A synopsis on CobiT and Library Management

by Joe Kirsch

As new technologies arise, different problems/challenges present themselves. Public libraries have become increasingly automated; the existence of some type of Technical Services Section or Systems Librarian/Technical Librarian has become more common in larger and well established libraries in South Africa.

CobiT (Control Objectives for Information and related Technology)

The Systems Librarian relates to IT standards and good practices and the Systems librarian provide an interface between two worlds: libraries and computing.

CobiT and IT governance

Value, risk and control constitute the core of IT governance. CobiT (IT governance) integrates and institutionalizes good practices to ensure that the enterprise/organization IT (this includes Technical Services) supports the Library Management IT related objectives/goals. CobiT (IT governance) can enable Libraries to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. These outcomes require a framework for control over the ICT department.

For many Library Managers, information (patron and item data) and the technology that supports it represent their most valuable, but often least understood assets. Successful Library Managers recognize the benefits of information technology and use it to drive their Libraries’ services value to their patrons and communities. These Library Managers also understand the associated risks, and library automation compliance standards such as SIP2, NCIP, EDI, Marc21, Z39.50, etc., and the critical dependence of many library processes on information technology.

CobiT Cube

IT Resources

Library Management should optimize the use of available IT resources:

• Applications are the automated user systems and manual procedures that process the information

• Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business

• Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications

• People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information (Technical Services and ICT department)

To discharge these responsibilities, as well as to achieve its objectives/goals, Library management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide. It is highly recommended that an Memorandum of Understanding (Terms of Reference)/SLA (Service Level Agreement) be entered into between Library & Information Services and the ICT department. The development and use of MOUs/SLAs are an integral part of a successful quality system as they provide individuals/departments with the information to perform a job properly, and facilitate consistency in the quality and integrity of a product or end-result.

Should you have an Memorandum of Understanding (Terms of Reference)/SLA (Service Level Agreement) with the ICT Department?

A Service Level Agreement (or SLA), goes beyond a simple statement of priorities. An SLA includes formal goals for your ICT department to shoot for in terms of reliability and response times. For instance, an SLA might specify that the library’s server will be available 99 percent of the time. Even if you don’t institute service-level standards for every aspect of your IT technical support, you can establish standards for some of the more important elements. For example, you might associate a standard response time with each of the impact levels. Impact level I (i.e., top-priority incidents) will be resolved within a day.
Of course, you have to talk to your ICT department to find out which goals are reasonable and which ones aren’t. Also, you should only set goals for the outcomes you know how to measure. The IT department should not promise a one-day turnaround on an issue if there isn’t a system in place to track turnaround times and report on them.

MOUs and SLAs are becoming standard business practice across a broad spectrum of industry and commerce. SLAs are a formal means of identifying key services and processes required to meet business needs - these are monitored and any problem areas highlighted for action.

The process has grown initially within the IT industry, both as a business requirement to optimize the provision of IT resources, and as a response to the challenge of external outsourcing of IT services.

SLA (Service Level Agreement) Purpose

A summary of the main aims of the process:

· To improve service by defining and focusing on key services required to meet business requirements

· To discipline the service provider to review their ability to meet these requirements

· To discipline the Library Management to examine their requirements for key services

· To agree on the expectation in all parties as to the levels of service that can be provided at an acceptable cost

· To improve understanding and working relationships

The basic reason for going through this process is simple - to improve service quality. This is done by identifying, quantifying and agreeing the levels of service required, such that the “customer” area operates efficiently. The SLA process is a quality improvement process above all else, as it highlights gaps and problems in the process of servicing the business requirements. The process is also a good vehicle for developing increased understanding across divisional and functional boundaries and improving expectation management. It is thus a useful tool for organizations wishing to develop greater synergy and teamwork as a means of corporate development.

SLA (Service Level Agreement) is not a contract!

The SLA process involves cultural change. As such its success depends more on people and attitudes than technical innovation or skill. It is thus important that all involved in this process understand not only the operational requirements, but also the needs and aims driving the process. For successful SLA implementation, it is almost as important to appreciate what SLAs are not as what they are. When negotiating and drawing up an SLA, it is vital to appreciate this distinction, otherwise the process will fail.

The SLA document should be regarded as a list of targets, rather than a legal straight jacket signed and sealed in blood. If the latter approach is taken, particularly if little data exists on current levels of service, this can be a recipe for animosity and misunderstanding. Both parties must appreciate during negotiations that the SLA itself does not guarantee that the expected service levels will always be met, with penalties if they are not. This may influence the provider only to commit to a low service level - rendering the document meaningless. Alternatively, if the level is set unrealistically high and targets are not met, expectations will not be realized and working relationships damaged.

SLA (Service Level Agreement)
With SLAs the process is more important than the document. It must be viewed by all involved as an ongoing process towards improved quality, rather than as an absolute and potentially punitive dictum. One good reason for avoiding contractual status is that often both parties don’t really know the current level of service provided, and are thus in no position to commit themselves to targets that they may have no possibility of achieving with their current resources. Once the SLA process has identified actual service levels and resource requirements, it may then be possible and realistic to develop the SLA into a contract if required.

The business orientation of CobiT consists of linking IT related Library and Information Services objectives to the enterprises vision and KPIs, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities. Goals are defined top-down in that a business goal will determine a number of IT goals to support it. An IT goal is achieved by one process or the interaction of a number of processes. Therefore, IT goals help define the different process goals. In turn, each process goal requires a number of activities, thereby establishing the activity goals.

• Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

• Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.

• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Risk Management

Enterprises of all sizes must be aware of the risks involved in deploying technology. These risks range from hardware and software failure to privacy invasion. Increasingly, libraries have a need to invest in planning and policymaking related to technical risks. Systems Librarians are key individuals within enterprise/organization to lead the effort. They bring to the table a broad understanding of the technology and technical issues as well as the library and human issues.

CobiT’s Information Criteria

To satisfy business objectives, information needs to conform to certain control criteria, which CobiT refers to as businessrequirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainlyoverlapping, information criteria are defined as follows:

•Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

•Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.

•Confidentiality concerns the protection of sensitive information from unauthorized disclosure.e

•Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.

•Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

•Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.

•Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

CobiT

Ownership and Responsibilities

Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process end deliverables. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date. In most cases libraries effectively rely on the support of their in-house ICT department due to the fact that in most libraries the Technical Services department/division only consists of one to three technical professionals (Systems Librarians). For example, information and communication technology (ICT) department. In South Africa most Local Government (Municipalities) ICT departments have the ultimate say and have complete control over computer related projects and purchases. As libraries are increasingly intertwined with information technology, the people who understand the capabilities, implications, and limitations of the technology must be able and ready to articulate library concerns in a meaningful fashion.

Outsourcing

One of the most potentially damaging myths in systems work is the notion that vendors can be relied on to provide all information about computing and networking. For organizations that do not have any level of internal technical expertise, it is common to seek support from vendors. While many vendors may offer accurate technical information or advice, some requests for information could create conflicts of interest for vendors (i.e., they are being asked to suggest solutions in areas in which they sell their products). Libraries sometimes fall prey to overdependence on a vendor. While for some libraries the ILS vendor may be the only option, in general it is wise not to depend too much on any single vendor for technology products and services. Although libraries can do well in outsourcing a number of services, responsibility and accountability should not be contracted out.

Conclusion
The main theme of CobiT is ‘business orientation’. IT governance is part of enterprise governance. It is defined as a structure of relationships and processes to direct and control the enterprise toward achieving its goals by adding value while balancing risk verses return over IT and its processes. Change must meet business objective. In summery, CobiT is a framework and supporting tool set that allows managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. Systems Librarians can provide a means of enhancing the overall value, risk and control of IT and ensure good practices. However, due to the nature of the Local Government Libraries it will be vital for the Library and Information Services to have an updated MOU/SLA with their ICT department. Systems Librarianship should be more than just taking responsibility for the Library’s integrated library system (ILS) management; network, management and support; server and host administration; desktop computing; training, documentation and support; application development; planning and budget; specification and purchasing, etc. Systems Librarians need to view the entire enterprise/organization from IT governance and IT resource management perspective, technology exploration and evaluation, risk management, etc., so as to ensure value, risk and control.