7/30/2019 An Introduction to Frameworks for IT Management
An Introduction to Frameworks for IT Management
An overview of various IT frameworks focusing on Standards & Controls
Frameworks ..
To build strategies
Recognized to be best practice in IT Management
Core instruments for many IT managers
Vendor neutral
Written in an accessible & plain way
ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements, but it is commonly known as "ISO 27001".
Provides a model & detailed guidance for reducing an organization's exposure to IS risk as implemented through an ISMS.
ISO 27001 springs from British Standard BS7799
Latest Version 2005
Where is it used?
An instrument by which the value of each organisation's information assets is protected on an ongoing basis
Recognizes many facets of information security, e.g. technical, human, system, organizational, societal etc.
What is it?
Two parts:
ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements
ISO 17799:2005 Information Technology - Security Techniques - Code of practice for Information Security Management
ISO 27001:2005
Management approach to the synthesis of an Information Security Management System that is fit for the purpose
Measured by the information security requirements and expectations of all the interested parties
ISO 17799:2005
Is a code of practice
11 areas and 39 security control objectives, each of which is directed at a particular area of information security concern
Code of practice describes high level information security objectives and controls by which risks in the scope of objectives are treated
How to?
How to? - Plan
Planning stage - 4 parts
ISMS documentation defining
Information security policy
Statement of applicability
Asset Identification
Risk assessment
Risk treatment
How to? - Do
Do stage
Formulate & improve a risk treatment plan
Identifying appropriate management actions, resources, responsibilities and priorities for managing IS risks
By implementing the controls selected in the SOA to meet control objectives
How to? - Check
Check stage
Report on the result of the performance & fitness-for-purpose of the operation will be given to management
Process performance assessed against ISMS policy & objectives after iteration under PDCA cycle
How to? - Act
Act stage
After management review, corrective & preventive actions based on ISMS audit & management review
To achieve continual improvement of the ISMS
Relevance
Relevance to IT Management
Recognizes the value of information that an organization uses
Many of these information assets will be IT equipment
Many of the controls impinge on IT management
Information Security is NOT just an IT management issue
Strengths & weaknesses
Detailed guidance of the fit-for-purpose IS Management System
Measured by Organization's risk profile
Built by iteration through PDCA cycle improving the effectiveness
Focus on Confidentiality, integrity & availability
Problem in implementing due to large number of assets available to the organization
When extending the organization's information resources outside, difficult to subject the external organizations to the same standards
The first international standard for IT Service Management
Initially developed as a British Standard BS15000
Version 1 published in 2000, V.2 in 2002
Currently Certification is owned and managed by itSMF (IT Service Management Forum)
Where is it used?
Appropriate to IT Service Provider organizations
To all industry sectors and all sizes of organizations except the smallest (perhaps ISO9000 would suit!)
Traditionally used to achieve formal certifications
Helpful as a benchmark
What is it?
Two parts:
Specification - "promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements" - Requirements
Code of Practice - expansion & explanation of the requirements specified in the first part - describes the best practices for service management
What is it?
Both parts share a common structure
Scope
Terms & Definitions
Planning and Implementing Service Management
Requirements for a Management System
Planning & Implementing New or Changed Services
Service Delivery Processes
Relationship Processes
Control Processes
Resolution Processes
Release Process
What is it?
Service Delivery Processes
Service level management
Service reporting
Service continuity and availability management
Budgeting and accounting of IT services
Capacity management
Information security management
Relationship Processes
Business relationship management
Supplier management
Resolution Processes
Incident management
Problem management
Control Processes
Configuration management
Change management
How to?
Primarily a measure of process conformance to be achieved rather than a means of achieving it
Can be applied by any service provider who wishes to demonstrate conformance with best practices in IT service management
Steps
Internal comparison
Internal benchmarking
Formal certification
Relevance
Concerned with service management and hence centrally relevant
Does not depend on any specific approach
Assessments are made against the process in place, irrespective of methods, guidance, techniques adopted
Costs include training of staff, cost of improvement, cost of assessment
Strengths & weaknesses
Still early in life
With growing popularity worldwide, an agreed and accepted core of best practice
Addresses only generically valid core elements of the service management processes
Hence, cannot describe the full set of processes/procedures required to deliver effective and efficient customer focused services
A branding term given to a structured, disciplined, rigorous approach to process improvement
Literally means only 3.4 defects per million opportunities occurring
After the rise of TQM, Motorola Engineer Bill Smith coined the term in early 1980
Where?
Origin in manufacturing industry, now in >10 industry sectors e.g. defense, finance, ICT
Invented by Motorola
Optimized by GE
Initially perceived as a methodology for operations & manufacturing industries
Where?
ABN Amro NV in Netherlands did a pilot in 2004 with the help of Capgemini
Led to cost reduction of 1.2 million Euros in a 3-month period
Also the approach helped to work together globally and to quantify the process KPIs and improvements.
Adopted not just Six Sigma methodology but also the mindset, viz. Six Sigma philosophy
What?
Refers to the statistical notion of having 99.99% confidence
Fundamental objective is implementation of a measurement-based strategy that focuses on process improvement and variation reduction
Practical goal: to increase profits by eliminating variability, defects and waste that undermine customer loyalty
Relies on tried-and-true methods available for decades and combines these to create a new and structured methodology
What?
Three Levels
Metric: 3.4 Defects Per Million Opportunities (DPMO)
Methodology:
DMAIC (Define-Measure-Analyze-Improve-Control)
DMADV (Define-Measure-Analyze-Design-Verify)
DFSS (Design For Six Sigma)
Philosophy
DMAIC
How to?
Tools & Templates (illustrative):
Affinity Diagram
Brainstorming
Calculators
Cause & Effect/Ishikawa/Fishbone
Control Charts
Contract management software
Creativity/Out-of-the-box thinking
Design of Experiment
Document Control
Flow Chart
Risk Assessment
Process map
Scatter diagram
Six Sigma report templates etc.
Strengths & weaknesses
A rigorous improvement method or philosophy which is fast to implement with high success rate
Consists of one language worldwide
Best suited to high volume/high risk processes, large data sets available, measurable & repeatable processes
Not a one-size-fits-all methodology
Can be used in many situations but not always in the same way
Substantial requirement of resources in plans to adopt philosophy
Can benefit the organization, IF used in the right way and for the right purpose.
It was ideated and first detailed by Robert Kaplan and David Norton.
The Balanced Scorecard is a strategic planning and management system used to
align business activities to the vision and strategy of the organization,
improve internal and external communications and
monitor organization performance against strategic goals.
Where?
Performance management system that enables business to drive strategies based on measurement & follow up
Can be easily applied to IT investments, projects, departments as performance management & alignment system
Growing popularity of the concept
Widely supported & disseminated by international consultant groups like Gartner, IDC etc.
What?
The balanced scorecard suggests we view 4 critical perspectives of our business:
Learning & growth: includes training, learning, corporate culture and attitudes, self growth. Individuals are the main repository of knowledge of an organisation and the critical resource.
Business process: Metrics based on internal business processes allow management to monitor how well the business is running
Customer: Indicators on customer satisfaction and tools to improve and monitor customer relations are critical
Financial: Timely and accurate financial data is still a key to manage the business. Data should be centralised and of fast and easy access, but financial data should not be the only indicator, thus the original intention of the word "balanced".
How to?
High level road map to BSC
Presentation of the concept to senior management
Establish a project team
Gather data & collect information on Corporate IT strategy
IT metrics already in use for performance measurement
Develop organization specific IT Balanced Score Card
How to?
Some lessons learned
Start small with only key objectives
Consider BSC technique as a supportive mechanism for IT/Business alignment & IT Governance
Consider & implement IT BSC as an evolutionary project
Provide a formal project organization
Provide best IT practices supporting the IT BSC
Regularly revisit
Focus first on establishment of appropriate objectives and measures and after that on automation via tools and software
How to?
Management Cycle
1. Collect: Collect information.
2. Create: Create the scorecard design.
3. Cultivate: Cultivate acceptance and the measurement culture.
4. Cascade: Cascade measures down through the organisation.
5. Connect: Connect objectives and measures to employees.
6. Confirm: Confirm effectiveness through evaluation leading to ongoing improvement.
Source: Chang, Richard Y.; Mark W. Morgan; Performance Scorecards, Jossey-Bass, 2000
Relevance to IT Management
Getting business value from IT and measuring that value are important governance domains
Combined responsibility of business & IT to take both tangible & intangible costs & benefits into account
IT BSC provides answers to questions like
How do I get back the extra money spent on IT?
How does my IT benchmark against competitors?
Do I get back from IT the promised returns?
How do I learn from past performance?
Is my IT implementing strategy in alignment with business?
Strengths & weaknesses
IT BSC is treated as the best practice for performance measurement and alignment
It provides the systematic translation of the strategy into critical success factors and metrics
Gives a balanced view of total value delivery of IT to the business
Provides a snapshot of where your IT organization is at a certain point in time
Barriers & pitfalls:
Visions & strategies that are not actionable
Strategies that are not linked to departmental, team & individual goals
Feedback that is tactical & not strategic
PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management.
PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.
Where?
It concentrates on the work of the project manager, team managers and members of senior management involved in decision making
De facto best practice project management standard in the UK & widely used in Netherlands & Australia
Spreading fast across the world
What?
The key features of PRINCE2 are:
Its focus on business justification
A defined organisation structure for the project management team
Its product-based planning approach
Its emphasis on dividing the project into manageable and controllable stages
Its flexibility to be applied at a level appropriate to the project.
What?
Two key principles of PRINCE2 are:
A project should be driven by its business case - check for conformity at regular intervals and stop if the justification has disappeared
PRINCE2 is product based - focuses on products (documents) to be produced by the project and NOT the activities to produce them
PRINCE2
How to?
Covers all sizes of projects
Thorough understanding is required to be able to use its flexibility & scalability
Does not attempt to cover techniques that are already in public domain e.g. network planning & use of Gantt charts
Relevance to IT Management
Originally devised for IT by a group of IT managers
Very relevant to the management of IT projects
Excellent approach to planning & organization of a project & describes the production of a business case (often a weak area in IT projects!!)
Closing of a project is also very relevant
Strengths & weaknesses
A disciplined approach to project management through combination of processes & components
Controls, risks and quality chapters of the method are particularly strong
A complete approach to the management of risk is given
Quality coverage begins before the project officially begins
PRINCE2 is not a complete answer to project management
Does not contain techniques such as soft skills like leadership
It does not cover programs