CHAPTER II
THEORETICAL FRAMEWORK

2.1 Service Level Management

BMC Software states that a Service is defined as one or more IT systems which enable a business process, something that delivers value to the business and that may be comprised of other services. A good starting point is to ask the customers which IT services they use and how those services map onto their business processes.

The Service Level Management (SLM) process is used by an organization to determine the level of IT service needed to support the business. It also enables monitoring to identify whether the required service levels are being achieved. Service Level Agreements (SLAs), which are managed through the Service Level Management process, provide specific targets against which the performance of the IT organization can be measured.

According to Information Technology Infrastructure Library (ITIL) training documents, a Service Level Agreement (SLA) is a written agreement between the IT provider and the IT customer, defining the key service targets and responsibilities of both parties. Wikipedia defines a Service Level Agreement (SLA) as a formal agreement between 2 parties. It is a contract that exists between customers and their service providers. It records the common understanding about services, priorities, responsibilities, guarantees, etc., with the main purpose of agreeing on the level of service. In conclusion, a Service Level Agreement is defined as an agreement between IT service providers and their customers on providing a certain level of service.

Service Level Management aims to maintain and improve IT service quality through a constant cycle of agreeing, monitoring, and reporting upon IT service achievements and instigating action to eradicate poor service, in line with business needs and cost justification. The SLM process is responsible for ensuring that:

1. SLAs, Operating Level Agreements (OLAs), which are internal agreements covering the delivery of services that support the IT organization in its delivery of services, and Underpinning Contracts (UCs), which are contracts with external suppliers covering the delivery of services that support the IT organization in its delivery of services, are met.
2. Any adverse impact on service quality is kept to a minimum.

Figure 2.1. SLM Structures (Source: BMC ITIL Foundation)

The improvements in service quality and reductions in service disruption that can be achieved through Service Level Management can ultimately lead to significant financial savings. Furthermore, less time and effort is spent by IT staff in resolving fewer failures, and IT customers are able to perform their business without adverse impact. To satisfy the needs of the business and to provide SLAs, service providers must first understand and then meet the availability and performance expectations of the business owners and end users who are engaged in the business process. During the SLM process, SLAs are defined between the Customer and the IT Provider. Those agreements define the key service targets and responsibilities of both parties.

2.2 COBIT Framework

COBIT stands for Control Objectives for Information and Related Technology. It is a framework and supporting toolset for managers to bridge the gap with respect to control requirements, technical issues, and business risks, and to communicate that level of control to stakeholders. According to Wikipedia, COBIT is a set of best practices (framework) for information technology management created by the Information System Audit and Control Objectives (ISACA) and the IT Governance Institute (ITGI) in 1992. COBIT is composed of 34 IT processes that can be grouped into 4 domains: Planning and Organization (PO), Acquisition and Implementation (AI), Delivery and Support (DS), and Monitoring and Evaluation (ME). COBIT is designed for use by 3 distinct audiences:

1. Management: to help them balance risk and control investment in an often unpredictable IT environment.
2. Users: to obtain assurance on the security and controls of IT services provided by internal or third parties.
3. Auditors: to substantiate their opinions and provide advice to management on internal controls.

COBIT provides its audiences with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company. COBIT was released in 1996; its mission is to research, develop, publish, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. Providing good practice across a domain and process framework and presenting activities in a manageable and logical structure, COBIT is strongly focused on control and less on execution. It helps with IT-enabled investment, ensures service delivery, and provides a measure against which to judge when things do go wrong.

Figure 2.2. COBIT Framework (Source: IT Governance Institute, 2007)

COBIT consists of 34 high-level control objectives, one for each process. These control objectives are categorized into 4 groups:

1. Planning and Organization

Planning and Organization covers the use of information and technologies and how they can best be used in a company to achieve the company's goals and objectives. It also highlights the organizational and infrastructural form of IT in order to achieve the most optimal results and to generate the most benefit from the use of IT.
This process is indicated in the 11 high-level control objectives as follows:

Activity / Process Description

PO1  Define a Strategic IT Plan
     Required to manage and direct all IT resources in line with business strategies and priorities.

PO2  Define the Information Architecture
     The information systems function creates and regularly updates a business information model and defines the appropriate systems to optimize the use of this information.

PO3  Determine Technology Direction
     The information services function determines the technology direction to support the business.

PO4  Define IT Processes, Organization, and Relationships
     An IT organization is defined by considering requirements for staff, skills, functions, authority, accountability, roles and responsibilities, and supervision.

PO5  Manage the IT Investment
     Established and maintained to manage IT-enabled investment programs, encompassing cost, benefit, and prioritization within budget, a formal budgeting process, and management against the budget.

PO6  Communicate Management Aims and Direction
     Management develops an enterprise IT control framework and defines and communicates policies.

PO7  Manage IT Human Resources
     IT human resources are acquired and maintained for the creation and delivery of IT services to the business.

PO8  Manage Quality
     Enabled by planning, implementing, and maintaining a quality management system (QMS) that provides clear quality requirements, policies, and procedures.

PO9  Assess and Manage IT Risks
     Documents a common and agreed-upon level of IT risk, mitigation strategies, and residual risk.

PO10 Manage Projects
     Ensures the correct prioritization and co-ordination of all projects.

2. Acquisition and Implementation

Acquisition and Implementation covers identifying IT requirements, acquiring the technology, and implementing it within the company's current business processes. This domain also addresses the development of the maintenance plan that a company should adopt in order to prolong the life of an IT system and its components.
This process is indicated in the 11 high-level control objectives as follows:

Activity / Process Description

AI1  Identify Automated Solutions
     The need for a new application or function requires analysis before acquisition or creation to ensure that the business requirements are satisfied in an effective and efficient approach.

AI2  Acquire and Maintain Application Software
     Applications are made available in line with business requirements.

AI3  Acquire and Maintain Technology Infrastructure
     Organizations have processes for the acquisition, implementation, and upgrade of the technology infrastructure.

AI4  Enable Operation and Use
     Knowledge about the new system is made available.

AI5  Procure IT Resources
     IT resources, including hardware, software, people, and services, need to be procured.

AI6  Manage Changes
     All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner.

AI7  Install and Accredit Solutions and Changes
     New systems need to be made operational once development is complete.

3. Delivery and Support

Delivery and Support focuses on the delivery aspect of information technology. It covers areas such as the execution of applications within the IT systems and their results, as well as the support processes that enable the effective and efficient execution of these IT systems. Training and security issues are also covered within this domain.
This process is indicated in the 11 high-level control objectives as follows:

Activity / Process Description

DS1  Define and Manage Service Levels
     Effective communication between IT management and business customers regarding the services required is enabled by a documented definition of, and agreement on, IT services and service levels.

DS2  Manage Third-Party Services
     The need to assure that the services provided by third parties meet business requirements requires an effective third-party management process.

DS3  Manage Performance and Capacity
     The need to manage the performance and capacity of IT resources requires a process to periodically review the current performance and capacity of IT resources.

DS4  Ensure Continuous Service
     The need for providing continuous IT services requires developing, maintaining and testing IT continuity plans, utilizing offsite backup storage and providing periodic continuity plan training.

DS5  Ensure Systems Security
     The need to maintain the integrity of information and protect IT assets requires a security management process.

DS6  Identify and Allocate Costs
     The need for a fair and equitable system of allocating IT costs to the business requires accurate measurement and agreement with business users on fair allocation.

DS7  Educate and Train Users
     Effective education of all users of IT systems, including those within IT, requires identifying the training needs of each user group.

DS8  Manage Service Desk and Incidents
     Timely and effective response to IT user queries and problems requires a well-designed and well-executed service desk and incident management process.

DS9  Manage the Configuration

DS10 Manage Problems
     Effective problem management requires the identification and classification of problems, root cause analysis, and resolution of problems.

DS11 Manage Data
     Effective data management requires identifying data requirements.

DS12 Manage the Physical Environment
     Protection of computer equipment and personnel requires well-designed and well-managed physical facilities.

DS13 Manage Operations
     Complete and accurate processing of data requires effective management of data processing procedures and diligent maintenance of hardware.

4. Monitoring and Evaluation

The Monitoring and Evaluation domain deals with a company's strategy in assessing the needs of the company and whether or not the current IT system still meets the objectives for which it was designed and the controls necessary to comply with regulatory requirements. Monitoring also covers the issue of an independent assessment, by internal and external auditors, of the effectiveness of the IT system in its ability to meet business objectives and of the company's control processes. This process is indicated in the 11 high-level control objectives as follows:

Activity / Process Description

ME1  Monitor and Evaluate IT Performance
     Effective IT performance management requires a monitoring process.

ME2  Monitor and Evaluate Internal Control
     Establishing an effective internal control program for IT requires a well-defined monitoring process.

ME3  Ensure Compliance with External Requirements
     Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations, and contractual requirements.

ME4  Provide IT Governance
     Establishing an effective governance framework includes defining organizational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

2.3 COBIT Maturity Model

The Maturity Model provided by the COBIT Management Guidelines for the 34 IT processes is becoming an increasingly popular tool to manage the timeless issue of balancing risk and control in a cost-effective manner.
In the article "The COBIT Maturity Model in Vendor Evaluation Case", the COBIT Maturity Model is an IT governance tool used to measure how well developed the management processes are with respect to internal control. The maturity model allows the organization to grade itself from Non-Existent (0) to Optimized (5). A fundamental feature of the maturity model is that it allows an organization to measure as-is maturity levels, and to define to-be maturity levels as well as the gaps to fill. As a result, an organization can discover practical improvements to the system of internal control over IT. However, maturity levels are not a goal; rather, they are a means to evaluate the adequacy of internal controls with respect to company objectives.

IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT's processes and high-level control objectives, the process owner should be able to incrementally benchmark against that control objective. This provides for three needs:

1. A relative measure of where the organization is.
2. A manner to efficiently decide where to go.
3. A tool for measuring progress against the goal.

The COBIT Framework defines 34 IT processes within an IT environment. For each process there is one high-level control statement and between 3 and 30 detailed control objectives. The approach to maturity models for control over IT processes consists of developing a method of scoring so that an organization can grade itself from Non-Existent to Optimized (from 0 to 5). Whatever the model, the scales should not be too granular, as that would render the system difficult to use and suggest a precision that is not justifiable.

Figure 2.3. The Scale for Maturity Model (Source: IT Governance Institute, 2007)

Based on the COBIT Management Guidelines, for each of the 34 processes there is an incremental scale, based on a rating of 0 to 5.
The scale is associated with a generic qualitative maturity model description ranging from Non-Existent to Optimized as follows:

Maturity Level / Status of the Internal Control Environment

0  Non-Existent
   There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.

1  Initial/Ad-hoc
   There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.

2  Repeatable but Intuitive
   Controls are in place but not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management's actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.

3  Defined
   Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses are predicted and impacts could still be severe. Employees are aware of their responsibilities for control.

4  Managed and Measurable
   There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

5  Optimized
   An enterprise-wide risk and control program provides continuous and effective resolution of control and risk issues. Internal control and risk management are integrated with enterprise practices, supported by automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessment and gap and root cause analyses. Employees are proactively involved in control improvements.

The advantage of the maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is possible that no process exists at all. The "0-5" scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimized capability. This approach has been derived from the Maturity Model that the Software Engineering Institute defined for the maturity of software development capability. Against these levels, developed for each of COBIT's 34 IT processes, management can map:

- The current status of the organization: where the organization is today
- The current status of the (best-in-class) industry: the comparison
- The current status of international standards: an additional comparison
- The organization's strategy for improvement: where the organization wants to be