
Best practice, practice, practice

COBIT is a proven standard that can help with compliance, business accountability and auditing.
By John Morency, Network World, 01/10/2005

In general, IT executives implement best practices because they need to increase IT predictability and efficiency, reduce support costs, improve customer service quality or meet regulatory requirements.

The two most well-known standards - the IT Infrastructure Library (ITIL) and the Control Objectives for Information and related Technology (COBIT) - have existed for at least 10 years, support a broad range of management services, are sponsored by very well-respected organizations (COBIT by the IT Governance Institute and ITIL by the IT Service Management Forum) and have been implemented by thousands of organizations of all sizes.

However, COBIT and ITIL are very different in their orientation, definition, classes of problems they address and the specific implications regarding "implementation."

The COBIT standard, which the IT Auditors Association first released in 1996, was designed with business accountability and auditability in mind. For example, a frequent application of COBIT is control definition that helps businesses comply with federal government mandates, such as the Sarbanes-Oxley Act.

Think of a control as a logical safety valve designed to ensure that a specific operation that supports the creation of production financial data executes as intended, without introducing any erroneous or fraudulent data that could compromise the quality of the company's financial reporting.

An example is a set of traceable (and auditable) flows across one or more production applications that reliably increase product inventory when shipments are received from suppliers and decrease product inventory when finished products are shipped to customers. An example of an IT control is the installation of anti-virus software on every new desktop that is installed within a specific facility, along with the ongoing distribution of new virus signatures to each licensed desktop.

IT control definition, testing and progress measurement are task categories that are natural COBIT strengths. The COBIT model is very specific in its definition of the processes and the auditable controls that need to be in place to ensure reliable and predictable IT processes.

The processes defined in COBIT are grouped into four separate domains that align with the IT implementation cycle. They are: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

Each of the 34 processes also has its own assigned number within its parent domain for identification. For example, Problem Management controls and their associated metrics are the 10th process defined in the Delivery and Support domain, while Change Management is the sixth process defined within the Acquisition and Implementation domain.

The definition of each COBIT process also clearly states the control objectives of the process, the critical success factors needed to implement the process successfully, specific quantitative metrics that can be used to measure process quality improvement, and a process-specific maturity model that defines how the process functionality progresses from predominantly manual to fully automated and optimized.

Process-specific success factors and quantitative improvement metrics (referred to as the Key Goal Indicators and Key Performance Indicators) are also defined. These can be used as part of a continuous improvement process.


Comments (1)

RE: Best practice, practice, practice
By Mauricio Luzardo on December 18, 2007, 5:47 pm

Do you know/have an example of how to analyze the business strategy of a telecom services/consultancy company using the COBIT model? Is it possible to apply it? How to...
