Achieving IT Governance and compliance using Kovair Global Lifecycle

By Bob Aiello, Editor in Chief, CM Crossroads Journal, [email protected]

Kovair Software, Inc., 1533 California Circle, Suite # 210, Milpitas, CA 95035, 408-262-3871 x 2008, [email protected], www.kovair.com



IT Governance and compliance are increasingly important to senior management who have the responsibility for the overall control and health of a large corporation. In fact, IT Governance and compliance are mandated competencies of any organization that wants to stay in business in today's global technology-centric environment. Public companies are mandated by Federal laws - including section 404 of the Sarbanes-Oxley Act of 2002 - to establish effective practices such as reporting and operational controls such as Change Management. Managers who need to implement these procedures have a number of standards and frameworks to help them, including IEEE 12207 lifecycle processes, ISACA Cobit 4.1, SEI CMMI and the itSMF ITIL v3.

The Sarbanes-Oxley law has provided the stimulus for many corporations to take a hard look at their reporting and operational controls, but unfortunately, many firms miss the opportunity to achieve improved productivity through the effective implementation of these controls. Instead, a failed audit may have them scrambling to quickly meet the letter of the law in order to stay within bounds on compliance. At best, this is a missed opportunity. For some companies, this expediency may ultimately result in lost competitive advantage. Implementing improved controls and processes has the potential to provide the organization with significantly improved productivity and value, and that is exactly what this white paper is all about.

Many practitioners and line managers complain that some of the industry frameworks explain "what" needs to be done without giving enough information on "how" to implement these procedures. In this paper, we will examine exactly how to implement a few of the Cobit controls using the Kovair Global Lifecycle. The complete Cobit 4.1 framework is available from the ISACA website (www.isaca.org). Kovair resources and their affiliates will be glad to discuss exactly how any of the controls in industry frameworks may be operationalized and achieved through better tools and process.

In this white paper, we will discuss implementing controls to manage changes, to manage IT processes and (briefly) to manage configurations.

The Cobit 4.1 framework has an IT Process called AI6 – Manage Changes, which states that all changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of risks of negatively impacting the stability or integrity of the production environment (Cobit 4.1, AI6).

For many organizations, implementing this control objective may prove to be a difficult task. The Kovair Global Lifecycle provides the tools and process necessary to remove the ambiguity and realize improved productivity through the proper implementation of the Cobit 4.1 framework and, of course, achieve the objectives of IT Governance and compliance. What follows is one brief example of how this control may be analyzed, interpreted and implemented. Your organization may need to interpret or tailor this control objective differently, but the implementation effort would be the same.

The Cobit AI6 – Manage Changes IT Process states that control over the IT process of Managing Changes is achieved by:

- Defining and communicating change procedures, including emergency changes
- Assessing, prioritizing and authorizing changes
- Tracking status and reporting on changes

The Kovair Global Lifecycle allows you to define the exact tasks necessary to implement each of the control practices required to meet the control objective of "setting up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms". Some of the control practices (the full list is available from ISACA) indicated by the AI6 control are:

1) Develop, document, and promulgate a change management framework that specifies the policies and processes, including:
   - Roles and responsibilities
   - Classification and prioritization of all changes based on business risk
   - Authorization and approval of all changes by the business process owners and IT
   - Tracking and status of changes

2) Establish and maintain version control over all changes

3) Implement roles and responsibilities that involve business process owners and appropriate technical IT functions. Ensure appropriate segregation of duties.

4) Establish appropriate record management practices and audit trails to record key steps in the change management process. Ensure timely closure of changes. Elevate and report to management changes that are not closed in a timely fashion.

Implementing this example would be straightforward in Kovair, and all of the required processes can be specified exactly as required by the Cobit 4.1 framework. For example, Kovair screens would be developed to allow authorized personnel to enter specific requested changes, organized by predefined categories. All of the information would be entered via the Kovair-built screens along with predefined values (defaults). Linked fields can be set to change dynamically based upon pre-selected values. In Kovair, anything can be configured so that your process works exactly the way that you need it to.

Potential causes of risk can be categorized and selected to be assigned to a Change Request. The risk list can be organized by Change Request type and updated dynamically to reflect the organization's own risk management processes.

Authorization and approvals of all changes can be organized by individuals, groups or even predefined shared approval boards that can be configured exactly as required by the business needs. In fact, implementing PO4 – Define the IT Processes, Organization and Relationships – requires that the processes establish and implement IT roles and responsibilities, including supervision and segregation of duties. Kovair has a robust structure in place to define all of these relationships explicitly as needed. There is also the facility to override controls, in emergency situations, with required approvals and automatic notification of specified audit resources (e.g. head of security, CTO etc.). This provides the ability to enforce processes and yet also has the flexibility to allow for exceptions by implementing a specific auditable exception process.

The Kovair Omnibus Integration Bus can be used to integrate with leading testing tools, source code management repositories and even in-house custom systems. Kovair can be configured to be your central repository for all information related to a particular change, including configuration management. That means that companies using the ITIL v3 framework can use Kovair as the central repository for the Configuration Management Database (CMDB).

Kovair makes tracking the status of changes very straightforward, as all of the required steps and their individual completion are shown via status reports, history logs and even visual diagrams. Compliance is much easier when there are sufficient reports to show exactly which steps were completed, and by whom, as well as all of the related approvals (and rejections). Information can also be summarized and reported to senior management to provide visibility into all of the required IT controls.

The Cobit framework indicates that AI6 can be measured by:

- Number of disruptions or data errors caused by inaccurate specifications or incomplete impact assessment
- Amount of application or infrastructure rework caused by inadequate change specifications
- Percent of changes that follow formal change control processes

These are valid metrics that can be communicated to senior management to provide visibility into the organization's Change Management process.
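The AI6 control practices described above (logging, risk classification, authorization by an approval board with segregation of duties, the auditable emergency override that notifies audit resources, and review against the planned outcome) together with the "percent of changes that follow formal change control" metric, modelled as an added example. This is constructed illustration code, not Kovair's product or the Cobit text; the approver names, categories and the audit-resource list are assumptions.

```python
# Constructed toy model of the Cobit AI6 change flow described above (not Kovair code).
from dataclasses import dataclass, field
AUDIT_RESOURCES = ("head of security", "CTO")  # assumed list; notified on emergency overrides

@dataclass
class ChangeRequest:
    cr_id: str
    requester: str
    category: str                 # e.g. "application", "infrastructure" (assumed categories)
    risk: str = "unassessed"
    state: str = "logged"
    trail: list = field(default_factory=list)   # audit trail: (step, actor, detail)

class ChangeControl:
    def __init__(self, boards):
        self.boards = boards      # category -> set of approvers (the approval board)
        self.changes, self.notified = {}, []

    def log(self, cr):
        self.changes[cr.cr_id] = cr
        cr.trail.append(("logged", cr.requester, cr.category))

    def assess(self, cr, assessor, risk):           # classify by business risk
        cr.risk, cr.state = risk, "assessed"
        cr.trail.append(("assessed", assessor, risk))

    def authorize(self, cr, approver, emergency=False):
        if approver == cr.requester:                 # segregation of duties
            raise PermissionError("requester may not approve own change")
        if approver not in self.boards[cr.category]:
            raise PermissionError(f"{approver} not on {cr.category} approval board")
        if cr.state != "assessed" and not emergency:
            raise ValueError("assess before authorizing")
        cr.state = "authorized"
        cr.trail.append(("authorized", approver, "emergency" if emergency else cr.risk))
        if emergency:   # auditable exception: still approved, and audit resources are notified
            self.notified += [(r, cr.cr_id) for r in AUDIT_RESOURCES]

    def implement(self, cr, implementer):
        if cr.state != "authorized":                 # no change without prior authorization
            raise ValueError("not authorized")
        cr.state = "implemented"
        cr.trail.append(("implemented", implementer, ""))

    def close(self, cr, reviewer, as_planned):       # review against planned outcome
        cr.state = "closed" if as_planned else "reopened"
        cr.trail.append(("reviewed", reviewer, "as planned" if as_planned else "deviation"))

    def percent_formal(self):   # AI6 metric: implemented changes that went through assessment
        done = [c for c in self.changes.values() if c.state in ("implemented", "closed", "reopened")]
        formal = [c for c in done if any(s == "assessed" for s, _, _ in c.trail)]
        return 100.0 * len(formal) / len(done) if done else 0.0
```

Emergency overrides are permitted but skip assessment, so they lower the formal-process percentage while leaving a trail entry and a notification record behind.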

Implementing IT Governance and compliance is all about confirming that the right things are done, at the right time and in the right way. It's also about traceability and providing visibility to all of the stakeholders involved. Kovair is the robust automated process workflow solution that can help your organization successfully implement IT Governance and compliance best practices. Are you ready to use compliance to enhance your organization's productivity?

© Kovair Software, Inc. 2000 – 2008