What do IT governance and the Sarbanes-Oxley Act have to do with the service desk? Information technology plays a major role in most businesses' internal control activities. This requires that the internal controls be created, executed and monitored by all departments to ensure the business is in compliance.
So, if an organization must meet SOX compliance objectives, the need for IT governance is critical.
SOX requires that businesses demonstrate proper governance to ensure financial transparency. Governance is not management; it is about making sound decisions. It is about roles and responsibilities, as well as measuring and reporting on an organization's administrative techniques.
Governance ensures that organizations continually review and improve business processes. As it relates to IT, governance ensures regulatory and legal compliance and operational excellence, and it makes businesses better at managing risk.
There are several IT governance frameworks that can help Windows shops work toward compliance. The two most frequently cited are Control Objectives for Information and Related Technology (COBIT) and Microsoft Operations Framework (MOF), which is Microsoft's prescriptive version of the Information Technology Infrastructure Library (ITIL).
COBIT, now in version 4.1, is a collection of accepted best practices for IT governance, control and assurance. It's a framework for IT management that is distributed by the Information Systems Audit and Control Association (ISACA). More specifically, it identifies which of the seven information criteria -- effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability -- are important for the IT processes to fully support the business.
COBIT supports IT governance, and its auditing framework for SOX compliance ensures that the IT department is aligned to the business and can maximize benefits. The framework also makes sure IT uses resources responsibly and that it manages risks appropriately.
Microsoft's version of ITIL provides the IT service management framework used to establish the processes that will eventually be audited for compliance. It has three foundation elements:
- Process model -- overlaps the ITIL framework and is a blueprint of the processes used to manage IT services.
- Team model -- supports the process model by providing guidelines for organizing employees into teams or role clusters. The model describes key activities within each role cluster.
- Risk management model -- integrates proven risk management techniques with the overall framework.
So where do Microsoft's framework and COBIT mesh? We can use COBIT at the highest level to provide an overall control framework based on an IT process model. Microsoft Operations Framework covers the discrete areas of the IT process model, like the service desk and the incident management process.
For example, the eighth part of the Deliver and Support section of COBIT 4.1 identifies five control objectives:
- the service desk
- registration of customer queries
- incident escalation
- incident closure, and
- reporting and trend analysis
MOF's Supporting quadrant defines the incident management process and related activities, like incident escalation, which are needed to establish and run a service desk. These processes use the plan-do-check-act method of continual improvement, because the goal is to mature them.
It is crucial to determine the maturity level of service desk processes, as the maturity level will establish to what extent the service desk will be involved in complying with SOX.
COBIT includes a maturity model similar to the Capability Maturity Model Integration (CMMI) hierarchy. The maturity levels range from zero (does not exist) to five (optimized process). Where a service desk's incident management processes fit on the maturity scale pinpoints the quality level of your process -- the higher the level, the better.
The bottom line is that the service desk contributes to the Windows shop's ability to meet SOX compliance needs. So do your part.
Stuart D. Galup is an associate professor of computer information systems at Florida Atlantic University. He is a Certified Computing Professional and ITIL Service Manager. He has held a number of senior information technology positions and holds a U.S. patent. Galup has written more than 45 academic publications and two books.
This was first published in March 2008