships process category gives IT service providers a mechanism to understand, monitor, perform and compete effectively in the marketplace they serve. Through active communication and interaction with customers, this process category provides the IT enterprise with valuable, current information concerning customer wants, needs, and requirements.

Once these requirements are captured and understood, the process category ensures that an effective market plan is created to bring the various IT services and capabilities to the marketplace.

Further, customer satisfaction data is gathered and reported in order to find areas of the IT services that require improvement.

Overall, this process provides a means for the IT enterprise to understand customer requirements, market IT services to customers, ensure and monitor the quality of the delivered IT services, and contribute to the maximization of business value from technology usage.

Processes:
• Stakeholder Requirements Management
• Service Marketing and Sales
• Service Catalog Management
• Service Level Management
• Demand Management
• IT Customer Transformation Management
• Customer Satisfaction Management

Direction

The Direction process category provides guidance on the external technology marketplace, aligns the IT outcomes to support the business strategy, minimizes risk exposures, and manages the IT Architecture and IT Portfolio.

Using the business strategy, related business requirements, and overall technology trends as key inputs, this process category creates an IT Strategy within the manageable constraints of the existing architecture and portfolio.

In addition to the IT strategy, the IT Portfolio and IT Architecture are planned, created, implemented, monitored, and continuously improved within this process category.

Items put forward for inclusion in the IT Portfolio are managed throughout their life cycle using product management approaches well established in many industries.

Processes:
• IT Strategy
• IT Research and Innovation
• Architecture Management
• Risk Management
• Product Management
• Portfolio Management
• Program and Project Management

Realization

In the Realization process category, solutions are created to satisfy the requirements of IT customers and stakeholders, including both the development of new solutions and the enhancement or maintenance of existing ones.

Development includes options to build or buy the components of solutions, and the integration of them for functional capability.

This process category encompasses the engineering and manufacturing of information technology products and services, and includes the making or buying of solutions, systems, integration, and extensions to existing solutions.

Maintenance and end-of-life shutdown activities (requiring solution adjustment) are also addressed in this category.

Processes:
• Solution Requirements
• Solution Analysis and Design
• Solution Development and Integration
• Solution Test
• Solution Acceptance

Transition

The Transition category of processes supports any aspect related to a life cycle status change in solutions and services.

The processes provide defined and repeatable approaches to planning, effecting and recording these transitions, and can be applied to all stages of the life cycle.

They also serve to maintain control over the information technology (IT) resources that are subject to such status changes.

Further, the processes in this category provide vital enabling information to other process areas related to the management of IT.

Using these processes, developments in IT capabilities supporting the stake-holding businesses and customers achieve their desired operational status, from which value can be derived.

Processes:
• Change Management
• Release Management
• Deployment Management
• Configuration Management
• Asset Management

