Thursday, June 05, 2008
ISO, ITIL and COBIT triple play fosters optimal security management execution
This information is a survey which about security professionals conducted for the recent research report Security Management Matures, ESG. The survey materials are the organizations with 1,000 or more employees, and what kind of the commercial frameworks which include ITIL, Cobit, ISO implement in the organization.
ESG discovered that 72 percent of North American enterprise-class organizations say they are implementing one or more formal IT best practice control and process models.
Among survey participants, 18 percent have simultaneously implemented ITIL, ISO and COBIT. Of those implementing just one set of standards, ITIL is the most frequently selected (16 percent) followed by ISO (11 percent). A significant 17 percent have not implemented any type of framework at this time. An additional 20 percent have implemented other best practices or did not know whether their organization used these types of frameworks.
Over three-quarters (76 percent) of the organizations implementing all three sets of guidelines indicate that demands to comply with external regulations were very influential in defining their security management requirements during the past year. In contrast, only 44 percent of those implementing ITIL alone and 51 percent of those with no frameworks in place felt the same way.
For those organizations implementing all three best practices guidelines, the data reveals that regulatory pressures impact multiple business activities, as these organizations are required to comply with diverse regulatory requirements, such as Sarbanes-Oxley, PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and PCI DSS (Payment Card Industry Data Security Standard). Across all of these different regulatory requirements, organizations implementing all three sets of best practices guidelines are significantly more likely to be subject to those requirements than are organizations with a lesser number of best practices frameworks currently in place.
Combined, these forces require organizations to promote extensive and ongoing communication, cooperation and reporting capabilities across information security groups, data center operations teams, e-mail administrators, facilities, human resources and other business groups in order to assure that information security control policies are implemented consistently across the business. By combining the detailed security specifications from ISO, IT operations and cross-IT workflow integration best practices from ITIL, and governance and control models from COBIT, the most sophisticated firms are able to address the full range of compliance and audit requirements set before them by government and industry compliance mandates.
ESG found interesting relationships between an organization's degree of implementation of security and governance standards and the amount of cooperation between different IT groups within that organization. Organizations implementing all three sets of best practices recommendations are most likely to report significant levels (62 percent) of cooperation between IT operations and information security groups, compared with 56 percent of those implementing ITIL only and just 46 percent of those that have not implemented any frameworks. Interestingly, those organizations that have not implemented any frameworks are most likely to have merged IT operations and information security groups (29 percent), compared to just 14 percent of those implementing multiple frameworks.
In my opinion, this time I understand more about why company implement more then one standard in the organization. Because of the complex requirement across business, security and IT teams, in facts these three groups are work together. As common sense, IT is support the business, but IT services can not without the security. As the summary which ESG made, inducts ITIL, ISO and COBIT for compliance requirements on governance, operational process and information security policy integration.
Alphabet Soup: Cobit, ITIL and ISO
This information is about Malcolm Wheatley interview an Expert Gary Hardy, Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), he having been a member of the latter for more than 25 years.
The content of the interviewing is about this question “How do Cobit and ITIL differ ?” Hardy answer is “Cobit [control objectives for information and related technology], the last version is the fourth release was lunched at November 2005, it is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it is not a framework. ITIL a set of best practices is mostly focused on service delivery and service management, the delivery of IT services in terms of the processes that should be followed.” Hardy also explained people say that Cobit is what you should do, and ITIL is how you should go about doing it—accepting that ITIL has a narrower scope.
Malcolm Wheatley asked again about how does ITIL's approach to security issues? Hardy answer is “ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on, it's not its core strength, and it's not what people go to ITIL for.”
Malcolm Wheatley asked the last question about how Cobit approaches to security issues. Hardy explained this Cobit has always been security-oriented, and at a high level sets out what should be done about security which the things that security should focus on. Cobit provides a set of objectives and guiding principles.
In my opinion, if the company’s character is service oriented, it is better using ITIL framework on the certification for their services quality. Such as Acer eDC. If an organization or company focus on the security aspect, they should take the Cobit standard. As the expert Hardy explained Cobit is focus on the security-oriented which the things should be done about security. If Cobit standard not popular at the location, ISO17799 may be another selection. Enterprise can choose the standard for they needed.
ITIL V3 Certification
http://www.itil-officialsite.com/Qualifications/ITILV3QualificationScheme.asp
http://www.itil-officialsite.com/Qualifications/ITILV3CreditSystem.asp
For the ITIL version 3 Certification, there have five core subjects which include Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. Each core subject covers the knowledge next:
Service Strategy
– Value Creation
– Business Fundamentals of services
– Service Provider Types
– Service Structures
– Service Strategy Processes
– IT Financial Management
– Service Portfolio Management
– Demand Management
Service Design
– Service Design Principles
– Service Design Processes
– Service Catalog Management
– Service Level Management
– Capacity Management
– Availability Management
– Service Continuity Management
– Information Security Management
– Supplier Management
– Application Management
– Requirements Engineering
Service Transition
– Service Transition Principles
– Service Transition Processes
– Change Management
– Configuration Management System
– Service Asset and Configuration Management
– Knowledge Management
– Service Releases Planning
Service Operation
– Service Operation Principles
– Service Operations Processes
– Event Management
– Incident Management
– Problem Management
– Service Request Management
– Functions (Detailed Information for each)
– Service Desk
_ Technical Management
_ IT Operations Management
_ Applications Management
Continual Service Improvement
– Continuous Improvement Fundamentals
– Continuous Improvement Principles
– Continuous Improvement Models
– Measurement and Control
_ Measurement
_ Benchmarking
_ Reporting
– Implementation Consideration
– Service Level Management
There are four levels certification for ITIL version 3
- Foundation Level.
- Intermediate Level (Lifecycle Stream & Capability Stream) .
- ITIL Expert.
- ITIL Master.
Foundation Level
The Foundation Level focuses on knowledge and comprehension to provide a good grounding in the key concept, terminology and processes of ITIL.
Intermediate Level
There are two streams in the intermediate level. Both assess an individual's comprehension and application of the concepts of ITIL. Candidates are able to take units from either of the intermediate streams, which give them credits towards the diploma.
- Intermediate Lifecycle Stream - 5 individual certificates built around the five core OGC books: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
- Intermediate Capability Stream - 4 individual certificates loosely based on the current V2 offerings but broader in scope in line with the updated V3 content.
ITIL Expert
To achieve the ITIL Expert in IT Service Management, candidates must successfully complete, in addition to the Foundation Level, a number of intermediate units and the Managing Through The Lifecycle capstone course. This course brings together the full essence of a Lifecycle approach to service management, and consolidates the knowledge gained across the qualification scheme.
ITIL Master
This level of the qualification will assess an individual's ability to apply and analyse the ITIL concepts in new areas. This higher level qualification is currently under development.
Relationship Between Version 3 & Version 2
Individuals with existing ITIL v2 qualifications can use those qualifications as credits towards the Expert or may find that the credits or qualifications they hold will make them eligible for the current v3 Bridging routes.
Foundation level - There is a short bridging course which covers the differences between v2 and v3 and allows someone to take an exam to demonstrate their understanding of the ITIL v3 approach.
ITIL v2 Practitioner qualifications count towards the ITIL Expert in Service Management. Depending on whether an individual holds a single topic certificate or a clustered certificate the credits will vary.
Any ITIL v2 Service Manager who wishes to gain the v3 Expert Level can take a bridging course and must pass the v3 Managers Bridge examination. The course covers the new concepts within ITIL v3 and fully integrates the benefits of the Lifecycle approach.
In my opinion, the ITIL version 3 certification is quite difficult than version 2. I can understand the version 3 qualification higher than version 2. If candidates don’t have the version 2 certification and then jump to the version 3, it is a huge challenge. Because the version 3 concepts are base on the version 2 and extending. Without the version 2 knowledge and then take the version 3 certification which has a high risk on failed examination. It is waste time and money. I don’t thing that investment is make sense. I believe the best strategy is holding the version 2 certification and then upgrade to version 3.
Wednesday, June 04, 2008
Risk? Survey Shows Information Technology Infrastructure Library (ITIL) Benefits Are Exclusive
According to a recent compass survey about the global adopter’s experience on ITIL framework inducts to the organization. The information is referring to Gregory Beat’s report.
The survey comprises 70 responses from executives with organizations from at least eleven different countries. Of the respondents, 82 percent started their ITIL implementation program at least eighteen months beforehand and should therefore be qualified o comment on their ITIL processes and the benefits that their ITIL program is delivering.
Respondents were asked to categorize the maturity of eight core ITIL processes which includes Incident, Change, Problem, Service Level, Continuity, Availability, Configuration and Capacity. The results from these responses (Established, Mature, and World Class) shows Incident Management (90%) to be the most mature and Capacity Management (35%) to be the least mature of ITIL processes. Of potential concern to executives is the finding that Configuration Management (40%), widely accepted as the underpinning of all other core ITIL processes, is regarded as less mature than almost all others.
Respondents were then asked to describe their level of confidence that their ITIL program is delivering tangible improvements in IT performance:
Unsurprisingly, respondents expressed a relatively high degree of confidence about 67% (Fully Confident 31%, Fairly Confident 36%), just 20% response Some Confidence and 13% feeling Little Confidence / Don’t know.
Interviewer then asked executives how well they measured the maturity of their ITIL processes. Only 4 percent of respondents felt able to say that all of their ITIL processes were fully measured for maturity, 28 percent for all ITIL processes some measured, and 55 percent felt able to say that some processes were some measures. About 13 percent were no measures for all ITIL processes.
Respondents were asked to define how well their organizations could measure the impact of process maturity on performance improvement. Surprisingly, only 9 percent of respondents (six out of seventy) felt able to say that the relationship was based on full measures, fully linking process maturity with performance. Seventy-two percent felt unable to acknowledge any linkage at all between process maturity and performance improvement.
As the result, what I can see this most adopter still standing on the ITIL induction, some adopter just start, some started for few months and no more adopter finished the whole processes on IT services improvement . Because the implementation process takes times typically, that represents on training, documentation, tools integration and such. As people take time to adapt the enterprise culture change as well. As a common sense one-size can not fit all the audiences on using the best-practice guidelines increase the efficiency of service management. Enterprise should establish a baseline on the performance improvement, and review it on schedule. Reduce the risk of failure. The benefits not appear to give results in terms of cost saving immediately; it will certainly bring about long-term business benefits.
The Top 10 Strategic Benefits of ITIL
According to the Introductory Overview of ITIL, the itSMF provides examples of figures from their research detailing some of the improvements business are experiencing every day:
- More than 70 percent reduction in service downtime
- ROI up by more than 1,000 percent
- Savings of nearly $200 million annually
- 50 percent reduction in new product cycles
For the example figures, how can we get those benefits from the planning? The following top 10 strategic benefits of ITIL is coming from the CMPP, with those strategic may be help the adopter have a direction where they can get the benefits from the improvements of business. The content of the 10 strategic benefits of ITIL as next:
- Provides a single, definable, repeatable, and scalable documented framework for IT best practices that flows across the IT organization.
- Clearly identifies roles and responsibilities for IT Service Management.
- Supports reducing IT costs and justifying the cost of IT quality.
- Supports ability of IT to measure and improve internal performance and service provisioning.
- Defines IT in terms of services rather than systems.
- Supports improvement of user productivity.
- Improves communication and information flows between IT and organization business departments.
- Provides a framework for IT to support regulatory challenges.
- Improves ability of IT to adjust as business opportunities and challenges are presented.
- Improves relationship of IT with the business – builds trust.
In summary, the ten points is a good idea which let the adopter realize which area they can get the benefits if inducts the ITIL standard to the organization. Are the figures of benefit always come true? I don’t think so. Because of the figures are references. How much the adopter would have? That will depend on the adopter’s execution ability during the ITIL induction. As we know there are many factors which will affect the final result. Different gains on different industry. However, I believe adopter will have the reaping on the days.
ITIL V3 Foundation Overview Diagram
For the last version of ITIL version 3 which have five core area which includes Service Strategy, Service Design, Service Operation and Continual Service Inprovement. But what is the relationship between that five core subjects with people, processes, products and partner's knowledge? It is so complicated and challenged with few words to descript those scenarios. If we don't have the real case experiences, how can we draw up that diagram? What can I say? It is an impossible mission. Fortunately, I found that diagram from Zyworld web site. It is very useful for people understand the relationship between people(users), processes(five core subjects), products(CMDB, SKMS) and partners(outsource or in-house design). With this diagram help, it is more easilt to understand the ITIL version 3 objectives.
ITIL Certification
Here list some information that about the ITIL certification. The information comes from the Great Lakes LIG’s ITIL Certification Presentation. According to the presentation, both company and employee will have the benefits when they get the ITIL certification. The benefits of ITIL certification includes two parts, one is the company. Other one is the employee. What are the benefits for the company and employee? The answer as following:
Benefits to Company:
- Certification provides an objective demonstration of the Company's breadth and currency of knowledge, which builds credibility and provides the competitive edge.
- Measurable improvement in product and service quality.
- Fosters customer confidence based on evidence of qualifications and suitability for the projects.
- Benchmarks IT skill sets possessed by its employees
Benefits to Employees:
- Certification provide a highly effective and practical way to:Gain additional knowledge and skills to perform current job more effectively.
- Acquire third party validation of knowledge and skills.
- Common understanding of Industry standards and terminology.
- Professional recognition and networking with other professionals.
ITIL Certification Providers
EXIN - The National Exam Institute for Informatics (Netherlands)
ISEB - The Information Systems Examination Board(UK)
Types of ITIL Certification
Foundation - Fundamental Level. Basic Understanding of the ten ITIL Service Delivery and Service Support processes and the Service Desk.
Objective: - Introduce knowledge and understanding of IT Service Management concepts and terminology, and insight into the applicability of IT Service Management.
Suitable for: - All personnel who wish to become familiar with the best practices of ITIM as defined by OGC ITIL guidelines.
Exam Qualification requirements:
No Formal entry requirements
Some experience in IT
Exam Format:
Closed book Multiple Choice
40 questions on Service Delivery Service
Support and Service Desk
Exam Duration: 1 hour
Exam Assessment:
Required to score 65% to pass (26 out of 40)
Cost:
Training Cost: $ 200 to $ 2500 approx
Exam Fee: $ 135 USD
Practitioner - In-depth understanding of one of the ten ITIL process areas
Objective: - Provide the knowledge and skills necessary to plan, implement and execute the IT Service Management processes.
Suitable for: - Person with responsibility for the definition, execution and maintenance of a specific ITSM process or processes in the Organization.
Exam Qualification Requirements:
Demonstrate one years experience in Practice area
Attend accredited course and complete in-course assignment
Hold Foundation Certificate in ITSM
Exam Format:
Closed book Multiple Choice
25 questions based on Case Study
Exam Duration: 1 hour
Exam Assessment:
Combined total score of 65% to pass (50 % of In-course Assignment & 50% of Exam score)
Cost:
Training Cost: Approx $ 2500 approx
Exam Fee: $ 160 USD
Manager (Masters) - Broader understanding of all ten processes and the Service desk function
Objective: -Provide the knowledge and skills necessary to plan, implement and execute the IT Service Management processes.
Suitable for: - Person with responsibility for the definition, execution and maintenance of a specific ITSM process or processes in the Organization.
Exam Qualification Requirements:
Demonstrate one years experience in Practice area
Attend accredited course and complete in-course assignment
Hold Foundation Certificate in ITSM
Exam Format:
Two Closed book essay exams based on Case
Study (Paper 1 Service Support, Paper 2
Service delivery)
Exam Duration:
3 hours each in a period of 24 hours
Exam Assessment:
Achieve a total score of 50% or more in both of the written exams)
Exam Offered in:
January, April, July, October
Cost:
Training Cost: Approx $ 6000 – 10,000 approx
Exam Fee: $ 360 USD
In my opinion, the ITIL certification is quite useful in the world. No worries where come from, each professional have the same language on the communication as well as working together. Those exams also take many times to prepare. Before we get the benefits, we need to pay much money on the training and examination. The total cost also expensive. That could be another long-term investment. I believe the result is excellent when we have the certification.