As IT becomes increasingly automated under the new data centre architecture, more companies are embracing best-practices procedures outlined in formal IT frameworks. At stake are service quality, security, regulatory compliance and other increasingly important strategic corporate goals.
The IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), Capability Maturity Model Integration (CMMi) and ISO 17799 are playing the biggest roles in the creation of the new data centre. “These frameworks were written by different groups at different times for different reasons…but each has contributions to make to the new (virtualized) data centre,” says David Pultorak, president of Fox IT, a consulting firm specializing in IT service management.
Pultorak uses ITIL for service management as an example of how an IT framework can serve as a stepping stone to the new, more agile data centre. “The ITIL framework supports defining services in a way that is distinct from the technology that underpins them, allowing flexibility in what technology components are used to support and deliver the service,” he says. While some duplication occurs among the frameworks, they are more complementary than overlapping and companies often employ more than one.
Popular in Europe for years, ITIL is gaining attention at U.S. organizations. The framework originates with the Central Computer and Telecommunications Agency (now the Office of Government Commerce) in the U.K., which developed this set of best practices standards for IT service management in the late 1980s. The IT Service Management Forum, a global organization consisting of more than 12,000 corporate and government members, is responsible for advancing IT best practices through the use of ITIL.
Organized into a set of “books,” ITIL offers a customizable framework of practices to provide high-quality service to internal users. ITIL covers functions such as service support, software support, computer operations and security management.
“ITIL is applicable to the data centre because companies can use it to make sure they’re doing the right things in terms of processes,” Pultorak says. For example, an insurance firm with a service-oriented data centre could use ITIL procedures to ensure claims processing data is always available.
Organizing around services “sets the stage for the linkages between business and IT to be automated,” Pultorak says. “With this stage set, and with the right infrastructure and management technologies, previously unimaginable levels of data centre agility will enable greater business agility.”
At Lockheed Martin Enterprise Information Services (EIS), ITIL is helping IT react more effectively when dealing directly with internal customers, says Kim Sawyer, vice-president of computing and network services at the Bethesda, Md., company. While still in the early phase of adopting ITIL, Lockheed Martin EIS supports the Lockheed Martin Enterprise Service Desk, incident management and problem management functions via ITIL, she says. Change management, configuration management and release management are on the ITIL service management docket, she adds.
ITIL best practices in service-level management, capacity management and availability management are key for service-delivery functions, Sawyer says. “By having a common language and understanding of the processes, we will be able to deliver a robust and reliable infrastructure for our customers to perform their jobs.” At Homestore Inc., a provider of online real estate services, ITIL is providing better measures of IT service levels for capacity planning, business continuity and networking following multiple corporate acquisitions, says Phil Dawley, CIO at the Westlake Village, Calif., company. The company uses a variety of software tools, including Cendura’s Cohesion, to achieve ITIL compliance.
The framework also will help Homestore adopt on-demand computing and other elements of the new data centre, Dawley says. “If you’re managing a more complex, decentralized environment, then you’d better be more sophisticated about the processes you use to manage those. ITIL gives us a way to understand (all IT processes). The new data centre will not operate effectively until we’ve been able to measure and monitor all those systems.”
Developed in 1996 by the Information Systems Audit and Control Association and IT Governance Institute as a standard for IT security and control practices, COBIT provides a reference framework for IT, security, auditing managers and users. Now in its third edition, COBIT is growing in acceptance as a good practice for control over data, systems and related risks. It helps companies deploy effective governance over systems and networks.
COBIT’s Management Guidelines component consists of tools to measure a company’s capabilities in 34 IT processes. These include performance measurement elements, a list of critical success factors that provides best practices for each IT process and maturity models to help in benchmarking.
“COBIT’s real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities,” Fox IT’s Pultorak says. “It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this.” For example, if a corporation said it would secure entry to its data centre using a logon process, it can show completed logs for a given period based on COBIT.
The standard is becoming important as organizations work to be compliant with the Sarbanes-Oxley Act and other regulations. It’s also important to the data centre because it offers a way to implement controls in processes.
“COBIT has proven to be an excellent tool for measuring and assessing our IT controls,” says Sawyer of Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels. “Our internal audit group has effectively used it to evaluate the management of our infrastructure and to identify areas for improvement or risk.”
Homestore uses COBIT as part of its Sarbanes-Oxley compliance efforts, Dawley says. “It fits nicely with ITIL. COBIT allows us to check our ITIL implementation to make sure we’re addressing the appropriate risks across the organization,” he says.
Published by the Software Engineering Institute at Carnegie Mellon University in 1991, CMMi has evolved into a framework to help guide process improvements in software development, systems engineering and R&D.
The framework is used to improve the quality of products and services, increase development efficiency and reduce the risks associated with development projects. It has five levels of organizational “maturity,” with each level representing a set of best practices that organizations must implement to make improvements.
CMMi can be helpful for new data centre efforts when it is used to measure the relative maturity of IT processes. For example, before the IT department at a retailer began operational process improvements, it called on Fox IT to assess maturity, Pultorak says. The problem management process was immature while the incident management process was mature, he says. “This was an important first step … so it had the basis for making improvements in the right places and in the right measure,” he says.
At Lockheed Martin, the CMMi Level 5 certification achieved last year has helped the company deliver more complete, reliable software to internal users, Sawyer says.
ISO 17799, developed by the International Organization for Standardization in 2000, is a detailed security standard organized into major areas: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control and security policy.
In fact, ITIL’s security management guidelines are based on the ISO 17799 standard.
The standard establishes best practices to ensure that business operations will keep running if a systems outage or other interruption occurs; to control access to data, systems and networks; to protect the confidentiality and integrity of information; to prevent unauthorized access to business facilities; and to comply with regulations.
Beware of framework overload
All the IT frameworks are generally accepted as best practices, experts say. Adopting them lets companies align processes internally and with business partners.
“If you cook up your own thing, it becomes harder to integrate with others and harder to defend yourself under scrutiny of an audit,” Pultorak says. Still, firms need to be aware of framework overload.
“Companies need to have a focus, set goals for implementing frameworks and devote adequate project management resources,” Pultorak says. “If you overdo these frameworks and misapply them or are not sure what the implementation is, the result can be less than satisfactory.”
It also can be expensive. Depending on the scope, each implementation can cost global companies hundreds of thousands of dollars. Costs can be hard to pin down because they include expenses such as training, consulting and software products that support the frameworks.
Measuring ROI of deployments also can be difficult. “Since the focus is on process improvements — not just technology assets — IT managers generally don’t understand how to do an ROI assessment,” says Ruben Melendez, president of Glomark Group, a consulting firm specializing in technology ROI. “Very few companies have done an ROI assessment of their ITIL (or other framework) implementations.” Most of the economic benefits come from higher business processes uptime, he says.
Are frameworks essential? Lockheed Martin’s Sawyer thinks so. “(Common languages and disciplined processes) are the groundwork for re-architecting the data centre for the future,” she says. “By speaking the same language, we are able to move more quickly through discussions, thereby reaching decisions in shorter cycles. Moving toward managed data centres and flexible capacity cannot be achieved without standardization.”
Violino is a freelance technology writer. He can be reached at [email protected].