The Decision
Deciding which model to use is a classic cost-benefit trade-off. Each maturity model has a particular focus of control from which the improvement benefit is derived. The SEI CMM focuses on practices that bring software engineering, such as IT application software engineering, under control, while the COBIT processes are aimed at a broader range of IT practices. A decision matrix mapping benefits, costs and alternatives clearly communicates the trade-offs and can be used both in making the decision and in implementation communications. Figure 1 is a decision matrix showing evaluation criteria and maturity model options for SEI CMM, COBIT or the two combined.
The SEI CMM is comprised of five levels of maturity (figure 2). Each level is a conceptual step or stage of process definition resulting in control, effectiveness and efficiency in producing software. The starting point is initial (maturity level 1), an ad hoc approach. Progression is expected through the repeatable (maturity level 2), defined (maturity level 3) and managed (maturity level 4) levels, culminating in the optimizing (maturity level 5) level. The key practice areas (KPAs) are grouped by level. To be assessed as repeatable, the organization must implement all of the level 2 KPAs and show evidence of having met the goals and objectives for those practices. The level 2 KPAs shown in figure 2 are: requirements management, software project planning, software project tracking and oversight, software subcontract management, software quality assurance and software configuration management. To be assessed as defined, all of the KPAs for level 3 must be implemented with evidence of having met the goals and objectives for those areas, as well as continuing to meet the goals and objectives for the level 2 KPAs.
Figure 2 (SEI CMM maturity levels, with the KPAs grouped by level): Initial (1), Repeatable (2), Defined (3), Managed (4), Optimizing (5).
COBIT
COBIT comprises 34 IT processes organized into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. For each process, the COBIT management guidelines contain the maturity model, process description, information criteria and IT resources, which indicate the improvement potential, together with the critical success factors, key goal indicators and key performance indicators. The COBIT framework, detailed control objectives and audit guidelines improve the IT organization's level of control, mitigating risks and sustaining performance. The management guidelines can be used with this knowledge base and COBIT Online benchmarking to prioritize and guide improvement.
The value of any model in driving performance improvement depends on whether the model will identify opportunities for improvement appropriate to the organization. COBIT can be used to identify weaknesses and opportunities for improvement in efficiency, effectiveness, confidentiality, integrity, compliance and reliability. COBIT can also be used to optimize management of people, applications, technology, facilities and data. These are IT opportunities. Implementing the SEI CMM KPAs delivers improvements in the effectiveness and efficiency of people, applications and technology. There are few SEI CMM references to processes or goals that assure confidentiality or data integrity. Security, business continuity and disaster recovery risk mitigation practices are largely missing from the SEI CMM.
Gap analysis takes weeks, implementation takes months, and there may be a lag after implementation before results are seen. The quality focus may be difficult for software engineers concerned with creativity rather than discipline, and the cost-of-quality language requires management interpretation to derive financial performance expectations.
The target population that must understand COBIT is the entire IT organization and its management, including business management. Fortunately, the COBIT documentation has been designed to address the needs of each of the target populations: the Executive Summary for business management, the Management Guidelines for IT management, the Control Objectives for process implementers and the Audit Guidelines for auditors. The entire COBIT 3rd Edition package consists of fewer than 500 pages. It is clear and concise and takes a relatively short period of time to read and comprehend. Self-assessments for prioritization and gap analysis take days, implementation takes weeks and results are almost immediately apparent. A drawback for management is the emphasis on control and risk mitigation rather than performance opportunity. COBIT's language of control is also not generally well understood by engineering organizations without previous exposure to audit or financial controls. Creating awareness of the need for controls and risk mitigation in those not familiar with the concept can get in the way of understanding the value.
project tracking and oversight, quality management, audit, training, process documentation, configuration and change. These resulted in a high-level correlation (see figure 3). The second pass was a more inclusive correlation based on similarities in the activities' intent and goals, and the third pass examined the potential for fulfilling COBIT detailed control objectives using SEI CMM practices. Figure 4 shows the information graphically. The KPAs are sorted by their SEI CMM level (shown in figure 2). The count totals are shown in the bars, with a total bar for each capability maturity model level 2, level 3, and levels 4 and 5 (left X-axis) correlated to each COBIT process (Y-axis), with the percent coverage (right Y-axis) of COBIT detailed control objectives superimposed.
Figure 3 (SEI CMM KPA to COBIT process correlation matrix) and figure 4 (bar chart; X-axis: COBIT Process, Y-axis: KPA Count, right Y-axis: percent coverage of detailed control objectives) are not reproduced here. The COBIT processes in the matrix, by domain:
Plan and Organize: PO1 Define a strategic plan; PO2 Define the information architecture; PO3 Determine technological direction; PO4 Define the IT organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and direction; PO7 Manage human resources; PO8 Ensure compliance with external requirements; PO9 Assess risks; PO10 Manage projects.
Acquire and Implement: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Develop and maintain procedures; AI5 Install and accredit systems; AI6 Manage changes.
Deliver and Support: DS1 Define and manage service levels; DS2 Manage third-party services; DS3 Manage performance and capacity; DS4 Ensure continuous service; DS5 Ensure systems security; DS6 Identify and allocate costs; DS7 Educate and train users; DS8 Assist and advise customers; DS9 Manage the configuration; DS10 Manage problems and incidents; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations.
Monitor and Evaluate: M1 Monitor the processes; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit.
Detailed control objectives fulfilled by SEI CMM practices (covered of total, with percent coverage where the figure gives it): AI1 4 of 18; AI2 6 of 17; AI3 3 of 6; AI4 3 of 4; AI5 6 of 14; AI6 5 of 8; DS1 0 of 7 (0%); DS2 6 of 8 (75%); DS3 0 of 9 (0%); DS4 3 of 13 (23%); DS5 0 of 21 (0%); DS6 3 of 3 (67%); DS7 2 of 3 (67%); DS8 2 of 3 (67%); DS9 6 of 8 (75%); DS10 3 of 5 (60%); DS11 3 of 30 (10%); DS12 0 of 6 (0%); DS13 0 of 8 (0%); M1 4 of 4 (100%); M2 3 of 4 (75%); M3 6 of 8 (75%); M4 4 of 8 (50%).
Legend (SEI CMM KPAs used in the correlation matrix): DP: Defect prevention; IC: Intergroup coordination; ISM: Integrated software management; OPD: Organization process definition; OPF: Organization process focus; PCM: Process change management; PTO: Project tracking and oversight; QPM: Quantitative process management; RM: Requirements management; SCM: Software configuration management; SPE: Software product engineering; SPP: Software project planning; SQA: Software quality assurance; SQM: Software quality management; SSM: Software subcontract management; TCM: Technology change management; TP: Training program.
acquire and maintain application software, PO11 manage projects, PO10 manage quality and DS2 manage third-party services. The integral processes for sustaining performance are AI6 manage changes and DS9 manage the configuration. Additional COBIT planning and monitoring processes that sustain performance and generate further opportunities are PO1 define a strategic plan, emphasizing capability improvement planning, and M1 monitor the processes, so that the organization recognizes the expected process performance improvement results from the capability maturity improvement projects. M2 assess internal control adequacy also sustains the performance and generates information that can be leveraged to identify additional opportunities.
Summary
Sustaining current performance while continuously reducing costs, decreasing exposure to risk and carving out resources to safely improve performance, all from a budget constantly targeted for cost reduction, is the IT challenge. Maturity models can tell where there are opportunities to improve the organization's performance. By using a maturity model, the organization can safely and predictably reproduce the performance improvement results of others, with confidence in the approach, the expected expenditure of resources and the benefits to be derived. Using any model requires an investment in learning, assessment and implementation. Best practice maturity models tell how to attain the improvements with the most precision and accuracy, and may require more investment because of their detailed and specialized guidance. Model synergies, including continuous improvement practices, leverage sustaining costs for higher returns. Using COBIT with the SEI CMM combines the best of both worlds to improve IT performance and drive the results to the business bottom line.
Debra Mallette, CISA, CSSBB, SEI CMM and CMMI Assessor, and Managed Change Master, is a process program manager for a large healthcare IT organization. Her experience ranges across industries and organizations. She has been published and has presented at the Motorola Software Engineering Symposium and the SEI CMM's SEPG. Her specialty is strategic capability improvement for enterprises making the transition to the information age. She can be contacted at debra.mallette@kp.org.
Monica Jain, CSQA, is a process consultant at Covansys Corporation, USA, specializing in technology and business consulting. Her areas of interest include implementation of CMM, CMMI and ITIL, and conducting audits and assessments. She has also cleared the ITIL Foundation Certification examination conducted by EXIM UK. She can be contacted at mjain@covansys.com or monica_j18@yahoo.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association, without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org