The document discusses ITSM governance and how it relates to cloud computing. It defines governance and IT governance, explaining that governance provides accountability and consistency. It outlines some frameworks for ITSM governance including ITIL, COBIT and ISO20000. The document recommends using a combination of these frameworks. It describes roles in ITSM governance including prescriptive, audit, coordination, and monitor roles. Finally, it provides an example of how to structure an ITSM governance approach around processes, controls, tasks and evidence.
2. David Mainville
CEO / Co-founder
dmainville@navvia.com
Twitter @mainville
February 2014
Copyright 2014, Navvia - A Division of Consulting-Portal
3. What are you hoping to learn from today’s presentation?
4. Let’s start with a poll
What is your organization’s position on SaaS / cloud?
1. We do not allow SaaS applications
2. We currently have no SaaS applications but are investigating
3. We currently use SaaS applications
4. Don’t know
5. 65% of respondents are either using or investigating SaaS
Source: 8th annual ITSM Industry Survey
6. What is SaaS / cloud computing?
Cloud computing most often refers to IT Services that are provided to users over the internet on a pay-as-you-go or on-demand model, much like a public utility.
7. Common terms
SaaS
Utility Computing
Private Cloud
Multi-Tenant
On-demand
Platform as a Service
Infrastructure as a Service
8. Just more marketing hype?
9. The Big Switch
• The new “industrial revolution”
• A watershed of creative energy
• A focus on core competencies
10. Companies are investing heavily in the cloud
App Store, iTunes…
11. @ Navvia
• 100% of our business apps are cloud based
  – Email & file sharing
  – Sales & marketing
  – Finance & Admin
  – DEV Infrastructure
  – PROD hosting
• We also sell ITSM cloud software
12. Some ITSM cloud players
http://www.zdnet.com/saas-itsm-tools-forrester-delivers-market-overview-7000011865/
Note: a non-exhaustive list, new entrants continue to enter the marketplace
13. Cloud doesn’t mean better
It’s a delivery option that still needs to be tailored to your needs
14. ITSM governance & the cloud
15. What is governance?
• In the case of a business or of a non-profit organisation, governance relates to consistent management, cohesive policies, guidance, processes and decision-rights for a given area of responsibility.
• IT Governance primarily deals with connections between business focus and IT management. The goal of clear governance is to assure that the investment in IT generates business value and mitigates the risks that are associated with IT projects.
17. Why ITSM governance?
• Maximize value of IT investment
• Support complex regulatory requirements
  – Sarbanes-Oxley, Basel-II
• Third party certifications
  – ISO20000, SAS70…
• Continual Service Improvement
18. Governance frameworks
• ITIL
  – Provides guidance on the processes
• COBIT
  – Widely accepted by the IT audit community
  – Defines controls, processes and audit tests (evidence)
• ISO20000
  – Defines a standard for a Service Management System
Our experience shows that the best approach is to use a combination of frameworks for ITSM governance
19. ITSM governance roles
• Prescriptive role assigns authority and accountability
• Audit role reports on compliance to process owners, executives and directors
• Coordination role assigns and coordinates the governance tasks
• Monitor role tracks governance reporting for the audit role
• User/Provider roles execute the governance tasks
An ITSM “Program Office” or “Governance Board” is the ideal place to center your governance activities
20. An ITSM governance approach
PROCESS | CONTROLS | TASKS | EVIDENCE
Process: Change Management
Controls (COBIT): AI6.1 Standards & Procedures; AI6.2 Assessment & Authorization; AI6.3 Emergency Changes; AI6.4 Tracking and Reporting; AI6.5 Change Closure & Doc
Tasks: Task 1: Provide Evidence of Change Mgmt. System; Task 2: Provide Evidence of Emergency Change Handling
Evidence: Emergency Change Categories; Emergency Change Reports; Documented Emergency Procedures; Review of Emergency Changes
21. ITSM governance & service delivery
Chart: Actual Service Levels vs. Desired Service Levels
— Ungoverned processes “wear down” over time
— The result is service variability versus consistency
— More effort to manage / less customer satisfaction
22. Achieving ITSM governance
• Define your processes
• Identify the Control Objectives
• Assign Accountability for Control Objectives
• Require evidence of compliance
• Measure and report on process compliance
23. Let’s take a poll
Do you have formal governance in place for ITSM?
1. Defined, implemented and enforced
2. Defined but not implemented
3. Implemented but not enforced
4. No ITSM governance in place
24. Governance remains very weak
Only 29% of respondents have implemented and enforce governance, up slightly from 28% in last year’s survey
Source: 8th annual ITSM Industry Survey
25. It’s no wonder ITSM programs fail
26. Does governance differ in the cloud?
27. I see governance from a variety of perspectives
28. Governing a cloud application
Questions to ask your Cloud or SaaS vendor
Requirement | Comment
Data Classification | Is the data being stored public, internal, confidential, restricted or highly restricted?
Physical Security | Does the vendor meet all security standards for datacenter access?
Authentication | What policies and technology are in place to limit access to data to the right people?
Authorization | Who at the vendor site is authorized to access the data, and what controls are in place?
Audit Logging | What security logs are maintained by the vendor / what is logged by the system?
Confidentiality | What policies / technology exist to ensure company data is kept confidential – is Payment Card (PCI) or Personally Identifiable Information (PII) stored in the cloud application?
Virus Protection | What policies and technologies are in place to ensure the data remains virus free?
Security Config | Has the vendor’s infrastructure been configured to protect against vulnerabilities – is it audited?
Patch Mgmt. | What policies / technology are in place to ensure critical updates are applied in a timely manner?
Physical Config. | How is our data segregated from the vendor’s other clients?
29. Governing a cloud application
Questions to ask your Cloud or SaaS vendor
Requirement | Comment
Disaster Recovery | What policies and technology are in place to address a disaster and support resumption of service (failover, backups, offsite storage, backup facilities…)?
Human Resource Security | What policies and practices are in place to ensure the vendor’s personnel are a) trained in security practices and b) have been adequately screened (background checks)?
Compliance | What audit protocols / practices does the vendor have in place to ensure compliance to their internal policies and processes?
Software Config Mgmt. | What policies, practices and technologies exist to ensure the vendor has adequate control over their source code libraries and that there is a separation of duties between development and production?
Insurance / Risk | What levels of coverage does the vendor have to protect from Identity Theft, Cyber-Extortion, Cyber-Terrorism, Information Asset Network Security, Web Content, Errors and Omissions, Network Business Interruption?
Financial Risk | Is the cloud vendor viable? What protections exist if they were to become insolvent?
Communications | What policies and practices are in place by the vendor to communicate security incidents?
Data Retention | How long does the vendor retain the data, how is it protected, and how can the data be extracted from the cloud application if the contract is terminated?
30. Related reading
ISO/IEC 20000: Defines the standard for a Service Management System (part 1&2). http://www.itgovernance.co.uk/
COBIT to ISO/IEC 20000: How to use COBIT Controls to support ISO/IEC 20000. http://www.isaca.org/
COBIT User Guide: Guidance for Service Managers on the Use of COBIT to support ITIL & ISO/IEC 20000. http://www.isaca.org/
COBIT to ITIL V3: How to use COBIT Controls to support ITIL V3. http://www.isaca.org/
31. Cloud Security Alliance (SM)
https://cloudsecurityalliance.org/
Security Guidance for Critical Areas of Focus in Cloud Computing
Cloud Controls Matrix v1.1 - Fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
32. What does this all mean to me?
33. Three things to remember
• Cloud Computing will continue to grow
• IT must remain accountable for governing cloud apps
• Understanding the cloud is crucial to your career
34. Navigating ITSM via our tools and services
Over 14 years of ITSM success
35. Navvia Software
The Navvia Process Management Platform
Simple • Social • Effective
36. 5 valuable tools for your ITSM program
37. ITSM Service Offerings
• ITSM Accelerators
• Onsite ITSM Services from assessments through to strategy and implementations
• ITSM tool selection & implementation
• ITSM education