Vol. 39 (Number 32) Year 2018 • Page 26
Diana Nathaly LÓPEZ Armendáriz 1; María José VACA Rivas 2; Hernan Eduardo CUEVA Delgado 3
Received: 23/02/2018 • Approved: 11/04/2018
ABSTRACT: The components that make up Information Technology in organizations take on greater relevance every day. For this reason, models are developed that support the "Governance and Management" of the organization through the application of the COBIT reference framework, a methodology distributed by ISACA, together with the best practices of ITIL, which facilitate the delivery of services. Process improvement within the organization improves response times in the resolution of incidents and the efficiency of services.
Organizations require, as an important factor of production, the development of technologies and methodologies that allow services to be controlled. There are several agile methodology models that allow service management to function correctly. This article analyzes the COBIT and ITIL reference frameworks together with the controls established by the ISO/IEC 27000 standard, and the maturity and metrics models that help guarantee the correct operation of the information technology management model.
COBIT allows the evaluation of information technology management through the audit environment. For this, it is necessary to apply standards that guarantee the implementation, supervision, review and continuous improvement of information security management.
Regarding technology services, the ITIL framework is used; through its implementation plan it helps to improve the controls for IT service processes such as the service center, incident management, identification, assignment of those responsible, definition of actions, restoration of an interrupted service, definition of solutions in an agile way, and the maintenance of a database of solutions that help resolve similar future events.
The ISO/IEC 20000-1 standard promotes the adoption of an integrated process approach for the effective review of managed services that meet business and customer requirements. Good IT governance must rely on a framework of standards and codes of conduct to ensure that the IT unit supports the business objectives of the organization. Every year more companies are certified in IT Service Management standards such as ISO 20000 or in Information Security Management standards such as ISO 27000. The objective is to develop a model for the management of information technology services using the frameworks of the ISO/IEC 27000, ISO/IEC 20000, ITIL V3 2011 and COBIT V5 standards.
The Information Technology Infrastructure Library (ITIL) is a set of best practices for IT service management (ITSM) that aligns business needs with IT services. The ITIL certification, owned and maintained by the U.K. Office of Government Commerce (OGC), is an entry-level qualification in IT service management [2]. Globally recognized and respected, the ITIL certification enables professionals to use IT as a tool to facilitate the growth and transformation of business. ITIL provides a framework for the governance of IT, the 'service wrap', and focuses on the continual measurement and improvement of the quality of the IT service delivered, from both a business and a customer perspective. This focus is a major factor in ITIL's worldwide success and has contributed to its prolific usage and to the key benefits obtained by those organizations deploying the techniques and processes throughout their organizations [2]. Some of these benefits include: increased user and customer satisfaction with IT services; improved service availability, directly leading to increased business profits and revenue; financial savings from reduced rework, lost time, and improved resource management and usage; improved time to market for new products and services; improved decision making and optimized risk. Companies are demanding a better and more disciplined delivery of IT services to ensure proper organizational functioning. In this way, IT departments/functions have been called upon to respond quickly to new business opportunities, to demonstrate sound financial management, and to satisfy internal staff and external customers. Such service levels can be achieved through an effective relationship and communication between the IT and business structures.
The adoption of the ITIL model brings some advantages to organizations, such as better quality of service, greater availability and stability of ICT services, a clear view of the capacities of the areas related to ICT service provision, and improved customer satisfaction, among other benefits [4].
The COBIT 5 framework for the governance and management of enterprise IT is a leading-edge business optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success [7]. This framework is built on five basic principles, which are covered in detail, and includes extensive guidance on enablers for the governance and management of enterprise IT [9]. It addresses the governance and management of information and related technology from an enterprise-wide, end-to-end perspective.
COBIT 5 provides a holistic and systemic view on governance and management of enterprise IT, based on a number of enablers. The enablers are enterprisewide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that are relevant to governance and management of enterprise information and related IT, including the activities and responsibilities of both the IT functions and non-IT business functions.
Information is one of the COBIT enabler categories. The model by which COBIT 5 defines enablers allows every stakeholder to define extensive and complete requirements for information and the information processing life cycle, thus connecting the business and its need for adequate information and the IT function, and supporting the business and context focus [9].
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). All information held and processed by an organization is subject to the risks of attack, error and natural disaster, and other vulnerabilities inherent to its use. Information security is therefore at the heart of an organization’s activities and focuses on information that is considered a valuable “asset” requiring appropriate protection, for example against the loss of availability, confidentiality and integrity [10].
ISO/IEC 20000 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
The proposed methodology is based on the international standards COBIT V5, ITIL V3 2011 and ISO/IEC 27000. Fig. 3 details the macro process of the management model, specifying its regulations, resources, inputs and outputs.
IT governance consists of a complete framework of structures, processes and relational mechanisms. The structures imply the existence of responsibility functions, such as the executives and those responsible for IT accounts, as well as various IT committees. Processes refer to monitoring and making strategic IT decisions. Relational mechanisms include alliances and participation of the IT organization, dialogue in strategy and shared learning [5]. The Management Model for Information Technology should consider the following phases: Strategic management of services, Design of services, Transition of services, Operation of services and Management and continuous improvement.
Service strategy phase: its main purpose is to convert technological services into a strategic asset, aligning the objectives of the organization as a contribution to institutional objectives, in response to the needs demanded by internal customers.
Management of the IT Service Portfolio represents a complete list of all technological services. It is structured from the compilation of the needs transmitted by internal users and from the self-diagnosis of institutional needs.
Demand Management consists of projecting the consumption cycles, scope and impact of the technological needs identified, in order to prioritize urgent needs through a cost/benefit analysis that underpins the management of financial resources.
Financial Management seeks to obtain the economic resources to carry out the implementation of the prioritized services, in accordance with the internal rules and guidelines for the allocation of budgetary resources.
Product: Service Portfolio
Service design phase: defined as the technical and methodological design for the implementation and deployment of information technology services, which includes architectures, plans, policies and documentation to support the services. This process affects not only new services, but also those that have been modified to move to an operating environment.
Management of the IT Service Catalog has the purpose of establishing the physical and human resources necessary for the development, implementation or improvement of the services contained in the service portfolio, as well as defining the quality parameters with which the services will be provided in accordance with the institutional reality.
Management of Information Security consists of rationally granting internal users access permissions to the technological services provided by the Technology Directorate, as well as designing security policies consistent with the guidelines and directives of the governing body of electronic government, in order to reduce the security risks that threaten the leakage or loss of information or the continuity of services.
Infrastructure Capacity Management is in charge of ensuring that all IT services are backed by sufficient and correctly sized storage and processing capacity to meet the required demand.
Availability and Continuity of Services is responsible for ensuring that IT services are available and functioning correctly whenever users require them, within the framework of the established service levels.
Service transition phase: constitutes the development of new services or changes to existing services in a controlled manner, ensuring a streamlined, effective and efficient transition process that minimizes risks and impacts on the end user.
Transition Planning and Support has the purpose of coordinating and planning changes in services, ensuring that these are carried out through appropriate mechanisms, in the right circumstances and at the right times, minimizing the possible impacts on users during the time the transition takes.
Change Management consists of carrying out and properly implementing all changes, whether these are new services, improvements to services or changes in the IT infrastructure, considering the market costs and the procedures that must be applied for that purpose.
Management of Configurations is responsible for taking control of all the elements of configuration of the IT infrastructure with the appropriate level of detail, in order to expedite the timely change in the configurations of technological services according to institutional needs.
Deployment Management is responsible for implementing changes in technological services, providing users with the necessary technical support for the proper use of the different technological services implemented.
Service operation phase: its final objective is to ensure that services are correctly implemented and optimized, providing the value and utility required by the user, together with the resolution of incidents and problems in IT services.
Event Management consists of the registration of all the events that occur in the provision of technological services.
Incident Management aims to address and resolve in an efficient and timely manner any incident that causes an interruption to the services implemented.
Problem Management is responsible for thoroughly investigating the underlying causes of any alteration, real or potential of IT services, and the approach of possible solutions to problems.
Technical Instruction is to provide users with a detailed explanation on the use and management of IT services.
This phase also contains the Service Desk function [1], [6], which is considered an important process since it is the point of contact for users, customers and the management of IT services. The point of contact with the client can take various forms depending on the breadth and depth of the services offered: Call Center, Support Center (Help Desk) and Service Center (Service Desk).
Management and continuous improvement phase: its focus is on continuously aligning and re-aligning technological services with the needs of the organization, by measuring the established performance parameters and those resulting from the operation of the services in a given period.
Based on the guidelines presented by the ITIL V3 2011 processes, Fig. 4 shows the convergence between the phases of the life cycle of the IT service.
COBIT V5 facilitates some processes that help in the design of the service desk [9]. The processes are the following:
DSS02: Manage Service Requests and Incidents.
Description: Provide a timely and effective response to user requests and the resolution of all types of incidents. Restore normal service; record and fulfil user requests; and record, investigate, diagnose, escalate and resolve incidents.
Purpose: Achieve greater productivity and minimize interruptions through the rapid resolution of user queries and incidents.
DSS03: Manage Problems.
Description: Identify and classify problems and their root causes. Provide timely solutions to prevent recurring incidents. Provide recommendations for improvement.
Purpose: Increase availability, improve service levels, reduce costs, and improve customer convenience and satisfaction by reducing the number of operational problems.
A scheme is drawn up specifying the controls related to the standards and policies established by ISO/IEC 27000.
For the evaluation of the objectives it is necessary to define the company's Corporate Objectives against the COBIT V5 Corporate Objectives and establish weights for each declared objective. The corporate objectives of the organization are: (A) Improve the performance of processes, (B) Achieve positive operational margins and (C) Improve service availability. Weight values: (3) totally related, (1) little related, (0 or "empty") no relationship. The priority value is then set from the total of the weights: if it is greater than or equal to (6) the priority is "P", otherwise the priority is "S". The IT objectives are the following:
The achievement of corporate goals requires a series of IT results, represented by IT-related goals. These goals are found in the IT Balanced Scorecard (IT BSC). The basic cause-effect relationships in the IT BSC are presented through its perspectives: the greater the orientation to the future, the more operational excellence can be achieved. Operational excellence leads to satisfying the needs of users, which represents a positive contribution to the organization. Weight values: (3) totally related, (1) little related, (0 or "empty") no relationship. The priority value is then set from the total of the weights: if it is greater than or equal to (20) the priority is "P", otherwise the priority is "S".
The next step is to create an IT optimization strategy and segment the stakeholder users in order to meet the organizational objectives. The model facilitates the administration of technical operations with the controls proposed in the COBIT V5 standards. To carry out this important change, organizations must conduct a self-assessment, create a strategy and align IT with their business activity. IT Governance is a structure of relationships and processes to direct and control the company so that it reaches its goals, adding value while balancing IT risk against IT return. To carry out the integrated audit, financial and operational audit steps must be combined. Audits are classified by scope and by who executes them. The classification by scope comprises Accounting, Operational, Administrative and Specialized Financial Information audits.
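The two-stage weighting just described (weights 3/1/0 against the corporate objectives, totals compared with the thresholds 6 and 20) is implemented below as an added example; it is not part of the original paper, and the goal labels and matrix values are constructed for illustration.

```python
"""COBIT V5 goal-cascade prioritisation with the paper's weights and thresholds."""
from typing import Dict, Mapping, Sequence

# Weight scale from the paper: 3 = totally related, 1 = little related, 0/empty = none.
ALLOWED_WEIGHTS = {0, 1, 3}
CORPORATE_THRESHOLD = 6    # stage 1: enterprise goals vs corporate objectives (A), (B), (C)
IT_GOAL_THRESHOLD = 20     # stage 2: IT-related goals vs enterprise goals


def normalise_weight(value) -> int:
    """Treat an empty cell as 0 and reject any value outside the 3/1/0 scale."""
    if value is None or value == "":
        return 0
    if value not in ALLOWED_WEIGHTS:
        raise ValueError(f"weight {value!r} is not one of {sorted(ALLOWED_WEIGHTS)}")
    return int(value)


def prioritise(matrix: Mapping[str, Sequence], threshold: int) -> Dict[str, dict]:
    """Sum each row's weights and mark it 'P' (priority) when total >= threshold, else 'S'."""
    result: Dict[str, dict] = {}
    for goal, weights in matrix.items():
        total = sum(normalise_weight(w) for w in weights)
        result[goal] = {"total": total, "priority": "P" if total >= threshold else "S"}
    return result


def priority_goals(matrix: Mapping[str, Sequence], threshold: int) -> list:
    """Names of the rows that reached priority 'P'."""
    return [g for g, r in prioritise(matrix, threshold).items() if r["priority"] == "P"]


# Constructed stage-1 matrix: rows are sample enterprise goals, columns are the
# paper's corporate objectives (A) process performance, (B) margins, (C) availability.
ENTERPRISE_GOALS = {
    "EG-a Stakeholder value of business investments": [1, 3, 1],     # 5 -> S
    "EG-b Managed business risk":                     [3, 1, 3],     # 7 -> P
    "EG-c Optimisation of service delivery costs":    [3, 3, 1],     # 7 -> P
    "EG-d Business service continuity/availability":  [3, "", 3],    # 6 -> P (empty = 0)
}

# Constructed stage-2 matrix: rows are sample IT-related goals, columns are seven
# hypothetical enterprise goals; the threshold of 20 is the one the paper states.
IT_GOALS = {
    "ITG-a Managed IT-related business risk":          [3, 3, 3, 3, 3, 3, 3],  # 21 -> P
    "ITG-b IT services in line with business needs":   [3, 3, 3, 3, 3, 3, 1],  # 19 -> S
    "ITG-c Availability of reliable information":      [3, 1, 3, 1, 3, 1, 1],  # 13 -> S
}


def run_cascade() -> Dict[str, Dict[str, dict]]:
    """Evaluate both stages and return their results keyed by stage name."""
    return {
        "enterprise": prioritise(ENTERPRISE_GOALS, CORPORATE_THRESHOLD),
        "it": prioritise(IT_GOALS, IT_GOAL_THRESHOLD),
    }


if __name__ == "__main__":
    for stage, rows in run_cascade().items():
        print(f"== {stage} goals ==")
        for goal, r in rows.items():
            print(f"{r['priority']}  total={r['total']:>2}  {goal}")
```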
For the development of the processes DSS02 and DSS03, the metrics detailed in the following chart must be measured:
Metric: Percentage of critical business processes, IT services and business programs enabled by IT covered by risk assessments. / Number of significant incidents related to IT that were not identified in the risk assessment. / Percentage of risk assessments of the organization that include the risks related to IT. / Frequency of updating the risk profile.
Metric: Number of business interruptions due to incidents in the IT service. / Percentage of interested parties satisfied with the fulfillment of the IT service delivered with respect to the agreed service levels. / Percentage of users satisfied with the quality of the IT services delivered.
For the development of the process DSS03, the metrics detailed in the following chart must be measured:
Metric: Frequency of evaluations of the maturity of the capacity and the optimization of costs. / Trend of the results of the evaluations. / Satisfaction levels of business and IT executives with costs and IT capabilities.
Metric: Level of satisfaction of business users and availability of management information. / Number of incidents in business processes caused by the unavailability of information. / Relation or quantity of erroneous business decisions in which the lack of information or erroneous information has been the main cause.
COBIT, as a process-based governance framework for Information Technology, allows the organization to create value, optimize risk, ensure the delivery of benefits, optimize resources, and ensure transparency of resources and compliance with standards, regulations and policies. The maturity of Information Technology governance improves as the participation of all the groups involved increases or intensifies.
ITIL helps to establish IT management that is focused on service, standardizing processes, roles, service levels and their relationships. The implementation of an IT management model is a fundamental part of the organization, because it improves the quality of the service and the response times. One of the most important processes within this framework is the "Service Desk" function, since it is the point of contact between the user and the IT areas.
After analyzing the standards for technology management based on COBIT V5, ITIL V3 2011 and ISO/IEC 27000, it is feasible that the implementation of the proposed controls helps to optimize the management of resources, minimize risks, and improve third-party satisfaction and information security, all aligned with the strategic objectives of the organization. Information security must be part of the organization's daily activity, and each and every one of those involved in each of its processes must take part in it.
[1] Axelos, ITIL® Glossary of Terms, https://www.axelos.com/Corporate/media/Files/Glossaries/ITIL_2011_Glossary_ES-(Latin-America)-v1-0.pdf
[2] Osiatis, Fundamentals of IT Services Management, http://www.osiatis.es/formacion/Formacion_ITIL_web_version3.pdf
[3] itSMF UK, ITIL® Foundation Handbook, 3rd ed., The Stationery Office, London (2012)
[4] Orr, A.T., Great Britain Cabinet Office, Introduction to the ITIL Service Lifecycle, 3rd ed., The Stationery Office (2011)
[5] Bon, J. V., de Jong, A., Kolthof, A., Pieper, M., Tjassing, R., Foundations of ITIL V3, Van Haren (2009)
[6] Osiatis, Service Centre, http://itil.osiatis.es/Curso_ITIL/Gestion_Servicios_TI/service_desk/vision_general_service_desk/vision_general_service_desk.php
[7] Oliver, D. (CISA, CISM), "Delivering business benefits with COBIT: An introduction to COBIT 5", COBIT Focus 3 (2011): 1-3
[8] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (2012)
[9] ISACA, COBIT 5: Enabling Processes (2012), http://www.isaca.org/COBIT/Documents/COBIT5-Framework-Spanish.pdf
[10] ISO 27000, http://www.iso27000.es/download/doc_iso27000_all.pdf
[11] ISO 27001, http://www.iso.org/iso/iso27001
[12] Gómez Fernández, L., and Andrés Álvarez, A., Application Guide for the Standard UNE-ISO/IEC 27001 on Security in Information Systems for SMEs, Spanish Association for Standardization and Certification (2012)
[13] ISO 20000, http://www.normas-iso.com/iso-20000/
1. Systems program, Universidad Tecnológica Empresarial de Guayaquil, Urdesa Central Guayacanes 520 y la 5ta., Guayaquil, Ecuador. Email: dlopez@uteg.edu.ec, dianalopez784@gmail.com
2. Systems program, Universidad Tecnológica Empresarial de Guayaquil, Urdesa Central Guayacanes 520 y la 5ta., Guayaquil, Ecuador. Email: mariajosevaca@hotmail.com
3. Systems program, Universidad Tecnológica Empresarial de Guayaquil, Urdesa Central Guayacanes 520 y la 5ta., Guayaquil, Ecuador. Email: hcueva@fiec.espol.edu.ec