The document discusses research conducted by the IT Process Institute on the relationship between IT controls and organizational performance. The research found that: 1) Higher performing organizations consistently implement a small number of "foundational" IT controls related to change management, access controls, and configuration management. 2) For larger organizations, nine additional controls around release management, problem management, and service level management help explain performance differences. 3) How organizations manage exceptions to IT processes, through detection and enforcement of consequences, is a key factor in performance. Those that do not enforce consequences see less benefit from controls.

1. Metricon 4.0: The importance of context Security measures as a dependent variable Data reveals foundational practices that optimize security and operations Kurt Milne Managing Director, IT Process Institute [email_address] Gene Kim CTO, Co-Founder, Tripwire, Inc. [email_address] , @RealGeneKim

2. Where Did The High Performers Come From?

5. Mission - advancing the science of IT management Research Prescriptive Guidance Benchmarking IT Management Leadership Foster sustainable change Enable industry comparison Link practice to results

6. Data driven management - spectrum of influence Intuitive Analytical Academic Study Population Sample Population Sample Academic Study Population Sample Population Sample Academic Study Population Study Benchmark ROI Story Best Practice Peer Recommendation Anecdote Prior Experience ITPI Focus Vendors Consultants Industry Analyst Tradeshows Industry Press Blogshere

13. Study #1: 2006: Design Survey: Pick IT Controls Source: COBIT, IT Governance Institute/ISACA We selected the 6 leading BS15000 areas within ITIL that are conjectured to be “where to start.” These were Access, Change, Resolution, Configuration, Release, Service Levels 1 We then selected 63 COBIT control objectives within these areas. 2 Source: IT Infrastructure Library (ITIL) / BS 15000

14. Study #1: 2006: The 63 IT Controls The resulting controls that we selected were in the following control categories: • Access Controls : 17 controls • Change Controls : 13 controls • Configuration Controls : 7 controls • Release Controls : 6 controls • Service Level Controls : 8 controls • Resolution Controls : 12 controls

17. 2006: Three Clusters Of Respondents Each wedge in the pie represents one of the foundational controls. Each bar represents the percentage of the cluster members that responded ‘yes’ to that control. 2 Almost all of the members of the high performing cluster had all of the foundational controls. 3 Almost all of the members of the low performing cluster had no controls, except for access and resolution. 4 Source: IT Process Institute, May 2006 Low Performer Medium Performer High Performer The ITPI identified 23 “foundational controls” and used cluster analysis techniques to identify the relationship between the use of Foundational Controls and performance indicators of the companies studied Three clusters emerged. 1

19. MTTR For Large Outages

20. First Fix Rate

21. Percentage Of Outages Fixed Within SLA Limits

22. Change Success Rate