Published by The Art of Service on June 13,
Every enterprise needs to tailor the use of standards and practices to suit its individual requirements. The growing adoption of IT best practices has been driven by a requirement for the IT industry to better manage the quality and reliability of IT in business and respond to a growing number of regulatory and contractual requirements. There is a danger, however, that implementation of these potentially helpful best practices can be costly and unfocused if they are treated as purely technical guidance. To be most effective, best practices should be applied within the business context, focusing on where their use would provide the most benefit to the organisation. Top management, business management, auditors, compliance officers and IT managers should work together to make sure IT best practices lead to cost-effective and well-controlled IT delivery. Standards and best practices are not a panacea; their effectiveness depends on how they have been implemented and kept up to date.
|Published (Last):||17 December 2012|
Why Best Practices Are Important
The effective use of IT is critical to the success of enterprise strategy, as illustrated by the following quote: The use of IT has the potential to be the major driver of economic wealth in the 21st century. While IT is already critical to enterprise success, provides opportunities to obtain a competitive advantage and offers a means for increasing productivity, it will do all this even more so in the future.
IT also carries risks. It is clear that in these days of doing business on a global scale around the clock, system and network downtime has become far too costly for any enterprise to afford. In some industries, IT is a necessary competitive resource to differentiate and provide a competitive advantage, while in many others it determines survival, not just prosperity. The UK government recognised very early on the significance of IT best practices to government and, for many years, has developed best practices to guide the use of IT in government departments.
These practices have now become de facto standards around the world in private and public sectors. ITIL was developed more than 15 years ago to document best practice for IT service management, with that best practice being determined through the involvement of industry experts, consultants and practitioners.
ISACA recognised in the early s that auditors, who had their own checklists for assessing IT controls and effectiveness, were talking a different language to business managers and IT practitioners. Over the years, COBIT has been developed as an open standard and is now increasingly being adopted globally as the control model for implementing and demonstrating effective IT governance.
Commercial exploitation requires a license see www. It describes proven best practice for procurement, programmes, projects, risk management and service management. The toolkit brings together policy and best practice in a single point of reference, helping to identify the critical questions about capability and project delivery and giving practical advice on ways to improve. Additional information is available at www. However, users need more guidance on how to integrate the leading global frameworks and other practices and standards.
In response to this need, ongoing research has been undertaken into the mapping of COBIT to a wide range of other practices. However, COBIT does not include process steps and tasks because, although it is oriented toward IT processes, it is a control and management framework rather than a process framework.
COBIT focuses on what an enterprise needs to do, not how it needs to do it, and the target audience is senior business management, senior IT management and auditors. ITIL is based on defining best practice processes for IT service management and support, rather than on defining a broad-based control framework.
It focuses on the method and defines a more comprehensive set of processes. Now that these standards and best practices are increasingly being used in real-world situations, experiences are maturing and organisations are moving from ad hoc and chaotic approaches to IT, to defined and managed processes. As IT governance—the concept and the actual practice—gains momentum and acceptance, IT best practices will increasingly be aligned to business and governance requirements rather than technical requirements.
Achieving this both in theory (the organisation is clearly defined) and in practice (everyone knows what to do and how) requires the right culture, policy frameworks, internal controls and defined practices.
Best Practices Provide Many Benefits
The effective adoption of best practices can provide many benefits, especially in the area of advanced technology. It is designed to be employed not only by users and auditors, but also, and more important, as comprehensive guidance for management and business process owners.
Increasingly, business practice involves the full empowerment of business process owners so they have total responsibility for all aspects of the business process. In particular, this includes providing adequate controls. The COBIT framework provides a tool for the business process owner that facilitates the discharge of this responsibility. The framework starts from a simple and pragmatic premise: To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
The framework continues with a set of 34 high-level control objectives, one for each of the IT processes, grouped into four domains: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor. This structure covers all aspects of information and the technology that supports it. By addressing these 34 high-level control objectives, the business process owner can ensure that an adequate control system is provided for the IT environment.
IT governance provides the structure that links IT processes, IT resources and information to enterprise strategies and objectives. IT governance integrates optimal ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating IT performance.
IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. The management guidelines further enhance and enable enterprise management to deal more effectively with the needs and requirements of IT governance. Specifically, COBIT provides maturity models for control over IT processes, so management can map where the organisation is today, where it stands in relation to the best in class in its industry and to international standards, and where the organisation wants to be.
Critical success factors (CSFs) define the most important management-oriented implementation guidelines to achieve control over and within its IT processes. Key goal indicators (KGIs) define measures that tell management—after the fact—whether an IT process has achieved its business requirements.
Key performance indicators (KPIs) are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached.
What are the indicators of good performance? What are the critical success factors? What are the risks of not achieving our objectives? What do others do? How do we measure and compare? COBIT 4. This growing dependency necessitates quality IT services at a level matched to business needs and user requirements as they emerge.
IT service management is concerned with delivering and supporting IT services that are appropriate to the business requirements of the organisation. ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management and related processes, promoting a quality approach for achieving business effectiveness and efficiency in the use of IS.
ITIL service management processes are intended to underpin, but not dictate, the business processes of an organisation. To assure this quality, responsibility is assigned to individuals who:
— Consult the users and help them use the services in an optimal manner
— Collect and forward opinions and recommendations of users
— Resolve incidents
— Monitor the performance of the services delivered
— Manage change
The book Planning to Implement Service Management discusses the key issues of planning and implementing IT service management.
It also explains the steps required for implementation and improvement of IT service delivery. ICT Infrastructure Management covers all aspects of ICT infrastructure from the identification of business requirements through the tendering process, to the testing, installation, deployment, and ongoing support and maintenance of the ICT components and IT services.
ITIL Security Management details the process of planning and managing a defined level of security on information and ICT services, including all aspects associated with the reaction to security incidents. Readers should note that the content of the IT Infrastructure Library is currently being refreshed, but that activity does not invalidate the guidance in this paper, although all references are to the current publications.
See the News section of www. It can be seen as a basis for developing security standards and management practices within an organisation to improve reliability on information security in inter-organisational relationships. The standard was published in in its first edition, which was updated in June It can be classified as current best practice in the subject area of information security management systems. The original BS was revised and reissued in September The guiding principles are the initial point when implementing information security.
They rely on either legal requirements or generally accepted best practices. Adoption of standards and best practices will help enable quick implementation of good procedures and avoid lengthy delays re-inventing wheels and agreeing on approaches.
However, the best practices adopted have to be consistent with the risk management and control framework, appropriate for the organisation, and integrated with other methods and practices that are being used. Standards and best practices are not a panacea, and their effectiveness depends on how they have been actually implemented and kept up to date. They are most useful when applied as a set of principles and as a starting point for tailoring specific procedures.
To avoid practices becoming shelfware, change enablement is required so management and staff understand what to do, how to do it and why it is important. For best practices to be effective, the use of a common language and a standardised approach oriented toward real business requirements is best, as it ensures everyone follows the same set of objectives, issues and priorities.
Tailoring
Every organisation needs to tailor the use of standards and practices, such as those examined in this document, to suit its individual requirements.
The organisation needs an effective action plan that suits its particular circumstances and needs. First, it is important for the board to take ownership of IT governance and set the direction management should follow.
Making sure that the board operates with IT governance in mind does this best.
Planning
With this mandate and direction in place, management then can initiate and put into action an implementation approach. To help management decide where to begin and to ensure that the implementation process delivers positive results where they are needed most, the following steps are suggested:
1. Set up an organisational framework (ideally as part of an overall IT governance initiative) with clear responsibilities and objectives and participation from all interested parties that will take implementation forward and own it as an initiative.
2. Align IT strategy with business goals. In which current business objectives does IT have a significant contribution? Obtain a good understanding of the business environment, risk appetite and business strategy as they relate to IT.
3. Understand and define the risks.
4. Define target areas and identify the process areas in IT that are critical to managing these risk areas.
5. Analyse current capability and identify gaps. Perform a maturity capability assessment to find out where improvements are needed most.
6. Develop improvement strategies, and decide which are the highest priority projects that will help improve the management and governance of these significant areas. This decision should be based on the potential benefit, ease of implementation, and with a focus on important IT processes and core competencies. Specific improvement projects as part of a continuous improvement initiative should be outlined.
7. Measure results, establish a scorecard mechanism for measuring current performance and monitor the results of new improvements considering, as a minimum, the following key considerations:
— Will the organisational structures support strategy implementation?
8. Repeat steps 2 through 7 on a regular basis.
Therefore, a key success factor is the enablement and motivation of these changes. In most enterprises, achieving successful oversight of IT takes time and is a continuous improvement process. This needs to be based on the principles of best managing the IT investment.
Aligning Best Practices
IT best practices need to be aligned to business requirements and integrated with one another and with internal procedures. COBIT can be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organisation.
These mappings are based on subjective judgement and are intended only to be a guide. This mapping is not intended to be definitive or prescriptive; it is only a guide. Links are shown only at the high level, pointing to the relevant section in the other documents. More information can be found at www. It is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals.