2,818 research outputs found

    itSMF Australia 2009 Conference: summary report of ITSM standards and frameworks survey

    [Abstract]: This report provides a summary of responses from surveys related to adoption of Information Technology Service Management (ITSM) frameworks. The surveys were conducted at the itSMF National Conference in Sydney in 2009. Two surveys were conducted: the Corporate survey for organisations and the other for Consultants and Trainers. For the Corporate survey 65 responses were received but only eight for the Consultant and Trainers survey. The responses for the Corporate survey came mainly from large organisations representing both the public and private sectors. The vast majority of organisations whose staff responded to the survey have adopted the IT Infrastructure Library (ITIL) and are making substantial progress in implementing this framework. Priority has been given to implementing the service desk function, change management and incident management processes. Some of the processes in v3 which were not in v2 show low levels of awareness and adoption. Many organisations are also advanced in their implementation of Prince 2, Balanced Scorecard, ISO 9001, ISO/IEC 27001 (Information Security), Government standards and the Project Management Body of Knowledge (PMBOK). The strongest motivating factor to implement IT Service Management is to improve the focus on IT service. The maturity level of ITSM processes is generally rated higher than in previous years with many reporting as repeatable (level 2) and defined (level 3). Most of the respondents have completed ITIL foundation training and many have also achieved intermediate and advanced qualifications. Commitment from senior management is identified as the most critical factor for successful ITSM implementation. Almost one half believe ITSM has met or exceeded their expectations although many stated it is too early to tell if ITSM has delivered benefits. There is strong consensus that the major benefit of ITSM is improved customer satisfaction. 
Many further benefits have been realised including improved response and resolution, clarification of roles and responsibilities, and improved IT service continuity. Unfortunately, most of the consultants and trainers who attended the conference as delegates or exhibitors did not complete the questionnaire, therefore the analysis of the eight responses may not be representative and care should be exercised in interpreting the results. Generally, the views expressed by the Consultants echoed those of the Corporate respondents and confirmed the strong move towards ITIL V3, as well as growing interest in ISO/IEC 20000 certification. The success factors favoured by the Consultants varied compared to those of the Corporate respondents. Compared to the responses to the Corporate survey, the Consultants and Trainers gave a higher ranking to the importance of sufficient funding for ITSM initiatives and documentation and integration of processes. Another difference was in the Consultants’ perceptions of the effectiveness of ITSM wherein the Corporate respondents gave a more positive view that ITSM met or exceeded expectations. As for the benefits from ITSM, only two of the top benefits reported by the Consultants were in the top five in the Corporate survey

    The role of IT/IS in combating fraud in the payment card industry

    The vast growth of the payment card industry (PCI) in the last 50 years has placed the industry in the centre of attention, not only because of this growth, but also because of the increase of fraudulent transactions. The conducted research in this domain has produced statistical reports on detection of fraud, and ways of protection. On the other hand, the relevant body of research is quite partial and covers only specific topics. For instance, the provided reports related to losses due to fraudulent usage of cards usually do not present the measures taken to combat fraud nor do they explain the way fraud happens. This can turn out to be confusing and makes one believe that card usage can be more negative than positive. This paper is intended to provide accumulative and organized information of the efforts made to protect businesses from fraud. We try to reveal the effectiveness and efficiency of the current fraud combating techniques and show that organized worldwide efforts are needed to take care of the larger part of the problem. The research questions that will be addressed in the paper are: 1) how can IT/IS help in combating fraud in the PCI?, and 2) is the implemented IT/IS effective and efficient enough to bring progress in combating fraud? Our research methodology is based on a case study conducted in a Macedonian bank. The research is explorative and will be mostly qualitative in nature; however some quantitative aspects will be included. The findings indicate that fraud can take up many forms. A classification of the different forms of data theft into different fraudulent appearances was made. We showed that the benefits from implementing the fraud reduction efforts are multiple. Results show that a bank has to be very small to experience losses from fixed expenditures coming from the implementation of the fraud reduction IT/IS. Medium-sized and large banks should not even see any problems arising from those expenditures. 
Based on the empirical data and the presented facts we can conclude that the fraud reduction IT/IS do have a positive effect on all sides of the payment process and fulfills the expectations of all stakeholders

    WHY FIRMS SEEK ISO 20000 CERTIFICATION - A STUDY OF ISO 20000 ADOPTION

    Since the end of 2005, the ISO 20000 international standard for IT service management has been in existence, offering a normative management and organization concept for aligning the performance of IT services, and enabling companies to certify their compliance according to this standard by third parties. There is a great interest in the standard, and the forecasts for the adoption and dissemination of the standard are, to a large extent, very positive. In contrast, some critical voices cast doubts upon the wisdom of normative management and organization concepts, and upon the possibility to verify or measure the conformity with public standards. Therefore it is our aim to study the current dissemination of the standard ISO 20000, and to examine the behaviour of companies adopting it. Till now there are no significant findings for questions like: Why do companies seek to conform to ISO 20000 and what benefits do they experience? Our results show that certified companies are motivated internally (process and quality improvements) and externally (marketing advantages) and do experience significant benefits. There are some significant differences between small and large companies certified as well as between internally and externally motivated companies

    ITIL and ISO / IEC 20000: Analysis, Comparison, and Their Relationship with Agile

    ABSTRACT: The objective of this Master's thesis is to describe two of the most recognized IT Service Management (ITSM) frameworks, ITIL and ISO / IEC 20000, comparing them and showing how they are linked to new Agile methodologies. ITSM arises from the need to manage IT services efficiently, in order to add value to internal and external customers and to ensure that all the organization's departments are aligned. When comparing ITIL to ISO / IEC 20000, the most obvious difference is that ITIL is a best practice framework that does not certify organizations, while ISO / IEC 20000 is an international standard with requirements that organizations must fulfill to get certified. However, ITIL and ISO / IEC 20000 have similarities and share several practices, so organizations usually begin by adopting ITIL and later certify to ISO / IEC 20000. Starting with ITIL helps them to understand the processes, to identify areas that need improvement and to learn the ITSM terms. After knowing their processes, they can try to obtain the ISO / IEC 20000-1 certification that will allow them to differentiate themselves from other competitors. Although ITSM and Agile seem disconnected, both have common goals, such as customer satisfaction, delivering value, working in steps, and simplifying things. Also, the latest updates of ITIL and ISO / IEC 20000 have made changes to integrate the Agile methodology. It is appropriate that ITSM frameworks are used along with Agile, so that ITSM advantages are complemented by the benefits of the Agile methodology, such as better collaboration and a great ability to introduce changes and adapt to new requirements. It should be considered that using Agile methodologies in ITSM environments brings a change in the organizational culture, since it modifies the way of working. Máster en Empresa y Tecnologías de la Informació

    How to meet security standards as a cloud provider - A journey set out to clear the sky of cloud security and certifications

    An upcoming trend in the current IT-landscape is to outsource services to so called Cloud Service Providers (CSPs). However, many companies are still sceptical to this new kind of services, since they bring about a certain loss of control. For this reason, it is important for CSPs to show that their services are secure. There are several options in proving this and it is up to every CSP to choose which of those options, in this report referred to as assessment schemes, that suits them best. The question is, how do they make this choice? In the starting phase of this thesis project, an extensive information search was carried out. More than 30 different certifications, standards, attestations, ratings, assessments, reports, compliances or audits, touching upon this subject were found. Add to the equation that much of the information found was questionable or straight out incorrect, and the question of which assessment scheme to concentrate on becomes quite complex. The described problem was identified by the Belgian company Ferranti Computer Systems, who just opened up their cloud services to customers. In collaboration with them, the following three goals were defined to solve the problem:
    - Create a clear overview of the cloud assessment schemes that exist on the market
    - Provide methods to categorize or compare assessment schemes
    - Make a case study on Ferranti Computer Systems demonstrating how the accomplishments can be put to practice
    To fulfill those goals, three main deliveries were created. First of all an overview including a short explanation of relevant assessment schemes on the market. Second, a comparison of assessment schemes in terms of risk mitigation. Four known cloud risks were put forward and some surprising observations were made. The third delivery was a case study on Ferranti Computer Systems. Previous findings in combination with results from interviews were used to select a suitable assessment scheme for their cloud platform. 
The assessment scheme they chose was more or less unknown to everyone at Ferranti Computer Systems. It was the research that opened their eyes to this new assessment scheme and convinced them to try something new, rather than choosing something they knew about by reputation. Seeing how the investigation changed their mind, it became obvious how important it is to create more transparency in the world of assessment schemes. It is essential that companies choose the assessment scheme that is most suitable for them and that they have a clear understanding of why it is suitable. This thesis proves the need for clarity among cloud security assessment schemes and presents methods to achieve this clarity

    “Development and Importance of Management Systems According to ISO for IT Organizations and the Resulting Demand for Consulting Services. An Analysis Between USA and Germany.”

    This research analyzes the demand of two international standards, ISO 27001 (Information Security) and ISO 20000-1 (IT Service Management), and the resulting impact on the demand for ISO consulting. Due to rising security breaches with increased media coverage, the public and the government are starting to recognize the importance of protecting critical data. Implementing an Information Security Management System enables companies to sufficiently safeguard their information in the long-term and adhere to governmental regulations. Companies seek to implement an IT Service Management System in order to implement best practices in their organization and enable themselves to compete in the market on a global basis. ISO 27001 and ISO 20000-1 enable a company to operate in more successful ways by reducing the cost of operations and reducing the risk of severe damages to a company’s reputation in case of any cyberattacks. The standards are complex in nature and most companies do not have enough internal resources to implement the standards on their own. Also, the introduction of an Information Security Management System requires adoption by the entire organization and not just single departments. The scope of such a system requires deeper knowledge of the standards in order to successfully implement the management system and for the company to benefit from its long-term effectiveness. Thus, the demand for the implementation of ISO 27001 and ISO 20000-1 results in an increased demand for the services of ISO consulting firms

    “Unblackboxing” Decision Makers’ Interpretations of IS Certifications in the Context of Cloud Service Certifications

    IS literature has predominantly taken a black box perspective on IS certifications and studied their diverse set of outcomes, such as signaling superior quality and increased customer trust. As a result, there is little understanding about the structure of certifications and its role in decision makers’ evaluations of certifications to achieve these outcomes. However, idiosyncrasies of novel IT services, such as cloud services, create a need for “unblackboxing” certifications and theorizing about their constituting structural building blocks and structural elements, as well as examining key features that might lead to a more favorable evaluation of a certification by decision makers. To advance theory building on certifications, this article develops an empirically grounded typology of certifications’ key structural building blocks and structural elements, and examines how they interpret substantive features within these elements. Using evidence from 20 interviews with decision makers from a wide range of industries in the context of cloud service certifications, we find that a decision maker’s aggregate evaluation of a certification is a function of their interpretations of its features guided by cognitive interpretive schemas along six key structural elements, contrasted with the decision makers’ expectations regarding the certification’s outcomes. This study contributes by conceptualizing the necessary and sufficient elements of certifications, constructing a nascent theory on decision makers’ evaluations of certifications, and illuminating the dynamics between certifications’ structural elements and outcomes as a coevolutionary process. We discuss implications for the certification literature and give managerial advice regarding the factors to consider when designing and evaluating certifications

    Managing information security risk using integrated governance risk and compliance.

    This paper aims to demonstrate the building blocks of an IT Governance Risk and Compliance (IT GRC) model as well as the phased stages of the optimal integration of IT GRC frameworks, standards and model through a longitudinal study. A qualitative longitudinal single case study was conducted through multiple open-ended interviews over a period of four years (July 2012 to November 2015) in a retail financial institution. Our empirical study contributes to both academic research and practice in IT GRC. First, we identified the various building blocks of IT GRC domain from vertical as well as horizontal perspectives. Second, we methodologically demonstrated the gradual metamorphosis of the evolution of an IT GRC from a single ITG framework to multiple IT GRC building blocks. The journey thus throws light on the gradual staged process of attaining maturity in IT GRC by an organization. The resultant IT GRC model thus guides managerial actions towards a better understanding of the positioning of IT GRC building blocks in an organization through the understanding of the interaction of vertical and horizontal domains. The results of the paper thus enable practitioners and academics to better understand and evaluate IT GRC implementation for effective governance, reduce risk and ensure compliance in organizations

    Do international standards influence the development of smart regions and cities?

    The growth of city population has consequences on the sustainability and development of smart regions. International standards can provide good practices in wide areas related to environmental, security and social aspects that contribute to the achievement of economic and sustainable growth, well-being, and safe environment. The aim of this study is to explore if there is an association between the level of smart cities in different regions and the number of certificates that could initiate further development of smart and sustainable cities. We analysed standards that support the development of sustainable and smart cities from different countries and explored their influence on the level of smart and sustainable cities. To measure the performance of cities we used the UN-habitat City Prosperity Initiative (CPI) and its six dimensions: Productivity, Infrastructure Development, Quality of Life, Equity and Social Inclusion, Environmental Sustainability, and Urban Governance and Legislation. To analyse the influence of international standards on smart regions and cities initiative we conducted SEM analysis. The results of the research have proved that there is a significant difference between the level of smart cities in different regions and the number of certificates that could initiate further development of smart and sustainable cities. Additionally, a positive impact of international standards on the development of smart regions and cities is confirmed. We believe that the presented approach might provide additional insights into the factors which impact the development of smart regions and cities and initiate further studies on the topic

    ASSESSMENT OF THE QUALITY MANAGEMENT SYSTEM IN WOODWORKING COMPANIES

    The woodworking industry, with its universal and wide use of products and the level of employment of people, has existed for centuries and will continue to do so, as forest management and the processing of harvested timber is a long process. Customizing consumer orders ranging from cheap everyday things to exclusive, individual projects is about quality. And for quality assurance, companies in various industries have developed and use a general quality management system standard – ISO 9001. The topicality of the research relates to the companies' doubts about the implementation and maintenance of the quality management system (ISO 9001) as a valuable long-term investment in the company's development and market expansion. The aim of the research is to study the quality management system of three wood processing companies and to evaluate them. In the research, the authors gave insight into the development of the concept of quality and the formation of the quality management system, the ISO 9001 quality standard. The assessment of the quality management system of three wood processing companies is based on the main financial performance indicators of the companies