By Alcyone Consulting Group
Executive Summary:
Nearly all of us who are running an IT shop feel the need to gain or increase control, predictability, and efficiency. That’s true whether we’ve just come off achieving CMM level 3, or are still struggling with legacy IT management practices. Solving these problems from scratch can take daunting amounts of time and effort, and still leave you vulnerable to audit issues.
CobiT® and ITIL® together are a powerful force for IT Operational efficiency and effectiveness. CobiT provides a framework for IT governance, aligning IT with business requirements. ITIL is a collection of best practices in Service Management, Security, Infrastructure Management, and Application Management. Together they can make the process improvement task much more achievable.
Using CobiT and ITIL in combination links proven IT best practices (ITIL) to CobiT’s regulatory and business requirements. CobiT’s objectives define the Key Performance Indicators for each major IT process area, assuring both a well-run IT Organization and the ability to meet regulatory requirements.
This paper describes CobiT and ITIL, why Alcyone Consulting combined them, and how your organization can benefit from this work for better IT effectiveness.
What is the business problem?
Before we introduce CobiT and ITIL, and the value of combining them, let’s review the business problem that makes this a compelling discussion. The following describes a typical public company’s IT organization and change drivers:
• Your auditors are telling you that your team is not doing something right and you have to change it … now!
• The business is telling you that you don’t understand their needs or are not responsive enough.
• The CEO is telling you that you have to make your IT organization more cost effective.
On top of all this, you are being asked to make improvements while living within this year’s operating budget. Leveraging either CobiT or ITIL will help you with the above objectives. The questions are: What are they? How do you know which to use, and when?
What ARE these things?
CobiT: Control Objectives IT
CobiT was developed in the early 1990s by the Information Systems Audit and Control Foundation (ISACF) with the goal of providing a set of best practices that are meaningful and useful to IT staff, auditors, and customers. A major research effort delving into all relevant existing standards and best practices was undertaken to develop the CobiT objectives.
The initial release of the Framework, Control Objectives and Audit Guidelines, was in 1996.
Over the next four years two additional books were published: Implementation Toolset and Management Guidelines. These books contain maturity models, performance indicators and critical success factors.
A quote from the introduction:
“The resulting control objectives have been developed for application to organization-wide information systems. The term “generally applicable and accepted” is explicitly used in the same sense as Generally Accepted Accounting Principles (GAAP).”
CobiT is organized into four domains: Planning and Organization, Acquisition and Implementation, Deployment and Support, and Monitoring.
(For a diagram of these domains please download the complete whitepaper)
Each of the high-level control objectives in the above diagram is divided into detailed control objectives. CobiT identifies a broad set of 318 control points (e.g., Procurement Control) designed to provide reasonable assurance that certain objectives will be achieved. What it does not do is describe a complete set of IT processes – more on this to come.
CobiT was largely ignored by the marketplace until the Sarbanes-Oxley Act of 2002 (SOX). Once this act took effect in the United States, CobiT was able to show that the direction for compliance was already in place. SOX requires that companies certify internal financial processes, and that auditors issue opinions regarding the completeness of those processes. In addition, SOX requires that companies understand and document internal controls around financial reporting. And that’s exactly what implementing CobiT is able to deliver.