IT frameworks demystified

ITIL, COBIT, CMMi, ISO 17799 - best practices abound for managing the new data center.

As IT becomes increasingly automated under the new data center architecture, more companies are embracing best-practices procedures outlined in formal IT frameworks. At stake are service quality, security, regulatory compliance and other increasingly important strategic corporate goals.

The IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), Capability Maturity Model Integration (CMMi) and ISO 17799 are playing the biggest roles in the creation of the new data center. "These frameworks were written by different groups at different times for different reasons . . . but each has contributions to make to the new [virtualized] data center," says David Pultorak, president of Fox IT, a consulting firm specializing in IT service management.

Pultorak uses ITIL for service management as an example of how an IT framework can serve as a steppingstone to the new, more agile data center. "The ITIL framework supports defining services in a way that is distinct from the technology that underpins them, allowing flexibility in what technology components are used to support and deliver the service," he says.

While some duplication occurs among the frameworks, they are more complementary than overlapping and companies often employ more than one.


Popular in Europe for years, ITIL is gaining attention at U.S. organizations. The framework originates with the Central Computer and Telecommunications Agency (now the Office of Government Commerce) in the U.K., which developed this set of best practices standards for IT service management in the late 1980s. The IT Service Management Forum, a global organization consisting of more than 12,000 corporate and government members, is responsible for advancing IT best practices through the use of ITIL.

Organized into a set of "books," ITIL offers a customizable framework of practices to provide high-quality service to internal users. ITIL covers functions such as service support, software support, computer operations and security management.

"ITIL is applicable to the data center because companies can use it to make sure they're doing the right things in terms of processes," Pultorak says.

For example, an insurance firm with a service-oriented data center could use ITIL procedures to ensure claims processing data is always available.

Organizing around services "sets the stage for the linkages between business and IT to be automated," Pultorak says. "With this stage set, and with the right infrastructure and management technologies, previously unimaginable levels of data center agility will enable greater business agility."

At Lockheed Martin Enterprise Information Services (EIS), ITIL is helping IT react more effectively when dealing directly with internal customers, says Kim Sawyer, vice president of computing and network services at the Bethesda, Md., company. While still in the early phase of adopting ITIL, Lockheed Martin EIS supports the Lockheed Martin Enterprise Service Desk, incident management and problem management functions via ITIL, she says. Change management, configuration management and release management are on the ITIL service management docket, she adds.

ITIL best practices in service-level management, capacity management and availability management are key for service-delivery functions, Sawyer says. "By having a common language and understanding of the processes, we will be able to deliver a robust and reliable infrastructure for our customers to perform their jobs."

At Homestore, a provider of online real estate services, ITIL is providing better measures of IT service levels for capacity planning, business continuity and networking following multiple corporate acquisitions, says Phil Dawley, CIO at the Westlake Village, Calif., company. The company uses a variety of software tools, including Cendura's Cohesion, to achieve ITIL compliance.

The framework also will help Homestore adopt on-demand computing and other elements of the new data center, Dawley says. "If you're managing a more complex, decentralized environment, then you'd better be more sophisticated about the processes you use to manage those. ITIL gives us a way to understand [all IT processes]. The new data center will not operate effectively until we've been able to measure and monitor all those systems."


IT frameworks at a glance

IT Infrastructure Library (ITIL): Provides best practices standards for IT service management.

Control Objectives for Information and Related Technology (COBIT): Delivers a reference framework for control over data, IT systems and related risks.

Capability Maturity Model Integration (CMMi): Guides process improvements in software development, systems engineering, R&D and other initiatives.

ISO 17799: Security standard for business continuity, access control, compliance and more.

Developed in 1996 by the Information Systems Audit and Control Association and IT Governance Institute as a standard for IT security and control practices, COBIT provides a reference framework for IT, security, auditing managers and users. Now in its third edition, COBIT is growing in acceptance as a good practice for control over data, systems and related risks. It helps companies deploy effective governance over systems and networks.

COBIT's Management Guidelines component consists of tools to measure a company's capabilities in 34 IT processes. These include performance measurement elements, a list of critical success factors that provides best practices for each IT process, and maturity models to help in benchmarking.

"COBIT's real focus is on whether or not you have controls in place that ensure you are compliant with relevant regulatory authorities," Fox IT's Pultorak says. "It helps organizations determine if they are doing what they said they would and if they are able to show evidence of this." For example, if a corporation said it would secure entry to its data center using a logon process, it can show completed logs for a given period based on COBIT.

The standard is becoming important as organizations work to be compliant with the Sarbanes-Oxley Act and other regulations. It's also important to the data center because it offers a way to implement controls in processes.

"COBIT has proven to be an excellent tool for measuring and assessing our IT controls," says Sawyer of Lockheed Martin, which also uses CMMi and ISO 17799 to improve its processes and IT service levels. "Our internal audit group has effectively used it to evaluate the management of our infrastructure and to identify areas for improvement or risk."

Homestore uses COBIT as part of its Sarbanes-Oxley compliance efforts, Dawley says. "It fits nicely with ITIL. COBIT allows us to check our ITIL implementation to make sure we're addressing the appropriate risks across the organization," he says.


Published by the Software Engineering Institute at Carnegie Mellon University in 1991, CMMi has evolved into a framework to help guide process improvements in software development, systems engineering and R&D.

The framework is used to improve the quality of products and services, increase development efficiency and reduce the risks associated with development projects. It has five levels of organizational "maturity," with each level representing a set of best practices that organizations must implement to make improvements.

CMMi can be helpful for new data center efforts when it is used to measure the relative maturity of IT processes. For example, before the IT department at a retailer began operational process improvements, it called on Fox IT to assess maturity, Pultorak says. The problem management process was immature while the incident management process was mature, he says. "This was an important first step ... so it had the basis for making improvements in the right places and in the right measure," he says.

At Lockheed Martin, the CMMi Level 5 certification achieved last year has helped the company deliver more complete, reliable software to internal users, Sawyer says.

ISO 17799

ISO 17799, developed by the International Organization for Standardization in 2000, is a detailed security standard organized into major areas: business continuity planning, system access control, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer and operations management, asset classification and control and security policy.

In fact, ITIL's security management guidelines are based on the ISO 17799 standard.

The standard establishes best practices to ensure that business operations will keep running if a systems outage or other interruption occurs; to control access to data, systems and networks; to protect the confidentiality and integrity of information; to prevent unauthorized access to business facilities; and to comply with regulations.

Beware of framework overload

All the IT frameworks are generally accepted as best practices, experts say. Adopting them for data center automation lets companies align processes internally and with business partners.

"If you cook up your own thing, it becomes harder to integrate with others and harder to defend yourself under scrutiny of an audit," Pultorak says.

Still, firms need to be aware of framework overload.

"Companies need to have a focus, set goals for implementing frameworks and devote adequate project management resources," Pultorak says. "If you overdo these frameworks and misapply them or are not sure what the implementation is, the result can be less than satisfactory."

It also can be expensive. Depending on the scope, each implementation can cost global companies hundreds of thousands of dollars. Costs can be hard to pin down because they include expenses such as training, consulting and software products that support the frameworks.

Measuring ROI of deployments also can be difficult. "Since the focus is on process improvements - not just technology assets - IT managers generally don't understand how to do an ROI assessment," says Ruben Melendez, president of Glomark Group, a consulting firm specializing in technology ROI. "Very few companies have done an ROI assessment of their ITIL [or other framework] implementations." Most of the economic benefits come from higher business process uptime, he says.

Are frameworks essential? Lockheed Martin's Sawyer thinks so. "[Common languages and disciplined processes] are the groundwork for re-architecting the data center for the future," she says. "By speaking the same language, we are able to move more quickly through discussions, thereby reaching decisions in shorter cycles. Moving toward managed data centers and flexible capacity cannot be achieved without standardization."

Violino is a freelance technology writer. He can be reached at


Copyright © 2005 IDG Communications, Inc.
