
ITIL v3 and COBIT v.4.1 Project Report


ITM 592 Project Final Report

Alignment of COBIT v4.1 metrics to Event, Incident and Problem Management processes of ITIL v3.

Submitted by

Armağan Şahin

Supervised by

Burçin Bozkaya

9/9/2009

2008/2009 Summer

© Sabanci University


Contents

Introduction

A brief history of ITIL

ITIL v3 Core Books

A brief history of COBIT

A closer look-in to the COBIT v4.1

Basic COBIT Principle

Maturity Models of COBIT

Performance Measurement in COBIT

The COBIT Framework Model

Methodology

Metric Alignment

Explanations and Conclusions

References

Appendix

A. Post Project Analysis

A.1. Initial Plan

A.2. Updated Plan

A.3. Realized Tasks

Introduction

In today’s rapidly changing IT world, every enterprise needs certain types of information, depending on its field of activity, to realize the main goals of its business and customers. These goals can be concrete, such as increasing revenues or cutting costs, or they can be more abstract, such as the quality of the services that a service provider supplies. Delivering services can be tough because “service” is not as straightforward to measure as costs or benefits, which can be represented in dollars. At this point, a set of five core books called “ITIL” (The Information Technology Infrastructure Library), prepared by the Office of Government Commerce (OGC), helps businesses by providing codes of practice in support of Total Quality and by creating a common vocabulary that helps organizations maintain IT capabilities and manage their service management processes. When it comes to measuring the quality of services, businesses may need to resort to different methods.

COBIT, which stands for “The Control OBjectives for Information and related Technology”, also serves for measuring IT services besides its helping side of . The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.[1] Meanwhile, ITIL has its own metrics at the end of each process. But using the metrics of ITIL alone is not enough, because the standard consulting approach used in ITIL is to determine the current "as-is" state through assessment, then decide the "to-be" state, and then work on the gap. ITIL v3 still fails to provide an as-is assessment model, though COBIT does.[2]

Having introduced both ITIL v3 and COBIT v4.1, it is useful to go over the goal of this project.

This project aims to reveal the relationship between COBIT v4.1 metrics and ITIL v3 processes. Knowing this relationship, people who need to measure their service quality can understand their current position in delivering a service and improve the quality of the services they deliver. With specific COBIT metrics for each ITIL v3 process, it is easier to see which side and stage of the service is having trouble. For example, for the ITIL v3 processes 4.2.5.6 Incident Escalation, 4.2.5.1 Incident Identification, 4.2.5.2 Incident Logging and 4.2.5.3 Incident Identification, a number of metrics were found, such as:

• Number of escalations or unresolved issues due to lack of, or insufficient responsibility for, assignments for 4.2.5.6 Incident Escalation,
• Percent reduction in number of high severity and,
• Incidents per user per month for 4.2.5.1 Incident Identification, 4.2.5.2 Incident Logging and 4.2.5.3 Incident Identification.

As touched on in different parts of this paper, ITIL v3 does not contain the relationships stated above one by one for each ITIL v3 process. It only has its own metrics, which are concerned with the general sense. In total, 28 metrics identified from COBIT v4.1 are aligned to 3 ITIL v3 processes, which are Event, Incident and Problem Management. A detailed table of the relationships between metrics and processes is provided in an attached Excel file.

At present, the latest versions of COBIT and ITIL are COBIT version 4.1 and ITIL version 3, and these are used as the latest resources. Generally, both COBIT and ITIL have some specific advantages. First, ITIL is the only consistent and comprehensive documentation of best practice for IT Service Management and has the following benefits: [3]

• Reduces costs
• Improves IT services through the use of proven best practice processes
• Improves customer satisfaction through a more professional approach to service delivery
• Standards and guidance
• Improves productivity
• Improves use of skills and experience
• Improves delivery of third party services through the specification of ITIL.

Secondly, according to the COBIT v4.1 book, COBIT has some advantages for managers, stakeholders and businesses too. These benefits can be grouped by the people they serve:

• Stakeholders within the enterprise who have an interest in generating value from IT investments:
  o Those who make investment decisions
  o Those who decide about requirements
  o Those who use IT services
• Internal and external stakeholders who provide IT services:
  o Those who manage the IT organization and processes
  o Those who develop capabilities
  o Those who operate the services
• Internal and external stakeholders who have a control/risk responsibility:
  o Those with security, privacy and/or risk responsibilities
  o Those performing compliance functions
  o Those requiring or providing assurance services.

In addition to ITIL, I will try to touch on COBIT (The Control Objectives for Information and related Technology) to explain the project and the relationship between them in detail. But first, let’s start with the history of ITIL.

A brief history of ITIL [4]

In the 1980s, the UK Government's CCTA developed a set of recommendations, in response to the growing dependence on IT, and the recognition that without standard practices, government agencies and private sector contracts were independently creating their own IT management practices. The IT Infrastructure Library originated as a collection of books each covering a specific practice within IT Service Management. ITIL was built around a process-model based view of controlling and managing operations often credited to W. Edwards Deming and his PDCA cycle. After the initial publication in 1989, the number of books quickly grew within ITIL v1 to over 30 volumes.

In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into 8 logical 'sets' that grouped related process guidelines to match different aspects of IT management, applications, and services. However, the main focus was known as the Service Management sets (Service Support and Service Delivery) which were by far the most widely used, circulated, and understood of ITIL v2 publications.

In April 2001 the CCTA was merged into the Office of Government Commerce (OGC), an office of the UK Treasury. In 2006, the ITIL v2 glossary was published.

In May 2007, this organization issued the version 3 of ITIL (also known as the ITIL Refresh Project) consisting of 26 processes and functions, now grouped under only 5 volumes, arranged around the concept of Service lifecycle structure. In 2009, the OGC officially announced that ITIL v2 would be withdrawn and launched a major consultation as per how to proceed.

The eight ITIL version 2 books and their disciplines are:

1. Service Delivery, which includes:
   • Service level management
   • Capacity management
   • Financial management
   • Availability management
   • IT service continuity management
2. Service Support, which includes:
   • Configuration management
   • Change management
   • Release management
   • Incident management
   • Problem management
   • Service desk
3. ICT Infrastructure Management
4. Security Management
5. The Business Perspective
6. Application Management
7. Software Asset Management

To assist with the implementation of ITIL practices a further book was published providing guidance on implementation (mainly of Service Management):

8. Planning to Implement Service Management

And this has more recently been supplemented with guidelines for smaller IT units, not included in the original eight publications:

9. ITIL Small-Scale Implementation

Overview of the ITIL v3 library[4]

Five key volumes comprise the ITIL v3, published in May 2007:

1. Service Strategy

2. Service Design

3. Service Transition

4. Service Operation

5. Continual Service Improvement.

ITIL v3 Core Books

Five different books form ITIL v3. These are:

• Service Strategy: It aims to provide guidance on how to design, develop and implement Service Management. It is about ensuring that IT organizations are in a position to achieve operational effectiveness and to offer distinctive services to their customers. Its ultimate goal is to make the IT organization think and act in a strategic manner.[5]

• Service Design: Its objective is to design and develop IT services. Its scope includes the design of new services, as well as changes and improvements to existing ones.[6]

• Service Operation: It makes sure that IT services are delivered effectively and efficiently.[7]

• Service Transition: It aims to build and deploy IT services. It also makes sure that changes to services and Service Management Processes are carried out in a coordinated way.[8]

• Continual Service Improvement: The goal of Continual Service Improvement is to align and realign IT Services to changing business needs by identifying and implementing improvements to the IT services that support the Business Processes.[9]

Figure 1. Red rectangles represent the processes chosen for aligning the COBIT v4.1 metrics.

Figure 2 shows the interrelationship between the ITIL service management processes.

Each process tries to answer the following questions:

• Service Strategy – How to develop a business-driven strategy for IT service management?
• Service Design – How to design a system to support the chosen strategy?
• Service Transition – How to transition the newly designed system to the production environment?
• Service Operation – How to support operations in an ongoing fashion?
• Continual Service Improvement – How to continue improving processes and operations?

In the following explanations, you will find why these COBIT control objectives are related to the ITIL v3 processes, as well as an explanation of the main framework of COBIT.

A brief history of COBIT[10]

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. COBIT has had four major releases:

• In 1996, the first edition of COBIT was released.
• In 1998, the second edition added "Management Guidelines".
• In 2000, the third edition was released.
  o In 2003, an on-line version became available.
• In December 2005, the fourth edition was initially released.
  o In May 2007, the current 4.1 revision was released.

A closer look-in to the COBIT v4.1[10]

For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognize the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT). The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping, information criteria are defined as follows:

1. Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

2. Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

3. Confidentiality concerns the protection of sensitive information from unauthorized disclosure.

4. Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

5. Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

6. Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

7. Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

Furthermore, IT governance integrates and institutionalizes good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework, the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.

Organizations should satisfy the quality, fiduciary and security requirements for their information, as for all assets.

Management should also optimize the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide. Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonized with other, more detailed, IT standards and good practices.

COBIT acts as an integrator of these different guidance materials, summarizing key objectives under one umbrella framework that also links to governance and business requirements. All of the COBIT components interrelate, providing support for the governance, management, control and assurance needs of the different audiences, as shown in Figure 3:

Figure 3. Interrelationship between COBIT v4.1 components

COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonized with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.

The benefits of implementing COBIT as a governance framework over IT include:

• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfillment of the COSO requirements for the IT control environment.

COBIT’s mission is to research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals.

Basic COBIT Principle[10]

The COBIT framework is based on the following principle (Figure 4): To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information.

Figure 4. Basic COBIT principle.

Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements. COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The domains map to IT’s traditional responsibility areas of plan, build, run and monitor.

To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in Figure 5, are called:

• Plan and Organize (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
• Deliver and Support (DS)—Receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed.

Figure 5. The four interrelated domains of COBIT.

PLAN AND ORGANISE (PO)

This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. This domain typically addresses the following management questions:

• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

ACQUIRE AND IMPLEMENT (AI)

To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:

• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

DELIVER AND SUPPORT (DS)

This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:

• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?

MONITOR AND EVALUATE (ME)

All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:

• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity and availability controls in place for information security?

Maturity Models of COBIT[10]

Senior managers in corporate and public enterprises are increasingly asked to consider how well IT is being managed. In response to this, business cases require development for improvement and reaching the appropriate level of management and control over the information infrastructure. While few would argue that this is not a good thing, they need to consider the cost-benefit balance and these related questions:

• What are our industry peers doing, and how are we placed in relation to them?
• What is acceptable industry good practice, and how are we placed with regard to these practices?
• Based upon these comparisons, can we be said to be doing enough?
• How do we identify what is required to be done to reach an adequate level of management and control over our IT processes?

It can be difficult to supply meaningful answers to these questions. IT management is constantly on the lookout for benchmarking and self-assessment tools in response to the need to know what to do in an efficient manner. Starting from COBIT’s processes, the process owner should be able to incrementally benchmark against that control objective. This responds to three needs:

1. A relative measure of where the enterprise is
2. A manner to efficiently decide where to go
3. A tool for measuring progress against the goal.

Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) defined for the maturity of software development capability.

Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:

• The actual performance of the enterprise—Where the enterprise is today
• The current status of the industry—The comparison
• The enterprise’s target for improvement—Where the enterprise wants to be
• The required growth path between ‘as-is’ and ‘to-be’.

To make the results easily usable in management briefings, where they will be presented as a means to support the business case for future plans, a graphical presentation method needs to be provided (Figure 6):

Figure 6. Graphic Representation of Maturity Models

The advantage of a maturity model approach is that it is relatively easy for management to place itself on the scale and appreciate what is involved if improved performance is needed. The scale includes 0 because it is quite possible that no process exists at all. The 0-5 scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimized capability. At the end of each process, the performance of that process is evaluated by the maturity models, which measure the enterprise’s actual performance for its IT processes. Figure 7 shows an example maturity model:

Figure 7. Generic Maturity Model

Performance Measurement in COBIT[10]

Goals and metrics are defined in COBIT at three levels:

• IT goals and metrics that define what the business expects from IT and how to measure it
• Process goals and metrics that define what the IT process must deliver to support IT’s objectives and how to measure it
• Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it.

The COBIT Framework Model[10]

The COBIT framework, therefore, ties the business requirements for information and governance to the objectives of the IT services function. The COBIT process model enables IT activities and the resources that support them to be properly managed and controlled based on COBIT’s control objectives, and aligned and monitored using COBIT’s goals and metrics, as illustrated in Figure 8:

Figure 8. COBIT Management, Control, Alignment and Monitoring.

To summarize, IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube in Figure 9:

Figure 9. The COBIT Cube

In more detail, the overall COBIT framework can be shown graphically, as depicted in Figure 10, with COBIT’s process model of four domains containing 34 generic processes, managing the IT resources to deliver information to the business according to business and governance requirements:

Figure 10. Overall COBIT Framework

ITIL helps businesses by providing codes of practice in support of Total Quality and by creating a common vocabulary that helps organizations maintain IT capabilities and manage their service management processes. COBIT, on the other hand, helps firms see whether there are gaps in their service management, thanks to the maturity models that COBIT presents. So ITIL takes the metrics for evaluating service management from COBIT: although ITIL has its own metrics, ITIL v3 still fails to provide an as-is assessment model, though COBIT does. The following figure explains what types of objectives should be pursued to increase the efficiency and effectiveness of services, and helps to show the weak side of ITIL v3, which is Metrics & Measurements:

Scheme 1. Red rectangle shows the weak side of ITIL v3.

Methodology

To align the metrics from COBIT v4.1 to the Event, Incident and Problem Management processes of ITIL v3, the latest version of COBIT and the related processes of ITIL were first analyzed in detail. The relationships in each process were checked to see in which part of the process they would be used. These three processes were selected at the beginning of the project. To understand where the COBIT metrics were used, it is useful to define the ITIL v3 processes that were selected:

• Event Management: An event can be defined as any detectable or discernible occurrence that has significance for the management of the IT Infrastructure or the delivery of IT service and evaluation of the impact a deviation might cause to the services. Event Management is the process that monitors all events that occur through the IT infrastructure to allow for normal operation and also to detect and escalate exception conditions. (ITIL Service Operation book) Figure 12 represents the Event Management process: [11]

Figure 12. Event Management process flow

• Incident Management : In ITIL v3, incident is an unplanned interruption to an IT

service or reduction in the quality of an IT service. Failure of a configuration item that

has not yet impacted service is also an incident, for example failure of one disk from a

mirror set. Incident Management Concentrates on restoring the service to users as quickly

as possible, in order to minimize business impact. The process flow for this process

shown in Figure 13; [11]

Figure 13.Incident management process flow.

Page | 22

Page 24: ITIL v3 and COBIT v.4.1 Project Report

• Problem Management: ITIL defines a ‘problem’ as the unknown cause of one or more incidents. Problem Management involves root-cause analysis to determine and resolve the cause of events and incidents, proactive activities to detect and prevent future problems/incidents and a Known Error sub-process to allow quicker diagnosis and resolution if further incidents do occur. [11]

Figure 14. Problem Management process

Metric Alignment


After understanding each ITIL process, we needed metrics from COBIT because, as I mentioned before, ITIL does not include enough metrics to understand which part of the service is missing or being carried out ineffectively. In light of this information, a total of 9 COBIT v4.1 processes were identified: PO4. Define the IT Processes, Organization and Relationships; PO9. Assess and Manage IT Risks; AI2. Acquire and Maintain Application Software; AI7. Install and Accredit Solutions and Changes; DS8. Manage Service Desk and Incidents; DS10. Manage Problems; DS12. Manage the Physical Environment; DS13. Manage Operations; ME1. Monitor and Evaluate IT Performance. Together they contain 28 metrics for the 3 ITIL v3 processes, which are Event Management, Incident Management and Problem Management.

Note: The alignment of the COBIT metrics to the Event, Incident and Problem Management processes of ITIL v3 is explained in the attached Excel file.

Explanations and Conclusions

As for the differences between the realized tasks and the planned ones, the software procedures required to do the project were needed effectively. However, as was mentioned, we were included in this project in the summer term, and I was able to do the necessary parts of this project, for example aligning the metrics gathered and found in COBIT to the Event, Incident and Problem Management processes of ITIL v3, which forms the name of the project.

After having discussions with Yasemine Özşen, the mentor of this project, who is Process Leader & Compliance Specialist & Project Manager, I was told to find the missing metrics in ITIL and to align the COBIT metrics to the Event, Incident and Problem Management processes of ITIL v3. Although the software design could not be done properly, individuals who work in the IT sector and deal with problems and service management can use these metrics to see whether things are being managed smoothly.

A total of 28 COBIT metrics belonging to 9 COBIT processes were aligned to the Event, Incident and Problem Management processes of ITIL v3. The revealed metrics can be found in detail in the attached Excel file.

References


[1] : http://en.wikipedia.org/wiki/COBIT

[2] : http://www.itsmwatch.com/itil/article.php/3799811

[3] : http://www.itil-officialsite.com/AboutITIL/WhatisITIL.asp

[4] : http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library

[5] : http://wiki.en.it-processmaps.com/index.php/ITIL_V3_Service_Strategy

[6] : http://wiki.en.it-processmaps.com/index.php/ITIL_V3_Service_Design

[7] : http://wiki.en.it-processmaps.com/index.php/ITIL_V3_Service_Operation

[8] : http://wiki.en.it-processmaps.com/index.php/ITIL_V3_Service_Transition

[9] : http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library#5._Continual_Service_Improvement_.28CSI.29

[10] : COBIT v4.1 Book published by ISACA and ITGI in May 2007.

[11] : ITIL v3 Service Operation Book, published by the United Kingdom's Office of Government Commerce (OGC) in May 2007.

Appendix

A. Post Project Analysis

A.1. Initial Plan

The main goal of the project was to obtain a piece of software by choosing an ITIL process and applying the COBIT metrics to the assigned process by the end of the summer semester. By using this tool, individuals could see the specific measurement criteria in service management. During this summer term, only parts of the project allowed us to investigate and compare both COBIT v4.1 metrics and ITIL v3 processes within a short period of time.

A.2. Updated Plan

After understanding that specifying or developing a tool for this purpose was not possible, for the reason mentioned in A.1 Initial Plan, I focused on analyzing COBIT and ITIL and comparing the differences between them. When doing this comparison, the aim was to bring to light the meaning of each process in COBIT, the relationships between them, and the metrics revealed and aligned to the ITIL processes (Event, Incident, Problem), rather than to develop a tool, because of the length of this project.

A.3. Realized Tasks

To show which tasks were accomplished, the work breakdown structure defined before starting this project is given here. The WBS chart is as follows:

Level Hierarchical Breakdown

Document gathering (ITIL & COBIT)

Analysis of ITIL processes

Analysis of COBIT metrics

Chosen process and metric alignment
