Integrating IT Frameworks, Methodologies and Best Practices Into IT Delivery and Operation
Alan McSweeney
March 23, 2010 2
Objectives
• Contains notes on the integration of available frameworks and methodologies into a possible integrated approach to providing information technology services
Information Technology and Related Frameworks and Methodologies
• Bewildering array of overlapping frameworks and methodologies across lifecycle of IT systems delivery and management
• Frameworks and methodologies have benefits
− Provide a short-cut to determining the optimum approach to address a business need
− Contain collective learning and experience
− Supported and enhanced
− Useful but are a means to an end and not an end in themselves
• But there are many (too many) competing individual frameworks and methodologies representing specific potential solutions to specific needs
− Focussing on individual aspects of IT
• Need for a higher view above the individual frameworks
• A view that represents how an IT function needs to operate holistically
Suggested Integrated IT Solution and Operations Management Approach
[Figure: Integrated Solution and Operations Management Approach, made up of two pillars]
• Architecture and Realisation
− Vision and Strategy
− Architecture
− Development, Customisation and Configuration
− Implementation and Deployment
− Operation and Control
• Management and Processes
− Enterprise Management
− Programme and Portfolio Management
− Project Management
− Service Management
− Architecture Management
Integrated IT Solution and Operations Management Approach
• Every IT function has two pillars
− Doing
• Strategy
• Design
• Development
• Implementation
− Managing the doing
• Business change
• Programmes
• Projects
• Operations
• Generalised approach that can integrate specific delivery frameworks as required
• Provide an overarching approach on which any function can be built
Direction and Focus of IT Solution and Operations Management Approach – Three Layers
[Figure: the Integrated Solution and Operations Management Approach diagram (both pillars and their phases), shown twice, with the labels: General Direction of Solution Lifecycle From Design to Operation; Fundamental Processes and Competencies; Implementation of New Projects and Services; Operation of Existing Services]
Arrangement of Integrated IT Solution and Operations Management Approach Within Operational Context
[Figure: matrix of the two pillars, Architecture and Realisation ("DOING") and Management and Processes ("MANAGING THE DOING"), against Fundamental Organisational Requirements, New Programmes, Projects and Services, and Existing Programmes, Projects and Services]
• Architecture and Realisation
− Fundamental Organisational Requirements: focus on the prerequisites and foundations for strategy, architecture and design across IT function and solution lifecycle
− New Programmes, Projects and Services: focus on architecture, design, selection, development and delivery aspects of new projects and services
− Existing Programmes, Projects and Services: focus on architecture and design aspects of existing services
• Management and Processes
− Fundamental Organisational Requirements: focus on the prerequisite and foundation management processes across IT function and solution lifecycle
− New Programmes, Projects and Services: focus on management processes associated with the architecture, design, selection, development and delivery aspects of new projects and services
− Existing Programmes, Projects and Services: focus on management processes associated with the operation and delivery of existing services
Integrated IT Solution and Operations Management Approach
• A practical and integrated solution and operations management approach consisting of two pillars:
− Architecture and Realisation (“Doing”)
  • Concerned with enterprise vision, strategy, architecture, implementation, delivery and subsequent operation
− Management and Processes (“Managing the Doing”)
  • Addresses the management of large-scale business and information technology initiatives and associated programmes and projects
• Phases and processes within the two pillars can be integrated across a programme of work or the services can be delivered independently, depending on the requirements of the organisation
• Generalised framework that can be applied across multiple environments
Expanded Integrated IT Solution and Operations Management Approach - Architecture and Realisation Pillar
[Figure: Architecture and Realisation pillar expanded into the components of each phase]
• Vision and Strategy
− Enterprise Transition and Transformation
− Information Technology Strategy
• Architecture
− System Architecture
− Business Application Architecture
− Information Technology Architecture
− Business Area Architecture
• Development, Customisation and Configuration
− Accelerated Application Prototyping and Development
− Package Selection, Customisation and Implementation
− Iterative Development
− Application Re-engineering
• Implementation and Deployment
− Readiness Assessment
− Pilot
− Deployment Preparation
− Deployment
• Operation and Control
− System Operations and Service Management
− System Support and Administration
Expanded Integrated IT Solution and Operations Management Approach - Management and Processes Pillar
[Figure: Management and Processes pillar expanded into the components of each function]
• Enterprise Management
− Business Change
− Governance
− Architecture and Systems Management
− Management Support Framework
− IT Management
• Programme and Portfolio Management
− Programme Management
− Portfolio Project Management
• Project Management
− PMO Implementation and Operation
− Management of Projects
• Service Management
− Service Delivery
− Service Request Management
− Service Improvement Programme
• Architecture Management
− Business Architecture Management
− Information Architecture Management
− Technology Architecture Management
− Application Architecture Management
Integrated IT Solution and Operations Management Approach Within Operational Context
[Figure: the phases of both pillars placed within the operational context matrix (Fundamental Organisational Requirements; New Programmes, Projects and Services; Existing Programmes, Projects and Services)]
• Architecture and Realisation: Vision and Strategy; Architecture; Implementation and Deployment; Development, Customisation and Configuration; Operation and Control
• Management and Processes: Enterprise Management; Programme and Portfolio Management; Project Management; Service Management; Architecture Management
Architecture and Realisation Pillar
• Vision and Strategy
− Creates the business vision and defines the direction for subsequent information technology initiatives
− Internal and external requirements and processes are analysed
− Allows prioritisation of the business and information system areas that will be addressed in subsequent stages
− Ensures that all further work is aligned with the vision and strategy
• Architecture
− Designed to translate the Vision and Strategy into an implementable, operable and supportable structure
− Architecture can encompass both enterprise and specific solution areas
− Scope, requirements and functionality of the business processes and the associated information systems are specified
− Architecture is concerned with both business and information technology in parallel
− Constituent projects and changes to deliver the architecture are identified
• Development, Customisation and Configuration
− Selects, designs, builds, customises and tests the elements of the solution
− Includes some or all of customised development, package customisation and system enhancement
− Development activities related to business change and technical infrastructure are addressed
• Implementation and Deployment
− Takes the solution components and creates a fully operable system, complete with data and business process changes
− Includes integration testing, pilot, data conversion, documented procedures, training, and operational readiness and acceptance
• Operation and Control
− Creates and implements practices for ensuring defined service levels for the operation, maintenance, and support of the new or modified systems
Management and Processes Pillar
• Enterprise Management
− Involves establishing business objectives, monitoring achievement against targets and making necessary corrections
• Programme and Portfolio Management
− Directs and manages programmes and portfolios of initiatives, undertakings and offerings to balance benefits, costs, resources and risks in a strategic context and ensuring benefits realisation
− Establish the competency within an organisation to provide this service internally or manage its provision by external agents
• Project Management
− Concentrates on the effective and efficient processes required to identify, coordinate, and continuously focus people and resources on achieving project objectives and commitment within time, cost, resource and quality controls
− Enables organisations to deliver both the simple and complex initiatives and to perform projects capably
• Service Management
− Controls and manages the operational services phases of the overall initiative life cycle
− Service request management handles requests from users
− Manages their fulfilment and includes logging, performing initial analysis, monitoring, prioritising, measuring, and closing
− Service delivery management directs and manages services to ensure that the end-user receives the agreed service
• Architecture Management
− Concerned with the business, technical, and operational procedures and processes needed to ensure and maintain integrated enterprise and solution architecture during the implementation of the solution and its subsequent operation
Groups of Information Technology and Related Frameworks, Methodologies and Toolsets
• Multiple existing IT frameworks can be divided into groups
− Service and Application Management, Provisioning and Sourcing
− Program and Project Management
− Enterprise Architecture
− Software Lifecycle Management
− Value and Investment Management
− Data Management
− Quality Management
− Governance, Security and Risk Management
− Business Management and Support
− Business Analysis
• Not an exhaustive list of frameworks or groups
• Each exists as a point solution to a specific requirement
• Frameworks need to be placed in context to allow the most relevant and appropriate to be selected
Groups of Information Technology and Related Frameworks, Methodologies and Toolsets
[Figure: Information Technology and Related Frameworks, Methodologies and Toolsets, branching into the groups: Service and Application Management, Provisioning and Sourcing; Quality Management; Program and Project Management; Governance, Security and Risk Management; Software Lifecycle Management; Business Management and Support; Value and Investment Management; Business Analysis; Data Management; Enterprise Architecture]
Framework Groups Within Integrated Solution and Operations Management Approach
[Figure: the framework groups (Service and Application Management, Provisioning and Sourcing; Enterprise Architecture; Program and Project Management; Value and Investment Management; Data Management; Quality Management; Business Analysis; Governance, Security and Risk Management; Business Management and Support; Software Lifecycle Management) positioned within the matrix of Architecture and Realisation and Management and Processes against Fundamental Organisational Requirements, New Programmes, Projects and Services, and Existing Programmes, Projects and Services]
Organisations Need to Maintain Sets of Core Competencies That Cross All Functions
• Core competencies that organisations need and which cross functional areas
− Performance and Quality Management
− Resource Management
− Funding, Financial, Investment and Budget Management and Total Cost of Ownership
− Human Capital and Resource Management
− Organisation Design, Planning and Management
− Usability and User Experience Design
− Sourcing and Selection Management
− Vendor and Supplier Management
− Business Process Management
− Benefits Assessment and Realisation
− Capacity Planning, Forecasting and Demand and Supply Management
• These are common sets of skills needed for both pillars and across solution and service lifecycles
• Not specific to one area within integrated approach
Core Competencies That Cross All Functions
[Figure: the Integrated Solution and Operations Management Approach diagram (both pillars and their phases) with the core competencies shown spanning all functions: Performance and Quality Management; Resource Management; Funding, Financial, Investment and Budget Management and Total Cost of Ownership; Human Capital and Resource Management; Organisation Design, Planning and Management; Usability and User Experience Design; Sourcing and Selection Management; Vendor and Supplier Management; Business Process Management; Benefits Assessment and Realisation; Capacity Planning, Forecasting and Demand and Supply Management]
Core Competencies
• Frameworks can assist in quickly implementing some core competencies
− Performance and Quality Management: ISO 9000, TickIT, TQM, Six Sigma
− Resource Management
− Funding, Financial, Investment and Budget Management and Total Cost of Ownership: ITIM, Val IT
− Human Capital and Resource Management: People CMM
− Organisation Design, Planning and Management
− Usability and User Experience Design
− Sourcing and Selection Management: eSCM, ISPL
− Vendor and Supplier Management: eSCM, ISPL
− Business Process Management
− Benefits Assessment and Realisation: MSP, IT Balanced Scorecard, ITIM, Val IT
− Capacity Planning, Forecasting and Demand and Supply Management
Frameworks and Integrated Solution and Operations Management Approach - Architecture and Realisation
High Level Function / Components of Function: Possible Methodology/Framework Toolset
• Vision and Strategy
− Enterprise Transition and Transformation
− Information Technology Strategy: TOGAF, DODAF, MODAF, NASCIO EAMM
• Architecture
− System Architecture: TOGAF, DODAF, MODAF, NASCIO EAMM
− Business Application Architecture: TOGAF, DODAF, MODAF, NASCIO EAMM
− Information Technology Architecture: TOGAF, DODAF, MODAF, NASCIO EAMM
− Business Area Architecture: TOGAF, DODAF, MODAF, NASCIO EAMM
• Development, Customisation and Configuration
− Accelerated Application Prototyping and Development: DSDM, RUP
− Package Selection, Customisation and Implementation: ITIM, Val IT
− Iterative Development: DSDM, RUP
− Application Re-engineering
• Implementation and Deployment
− Readiness Assessment
− Pilot
− Deployment Preparation
− Deployment
• Operation and Control
− System Operations and Service Management: ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
− System Support and Administration: ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
Frameworks and Integrated Solution and Operations Management Approach - Management and Processes
High Level Function / Components of Function: Possible Methodology/Framework Toolset
• Enterprise Management
− Business Change
− Governance: COBIT, ISO 38500, OCEG
− Architecture and Systems Management
− Management Support Framework: MOF, BISL, ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
− IT Management
• Programme and Portfolio Management
− Programme Management: PRINCE2, PMBOK, MSP
− Portfolio Project Management: PRINCE2, PMBOK, MSP
• Project Management
− PMO Implementation and Operation: PRINCE2, PMBOK, MSP
− Management of Projects: PRINCE2, PMBOK, MSP
• Service Management
− Service Delivery: ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
− Service Request Management: ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
− Service Improvement Programme: ITIL, ISO 20000, IT Service CMM, ISPL, eSCM, ASL, USMBOK
• Architecture Management
− Business Architecture Management: TOGAF, DODAF, MODAF, NASCIO EAMM
− Information Architecture Management: TOGAF, DODAF, MODAF, NASCIO EAMM
− Technology Architecture Management: TOGAF, DODAF, MODAF, NASCIO EAMM
− Application Architecture Management: TOGAF, DODAF, MODAF, NASCIO EAMM
Service and Application Management, Provisioning and Sourcing Frameworks
Information Technology and Related Frameworks: Service and Application Management, Provisioning and Sourcing
• ITIL (Information Technology Infrastructure Library)
• ISO 20000 (ITSM Standard)
• IT Service CMM (Capability Maturity Model)
• ISPL (Information Services Procurement Library)
• eSCM (eSourcing Capability Maturity Model)
• ASL (Application Services Library)
• USMBOK (Universal Service Management Body of Knowledge)
ITIL (Information Technology Infrastructure Library)
• Aims to improve the overall quality of service to the business within imposed constraints while improving the overall effectiveness and efficiency of IT
• Consists of a series of books giving guidance on the provision of quality IT services, and on the accommodation and environmental facilities needed to support IT
• Provides a framework of best practice guidance for IT service management that has become the most widely used and accepted approach to IT service management in the world
• Developed in recognition of organisations' growing dependency on IT
• Core of ITIL provides best practice guidance for service delivery, service support, IT infrastructure management, planning to implement service management, application management, the business perspective, and security management
• Whole ITIL philosophy has grown up around the guidance contained within the ITIL books and the supporting professional qualification scheme
ISO 20000 (IT Service Management Standard)
• Formal standard for IT service management
• Management standard, addressing the establishment and maintenance of processes and the mechanism to ensure their relevance and improvement
• Consists of service delivery processes, resolution processes, relationship processes, control processes, and the release process
• Requires service providers to implement the PDCA (Plan-Do-Check-Act) cycle for service management processes
• Achieve formal certification and thus demonstrate compliance to accepted best practices but ISO 20000 is primarily a measure of process conformance to be achieved rather than setting out a means of achieving this process conformance
• Covers only core elements of the service management process and thus cannot describe the full set of processes for any specific service provider
IT Service CMM (Capability Maturity Model)
• Maturity model for organisations that provide IT services such as management of hardware and software, operations, and software maintenance
• Used to assess current IT organisation's maturity and to improve IT processes
• Focus on process improvement but does not include specifications on how a specific maturity level should be reached
• Does not distinguish between internal and external IT service providers
ISPL (Information Services Procurement Library)
• Best practice library for the management of IT related acquisition processes
• Focus on the relationship between the customer and supplier organisation and on the procurement of information services
• Designed to professionalise customer-supplier relationships during an outsourcing initiative
• Designed to help understand services to be acquired and delivered and structure their acquisition and delivery
eSCM (eSourcing Capability Maturity Model)
• Two versions:
− Sourcing partners (eSCM-SP)
− Client companies availing of outsourcing function (eSCM-CL)
• Sourcing partners
− Defines sourcing capabilities that organisations should develop and improve in order to be viewed by their current and prospective customers as capable and reliable partners
• Client companies availing of outsourcing function
− Defines capabilities that organisations should develop and improve in order to select and manage outsourcing relationship
• Covers the lifecycle of service provision from initiation to completion of a relationship
ASL (Application Services Library)
• Describes a standard for processes for management, maintenance and enhancement/renovation of (business) applications
• Aimed at managers and professionals looking to improve maturity of the processes for delivering application management services
• Can be used to improve a broad spectrum of aspects of application management, varying from cost control and quality of service to staff motivation and strategic alignment
• Based on ITIL concepts
USMBOK (Universal Service Management Body of Knowledge)
• New major and comprehensive service management framework
• Driven by a single individual
• Designed as an open body of knowledge on successful service management
Program and Project Management Frameworks
Information Technology and Related Frameworks: Program and Project Management
• PRINCE2 (Projects in Controlled Environments)
• PMBOK (Project Management Body of Knowledge)
• MSP (Managing Successful Programmes)
• IT Balanced Scorecard
PRINCE2 (Projects in Controlled Environments)
• Best practice project management standard in the UK and widely used elsewhere
• Process-based method for project management - sets of processes that provide a controlled project start, controlled project, and controlled close
• Covers management, control and organisation of a project and can be used for any project type and size
• Concentrates on the work of project and team managers and management involved in decision-making within the project
• Covered aspects of projects are business case, organisation, plans, controls, management of risks, quality in a project environment, configuration management and change control
PMBOK (Project Management Body of Knowledge)
• Very widely used process-based project management guide and an internationally recognised standard that provides the fundamentals of project management as they apply to a wide range of projects
• Recognised throughout the world as a standard for managing projects
• Covers project knowledge areas: integration management, HR management, scope management, communications management, time management, risk management, cost management, procurement management and quality management
MSP (Managing Successful Programmes)
• Best practice guide on programme management
• Generic approach which can be used in all types of programmes
• Contains a set of principles and a set of processes for use when managing a programme
• Tool to manage strategic change in parts of an organisation
• Can be used together with PRINCE2
IT Balanced Scorecard
• Planning and management tool used to align business activities to the vision and strategy of the organisation, improve internal and external communications and monitor organisation performance against strategic goals
• Can be used to measure and manage IT performance and to enable alignment between business and IT
• Covers four perspectives: perspective, internal business process, learning and growth and customer
Software Lifecycle Management Frameworks
Information Technology and Related Frameworks: Software Lifecycle Management
• CMMI (Capability Maturity Model Integration)
• ISO/IEC 12207 (Systems and Software Engineering – Software Life Cycle Processes)
• DSDM (Dynamic Systems Development Method)
• RUP (Rational Unified Process)
CMMI (Capability Maturity Model Integration)
• Process improvement approach that provides organisations with the essential elements of effective processes
• Currently addresses three areas
− Product and service development - CMMI for Development
− Service establishment, management, and delivery - CMMI for Services
− Product and service acquisition - CMMI for Acquisition
ISO/IEC 12207 (Systems and Software Engineering – Software Life Cycle Processes)
• Defines a common framework for software life cycle processes, with well-defined terminology that can be referenced by the software industry
• Applies to the acquisition of systems and software products and services, to the supply, development, operation, maintenance, and disposal of software products and the software portion of a system, whether performed internally or externally to an organisation
• Provides a process that can be employed for defining, controlling, and improving software life cycle processes
DSDM (Dynamic Systems Development Method)
• Software development methodology originally based on, and extending, the Rapid Application Development methodology
• Iterative and incremental approach that emphasises continuous user involvement
• Aims to deliver software systems on time and on budget while adjusting for changing requirements along the development process
RUP (Rational Unified Process)
• Iterative software development process framework created by the Rational Software Corporation (IBM)
• Can be tailored by the development organisations and software project teams who select the parts of the process that are appropriate
• Consists of project lifecycle phases and engineering and supporting disciplines
• Variants and extensions
− Unified Process
− Open Unified Process
− Agile Unified Process
− Enterprise Unified Process
Value and Investment Management Frameworks
Information Technology and Related Frameworks: Value and Investment Management
• ITIM (Information Technology Investment Management)
• Val IT
• Gartner Total Cost of Ownership
ITIM (Information Technology Investment Management)
• Produced by the United States General Accounting Office (GAO)
• Identifies and organises thirteen processes that are critical for successful investment into a framework of increasingly mature stages
• Tool for internal and external evaluations of investment management process
Val IT
• Framework for the governance of IT investments to get business value from IT investments
• Provides guidance on different types of value (tangible and intangible) that can be considered and how to compare the tangible with the intangible benefits
• Tightly integrated with and extends and complements COBIT with management processes required to get good value from IT investments
Gartner Total Cost of Ownership
• Aims to be an industry standard TCO methodology
• TCO models are available for contact centre, data network, distributed computing, enterprise operations centre, enterprise storage management, help desk, and voice telecom
Data Management Frameworks
Information Technology and Related Frameworks: Data Management
• DMBOK (Data Management Body of Knowledge)
DMBOK (Data Management Body of Knowledge)
• Generalised and comprehensive framework for managing data across the entire lifecycle
• Provides a detailed framework to assist development and implementation of data management processes and procedures and ensures all requirements are addressed
• Enables effective and appropriate data management across the organisation
• Provides awareness and visibility of data management issues and requirements
Quality Management Frameworks
Information Technology and Related Frameworks: Quality Management
• ISO 9000
• TickIT/TickITplus
• TQM (Total Quality Management)
• Six Sigma
ISO 9000
• ISO 9000 is a family of standards for quality management systems
• Developed to address the quality management systems within an organisation to demonstrate its capability to meet its customer's requirements
• Certifies that an organisation has carried out the correct processes but does not provide a quality guarantee of the end product
• Only standard that can be used for the certification of a quality management system
TickIT/TickITplus
• Quality management certification for software
• Mainly UK based
• Aims to improve the quality of software and its application
• Includes practical guidance for software development and services
• TickITplus adds industry best practice with international IT standards with ISO 9001 accredited certification
TQM (Total Quality Management)
• TQM is a management approach that seeks to integrate all organisational functions to focus on meeting customer needs and organisational objectives
• All personnel become involved in the continuous improvement of the production of goods and services
• Concerned with continuous improvement in all work from high level strategic planning and decision making to detailed execution of work elements
• Many methodologies and techniques to implement TQM approach
Six Sigma
• Data-driven approach and methodology for eliminating defects in any process
• Originated in manufacturing but now widely used
• Practical goal to increase profits by eliminating variability, defects, and waste that undermine customer loyalty
• Two Six Sigma components
− DMAIC - define, measure, analyse, improve and control for existing processes
− DMADV - define, measure, analyse, design and verify for new processes
• Uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organisation who are experts in these methods
Governance, Security and Risk Management Frameworks
Information Technology and Related Frameworks: Governance, Security and Risk Management
• COBIT (Control Objectives for Information and Related Technology)
• ISO 38500 (Corporate Governance of Information Technology)
• ISO 27000 (Information Security Management System)
• OCEG (Open Compliance and Ethics Group)
• IT Baseline Protection Catalogs
COBIT (Control Objectives for Information and Related Technology)
• Framework for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
• Enables clear policy development and good practice for IT control
• Emphasises regulatory compliance, helps organisations to increase the value attained from IT
ISO 38500 (Corporate Governance of Information Technology)
• Framework for governance of IT to assist senior management to understand and fulfill their legal, regulatory and ethical obligations in relation to the organisation’s use of IT
• Based on Australian standard AS 8015 for corporate governance of information and communication technology
• Encompasses establish responsibilities, plan to best support the organisation, acquire validly, ensure performance when required, ensure conformance with rules and ensure respect for human factors
ISO 27000 (Information Security Management System)
• Family of 27000 standards for information security
• ISO 27001 specifies a management system to bring information security under management control
• Examine information security risks, taking account of the threats, vulnerabilities and impacts
• Design and implement information security controls to address those risks that are deemed unacceptable
• Implement management process to ensure that the controls continue to meet information security requirements
Open Compliance and Ethics Group
• OCEG Framework contains the GRC Capability Model – specified in the OCEG Red Book
• Provides comprehensive and detailed practices for an integrated GRC system
− Achieve business objectives
− Enhance organisational culture
− Increase stakeholder confidence
− Prepare and protect the organisation
− Prevent, detect and reduce adversity
− Motivate and inspire desired conduct
− Improve responsiveness and efficiency
− Optimise economic and social value
IT Baseline Protection Catalogs
• Collection of documents from the German Federal Office for Security in Information Technology
• Includes standard security measures for typical IT systems with normal protection needs
• Component catalog defines overall aspects of IT, infrastructure, IT systems, networks and IT applications
• Threat catalog details potential threats to IT systems
• Measures catalog defines the measures necessary to achieve baseline protection
Business Management and Support Frameworks
Information Technology and Related Frameworks
Business Management and Support
MOF (Microsoft Operations Framework)
BISL (Business Information Service Library)
MOF (Microsoft Operations Framework)
• Contains practices, principles, and activities that provide guidelines for achieving reliability for IT solutions and services
• Provides question-based guidance that allows you to determine what is needed now as well as activities that will keep the IT organisation running efficiently and effectively in the future
• Creates an environment where business and IT can work together toward operational maturity using a proactive model that defines processes and standard procedures to gain efficiency and effectiveness
• Covers activities and processes involved in managing IT services: definition, development, operation, maintenance and retirement
BISL (Business Information Service Library)
• Public domain standard for functional and information management
• Describes processes within business information management at the strategy, management, and operations level
• Establishes a bridge between IT and business processes and between business information administrators and information managers
• Identifies processes at three levels: operations, management, and strategic
• Covers operations management, functionality management, change management and transition, planning and control, financial management, demand management, contract management, develop information strategy, develop information organisation strategy and information coordination
Business Analysis Frameworks
Information Technology and Related Frameworks
Business Analysis
Business Analysis Body of Knowledge (BABOK)
Structured Systems Analysis and Design Method (SSADM)
Business Analysis Body of Knowledge (BABOK)
• Developed by the IIBA (International Institute of Business Analysis)
• BABOK is the collection of knowledge within the profession of Business Analysis and reflects generally accepted practice
• Describes business analysis areas of knowledge, their associated activities and tasks and the skills necessary to be effective in their execution
• Identifies currently accepted practices
• Recognises business analysis is not the same as software requirements
• Defined and enhanced by the professionals who apply it
• Captures the knowledge required for the practice of business analysis as a profession
Structured Systems Analysis and Design Method (SSADM)
• Systems approach to the analysis and design of information systems
• Waterfall approach incorporates document-led approach to system design
• Includes
− Logical Data Modelling
− Data Flow Modelling
− Entity Behaviour Modelling
Enterprise Architecture Frameworks
Information Technology and Related Frameworks
Enterprise Architecture
TOGAF (The Open Group Architecture Framework)
Department of Defense Architecture Framework (DoDAF)
Ministry of Defence Architectural Framework (MODAF)
Zachman
Federal Enterprise Architecture (FEA)
NASCIO EAMM (NASCIO Enterprise Architecture Maturity Model)
TOGAF (The Open Group Architecture Framework)
• TOGAF is a framework (a detailed method and a set of supporting tools) for developing an enterprise architecture
− TOGAF is not itself an architecture
• Architecture design is a technically complex process and the design of mixed, multivendor architectures is particularly complex
• TOGAF plays an important role in helping to demystify and reduce the risk in the architecture development process
• TOGAF provides a platform for adding value and enables users to build genuinely open systems-based solutions to address their business issues and needs
• Because TOGAF has a detailed implementation framework, the project to implement it and the associated time and cost can be defined more exactly
• Framework can be customised to suit the requirements of the organisation
• TOGAF has a broad coverage and a business focus and seeks to ensure that IT delivers what the business needs
• TOGAF focuses on both the “what” and the “how”
Department of Defense Architecture Framework (DoDAF)
• Framework for developing and representing architecture descriptions that ensure a common denominator for understanding, comparing, and integrating architectures
• Establishes data element definitions, rules, and relationships and a baseline set of products for consistent development of systems, integrated or federated architectures
Ministry of Defence Architectural Framework (MODAF)
• Framework defining a standardised way of creating enterprise architecture
• Defines architectural views covering the strategic goals of the enterprise and the people, processes and systems that deliver those goals
Zachman
• Zachman Framework for Enterprise Architecture defines a collection of perspectives involved in enterprise architecture
• Provides a logical structure for classifying and organising the descriptive representations of an enterprise
• High level framework
Federal Enterprise Architecture (FEA)
• Methodology for information technology acquisition, use and disposal
• Contains a set of reference models
− Performance Reference Model
− Business Reference Model
− Service Component Reference Model
− Data Reference Model
− Technical Reference Model
NASCIO EAMM (NASCIO Enterprise Architecture Maturity Model)
• Developed by National Association of State Chief Information Officers (NASCIO)
• Provides a path for architecture and procedural improvements within an organisation
• Framework combines business and environment processes and representations to allow planning and development of an architecture blueprint
• Designed to improve information sharing across government boundaries, as well as to position government enterprises for the digital government age and the advantages and opportunities that technology presents
Summary
• Large number of potentially very useful frameworks and methodologies existing as point solutions
• Need to select the most appropriate framework to suit your needs
• Need to integrate frameworks into IT operations and delivery structure