
TECHNICAL WHITE PAPER

BSM for COBIT 4.0


A Practical Path to Supporting COBIT

TABLE OF CONTENTS

EXECUTIVE SUMMARY
About COBIT
Business Service Management: A Practical Path to Supporting COBIT
BMC SOLUTIONS AND COBIT CONTROLS
COBIT and IT Governance
COBIT and ITIL
Plan and Organize (PO)
BMC Solution Fit
BMC Solutions
Acquire and Implement (AI)
BMC Solution Fit
BMC Solutions
Deliver and Support (DS)
BMC Solution Fit
BMC Solutions
Monitor and Evaluate (ME)
BMC Solution Fit
BMC Solutions
CONCLUSION
BSM Makes Compliance a Result of Running I.T. Well

EXECUTIVE SUMMARY
ABOUT COBIT
Control Objectives for Information and related Technology (COBIT) is an IT-focused governance and
control framework created by the IT Governance Institute (ITGI) and Information Systems Audit and Control
Association (ISACA). COBIT was developed as an open standard, and provides good practices across a
domain and process framework. COBIT presents activities in a manageable and logical structure. COBIT is
being increasingly adopted globally as the governance and control model for implementing and demonstrating
effective IT governance. The first, second, and third editions/versions of COBIT were published in 1994, 1998, and
2000, respectively.
COBIT harmonizes well with established frameworks, such as the Software Engineering Institute's Capability
Maturity Model, ISO 9000, ISO 17799 (standard security framework, now ISO 27001) and ITIL. In fact, 13 of the 34
high-level control objectives are derived directly from the ITIL Service Support and Service Delivery areas.

BUSINESS SERVICE MANAGEMENT: A PRACTICAL PATH TO SUPPORTING COBIT


BMC Software has been recognized by leading analysts for our comprehensive offering of solutions that help
IT organizations control their IT environment and meet compliance objectives. Just as ERP provided a platform
for effective business planning and operations, Business Service Management (BSM) provides a platform for
effective IT planning and operations.
BSM offers a common and consistent way for information to be shared across IT functions and departments.
BSM simplifies, standardizes, and automates IT processes through out-of-the-box best practice templates and
integrated workflows that include IT Governance, Risk and Compliance elements for multiple regulations and
frameworks, across multiple platforms. BMC BSM solutions enable IT to manage based on business priorities.
BSM solutions from BMC help IT organizations automate IT controls while complying with governmental
regulation, industry best practices and internal policies. With BSM solutions from BMC, IT organizations
can meet and exceed business objectives AND mitigate risks while delivering superior performance within
constraints.
Many BMC solutions align with the fulfillment of COBIT, but to maximize the impact upon COBIT controls, we
recommend that you focus first on building your foundational controls in the following key solution areas:

Change and Configuration management
Software Compliance management
Security and Access Management
Compliance Automation

With the foundation controls in place, you will be well positioned to address:

Data Recovery Management, Application management, and general IT controls
Infrastructure coverage from mainframe to mobile, data center to desktop.
Support of control frameworks (COBIT), best practices (ITIL), and standards (ISO 20000 and ISO 27000)
This document maps BMC solutions to COBIT control objectives outlined in the COBIT 4.0 guide. In many cases, text from the COBIT 4.0 document has been summarized in order to condense the information. Sections in boxes are direct
quotes from COBIT 4.0, Source: COBIT 4.0. 1996, 1998, 2000, IT Governance Institute. All rights reserved. Used by permission. Visit www.isaca.org to get a free download of the complete COBIT document.

BMC SOLUTIONS AND COBIT CONTROLS


Overall, BMC solutions apply to 32 of the 34 COBIT control objectives. These solutions offer a broad range of
coverage in many important areas, and are organized into the following four main groups to best address COBIT
Controls.

PLAN AND ORGANIZE: 8 of 10 control objectives
ACQUIRE AND IMPLEMENT: 7 of 7 control objectives
DELIVER AND SUPPORT: 13 of 13 control objectives
MONITOR AND EVALUATE: 4 of 4 control objectives

Figure 1: BMC solutions and COBIT controls

COBIT AND IT GOVERNANCE


One way to define IT Governance is management, measurement and reporting to facilitate good decision
making. The COBIT framework provides a reference process model and common language for everyone in an
enterprise to view and manage IT activities. To govern IT effectively, it is important to appreciate the activities
and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan,
build, run and monitor. Within the COBIT framework, these domains are called:

Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS)
Acquire and Implement (AI): Provides the solutions and passes them to be turned into services
Deliver and Support (DS): Receives the solutions and makes them usable for end users
Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed.

COBIT AND ITIL


BMC solutions help automate ITIL best practices and COBIT guidelines. Combined, ITIL and COBIT help you
increase the quality of business services that your IT organization delivers, while also lowering overall
costs. ITIL is a framework that addresses IT service management best practices, and COBIT addresses
the establishment of business goals, providing the processes to deliver toward those goals and measure
progress. By following these frameworks, your IT organization can provide fast, consistent, reliable
technology services that increase revenue, reduce costs, and demonstrate compliance with the Sarbanes-Oxley Act (SOX), Basel II, and other regulatory standards. These frameworks help you achieve BSM by
managing IT based on business priorities.
PLAN AND ORGANIZE (PO)
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute
to the achievement of the business objectives. The realization of this strategic vision needs to be planned,
communicated, and managed for different perspectives. Furthermore, a proper organization and
technological infrastructure should be put in place.
This domain typically addresses the following management questions:

Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organization understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?

According to COBIT 4.0:
Successful enterprises understand the risks and exploit the benefits of IT, and find ways to deal with:

Aligning IT strategy with the business strategy
Cascading IT strategy and goals down into the enterprise
Providing organizational structures that facilitate the implementation of strategy and goals
Creating constructive relationships and effective communications between the business and IT, and with external partners
Measuring IT's performance

Enterprises cannot deliver effectively against these business and governance requirements without adopting and
implementing a governance and control framework for IT to:

Make a link to the business requirements
Make performance against these requirements transparent
Organize IT activities into a generally accepted process model
Identify the major resources to be leveraged
Define the management control objectives to be considered

Business orientation is the main theme of COBIT. It is designed to be employed not only by IT service providers,
users, and auditors, but also, and more importantly, as comprehensive guidance for management and business
process owners.
COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organize,
Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT's traditional
responsibility areas of plan, build, run, and monitor.

BMC SOLUTION FIT


Plan and Organize control objectives are what we refer to as general IT management controls. These controls
result in many of the decisions and policies that are input into the IT service management system.
This section will examine all ten of the Plan and Organize control objectives, drilling deeper into the eight
objectives directly supported by BMC solutions:

PO2 Define the Information Architecture
PO4 Define the IT Processes, Organization, and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects.

BMC SOLUTIONS
BMC Atrium Discovery
BMC Atrium CMDB Suite
BMC Atrium Orchestrator
BMC BladeLogic Client Automation
BMC BladeLogic Network Automation
BMC BladeLogic Server Automation Suite
BMC Remedy IT Service Management Suite
BMC Remedy Identity Management Suite
SailPoint IdentityIQ
BMC IT Business Management Suite

ACQUIRE AND IMPLEMENT (AI)

This domain covers objectives that help realize the IT strategy. IT solutions need to be identified, developed,
acquired, implemented, and integrated into the business process. In addition, changes and maintenance of
existing systems are covered by this domain to make sure the solutions continue to meet business objectives.
This domain typically addresses the following management questions:

Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?

BMC SOLUTION FIT


This section will examine all seven of the Acquire and Implement control objectives directly supported by BMC
solutions:

AI1 Identify Automation Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

BMC SOLUTIONS
BMC Atrium CMDB Suite
BMC Atrium Orchestrator
BMC Event and Impact Management
BMC BladeLogic Client Automation
BMC BladeLogic Network Automation
BMC BladeLogic Server Automation Suite
BMC BladeLogic Application Automation
BMC Remedy IT Service Management Suite
BMC Remedy Identity Management Suite
SailPoint Identity IQ
BMC IT Business Management Suite

DELIVER AND SUPPORT (DS)


This domain is concerned with the actual delivery of required services, which includes not only service delivery,
but also management of security and continuity, service support for users, and management of data and the
operational facilities.
Typically addressed are the following management questions:

Are IT services being delivered in line with business priorities?
Are IT costs optimized?
Is the workforce able to use the IT systems productively and safely?
Are adequate confidentiality, integrity, and availability in place?

BMC SOLUTION FIT


This section will examine all thirteen of the Deliver and Support control objectives directly supported by BMC
solutions:

DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

BMC SOLUTIONS
BMC Atrium CMDB Suite
BMC Atrium Discovery
BMC Atrium Orchestrator
BMC Analytics for BSM
BMC Dashboards for BSM
BMC MainView
BMC Control-M
BMC Control-D
BMC Data Management for z/OS
BMC Database Recovery Management
BMC ProactiveNet Performance Management
BMC Event and Impact Management
BMC Service Level Management
BMC BladeLogic Client Automation
BMC BladeLogic Networks
BMC BladeLogic Decision Support for Network Automation
BMC BladeLogic Server Automation Suite
BMC BladeLogic Decision Support for Server Automation
BMC BladeLogic Application Automation
BMC Remedy IT Service Management Suite
BMC Remedy Identity Management Suite
SailPoint Identity IQ
BMC IT Business Management Suite

MONITOR AND EVALUATE (ME)


This domain covers objectives that IT processes need for regular assessment of their quality and compliance
with control requirements. It addresses performance management, monitoring of internal control, regulatory
compliance, and providing governance.
This domain typically addresses the following management questions:

Is IT's performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked back to business goals?
Are risk, control, compliance, and performance measured and reported?

BMC SOLUTION FIT


This section will examine all of the Monitor and Evaluate control objectives, which are all supported by BMC
solutions:

ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

BMC SOLUTIONS
BMC Atrium CMDB Suite
BMC Atrium Orchestrator
BMC Analytics for BSM
BMC Dashboards for BSM
BMC MainView
BMC Control-M
BMC Control-D
BMC ProactiveNet Performance Management
BMC Event and Impact Management
BMC Service Level Management
BMC BladeLogic Client Automation
BMC BladeLogic Networks
BMC BladeLogic Decision Support for Network Automation
BMC BladeLogic Server Automation Suite
BMC BladeLogic Decision Support for Server Automation
BMC BladeLogic Application Automation
BMC Remedy IT Service Management Suite
BMC Remedy Identity Management Suite
SailPoint Identity IQ
BMC IT Business Management Suite

CONCLUSION
BSM MAKES COMPLIANCE A RESULT OF RUNNING I.T. WELL
As your IT organization transitions to face the challenge of managing IT based on business priorities, you can
use COBIT controls and Business Service Management solutions from BMC to help meet the challenge. COBIT
provides the framework for setting business goals and objectives, and measuring the progress of how those
goals are accomplished. BSM solutions from BMC provide you with the most effective approach for managing IT
from the perspective of the business. All potential users can benefit from using the COBIT content as an overall
approach to managing and governing IT, orchestrated with more detailed standards.
When you introduce solutions that enhance implementation and maintenance of COBIT controls
enterprise-wide, you can better meet business objectives and deliver higher quality business services at lower costs to
your organization.
BMC offers solutions that enable you to control your IT environment and meet governance and compliance
objectives, as defined by COBIT. BSM solutions from BMC help you automate IT controls; comply with
government regulations, industry best practices, and internal policies; manage risk effectively; and improve
overall business performance. These solutions help you manage IT based on business priorities, and align IT
processes to business needs.

Business runs on IT. IT runs on BMC Software.

Business thrives when IT runs smarter, faster, and stronger. That's why the most demanding IT organizations in
the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader
in Business Service Management, BMC offers a comprehensive approach and unified platform that helps IT
organizations cut cost, reduce risk, and drive business profit. For the four fiscal quarters ended March 31, 2010,
BMC revenue was approximately $1.91 billion. Visit www.bmc.com for more information.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be
registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other
countries. All other trademarks or registered trademarks are the property of their respective owners. 2010 BMC Software, Inc. All rights reserved.
