IT Governance Blog

How to Pass the ITIL Foundations Certification Exam

2008-10-25T09:25:29Z

I’ll take a break in the action of going through CobiT to tell you that I recently passed the ITIL v3 Foundation for Service Management Certification exam. I had received an offer through HDI for a course and exam package and decided it was time to go for it, both to force me to look deeper into ITIL but to also see how relevant this exam would be for my staff. I ended up passing with a 90% score. Since only 65% is required to pass I guess you could say I passed with flying colors. By the way, what is up with a passing score being 65%? That’s insulting. When I was in school that was at least a D.

If you are interesting in taking this certification exam I thought it would be worthwhile to describe the process and tools I used for passing the ITIL Foundations Exam.

First, I purchased the Official Introduction to the ITIL Service Lifecycle. You should get this book even if you are not planning to sit for the exam. It is the defacto introduction to ITIL. My first step in studying for the exam was to read through this book cover to cover, using a highlighter to mark passages that seemed important.

My second step was to go through the course that I purchased through HDI. You may find that something like the ITIL V3 Foundation Complete Certification Kit - Study Guide Book and Online Course works better and cheaper for you, but I was happy with the CBT from HDI. I went through the course once just going through it, no notes, no nothing. Just watching and learning.

The second time I went through the ITIL CBT Training I also opened the ITIL Intro book and read along with it and the course, and I started making flashcards on both the key points as highlighted in the CBT and the key points that I had previously highlighted in the book.

At this point I had a pretty good handle on the concepts. Now came the time to start practicing for taking the exam. For this I found some decent mock exams on the internet from CRM Help Desk Software.com.

The process I used for leveraging the mock exams was pretty standard I think. Each mock exam was 40 questions so I printed off a number of scoresheets that I could use. I started by taking mock exam #1 and as I was going through the questions I would mark the ones that I knew I was 100% correct on. After I was done I would grade myself, and then go through each question to see if I understood why the answer is what it is. I did this both for questions I got wrong but also questions I got right. I paid partiuclar attention to those questions that I had marked as 100% sure but in fact I got wrong! I repeated this process for each of the 4 mock exams I had, until I was consistently getting everything correct.

Finally, on the day of the exam I showed up about 30 minutes early and did some cramming using the flashcards I had prepared. Since you can’t bring anything into the testing center I just sat in my car while going through them.

It would be nice to be able to see which 4 questions I missed but other than seeing what category they were in you can’t so I will have to be satisfied that my studying paid off. I’m still waiting for my certificate from HDI but I’m sure that will be coming soon.

I hope this helps you pass the ITIL v3 Foundation for Service Management Certification exam. If you use any of these tips to pass the exam why not come back here and let me know!

PO3.2 Technology Infrastructure Plan

2008-10-05T14:11:05Z

CobiTdefinition:

Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platforms and applications.

Bill says,

It is in the Technology Infrastructure Plan where the strategy and the tactical meet. This is where you define things such as the role virtualization will play in addressing your technology strategy, who your primary technology sourcing vendors will be, and how geographical issues will impact your data center and staffing plan.

For example, let’s say that in your Technological Direction Planning you have identified that virtualization provides not only business opportunities for your company but opportunities for server consolidation and improved support within your IT organization. As that as the backdrop for the direction you want to go, it is in the TIP where you will outline how you will accomplish that. It is appropriate that in the TIP you will also outline how such a move will save on staffing expenses should that be an expected outcome.

By now you have seen enough of CobiT to know that much of this really isn’t complicated and it really is kind of obvious. You might be saying, why do I have to be told to create a direction plan and that a plan for how to implement that direction, as that seems so obvious. The problem is as obvious as it may seem it simply doesn’t get done to the degree you would expect. By following a framework like CobiT you can ensure that you are following best practices for running an IT organization. A governance framework is not designed to produce any real “aha” moments - it is simply to ensure that you have control over the basics. It is control of the basics where many companies fall down.

One thing you will note is the CobiT doesn’t give you guidance on much beyond what the basics are. So for example, what is the audience of the Technology Infrastructure Plan? Do you share it with your managers? All IT staff? Everyone in the company? CobiT isn’t going to give you guidance there, that is up to you and your knowledge of the culture of your company.

For me, I actually create two versions of the plan. One for Senior Management and one for general consumption. I believe that it is important to have corporate visibility to these plans.

The second step in Determining the Technological Direction is building the Technology Infrastructure Plan.

PO3.1 Technological Direction Planning

2008-08-29T11:31:23Z

CobiTdefinition:

Analyse existing and emerging technologies, and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems architecture, technological direction, migration strategies and contingency aspects of infrastructure components.

Bill says,

You have to give your team some context for your technical leadership direction. Are you the kind of leader, and hence your IT organization, who is a risk taker willing to implement the latest and greatest technology? Or are you more pragmatic, waiting for the other guys to take the risks on new technology first?

It is in the Technical Direction Planning CobiT control objective where you define this direction, and hence lay out the future for the direction your team will take from a technical standpoint.

Does Software as a Service make sense for your organization? What about mobile technologies? VOIP? Are there productivity improvements to be made there or are the risks too great? You need to map out these existing and emerging technologies and make clear what you as a leader are willing to accept.

From then on the details can be worked out.

The first step in Determining the Technological Direction is doing the necessary technological direction planning.

PO3 Determine Technological Direction

2008-10-05T14:12:51Z

CobiT definition:

The information services function determines the technology direction to support the business. This requires the creation of a technological infrastructure plan and an architecture board that sets and manages clear and realistic expectations of what technology can offer in terms of products, services and delivery mechanisms. The plan is regularly updated and encompasses aspects such as systems architecture, technological direction, acquisition plans, standards, migration strategies and contingency. This enables timely responses to changes in the competitive environment, economies of scale for information systems staffing and investments, as well as improved interoperability of platforms and applications.

Control over the IT process of
Determine technological direction

that satisfies the business requirement for IT of
having stable, cost-effective, integrated and standard application systems, resources and capabilities
that meet current and future business requirements

by focusing on
defining and implementing a technology infrastructure plan, architecture and standards that
recognise and leverage technology opportunities

is achieved by
• Establishing a forum to guide architecture and verify compliance
• Establishing the technology infrastructure plan balanced against cost, risk and
requirements
• Defining the technology infrastructure standards based on information
architecture requirements

and is measured by
• Number and type of deviations from the technology
infrastructure plan
• Frequency of the technology infrastructure plan review/update
• Number of technology platforms by function across the enterprise

Control objectives:

PO3 Determine Technological Direction

PO3.1 Technological Direction Planning
PO3.2 Technology Infrastructure Plan
PO3.3 Monitor Future Trends and Regulations
PO3.4 Technology Standards
PO3.5 IT Architecture Board

Check out the links for details on the control objectives.

IT Governance Certifications

2008-10-25T10:00:21Z

I’ve decided it was time that I get a little more serious about my IT Governance education and as such I have decided to pursue a couple of worthwhile certifications - ITIL Foundations (for a start) and CGEIT, which is Isaca’s Certified in the Governance of Enterprise IT certification.

For the Foundations’s certificate studying I purchased Introduction to the ITIL Service Lifecycle (ITIL Version 3) which does a very good job going over the highlight’s of ITIL and is their official introductory guide. I also signed up for some online education through HDI, which is an acreddited training organization, which also included a discunted exam fee. The online course is available for about 12 weeks, so sometime between now and then I’ll register and take the exam, which is multiple choice.

Going through the book and the online course together has been invaluable, I am really understanding the overall service lifecycle very well, and am actually looking forward to starting to purchase the core books and getting more in depth into studying ITIL and IT Governance.

Update - I passed the exam with a 90% score. Read more on how I did it by checking out How to Pass the ITIL Foundations Certification Exam.

This is what Isaca says about the CGEIT:

This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

The exam for this is scheduled on December 12th. Just passing the exam is not enough to earn the certification To earn the CGEIT credential, an individual must:

Pass the CGEIT exam (first exam - December 2008)
Adhere to the ISACA Code of Professional Ethics
Agree to comply with the CGEIT Continuing Education Policy
Provide evidence of appropriate IT governance work experience as defined by the CGEIT Job Practice

Based on my work experience I should have no problem qualifying (as long as I pass the exam!). Reference materials for study are available as free downloads on their website. I did register as an Isaca member to get the discount, so now I am an official Isaca member.

It’s been awhile since I have studied like this but I like it! I look forward to sharing more about my experience in seeking these certifications.

PO2.4 Integrity Management

2008-08-21T11:40:09Z

CobiT definition:

Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.

Bill says,

“All data stored in electronic form” is one hell of a big task, but if you are to implement the proper level of controls that is truly what you are on the hook for. Once you have classified your data you will have a list of what is important to your business and what you need to control. Now you have to design and implement the procedures that ensure that data is what you think it is and it has the visibility that you think it should have.

Integrity of the data is fairly simple for static data, you really just need to be able to maintain an archived version that you can compare it to proving it’s integrity, assuming of course that you have the security of that data established properly.

The biggest challenge to integrity management is in your transactional database where your staff, and perhaps even your customers, are responsible for maintain some aspect of that data. This is where you need to automate as much as possible so that you are not relying on human nature, but no matter how much of that you do you will still be on the heck for documenting those processes and controls.

Integrity management is difficult but important. If you have followed the steps within this control objective you should be well on your way to achieving a good level control.

The fourth step in Defining the Information Architecture is integrity management.

PO2.3 Data Classification Scheme

2008-07-19T22:20:18Z

CobiT definition:

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public,
confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate
security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and
sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Bill says,

What I really like about CobiT is it forces you to look at things in a comprehensive way. For data classification you really need to analyze every bit of data you collect, categorize it, and decide who will have access, how you will control it, etc - but those are future controls. For this one it is all about defining the classification of data.

Let’s look at some non-traditional data that really does need to be captured in your classification scheme. For example, you probably use WebEx for data conferencing. And I am sure you realize that there is a lot of data archives pertaining to the meetings held through WebEx - many of which can have very telling titles.

As an aside, if you are using WebEx make sure you do not have your site open to the public - or you have strict rules and controls in place regarding what people can use as the subject line in meetings. Prior to us turning this off I saw some pretty awkward meeting titles that were open for all to see - employees, customers and competitors.

So you probably have never thought about that data but you need to. What parts are important? I know for me we record the monthly usage locally because after three months we lose access to it through WebEx. Who has access to that? How can we be sure we know who is responsible for archiving it? These are all important questions that you need to go through as part of the classification exercise.

Don’t be scared off by how much data you have, this is work that needs to be done!

The third step in Defining the Information Architecture is defining the data classification sceme.

PO2.2 Enterprise Data Dictionary and Data Syntax Rules

2008-07-12T14:12:29Z

CobiT definition:

Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the
sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business
users, and prevent incompatible data elements from being created.

Bill says,

Establishing and maintaining a data dictionary for a complex application is difficult but not impossible, particulary if the application and the underlying data structure and processes don’t change much. But when you start defining an overall data dictionary for your enterprise it becomes a much more difficult challenge. When building a data dictionary, however, don’t feel as though it needs to be perfect - better than to have a mess documented than not at all.

In today’s corporate IT applications space integration between applications is critical. The ability to integrate between applications effectively is contingent on a good enterprise data dictionary. If you have not done this then you are not doing the corporate governance that you should be doing.

An important component of this is to understand what the data means and ensuring that both the business and IT are in alignment. For example, we have a phone system that records ACD transaction and one of the pieces of data that comes out of this application is abandoned calls. What does that mean to you? Does it mean something different to sales? In our case IT thought they knew what abandoned calls meant and sales thought it meant something else. When in fact the vendor defined it to mean even something else! SLAs had been established around this key piece of data and nobody in the business truly understand what it actually meant.

The second step in Defining the Information Architecture is establishing an enterprise data dictionary along with corresponding data syntax rules.

PO2.1 Enterprise Information Architecture Model

2008-08-29T11:19:21Z

CobiTdefinition:

Establish and maintain an enterprise information model to enable applications development and decision-supporting activities,
consistent with IT plans as described in PO1. The model should facilitate the optimal creation, use and sharing of information by the
business in a way that maintains integrity and is flexible, functional, cost-effective, timely, secure and resilient to failure.

Bill says,

I haven’t seen a company yet that has done this one even close to complete. What it’s talking about is defining data models for customers, vendors, employees, etc - across all applications define a consistent data model as an aid to integration and reporting. With a new company starting up I think this is something that could be done, but most of us have legacy data and applications that make a consistent data model very difficult.

Still, it is worth the effort to get it done. With a consistent and holistic enterprise information architecture model the quality of your analytics, the simplicity of your integrations and the power of your business are all magnified.

Take something as simple as the employee data model. Should be a no-brainer right? Well, it isn’t. Your HR program came stock with certain fields, your CRM with others and you probably have built a myriad of other functional applications leveraging employee data. Taking the time to make the data models consistent across all employee applications is a hard project to fund. More likely you will define your employee data model at the data warehouse level, and map your integrations with each application such that it feeds the necessary data. Once you have a data model defined in the warehouse you are about as close to having a solid data model as you could expect.

Still, even though it is hard it needs to be done the best you can.

The first step in Defining the Information Architecture is defining the enterprise information architecture model.

PO2 Define the Information Architecture

2008-08-02T18:37:41Z

CobiT definition:

The information systems function creates and regularly updates a business information model and defines the appropriate systems
to optimise the use of this information. This encompasses the development of a corporate data dictionary with the organisation’s
data syntax rules, data classification scheme and security levels. This process improves the quality of management decision making
by making sure that reliable and secure information is provided, and it enables rationalising information systems resources to
appropriately match business strategies. This IT process is also needed to increase accountability for the integrity and security of
data and to enhance the effectiveness and control of sharing information across applications and entities.

Control over the IT process of
Define the information architecture

that satisfies the business requirement for IT of
being agile in responding to requirements, to provide reliable and consistent information and to
seamlessly integrate applications into business processes

by focusing on
the establishment of an enterprise data model that incorporates a data classification scheme
to ensure the integrity and consistency of all data

is achieved by
• Assuring the accuracy of the information architecture and data model
• Assigning data ownership
• Classifying information using an agreed-upon classification scheme

and is measured by
• Percent of redundant/duplicate data elements
• Percent of applications not complying with the information
architecture methodology used by the enterprise
• Frequency of data validation activities

Control objectives:

PO2 Define the Information Architecture

PO2.1 Enterprise Information Architecture Model
PO2.2 Enterprise Data Dictionary and Data Syntax Rules
PO2.3 Data Classification Scheme
PO2.4 Integrity Management

Check out the links for details on the control objectives.