A synopsis on CobiT and Library
by Joe Kirsch
As new technologies arise,
different problems/challenges present themselves. Public libraries have become increasingly automated; the
existence of some type of Technical Services Section or Systems Librarian/Technical Librarian has become more
common in larger and well established libraries in South Africa.
CobiT (Control Objectives for Information and related Technology)
The Systems Librarian relates to
IT standards and good practices and the Systems librarian provide an interface between two worlds:
libraries and computing.
CobiT and IT
Value, risk and
control constitute the core of IT governance. CobiT (IT governance) integrates and institutionalizes good
practices to ensure that the enterprise/organization IT (this includes Technical Services) supports the Library Management IT related objectives/goals. CobiT (IT governance) can enable
Libraries to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities
and gaining competitive advantage. These outcomes require a framework for control over the ICT
For many Library Managers, information (patron and item
data) and the technology that supports it represent their most valuable, but often least understood assets.
Successful Library Managers recognize the benefits of information technology and use it to drive their
Libraries’ services value to their patrons and communities. These Library Managers also understand the
associated risks, and library automation compliance standards such as SIP2, NCIP, EDI, Marc21, Z39.50, etc., and the
critical dependence of many library processes on information technology.
Library Management should optimize
the use of available IT resources:
Applications are the automated user systems and manual procedures that process the information
is the data, in all their forms, input, processed and output by the information systems in whatever form is used by
Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management
systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of
• People are
the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the
information (Technical Services and ICT department)
To discharge these responsibilities, as well as
to achieve its objectives/goals, Library management should understand the status of its enterprise architecture
for IT and decide what governance and control it should provide. It is highly recommended that an
Memorandum of Understanding (Terms of Reference)/SLA (Service Level
Agreement) be entered into between Library & Information Services and the ICT department. The development
and use of MOUs/SLAs are an integral part of a successful quality system as they provide
individuals/departments with the information to perform a job properly, and facilitate consistency in the
quality and integrity of a product or end-result.
Should you have
an Memorandum of Understanding (Terms of
Reference)/SLA (Service Level Agreement) with the ICT
A Service Level Agreement (or SLA), goes beyond
a simple statement of priorities. An SLA includes formal goals for your ICT department to shoot for in terms of
reliability and response times. For instance, an SLA might specify that the library’s server
will be available 99 percent of the time. Even if you don’t institute service-level standards for every aspect of
your IT technical support, you can establish standards for some of the more important elements. For example, you
might associate a standard response time with each of the impact levels. Impact level I (i.e., top-priority
incidents) will be resolved within a day.
Of course, you have to talk to your ICT department to find out which goals
are reasonable and which ones aren’t. Also, you should only set goals for the outcomes you know how to measure.
The IT department should not promise a one-day turnaround on an issue if there isn’t a system in place to
track turnaround times and report on them.
MOUs and SLAs are becoming standard business
practice across a broad spectrum of industry and commerce. SLAs are a formal means of identifying key services
and processes required to meet business needs - these are monitored and any problem areas highlighted for
The process has grown initially within the IT industry, both as a business
requirement to optimize the provision of IT resources, and as a response to the challenge of external
outsourcing of IT services.
SLA (Service Level Agreement) Purpose
A summary of the main aims of the
· To improve service by defining and focusing on
key services required to meet business requirements
· To discipline the service provider to review
their ability to meet these requirements
· To discipline the Library Management to examine
their requirements for key services
· To agree on the expectation in all parties as
to the levels of service that can be provided at an acceptable cost
· To improve understanding and working
The basic reason for going through this process is simple - to improve
service quality. This is done by identifying, quantifying and agreeing
the levels of service required, such that the “customer” area operates efficiently. The SLA process is a quality
improvement process above all else, as it highlights gaps and problems in the process of servicing the business
requirements. The process is also a good vehicle for developing increased understanding across divisional and
functional boundaries and improving expectation management. It is thus
a useful tool for organizations wishing to develop greater synergy and teamwork as
a means of corporate development.
SLA (Service Level Agreement) is not a
The SLA process involves cultural change. As
such its success depends more on people and attitudes than technical innovation or skill. It is thus important
that all involved in this process understand not only the operational requirements, but also the needs and aims
driving the process. For successful SLA implementation, it is almost as important to appreciate what SLAs
are not as what
they are. When negotiating
and drawing up an SLA, it is vital to appreciate this distinction, otherwise the process will
The SLA document should be regarded as a list of targets, rather than a
legal straight jacket signed and sealed in blood. If the latter approach is taken, particularly if little data
exists on current levels of service, this can be a recipe for animosity and
misunderstanding. Both parties must appreciate during negotiations that the SLA itself does not guarantee that the expected service levels will always be met, with penalties if they are not.
This may influence the provider only to commit to a low service level -
rendering the document meaningless. Alternatively, if the level
is set unrealistically high and targets are not met, expectations will not be
realized and working relationships damaged.
SLA (Service Level
With SLAs the
process is more important than the document. It must be viewed by all involved as an ongoing process
towards improved quality, rather than as an absolute and potentially punitive dictum. One good reason for
avoiding contractual status is that often both parties don’t really know the current level of service
provided, and are thus in no position to commit themselves to targets that they may have no possibility of
achieving with their current resources. Once the SLA process has identified actual service levels and resource
requirements, it may then be possible and realistic to develop the SLA into a contract if
The business orientation of CobiT consists of linking IT
related Library and Information Services objectives to the enterprises vision and KPIs, providing metrics and
maturity models to measure their achievement, and identifying the associated responsibilities. Goals are defined
top-down in that a business goal will determine a number of IT goals to support it. An IT goal is achieved by one
process or the interaction of a number of processes. Therefore, IT goals help define the different process goals.
In turn, each process goal requires a number of activities, thereby establishing the activity goals.
Strategic alignment focuses on ensuring the
linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning
IT operations with enterprise operations.
Value delivery is about executing the value
proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the
strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
Resource management is about the optimal
investment in, and the proper management of, critical IT resources: applications, information, infrastructure
and people. Key issues relate to the optimization of knowledge and infrastructure.
Risk management requires risk awareness by senior
corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance
requirements, transparency about the significant risks to the enterprise and embedding of risk management
responsibilities into the organization.
Performance measurement tracks and monitors
strategy implementation, project completion, resource usage, process performance and service delivery, using,
for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond
all sizes must be aware of the risks involved in deploying technology. These risks range from hardware and
software failure to privacy invasion. Increasingly, libraries have a need to invest in planning and policymaking
related to technical risks. Systems Librarians are key individuals within enterprise/organization to lead the
effort. They bring to the table a broad understanding of the technology and technical issues as well as the
library and human issues.
CobiT’s Information Criteria
To satisfy business objectives, information
needs to conform to certain control criteria, which CobiT refers to as businessrequirements for information. Based on the
broader quality, fiduciary and security requirements, seven distinct, certainlyoverlapping, information criteria are defined
deals with information being
relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent
and usable manner.
•Efficiency concerns the provision of information
through the optimal (most productive and economical) use of resources.
the protection of sensitive information from unauthorized disclosure.e
•Integrity relates to the accuracy and completeness of
information as well as to its validity in accordance with business values and expectations.
•Availability relates to information being available when
required by the business process now and in the future. It also concerns the safeguarding of necessary resources
and associated capabilities.
•Compliance deals with complying with the laws,
regulations and contractual arrangements to which the business process is subject, i.e., externally imposed
business criteria as well as internal policies.
•Reliability relates to the provision of appropriate
information for management to operate the entity and exercise its fiduciary and governance
Define the key activities and end
deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and
efficient execution of the key activities and their documentation as well as accountability for the process end
deliverables. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.
In most cases libraries effectively rely on the support of their in-house ICT department due to the fact that
in most libraries the Technical Services department/division only consists of one to three technical
professionals (Systems Librarians). For example, information and communication technology (ICT) department. In
South Africa most Local Government (Municipalities) ICT departments have the ultimate say and have complete
control over computer related projects and purchases. As libraries are increasingly intertwined with information
technology, the people who understand the capabilities, implications, and limitations of the technology must be
able and ready to articulate library concerns in a meaningful fashion.
One of the most
potentially damaging myths in systems work is the notion that vendors can be relied on to provide all
information about computing and networking. For organizations that do not have any level of internal technical
expertise, it is common to seek support from vendors. While many vendors may offer accurate technical
information or advice, some requests for information could create conflicts of interest for vendors (i.e., they
are being asked to suggest solutions in areas in which they sell their products). Libraries sometimes fall prey
to overdependence on
a vendor. While for some libraries the ILS vendor may be the only option, in general it is wise not to depend
too much on any single vendor for technology products and services. Although libraries can do well in
outsourcing a number of services, responsibility and accountability should not be contracted
The main theme of CobiT is ‘business orientation’. IT governance is part of enterprise
governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward
achieving its goals by adding value while balancing risk verses return over IT and its processes. Change must meet
business objective. In summery, CobiT is a framework and supporting tool set that allows
managers to bridge the gap with respect to control requirements, technical issues and business risks, and
communicate that level of control to stakeholders. Systems Librarians can provide a means of enhancing the
overall value, risk and control of IT
and ensure good practices. However, due to the nature of the Local Government Libraries it will be vital for the
Library and Information Services to have an updated MOU/SLA with their ICT
Librarianship should be more than just taking responsibility for the Library’s integrated library system (ILS)
management; network, management and support; server and host administration; desktop computing; training,
documentation and support; application development; planning and budget; specification and purchasing, etc.
Systems Librarians need to view the entire enterprise/organization from IT governance and IT resource management
perspective, technology exploration and evaluation, risk management, etc., so as to ensure value, risk and
Date: 16 March