The 5 key principles of COBIT 5

ISACA’s information technology management framework Control Objectives for Information and Related Technology (COBIT) is widely regarded as the global standard when it comes to leading and governing enterprise IT.

Since its initial introduction in 1996, COBIT has gone through a number of iterations and releases. However, the current volume, COBIT 5, is an essential tool for anyone managing information systems and IT teams.

But what does COBIT 5 actually involve? Here is a brief summary of the five key principles highlighted in this framework. For more information and to become officially certified in this area, you may want to sign up for a COBIT 5 training course.

COBIT 5: The 5 key principles

According to ISACA, COBIT 5 helps businesses maximise IT value by “maintaining a balance between realising benefits and optimising risk levels and resource use”.

In order to achieve this balance, COBIT 5 has outlined five principles. These principles are designed to be generic and versatile, meeting the needs of any business, regardless of size or unique IT requirements.

1. Meeting stakeholder needs 

The first principle of COBIT 5, Meeting Stakeholder Needs, encompasses the idea that enterprises exist to create value for stakeholders – whatever that value may be. When making decisions regarding IT management and governance, organisations therefore need to consider which stakeholders stand to benefit from this decision, as well as who is taking on the majority of the risk.

2. Covering the enterprise end-to-end

Because COBIT 5 looks at governance and IT management decisions from an End-to-End enterprise perspective, organisations employing this framework make decisions that extend past the IT function, and instead treat IT as an asset that aligns with other processes.

3. Applying a Single, Integrated Framework

COBIT 5’s single integrated framework allows it to be used as an overarching governance tool and management system that is relevant to other frameworks within the organisation.

4. Enabling a Holistic Approach

Holism – the concept of systems being viewed as a whole, as opposed to individual components – is a critical modern business strategy. COBIT 5 takes a holistic approach to IT management and governance, allowing for greater collaboration and achievement of common goals.

5. Separating Governance From Management 

Finally, COBIT 5 emphasises the need to make a clear distinction between IT governance and management. This is important as ISACA believes the two components require separate organisational structures and different processes, as they each serve separate organisational purposes.

Gartner: Digital workplace will bring new security implications

The modern workplace is evolving rapidly, with more businesses moving towards a 'consumerisation' of internal IT in order to cater to an increasingly tech-savvy workforce.

In fact, a new report from Gartner – entitled Prepare for the Security Implications of the Digital Workplace – predicts that 25 per cent of large businesses will have implemented a strategy specifically designed to 'consumerise' their corporate computing environments by the year 2018. 

While this shift is bringing a number of significant collaboration and productivity benefits, it is also leading to security implications that today's organisations and IT professionals need to be aware of.

"Employee digital literacy has led to a growing consumerisation movement within most enterprises, with employees using a wide variety of consumer-oriented apps for business purposes," explained Gartner vice president Tom Scholtz.

According to Mr Scholtz, this movement towards an increasingly digital workplace is seeing IT departments lose control over servers and business networks, as well as devices and applications that employees use day-to-day. 

"In a fully consumerised workplace, the information layer becomes the primary infrastructure focal point for security control. This reality necessitates a shift toward a more information-focused security strategy," he said.

Gartner has suggested that the best way for businesses to adapt their IT security policies in light of this change is to start showing greater trust in employees, casting out restrictive security controls in the process.

By taking a "people-centric approach" to IT security, organisations can encourage employees to take on individual accountability. 

Mr Scholtz has suggested that organisations look to combine comprehensive information security education programs with greater collaboration between employees and managers in order to maximise security performance. 

This suggestion is further evidence of the ever-changing nature of cybersecurity and the modern digital environment, and highlights the importance of continued training and education in this field.

Understanding evolving cybersecurity threats

Organisations need to take the initiative and defend themselves against the full scope of modern cybersecurity threats, or risk malicious parties having a direct impact on their business and reputation. 

That's the message of high-ranking US cybersecurity expert Michael S. Rogers, who recently sat down with Trish Regan of Bloomberg Television to address the evolving nature of cybercrime and IT governance.

According to Mr Rogers, the first step towards achieving greater cybersecurity is acknowledging that these threats exist. 

"When I look at the problem set, I'm struck by a couple things that I highlight with my business counterparts," said Mr Rogers, who serves as director of the National Security Agency and chief of the Central Security Service.

"Traditionally, we've largely been focused on attempts to prevent intrusions. I've increasingly come to the opinion that we must spend more time focused on detection."

Mr Rogers has emphasised that businesses and government agencies need to come together in order to combat modern cybersecurity threats, noting that this strategic partnership "is where we will become very powerful".

Although he was addressing a US-based audience, Mr Rogers' words have implications for Australian organisations and IT professionals as well.

The 2013 CERT Australia Cyber Crime and Security Survey has revealed that Australian organisations are seeing a significant increase in cyber security incidents per annum. As a result, they are showing a growing awareness regarding the dangers that modern cybersecurity threats can pose.

With cybercriminals and cybercrime rings becoming increasingly sophisticated and organised, we can expect this trend to continue in the near future. IT professionals should take note of this fact, and think about how qualifications in this critical area will benefit them moving forward. 

Expanding your skillset by undertaking further training in evolving fields such as IT governance and information security is a great way to improve your value to your organisation while also improving your ongoing employability.

Throwback Thursday

February 2014: images for 13 February, 20 February and 27 February.

These are Cuisenaire Rods. Used to help learn mathematical equations.

March 2014: images for 6 March, 20 March and 27 March.

April 2014: images for 3 April, 10 April and 24 April.

May 2014: images for 1 May, 8 May, 22 May and 29 May.

10 ITIL Implementation Tips

10 Tips for ITIL® Implementation

ITIL can help business leaders to streamline business processes or improve overall operations. There are many different ways to implement ITIL in a business or company. Here are some of the tips and recommendations on how to implement ITIL in your workplace.


Tip 1

Get yourself a GREAT Project Manager.

Be picky. Yes, I know they are hard to find, but look out for someone that can easily enlist people to just do the job. Don’t settle for less than the best. Pay them what they are worth. They should be natural leaders and have a natural command for authority. Acceptance amongst their peers and an optimistic outlook to the project is going to get you far.

Tip 2

Communicate:

This is not a top secret project, so there is no need to be so hush-hush about it. Risk is defined as the uncertainty of outcome. Now, the uncertainty of the intended outcome is then also a risk, isn’t it? Please communicate your plans at all levels. We need people to get excited about the project and don’t let them feel they were not part of the idea. Knowledge is power and we want power throughout the enterprise. From the moment we are born and for some of us even before, our parents try to communicate and teach us these vital skills. It’s part of survival and this is the last place where you want to drop the ball.

Remember that you have to identify your audience, know what you want to say, identify the need for communication (not just because…) and ensure that the communication path is set both ways.

Tip 3

Where does it hurt?

Identify your IT organisation’s pain points and set a course of action for improvements. To start the ball rolling, identify those most painful – related to incident, problem and change management.
Enjoy the smiles on your colleagues’ faces when a brilliant band-aid or better, has been applied and sanity is restored!

Tip 4

Ensure you have a well defined baseline of your current capability of each process before you get carried away with an improvement project.  Once you start making improvements/changes to your processes, there will be no means to prove your success if you haven’t measured it before.  Document your current baseline and compare at a later state to show your improvements.

Tip 5

Password-changes – Mondays are best!

Do you struggle with high call volumes on Mondays? Even though self-help service is in place, the calls still keep coming…
Make a simple change in policy. Restrict password-change messages to appear only on Mondays and Tuesdays. This way they will be more likely to remember it by next Monday. Also, never implement password changes before a long weekend. A simple change in the policy can work wonders!

Tip 6

Stop… scope… creep….!

Just when you have finally had your project approved, additional work hits your plate!
We have all had this issue, I’m sure. This will add cost, undefined risk and most definitely delay your project. How do you stop this? A good starting point is to clearly define and communicate what is in the scope and what is out of the scope. Put necessary boundaries in place!

Tip 7

Relationships are the Key!

To truly benefit from using ITIL consider each process and its link. We all know each process consists of inputs, activities and outputs.  An input generally comes from a process and the outputs are then again needed for another.  It is important when designing and building these processes to think how they link.  There is no value in a process that stands alone.  How we link in relationships is the key.

Tip 8

Training is vital!

Create a great Service Desk team by giving them the appropriate ITIL training they need to successfully fulfil their roles. Businesses require skilled people to make good decisions. The delay of a good decision by even a few minutes or seconds can have devastating effects on the business. A well trained and happy ITIL team at the Service Desk sets the tone for IT and provides effective communication for the users and customers alike. Don’t skimp on their training. Strengthen and support them with good skills so the rest of your IT organisation can optimise its resources.

Tip 9

Can I see the Menu?

Imagine going to your local supermarket and asking for a 5m x 3m sheet of steel?   Or trying to buy a new set of tyres for the old tractor in the barn at the post office?   So why do our customers sometimes come to us with very difficult and absurd requests?   

You need to focus on what it is you do best to know and understand your customer so your services will be able to meet their needs.  Many ITSPs rush in trying to fix processes and forget the most important step.  What services do we deliver?   If you don’t have a menu, the customers will just ask for anything and everything.  

Tip 10

Welcome Bad News!

Have an open door policy to invite bad news. Welcome it and react in a positive manner. If you do, you will reduce the risk of finding the issues too late and incurring unnecessary cost.

We are promoting continual service improvement and helping educate our customers all at the same time.

 

 

COBIT® Washes Whiter

Scene: Australian Cricket Team dressing room.

A view inside the Australian Cricket Team Dressing Room, ahead of the Second Ashes Test match, at Adelaide Oval on December 4, 2013 in Adelaide.  (Getty Images)

“Dudes, COBIT works. We started implementation during that dismal time in England and look at the results”.  “We have washed the old England enemy white!”

“However, we should not allow ourselves to be complacent.  We can use the COBIT process MEA01 (Monitor, Evaluate and Assess Performance and Conformance) to initiate continual improvement of our performance.”

“Here are the documented findings of my research along with improvement recommendations.”

Like all COBIT processes MEA01 has a number of Management Practices that break down into activities.  COBIT also defines the expected outputs from each of these practices.  The following is a briefing on the 5 Management Practices of MEA01:

1. Establish a monitoring approach.

We need to establish our approach to monitoring our performance and agree our goals and metrics with our stakeholders.  Our primary stakeholder is pretty clear, it’s all Australians and our engagement with them occurs in a number of ways both on and off the field.  Beware the stakeholders who try to improve our performance by getting us inebriated.

2. Set performance and conformance targets.

Our public have set their expectations and we need to meet them.  Not surprisingly the target is world number 1 in all forms of cricket.  These have been published quite clearly and there is unlikely to be any requests to change these in the near future.

At the Test Match level we expect to inflict a St. Valentine’s day type massacre during the first test against South Africa.

 

Winning the 2015 World Cup is the unsurprising target for the One Day International (ODI) team.

 

3. Collect and process performance and conformance data.

This is easy to do, we just go to the officially published world cricket rankings on the internet.

We are currently:

Test Matches: World number 3
 One Day International: World number 1
 Twenty20: World number 6

4. Analyse and report performance.

We don’t need to report, the media does that for us.  What could be more efficient than getting a third party to do it for free? 

Analysis shows an improvement in our Test Match ranking following the recent Ashes whitewash victory.  At number 3, we still need to nail the South Africans and the Indians to get back to our rightful position.  Our ODI ranking cannot be improved but care is needed.  We dropped to number 2 after that shameful defeat in Perth but our fortunate win at Adelaide returned us to the top.  

Twenty20 is plainly still unacceptable even though the recent 3-0 whitewash of England has moved us up from 8!

 

5. Ensure the implementation of corrective actions.

Our coach has been told that they are responsible for improving our Twenty20 position.  This has started and the world cup will show that we are clearly number one whatever the rankings say.

Then we will instigate these improvements……

At this point all information transmissions stopped.  We are still investigating the reason why and the incident record remains open.  Once this incident has been successfully resolved we will release a further update.

 

Disclaimer:
We have been advised by our legal department to clearly mention that our company accepts no liability for the content of this report, or for the consequences of any actions taken on the basis of the information provided. We are also able to clearly state that no illegal phone taps were used in information gathering.

Aussie Cricket: In Search of Better ‘Intel’

COBIT opportunity for Australia

 

Scene:  Australian cricket team dressing room.

Dudes, we can do this! 

“Dudes, we can do this.  We can win this game but we can’t afford a recurrence of the events at Old Trafford when the rain washed the game out. 

I suggest that we use the COBIT Information Enabler to assist us in making quality decisions. 

By using the information available from a reliable source like the meteorological office we can make prudent decisions on when to declare and make England bat.  Our critics are saying that had we used this information at Old Trafford we would have declared earlier and bowled England out before the rain came. 

So let’s analyse this information from the quality perspective.

 

Intrinsic Quality 

 

Contextual and Representational Quality 

 

Security / Accessibility Quality

So as a team we are going to use the weather information to decide when to make them bat and avoid the frustration of Old Trafford.  All we need to do is make sure that the accurate and current information is available to us when we are out in the field.  I suggest the coach simply makes some appropriate signal from the pavilion… perhaps… I dunno… a rain dance?

 

Gentlemen, your country expects – Go get them 

…there again we could wait for it to go dark”

 

 Disclaimer:  Our company accepts no liability for the content of this report, or for the consequences of any actions taken on the basis of the information provided. No recording devices were used, and if they were, we will deny it. 

When the fan fails, who are you going to call?


ITIL IRL… Tales From Singapore.

On Saturday, I bought a new table fan.  The old one was beyond economic repair and had died sometime during the night.

It was old and getting clogged with long dark hair (not mine, obviously) and cigarette ash (mine, of course) but I was loath to replace it because it looked so stylish and was a gift from a good friend.

The new one is cheap and quite ugly but at least it works.

On Sunday, it suddenly stopped.  Well, how else would a fan stop?

“&^%%$% marvellous!  MTBSI of one day!  Typical!” thought I.

I fiddled with it and prodded it as all the best technicians do. No joy.

Then it occurred to me… wasn’t the light on in the other room?  Ah, yes!  And my laptop is now running off battery.

 

OK, time for some proper Incident Management.

Identification: Loss of power.  But to what extent?

Category: Power failure limited to my apartment only (I can hear the TV throbbing next door)

Priority: One.  Obviously.  Anything that happens to me is priority one… by default!

 

But whether my Service Desk will agree, who knows?  I will mention, when I report it, that I will be calculating the cost of the food defrosting in the freezer.  That should raise the Urgency if not the Impact.

Even though I have not reported the Incident yet and it hasn’t been logged (hey! I’m the user not the Service Desk), I decide that it’s worth doing some ‘initial diagnosis’ to save some time later.

I have an Incident Model for this one.  It involves checking the switches in the fuse-box-thingy in the kitchen.  There is a blue switch and a big, red one and lots of small black ones and they are supposed to be in the ‘up’ position.  The blue one is down.

I flick the switch but it chooses to resist.  I flick the others down, flick the blue one up (it acquiesces) and then systematically (because I have been trained well) flick the others up too.  I discover that the truculent switch is the big, red one.  I don’t know what this big, red switch does but it looks kinda important.

 

Time to get this one logged.  But by whom?  Who is my single point of contact?

I try one of the two agents (who have not, to date, performed well regarding response-targets).  SingTel inform me that the number is unreachable.

I escalate to the Landlord.  SingTel inform me that the number is also unreachable.  I begin to wonder whether SingTel have a big, red switch too.

Next thing… an alert!  Actually, it was just the doorbell.

 

The apartment is split level and is divided in two.  I have the lower part and the agent had earlier informed me that the upper part has been recently occupied by “a lovely, Korean lady”.  The electricity is shared.

She is at the door and I instantly confirm that she is Korean. Her English is understandable and … my Korean is non-existent.

I show her the switch box and try to explain (by waving my hands a bit) that I am attempting to get the incident logged.

Another alert (her phone).  While she is talking I send an SMS to the other agent but then realise that that was not best practice; a priority one requires personal and personnel attention.

I hear the Korean lady say “all broken electronics”… she has had more luck than I in contacting one of our many ‘single’ points of contact.  She hands the phone to me and I attempt to explain what diagnosis I have performed so far.  I have no idea who I am speaking to but the lady at the other end thanks me and says she will contact agent #1 (which makes him sound like a James Bond character… probably a villain).

The Korean lady goes back upstairs and all I can do is wait.  It occurs to me that I am unaware of any SLA but while I am pondering, Agent#1 sends a text.  I realise that the lady on the phone didn’t write down what I said or more likely something was lost in translation because I have limited Singlish.

My mind goes back to all the time and effort expended over the years trying to get my Service Desk staff to accurately document their conversations and all those meetings with technical and application managers apologising for the lack of pertinent information (meaning they usually had to call the users themselves) and begging them to write ‘scripts per category’ so that the right questions can be asked during the logging stage.

 

This is the brief SMS exchange with Agent#1:

Agent#1: DLJ, off all small circuit. Up the blue one first, then red one, then the rest 1 by 1.

DLJ: Ok

DLJ: I off’d all small ones.  Up’d the blue one.  Up’d the red one and the blue one trips.

Agent#1: Ok

Agent#1: Electrician will come in 1 hours time. [sic]

DLJ: Thanks.  Can you please let the tenant upstairs know that too?  Cheers.

I’m not convinced these agents have had their ITIL training yet so I’m covering the bases by assuming the role of Incident Manager in charge of co-ordinating communication to all users (it has to be me; my flatmates have abandoned me like users going to lunch when their email is down) but at least I now know there is an Underpinning Contract for a Service-based SLA.

And actually, I’m impressed… I would never have been able to get an electrician to come out on a Sunday when I was back in the UK.

20 minutes later (yes, really), the engineer arrives and does what engineers do best: fiddle with things, suck their teeth, slowly shake their heads and ignore the user’s irritating questions.

I get him access to the flat above … and then leave him to his Investigation and Diagnosis.

He finds the cause (not the root cause because, as we all know, that’s Problem Management’s job) which is the Korean lady’s water heater for her shower and in my role as Incident Manager I keep Agent#1 updated.

 

So now the power is back on and my incident can be closed.  The Korean lady’s incident remains open.  There is a ‘workaround’ but I resisted the temptation to offer her my shower… maybe when we got to know each other better.

All in all the whole thing was not too far from ITIL’s best practice.  I even avoided behaving like the typical user, in 2 ways:

 

I guess the TV is a P5.

Sigh!

Aussie Cricket identifies COBIT as solution!

What a great time to be a POME in Australia..

By Neil Broadhead and DLJ.

I have now been a Prisoner Of Mother England living in Australia for 12 years and for much of my time here I have felt the pain as a list of Australian greats inflicted defeats on the mother country.

Australian Cricket Team Out by a duck!

But Glenn McGrath, Shane Warne, Matthew Hayden and the rest have become distant memories as the three lions started to roar on the playing fields of England, but is it all coming to an end?

England are now 2-0 up and need just one draw from the remaining three games to retain The Ashes but there is a rumour circulating around the hallowed grounds of Lords that Australia has started to use the principles of COBIT implementation to prove that the vision of a long period of English cricketing supremacy is merely a mirage.

According to some recently leaked minutes from an anonymous source it would appear that Australia has adopted the COBIT implementation process.  I have made my comments at the end of this leaked document but it makes worrying reading:

What are the drivers?

As Australians we need to return to the top of the cricketing ladder.

Where are we now?

What a painful question!

The team was dispatched to England following less than glorious performances around the cricketing world.  The simple answer is that we have clearly been a side that has lost respect and are no longer feared.

Where do we want to be?

Why?!  Back at the top of course!

What needs to be done?

There are a few steps to climb.  Firstly re-establish Australia as a leading force with a respectable if not winning performance in England followed by the destruction of the old enemy when they dare to visit the Australian shores at the end of the year.

To do this, we need an Assessment… We need to take a cold hard look at our enablers:

    1.  Principles, policies and frameworks
    2. Processes
    3. Organisational structures
    4. Culture, ethics and behaviour
    5. Information
    6. Services, infrastructure and applications
    7. People, skills and competencies

How do we get there?

Step 1: Done! We have appointed Darren Lehmann as the new coach. 

Step 2: Review all the enablers above.

Did we get there?

Only time will tell, but the signs are promising.

How do we keep the momentum going?

Careful Governance.  Management commitment.  On-going investment.  Success breeds success. 

Whether you agree that the recent events or not it seems that the old enemy has taken some drastic action.

As a native Yorkshire man I must respect the ability of Darren Lehmann.  After all he was the first overseas player to play for Yorkshire.  You have to be something pretty special to play for Yorkshire.

… unfortunately.  This morning I woke up to find Australia 303-3. Are my worst cricketing nightmares coming true so early?  Is COBIT really giving Australia quick returns?

To maintain the momentum will be the challenge for Australia.  Can Australia keep yesterday’s form and return to the top?  History shows that after every great team has achieved the pinnacle they experience an inevitable fall.  Can Australia use COBIT to reach and keep on top of the summit?

After all England have the new young Yorkshire man who is committed to giving the Australians pain for many years to come.  Do not be deceived by Joe Root’s innocent looks; he has the strength and courage to keep England’s lions roaring and chewing up the Australian bowling for many years to come, but have England realised the power of Australia’s new secret weapon?

English cricket needs to read this blog otherwise………

 

ALC’s Record Year to Date 100% Pass Rate

COBIT 5 Foundation Melbourne 20 to 22 May 2013

ALC’s Record YTD for 2013 – 100% pass on all COBIT 5 Foundation Examination attendees in Asia Pacific!!

COBIT 5 Foundation in Melbourne held from 20 to 22 May 2013 with Neil Broadhead.

Congratulations to the COBIT 5 Foundation course delegates this week, who have all passed.