Preferring ITIL or TOGAF; Considerations for Enterprise Adaptation

November 2013

Enterprise Architecture has become an area of growing interest for professionals who manage the technology portfolio of an enterprise. TOGAF (The Open Group Architecture Framework) provides methods, models and reference material to guide the design, implementation and evolution of business capability by means of IT functionality. ITIL (Information Technology Infrastructure Library) makes a similar promise from a different perspective and has been the favourite reference for many IT service / solution provider organizations, with its distinctive focus on the IT service lifecycle. I tried to reveal the unique characteristics, approaches, differences and highlights of these frameworks in order to help readers understand the use of these frameworks, and to guide potential efforts to adapt either or both of them in the enterprise environment.

Security as a Service, Does It Really Work?

June 2013

The cloud model has brought obvious benefits to the IT ecosystem. Unlike the early days of cloud services, when enterprises were reluctant to consume public cloud services (mostly due to security concerns about losing control of in-house technology and processes), the market is now growing exponentially, with varied solutions and matured vendor services supported by an evolved set of standards, practices and guidance for service assurance.

De-perimeterisation is one of the major impacts of cloud migration and requires new approaches to security controls. As the data to be secured now sits outside the secured corporate perimeter, both the complexity of protecting it and the risk of compromise are higher. Security as a Service (SecaaS) is the cloud solution set that offers a standardized security framework with centralized technology, processes and expertise. The SecaaS market promotes several benefits of this model; however, these benefits must be weighed against the associated risks arising from centralization of resources, loss of direct control over technology, and possible conflicts and gaps in roles and responsibilities.

Review: Open Enterprise Security Architecture (O-ESA)

April 2013

O-ESA, by the Security Forum of The Open Group, describes a framework for policy-driven security architecture. Security in this context means maintaining the confidentiality, availability and integrity of information in electronic form. Enterprise security architecture is defined as the component of the overall enterprise architecture that fulfils these objectives.

The book views enterprise security architecture in the larger context of an overall enterprise security program, with relations to Corporate IT Governance, Risk Management, Physical Security and Enterprise Architecture. A good layout of the enterprise security program is given in the introduction as four concentric rings of responsibility: program management, governance, technology architecture and operations.

The Promise of COBIT5, What is New?

March 2013

For anyone who used COBIT 4.1 to control IT through the framework's well-organized list of domains and processes, COBIT 5 may look quite complicated or elaborate with its multi-dimensional approach and extended scope. I tried to find out what is new in the framework and how it is structured in order to help in governing and managing enterprise IT.

COBIT 4.1 was well positioned as a control framework for IT to deliver against business requirements. This position directly supported the “monitor”, “control” and “direct” mandates of IT governance. COBIT 4.1 was process-oriented and had a flat structure: the whole list of IT processes was organized as sets of activities with defined responsibilities, goals and performance metrics. Each process defined its control objective, the justification for it in terms of the relevant business goals, the mapping of those business goals to IT goals, and the key controls needed to achieve the IT goals. Key metrics were listed to measure the performance of the process and its activities. The relation of each IT process to the five IT governance focus areas* and to the COBIT information criteria** was also provided. It was quite simple to follow this structure in order to control a single IT process.