An Introduction to Frameworks for IT Management

Apr 04, 2018

Yahya Nursalim
  • 7/30/2019 An Introduction to Frameworks for IT Management

    An Introduction to Frameworks for IT Management

    An overview of various IT frameworks focusing on Standards & Controls


    Frameworks ...

    To build strategies

    Recognized to be best practice in IT management

    Core instruments for many IT managers

    Vendor neutral

    Written in an accessible & plain way


    "ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements", but it is commonly known as "ISO 27001".

    Provides a model & detailed guidance for reducing an organization's exposure to IS risk, as implemented through an ISMS.

    ISO 27001 springs from British Standard BS7799.

    Latest version: 2005


    Where is it used?

    An instrument by which the value of each organisation's information assets is protected on an ongoing basis

    Recognizes many facets of information security, e.g. technical, human, system, organizational, societal etc.


    What is it?

    Two parts:

    ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements

    ISO 17799:2005 Information Technology - Security Techniques - Code of practice for Information Security Management


    ISO 27001:2005

    Management approach to the synthesis of an Information Security Management System that is fit for the purpose

    Measured by the information security requirements and expectations of all the interested parties


    ISO 17799:2005

    Is a code of practice

    11 areas and 39 security control objectives, each of which is directed at a particular area of information security concern

    Code of practice describes high-level information security objectives and controls by which risks in the scope of objectives are treated


    How to? - Plan

    Planning stage - 4 parts

    ISMS documentation defining

        Information security policy

        Statement of applicability

    Asset identification

    Risk assessment

    Risk treatment


    How to? - To Do

    To do stage

    Formulate & improve a risk treatment plan

    Identifying appropriate management actions, resources, responsibilities and priorities for managing IS risks

    By implementing the controls selected in the SOA to meet control objectives


    How to? - Check

    Check stage

    Report on the result of the performance & fitness-for-purpose of the operation will be given to management

    Process performance assessed against ISMS policy & objectives after iteration under PDCA cycle


    How to? - Act

    Act stage

    After management review, corrective & preventive actions based on ISMS audit & management review

    To achieve continual improvement of the ISMS


    Relevance

    Relevance to IT Management

    Recognizes the value of information that an organization uses

    Many of these information assets will be IT equipment

    Many of the controls impinge on IT management

    Information Security is NOT just an IT management issue


    Strengths & weaknesses

    Detailed guidance of the fit-for-purpose IS Management System

    Measured by organization's risk profile

    Built by iteration through PDCA cycle improving the effectiveness

    Focus on confidentiality, integrity & availability

    Problem in implementing due to large number of assets available to the organization

    When extending the organization's information resources outside, difficult to subject the external organizations to the same standards


    The first international standard for IT Service Management

    Initially developed as a British Standard BS15000

    Version 1 published in 2000, V.2 in 2002

    Currently certification is owned and managed by itSMF (IT Service Management Forum)


    Where is it used?

    Appropriate to IT Service Provider organizations

    To all industry sectors and all sizes of organizations except smallest (perhaps ISO9000 would suit!)

    Traditionally used to achieve formal

    certifications

    Helpful as a benchmark


    What is it?

    Two parts:

    Specification: "promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements" - Requirements

    Code of Practice: expansion & explanation of the requirements specified in the first part; describes the best practices for service management


    What is it?

    Both parts share a common structure:

    Scope

    Terms & Definitions

    Planning and Implementing Service Management

    Requirements for a Management System

    Planning & Implementing New or Changed Services

    Service Delivery Processes

    Relationship Processes

    Control Processes

    Resolution Processes

    Release Process


    What is it?

    Service Delivery Processes

        Service level management

        Service reporting

        Service continuity and availability management

        Budgeting and accounting of IT services

        Capacity management

        Information security management

    Relationship Processes

        Business relationship management

        Supplier management

    Resolution Processes

        Incident management

        Problem management

    Control Processes

        Configuration management

        Change management


    How to?

    Primarily a measure of process conformance to be achieved rather than a means of achieving it

    Can be applied by any service provider who wishes to demonstrate conformance with best practices in IT service management

    Steps

    Internal comparison

    Internal benchmarking

    Formal certification


    Relevance

    Concerned with service management and hence centrally relevant

    Does not depend on any specific approach

    Assessments are made against the process in place, irrespective of methods, guidance, techniques adopted

    Costs include training of staff, cost of improvement, cost of assessment


    Strengths & weaknesses

    Still early in life

    With growing popularity worldwide, an agreed and accepted core of best practice

    Addresses only generically valid core elements of the service management processes

    Hence, cannot describe the full set of processes/procedures required to deliver effective and efficient customer-focused services


    A branding term given to a structured, disciplined, rigorous approach to process improvement

    Literally means only 3.4 defects per million opportunities occurring

    After the rise of TQM, Motorola engineer Bill Smith coined the term in early 1980


    Where?

    Origin in manufacturing industry, now in >10 industry sectors, e.g. defense, finance, ICT

    Invented by Motorola

    Optimized by GE

    Initially perceived as a methodology for operations & manufacturing industries


    Where?

    ABN Amro NV in the Netherlands did a pilot in 2004 with the help of Capgemini

    Led to cost reduction of 1.2 million Euros in a 3 month period

    Also the approach helped to work together globally and to quantify the process KPIs and improvements.

    Adopted not just the Six Sigma methodology but also the mindset, viz. the Six Sigma philosophy


    What?

    Refers to the statistical notion of having 99.99% confidence

    Fundamental objective is implementation of a measurement-based strategy that focuses on process improvement and variation reduction

    Practical goal: to increase profits by eliminating variability, defects and waste that undermine customer loyalty

    Relies on tried-and-true methods available for decades and combines these to create a new and structured methodology


    What?

    Three Levels

    Metric: 3.4 Defects Per Million Opportunities (DPMO)

    Methodology:

        DMAIC (Define-Measure-Analyze-Improve-Control)

        DMADV (Define-Measure-Analyze-Design-Verify)

        DFSS (Design For Six Sigma)

    Philosophy


    DMAIC


    How to ..

    Tools & Templates (illustrative):

    Affinity Diagram

    Brainstorming

    Calculators

    Cause & Effect/Ishikawa/Fishbone

    Control Charts

    Contract management software

    Creativity/Out-of-the-box thinking

    Design of Experiment

    Document Control

    Flow Chart

    Risk Assessment

    Process map

    Scatter diagram

    Six Sigma reports templates etc.


    Strengths & weaknesses

    A rigorous improvement method or philosophy which is fast to implement with high success rate

    Consists of one language worldwide

    Best suited to high volume/high risk processes, large data sets available, measurable & repeatable processes

    Not a one-size-fits-all methodology

    Can be used in many situations but not always in the same way

    Substantial requirement of resources in plans to adopt the philosophy

    Can benefit the organization, IF used in the right way and for the right purpose.


    It was ideated and first detailed by Robert Kaplan and David Norton.

    The Balanced Scorecard is a strategic planning and management system used to align business activities to the vision and strategy of the organization, improve internal and external communications and monitor organization performance against strategic goals.


    Where?

    Performance management system that enables business to drive strategies based on measurement & follow up

    Can be easily applied to IT investments, projects, departments as performance management & alignment system

    Growing popularity of the concept

    Widely supported & disseminated by international consultant groups like Gartner, IDC etc.


    What?

    The balanced scorecard suggests we view 4 critical perspectives of our business:

    Learning & growth: includes training, learning, corporate culture and attitudes, self growth. Individuals are the main repository of knowledge of an organisation and the critical resource.

    Business process: Metrics based on internal business processes allow management to monitor how well the business is running

    Customer: Indicators on customer satisfaction and tools to improve and monitor customer relations are critical

    Financial: Timely and accurate financial data is still a key to manage the business. Data should be centralised and of fast and easy access, but financial data should not be the only indicator, thus the original intention of the word "balanced".


    How to?

    High level road map to BSC

    Presentation of the concept to senior management

    Establish a project team

    Gather data & collect information on

        Corporate IT strategy

        IT metrics already in use for performance measurement

    Develop organization specific IT Balanced Score Card


    How to?

    Some lessons learned

    Start small with only key objectives

    Consider BSC technique as a supportive mechanism for IT/Business alignment & IT Governance

    Consider & implement IT BSC as an evolutionary project

    Provide a formal project organization

    Provide best IT practices supporting the IT BSC

    Regularly revisit

    Focus first on establishment of appropriate objectives and measures and after that on automation via tools and software


    How to?

    Management Cycle

    1. Collect: Collect information.

    2. Create: Create the scorecard design.

    3. Cultivate: Cultivate acceptance and the measurement culture.

    4. Cascade: Cascade measures down through the organisation.

    5. Connect: Connect objectives and measures to employees.

    6. Confirm: Confirm effectiveness through evaluation leading to ongoing improvement.

    Source: Chang, Richard Y.; Mark W. Morgan; Performance Scorecards, Jossey-Bass, 2000


    Relevance to IT Management

    Getting business value from IT and measuring that value are important governance domains

    Combined responsibility of business & IT to take both tangible & intangible costs & benefits into account

    IT BSC provides answers to questions like

        How do I get back the extra money spent on IT?

        How does my IT benchmark against competitors?

        Do I get back from IT the promised returns?

        How do I learn from past performance?

        Is my IT implementing strategy in alignment with business?


    Strengths & weaknesses

    IT BSC is treated as the best practice for performance measurement and alignment

    It provides the systematic translation of the strategy into critical success factors and metrics

    Gives a balanced view of total value delivery of IT to the business

    Provides a snapshot of where your IT organization is at a certain point in time

    Barriers & pitfalls:

        Visions & strategies that are not actionable

        Strategies that are not linked to departmental, team & individual goals

        Feedback that is tactical & not strategic


    PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management.

    PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.


    Where?

    It concentrates on the work of the project manager, team managers and members of senior management involved in decision making

    De facto best practice project management standard in the UK & widely used in Netherlands & Australia

    Spreading fast across the world


    What?

    The key features of PRINCE2 are:

    Its focus on business justification

    A defined organisation structure for the project management team

    Its product-based planning approach

    Its emphasis on dividing the project into manageable and controllable stages

    Its flexibility to be applied at a level appropriate to the project.


    What?

    Two key principles of PRINCE2 are:

    A project should be driven by its business case: check for conformity at regular intervals and stop if the justification has disappeared

    PRINCE2 is product based: it focuses on products (documents) to be produced by the project and NOT the activities to produce them


    PRINCE2


    How to?

    Covers all sizes of projects

    Thorough understanding is required to be able to use its flexibility & scalability

    Does not attempt to cover techniques that are already in public domain, e.g. network planning & use of Gantt charts


    Relevance to IT Management

    Originally devised for IT by a group of IT managers

    Very relevant to the management of IT projects

    Excellent approach to planning & organization of a project & describes the production of a business case (often a weak area in IT projects!)

    Closing of a project is also very relevant


    Strengths & weaknesses

    A disciplined approach to project management through combination of processes & components

    Controls, risks and quality chapters of the method are particularly strong

    A complete approach to the management of risk is given

    Quality coverage begins before the project officially begins

    PRINCE2 is not a complete answer to project management

    Does not contain techniques such as soft skills like leadership

    It does not cover programs