TMCnet News

IT By The Book -- Delighting customers consistently while constantly evolving what IT does takes a plan. Here are three respected sources for guidance.
[December 10, 2007]

(Information Week Via Thomson Dialog NewsEdge) It's long been accepted that constant change is fundamental to IT. While most IT pros understand that change is part of the game, the organizations they support often resist it or have a hard time understanding why IT operates under the strictures it does. CIOs must be prepared to overturn accepted norms in the pursuit of innovation. Finessing those changes means more than just leadership skills or charisma. It calls for having a clear blueprint as to the direction of the organization and its goals.

Many organizations struggle with that blueprint. It's not simple for IT to define its goals, position services and the need for constant evolution, and then communicate its capabilities and services to its line-of-business customers. The good news is that a lot of thinking has already gone into the problem.

The answer for many has been to follow the models set down in ITIL 2.0 (Information Technology Infrastructure Library), the 10-book set of best practices for IT service management that's gained wide popularity among international organizations and the vendor community. While ITIL will go far, skeptics contend that it's too specific. IT needs to think more broadly, they say, and blend ITIL with other, broader specifications. COBIT, or Control Objectives for Information and Related Technology, and ISO 17799, which is more specific to security, along with ITIL form the basis of a blueprint for IT governance.


Attempting to mix the three management specifications (COBIT, ITIL, and ISO 17799) can be daunting, and much work has been done to harmonize them. You can think of the three this way: COBIT tells you what to monitor and control. ITIL describes how to go about implementing the processes for doing that. ISO/IEC 17799:2000 lays out a process for securing those services and addressing legal requirements.

COBIT was published by the IT Governance Institute and is positioned as a high-level governance and control framework. The framework specifies 34 high-level control objectives for IT processes. Corresponding to these 34 control objectives are 318 recommended detailed control objectives to provide management assurance and advice for improvement.

ISO/IEC 17799:2000 is a framework for information security management published by the International Organization for Standardization and the International Electrotechnical Commission. The standard was first published in 2000 and updated in June 2005. It specifies best practices for security in 12 areas and offers guidance on such topics as protecting personal data, internal information, and intellectual property.

ITIL was developed by the U.K. government starting in the '80s and provides best practices for delivering IT services. The first version was a 48-book collection that was subsequently reduced to 10 books focusing solely on IT process. ITIL 3, released this year, is condensed into five books and refines the notion of IT service. Previously, core tenets were divided between service support and service delivery; these are now combined.


But not all organizations are prepared for the level of overhaul implied by COBIT. ITIL addresses the immediate need for many IT organizations to provide systemization and structure to current processes without the work required by COBIT.

Two principal concepts characterize the basic thinking of ITIL: customer orientation and holism. ITIL's fundamental goal is for organizations to provide services at a reliable level of quality. To achieve that objective, ITIL seeks to empower customer-facing IT personnel (those individuals consulting with users, helping them use services, collecting their opinions, addressing incidents, monitoring service performance, and managing change) and makes them responsible for service delivery.

At the same time, ITIL pushes for holistic service design. All aspects involved in delivering a specific service are considered: the functional technological elements, the personnel needed to deliver and maintain those elements, and the processes necessary to ensure the functioning of those services. The possible risks and impact on the existing computing environment are assessed with contingency plans considered. Future service requirements are then factored in as well.

To illustrate how ITIL works, take the example of change management. When an event occurs, such as Cisco releasing an IOS upgrade (illustrated at the top of this page), some organizations might simply deploy the change across their infrastructure. An ITIL-based process is more elaborate, providing a process for accountability, engaging the organization, and prioritizing the change in the context of other changes.

In this instance, the Change Initiator, perhaps a network administrator, enters a change request into a database or some other tracking system for approval. The request is made up of a unique identifier, the name of the item to be changed, a brief description of the action, and the reason for the change. The request goes to a Change Manager, most likely the administrator's manager, for review in the context of IT's objectives, other pending changes, and other criteria.

Assuming the change is approved, the Change Initiator creates a plan explaining the full details of the change, its impact on services and users, the impact and risk of change failure, a rollback procedure in the event of a problem, and the date and time that the change will take place. The plan then goes through a peer review for technical accuracy and proceeds to the Change Manager or, depending on the severity of the change, a Change Board for approval. Depending on the size of the organization, the Change Board may be a single individual or it may be comprised of individuals across the organization, typically the individual responsible for delivering the service, a representative of the business, and the Change Manager. If the change is approved, then it's implemented according to the defined plan and the changes are logged in a central repository.

Similarly, problem resolution under ITIL is structured and thorough, and involves both reactive and proactive processes. The incident management process addresses resolution of specific problems. A user complaining about poor voice quality (illustrated on the previous page), for example, causes the service desk to log the issue in its ticketing system. The service desk then attempts to solve the problem, checking its knowledge base and repository of configuration information, such as a configuration management database, or CMDB. Unresolved problems are escalated to higher-level support teams for diagnosis. The service desk ultimately informs the user of the solution or why the problem can't be solved.

Problem resolution also involves proactive measures, which are described in the problem management process. Under this process, IT measures the importance of various incidents and then sets about investigating their root cause. Once resolved, the problem is logged in the company's knowledge base for use by the service desk in resolving future incidents.

By wrapping process, people, and technologies together, ITIL with COBIT and ISO 17799 give IT the reference framework for governing its operations. Whether they achieve their goals is up to you.

Write to Dave Greenfield at [email protected].


COBIT's Pentagon: COBIT's goal is to help IT understand the needs of the business and to put practices in place to meet them as efficiently as possible. Strategic alignment keeps IT and more general enterprise planning in sync. Value delivery takes that strategic value proposition and delivers on it. Resource management helps IT put its money and other assets where they'll do the most good, while risk management establishes a conversation between corporate officers and IT executives so that systems reflect the enterprise's aversion to risk. Performance management monitors IT's implementation efforts, providing measures for success and constant improvement.

Copyright 2007 CMP Media LLC. All rights reserved.
