UPGRADE: Vol. IX, issue no. 1, February 2008

IT Governance
Published on behalf of CEPIS by Novática (ATI, Spain)

Chief Editor: Llorenç Pagés-Casas, <pages AT ati DOT es>

Associate Editor: Rafael Fernández Calvo, <rfcalvo AT ati DOT es>

Abstract: IT is a business like any other line of business, so why don’t we run it as a business? If we look at other disciplines, we can find excellent examples of the application of governance principles. In the IT market, however, we seem to have forgotten to apply some of the most elementary business policies. Recent developments have shown the catastrophical effects that may follow from this. So let’s have a closer look at this, and take the first elementary step by answering “What is IT Governance and what is it NOT?” The answer may come as a surprise. And IT Governance may be less difficult than it seemed.

Abstract: Although the contribution made to ITIL (Information Technology Infrastructure Library) by version 3 over version 2 cannot be considered as a radical change in direction, it does represent a step forward towards making ITIL not only a frame of reference for operational matters but also a valuable IT Governance tool. Rather than rendering the previous recommendations obsolete, the new version places them within a broader context. This article stresses the importance of this step forward and describes its most significant implications.

Abstract: In this article we analyse a compilation of tools and techniques produced by a working group coordinated by itSMF Spain with a view to providing professionals involved in projects implementing ITIL best practices with a range of project management tools and techniques (based on PMBOK and PRINCE2 methodologies) to facilitate project management and ensure a successful implementation of ITIL.

Abstract: The need of IT departments to create value for their organization’s business has given rise to a large number of tools (IT Governance), which to a greater or lesser extent have been closing the gap between IT and Business, but have failed when applied to Business Intelligence systems. This article demonstrates the need to create a dedicated BI Governance structure over and above IT Governance, a structure based on agility, versatility, and human relations which is specifically designed to provide information to decision makers.

Abstract: Changes in market demand and in technology have meant that managing IT projects has recently become an authentic challenge for those responsible for information technologies. This difficulty lies in managing individual as well as group projects. This last area includes the concept of a project portfolio, a set of projects carried out within an organization and sharing resources. In recent years portfolio management has proven to be a discipline that allows the value generated by IT to increase and helps implement strategy through the projects.

ISO20000 – An Introduction [PDF: 3 pages, 179 KB]
Lynda Cooper
Abstract: ISO20000 is the International Standard for IT Service Management. This article provides an overview covering the history of the standard, the scope and relationship to other standards and frameworks as well as benefits realised. The article also recommends additional sources of information.

COBIT as a Tool for IT Governance: between Auditing and IT Governance [PDF: 4 pages, 75 KB]
Juan-Ignacio Rouyet-Ruiz
Abstract: Cobit is establishing itself as an effective tool to set up IT Governance that will help IT departments convert themselves into technological partners of businesses. When analysing the suitability of Cobit for IT Governance we must be aware of its origins in auditing, and of its strengths and weaknesses resulting from such an origin. In this article we analyse Cobit’s strengths and weaknesses as a framework for IT Governance, using as a reference another IT Governance model, that of Peterson.

Implementing IT Governance Ad@pting CobiT, ITIL and Val IT: A Respectful Caricature [PDF: 4 pages, 117 KB]
Ricardo Bría-Menéndez and Manuel Palao García-Suelto
Abstract: In this article we present some guidelines for the combined use of three reference models and a series of points and criteria to be considered in respect of their complementarity.

What Governance Isn’t [PDF: 4 pages, 69 KB]
Rob England
Abstract: This article makes a quixotic attempt to stem the corruption of the word governance. Governance is policy making and policy policing. Anything else is management.

Dídac López-Viñas is the Director of IT Services at the Girona University (Universitat de Girona –UdG-, Spain), Director of ICT at the Science and Technology Park of the UdG, and consultant at UOC (Universitat Oberta de Catalunya) for postgraduate courses in technology services management. He is a graduate in Computer Science from UPC (Universitat Politècnica de Catalunya), holds a postgraduate degree in IT Management from ICT (Institut Català de Tecnologia), another in Enterprise Information Management (Infonomía, UPF), and an MBA from Las Heures (UB). Before working in university IT services he was a systems engineer at Hewlett Packard and IECISA. He has played an active role on various boards of governors of the ATI (the Spanish Association of Computer Technicians) and has collaborated with the COEIC (Col·legi Oficial d’Enginyeria en Informàtica de Catalunya) serving on the Dean’s Council. He has been president of ATI Catalunya since January 2005. <didac.lopez@ati.es>.

Antonio Valle-Salas is Project Manager at Abast Systems and is a specialist consultant in ITSM (Information Technology Service Management) and IT Governance. He graduated as a Technical Engineer in Management Informatics from UPC (Universitat Politécnica de Catalunya) and holds a number of methodology certifications such as ITIL Service Manager from EXIN (Examination Institute for Information Science), Certified Information Systems Auditor (CISA) from ISACA, and COBIT Based IT Governance Foundations from IT Governance Network, plus more technical certifications in the HP Openview family of management tools. He is a regular collaborator with itSMF (IT Service Management Forum) Spain and its Catalan chapter, and combines consulting and project implementation activities with frequent collaborations in educational activities in a university setting (such as UPC or the Universitat Pompeu Fabra) and in the world of publishing in which he has collaborated on such publications as IT Governance: a Pocket Guide, Metrics in IT Service Organizations, Gestión de Servicios TI. Una introducción a ITIL, and the translations into Spanish of the books ITIL V2 Service Support and ITIL V2 Service Delivery. <avalle@abast.es>.

Aleix Palau-Escursell is a partner and Commercial Director of NETMIND, a company engaged in IT training, consultancy, and management. Aleix holds a Higher Diploma in Management Informatics, a Master in Sales Management from EADA, and a Master in ICT Management from La Salle (Universitat Pompeu Fabra). His entire professional career to date has been in NETMIND where he has led the company’s commercial expansion and established it as one of the pioneers in the provision of training and consultancy services for Project Management, ITIL, and ISO 20000. In recent years he has played an active role in disseminating best practices and methodologies for Project Management and IT Service Management, collaborating with organizations such as PMI (Project Management Institute), itSMF (IT Service Management Forum), ATI, and La Salle, among others. <aleix@netmind.es>.

Willem-Joep Spauwen is a senior consultant at Quint Wellington Redwood Iberia. He graduated in Business Administration at the University of Groningen, Netherlands. He has specialized in ICT Governance and added value provided by business management and organization related Information Systems. His career began in the IT Department of Royal Dutch Airlines KLM, where he played an active role in the field of IT-Business alignment. At Quint Wellington Redwood he works as an international consultant in the field of IT management. He has taken part in several projects undertaken by multinationals in the Netherlands, the USA, Mexico, and Spain. He also participates regularly in a number of international forums. <w.j.spauwen@quintgroup.com>.

UPENET (UPGRADE European NETwork) [PDF: 5 pages, 144 KB]

From Pro Dialog (PTI-PIPS, Poland)
Software Engineering
A View on Aspect Oriented Programming
Konrad Billewicz

This paper was first published, in English, by Pro Dialog (issue no. 23, 2007, pp. 13-20). Pro Dialog, a founding member of UPENET, is a biannual journal published jointly, in English or Polish, by the Polish CEPIS society PTI-PIPS (Polskie Towarzystwo Informatyczne – Polish Information Processing Society) and the Poznan University of Technology, Institute of Computing Science.

Abstract: In this paper a wide view on aspect oriented programming is shown. The correlation with object oriented programming is presented. The strengths of aspect oriented design over object oriented design are pointed out. The typical usage of aspects is outlined. Several research and industry examples of aspect usage are provided.

CEPIS Working Groups [PDF: 2 pages, 105 KB]

Authentication Approaches for Online Banking

CEPIS Legal and Security Special Interest Network

Abstract: Authentication is essential part of modern e-commerce, particularly in online-banking. Owing to the popularity and wide use of on-line banking unwanted side effects aroused; i.e. abuses, activities by malicious and criminal users and rise of organized criminal attempts (e.g. phishing). This paper surveys contemporary authentication approaches taken by European banks and further argues that complex and error prone security measures do not provide any security improvement, but rather discourage or prevent users easily entering the electronic market place. Additionally, recommendations are given, which are targeted at different parties; i.e. banks and other financial institutions and organizations, governments and regulators, professionals and customers. For every group specific recommendations are suggested.

Monograph: IT Governance

Presentation
IT Governance: Fundamentals and Drivers [PDF: 3 pages, 62 KB]
(includes a set of useful references about the matter)
Dídac López-Viñas, Antonio Valle-Salas, Aleix Palau-Escursell, and Willem-Joep Spauwen

In recent years there has been much talk about IT Governance and the management of organizations in general, which has captured the interest of all those involved in ICT management.

After a number of decades during which ICT has been applied in organizations in an non-harmonized manner, with different aims in each organization, there was a growing realization that, while such technologies should be at the service of business, that is not always the case.

If we were talking about another functional area, such as Human Resources or Accounting, rather than ICT, we would take it for granted that the activities undertaken by those departments were aligned with the goals of the organization they belonged to, and we would not feel the need, although such a need may exist, to create reference models and methodologies to ensure that they were aligned. However, in many organizations ICT is not adequately aligned with the organization’s goals, which may lead to project deviations (negative return on investment, uncontrolled expenses, etc.), or unmanaged risks. This is what has given rise to the concept we know today as IT Governance.

Organizations may be thought of as a coordinated set of information systems in which human and material resources participate, but the key to successful organizations resides in the information per se and the way it is automated. Here is where the managers of organizations may question the manner in which that information is processed and the risks they are taking, both as a result of mistakes that may be made and in terms of the cost of not having that information.

Meanwhile, the strategic opportunities afforded to organizations by ICT have given rise to difficulties concerning the management of those technologies. Many companies do not hesitate to describe their ICT departments as strategic or critical to their core activities while at the same time recognizing that ICT causes problems that they hesitate to describe as unmanageable.

Thus ICT departments are often perceived as a pure expense rather than a value-adding resource. They are seldom considered as an opportunity, and investment in ICT is often seen as a technologists’ whim, always to be questioned.

Part of the problem lies in the difficulty that managers have in seeing ICT in the company as part of their responsibility and in acquiring the basic knowledge required to take on that responsibility. But the CIOs are also to blame for not understanding organizations and their business objectives, for not taking managerial language on board, for not listening to the real problems of functional managers, and for focusing their goals on technology and not on the practical exploitation of that technology.

We can sum up this general problem as being a difficulty to integrate and align ICT departments’ operations and internal organization within the greater organization and its technological goals. The problem also stems from the misconception that general managers have of ICT departments as separate and almost unrelated units due to the technological nature of their role.

Companies and organizations in general need to close this gap between general management and ICT departments by applying management methodologies that will integrate ICT departments within the greater organization and align their operations with corporate goals.

If this gap is to be closed, the managers of organizations need to understand that the ICT department must be managed within the context of business objectives as an inseparable part of the business, and that they need to learn ICT management methodologies. Meanwhile the managers of the ICT department should understand their mission within the context of the company’s corporate goals. ICT management should not be seen as a separate goal or discipline, but rather as a cross-functional process affecting the entire organization, one in which everyone should play an active role.

Many organizations are now getting the most out of ICT by understanding and managing the benefits and risks involved, by successfully aligning their ICT strategy with corporate strategy to form a single integrated strategy, by putting in place mechanisms and processes to implement that strategy, including mechanisms to monitor and control ICT systems, and by using metrics to measure ICT management performance. The set of methodologies that allows us to achieve the above objectives is what we now call IT Governance.

IT Governance draws on a number of different fields (monitoring and control, audit, metrics, service management, and quality management) to create models identified by such trendy terms as ITIL, Cobit, Val IT, ISO 20.000, etc., and their pertinent certifications. This same trend has also given rise to a great deal of confusion and management by fad with regard to the concepts involved.

The aim of the ensuing monograph is to bring readers up to speed with the latest trends, to show how such trends may be reasonably applied, and to try and explain just what IT Governance is, and what it is not.

Useful References on IT Governance

The following references, along with those included in the articles this monograph consists of, will help our readers to dig deeper into this field.

Books

Koen Brand, Harry Boonen. IT Governance based on CobiT 4.0. A management guide. ITSM Library. Van Haren Publishing, 2007. ISBN: 9087530218.
Jan Van Bon et al. IT Service Management – An Introduction. Van Haren Publishing. ISBN:978908 7530518.
Office of Government Commerce. Best practice for Service Support. ITIL the key to managing IT Services. TSO Books, 2001. ISBN: 9780113300150 / 0113300158.
Office of Government Commerce. Best practice for Service Delivery. ITIL the key to managing IT Services. TSO Books, 2001. ISBN: 9780113300174 / 0113300174.
Office of Government Commerce. ITIL Small-scale Implementation. TSO Books, 2005. ISBN: 978011 3309801/0113309805.
Mark D. Lutchen. Managing IT as a Business: A Survival Guide for CEOs. McGraw-Hill, 2006. ISBN: 0471471046.
Gary Case, Troy DuMoulin, George Spalding, Anil C. Dissanayake. Service Management Strategies that Work. Van Haren Publishing, 2007. ISBN: 9789087530488.
Peter Brooks. Metrics for IT Service Management. Van Haren Publishing, 2006. ISBN: 9789077212691.
IT Governance Institute. IT Governance Implementation Guide: Using COBIT and Val IT. 2nd Edition. ISACA, 2007. ISBN: 9781933284750.
IT Governance Institute. Cobit 4.1. ISACA, 2007. ISBN: 9781933284729.
Office of Government Commerce. ITIL Version 3 Core Titles: The Official Introduction to the ITIL Service Lifecycle; Continual Service Improvement (CSI); Service Design (SD); Service Operation (SO); Service Strategy (SS); Service Transition (ST). <http://www.itsmf.es/books.asp?Class=3411>.

Associations

IT Governance Institute <http://www.itgi.org>.
Information Systems Audit and Control Association <http://www.isaca.org>.
IT Infrastructure Library <http://www.itil.co.uk>.
Information Technology Service Management Forum <http://www.itsmf.es>.
ITSM Portal <http://en.itsmportal.net>.

Articles

ISACA. Val IT Overview <http://www.isaca.org/Template. cfm?Section=Home&CONTENTID=21569&SECTION=COBIT6&TEMPLATE=/ContentManagement/Content Display.cfm>.
Mark Toomey. AS8015 – Corporate Governance of ICT Practical Application <http://www.usq.edu.au/resources/as8015corporategovernanceofict.pdf>.
Pink Elephant. ITIL v3: What You Need To Know <https://www.pinkelephant.com/NR/rdonlyres/94D620D8-0351-4F9E-82D8-CF033200E8DA/765/ITILv3WhatYouNeedToKnowNA1.pdf>.
ITIL.org. ITIL V3-V2 Mapping <http://www.itil. org/en/itilv3-servicelifecycle/itilv3-v2mapping.php>.

Web Sites

The Val IT framework <http://itgovernance.pbwiki. com/ValIT>, <http://www.isaca.org/valit/>.
COBIT 4.1 news <http://www.isaca.org/cobit>.
Enabling IT Governance <http://erp4it.typepad.com/erp4it>.
History of ITIL <http://www.itilv3launch.com/pages/index.html>.
ITSMWatch <http://www.itsmwatch.com>.
ITIL Training Zone <http://www.itiltrainingzone.com>.
Troy DuMoulin’s blog <http://blogs.pinkelephant.com/troy>.
The IT Skeptic <http://www.itskeptic.org>.
Serge Thorn’s blog <http://sergethorn. blogspot.com>.
ICT Governance <http://www.gobiernotic.es> (in Spanish).

Last updated on July 10th, 2008

by the Editorial Team of Upgrade