Post on 27-Dec-2015
ITIL & COBIT
O6PLM
Kevin Lisay – 1501147113
Rendy Winarta – 1501149226
Steven Ekaputranto – 1501148362
Stefani Trifosa – 1501158893
Gladys Natalia – 1501165476
Background
Information technology is indispensable in the modern world. The effectiveness and efficiency that IT offers are great and bring many benefits. No company, especially a large one, can do without IT nowadays.
To make their IT structure operate well, many companies use ITIL (Information Technology Infrastructure Library), a set of documents that defines best practices and accepted techniques in the information technology community. They also use COBIT (Control Objectives for Information and Related Technology), which helps top-tier users (managers, IT professionals and assurance professionals) develop IT itself.
Scope
1. Implementation of Information Technology Infrastructure Library.
2. Implementation of Control Objectives for Information and Related Technology.
3. Differences between Information Technology Infrastructure Library and Control Objectives for Information and Related Technology.
What is ITIL (Information Technology Infrastructure Library)
ITIL is the most widely adopted approach for IT Service Management in the world. It provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business.
What is COBIT? (Control Objectives for Information and Related Technology)
A model designed to control the IT function. This model was originally developed by the Information Systems Audit and Control Foundation (ISACF).
COBIT supports IT governance by providing a comprehensive description of the control objectives for IT processes and by offering the possibility of examining the maturity of these processes.
Implementation of Information Technology Infrastructure Library.
1. Process Implementation
Objective
The objective of this document is to provide a template for developing process implementation plans that will be usable across a wide range of diverse organizations.
Program Management
2. Process Implementation Projects
Process, People And Technology (The Integrated Project Plan)
◦ Project Timelines
◦ Expected Project Deliverables
Implementation Roles
◦ Process Owner
◦ Core Process Team
◦ Stakeholder Groups And Subject Matter Experts
◦ Internal and External Process Advisors
Pink Elephant Consulting Roles
High Level Process Model Development
3. Process Embedding Strategy
Process Workshops / Training
◦ Develop Lesson Plans
◦ Schedule Workshop And Process Embedding Date
◦ Coaching Period
◦ Initial Process Review And Adjustment
Detailed Activities (Project Check List)
◦ People Involved
◦ Awareness Campaign
◦ Systems Implementation Activities
◦ Support Tools
◦ Post Implementation and Audit
◦ Other Considerations
4. Evaluation of The Project
Post Project Review
Auditing Using Quality Parameters
◦ Generic Quality Parameters for IT Service Management
◦ Process Specific Quality Parameters for IT Service Management
Implementation of Control Objectives for Information and Related Technology.
1. Background
The bank in the given case is a global conglomerate with operations in more than 50 countries and with more than 125,000 employees across the globe. The bank’s technology teams are located throughout the world to support global lines of business. The IT teams include development centers that are part of the bank and others that are outsourced to vendors, as well as technology back offices that support IT infrastructure and services. The bank had a history of multiple governance and assurance templates and processes followed by different teams, regions and locations. Hence, the key challenge was to create a common governance and assurance process across technology teams.
2. Use of COBIT
Defining a framework to use: Control objective framework (COF)
Identifying a standard definition of ‘entities’ against which risks and controls were to be evaluated: Key entity management model
Identifying a risk management process: Risk and control assessment (RCA)
Defining COF
It should act as a tool to facilitate the effective assessment of risks and controls within technology.
It should act as a reporting framework to demonstrate how technology satisfies reporting regulatory requirements, including those of Sarbanes-Oxley.
It should act as an aid to drive management assurance.
The steps in implementing COF using COBIT included:
◦ Identify principal risks
◦ Identify level II risks
◦ Identify control objectives
Benefit of Defining COF
Prior to implementing this framework, each entity, organization and location had its own set of controls. COBIT helped in developing and managing a single list of controls for each type of risk through the mapping of needed controls to COBIT. In turn, this assisted with the attestation of each type of risk, which provided confidence to senior executives on the reporting and attestation process. Subsequently, a risk assessment process was developed to define risks and controls. This helped in ensuring that adequate controls were deployed to cover the principal risks and level II risks.
Identifying Entities for Managing Risks and Controls
◦ Process entities
◦ Supporting services entities
◦ Technology entities
◦ Project entities
Defining and Implementing the RCA Process
Training Key Stakeholders
One of the main challenges was to explain the entire process to all of the stakeholders with different backgrounds and understanding of risks and controls and at various locations. The challenge was managed by creating additional training programs at various levels.
Differences Between ITIL and COBIT
ITIL
◦ Strong concentration on processes
◦ Security is a very important component
◦ Focused on service delivery
◦ Has a broad base of adopting organizations with lessons learned
◦ Has an organization certification schema
COBIT
◦ Control Focused
◦ Uses IT Metrics
◦ Used by auditors in SOX
◦ Critical Success Factors
◦ Includes a discussion of quality
◦ Includes a discussion of process maturity
Here is a table explaining COBIT, ITIL, and one other framework (CMMi) for SOX:
Another table describing COBIT, ITIL, another framework (CMMi) for non-SOX Objectives