There are various established and well defined capability or maturity models utilized to assess process management today. Of these, the most common measurement models utilized to assess SAM related processes include: ISO/IEC 15504 (often referred to as SPICE); Control Objective for Information and related Technology (CobiT); Capability Maturity Model Integration (CMMI); Business Process Maturity Model (BPMM); Microsoft’s Software Asset Management Optimization Model (SOM); IAITAM’s 360 Assessment Model and the Software Asset Management Consortium’s (SAMC) Software Asset Management Standards. Currently, Microsoft’s, IAITAM’s and SAMC’s models specifically address SAM in their models. CobiT is more generic but still applicable and widely used. a) Further information on CobiT Selected Mappings gives further specific information about CobiT and SAM.
NOTE: . This part of ISO/IEC 19770 does not endorse any specific source of external models of guidance on SAM and no ISO/IEC endorsement of related products or the sourcing organizations is implied. [A standard form of references for the above section may be added, consistent with that in intro to Appendix C]
These various capability or maturity models utilize two different methodologies in their assessment process. The most common methodology is based on assessing each individual process based on its ability to achieve its prescribed objectives or outcomes. The other methodology, which is used by both Microsoft’s SOM and IAITAM’s 360 Assessment models, is based on grouping like processes and then assessing these groups based on the ability to achieve prescribed objectives or outcomes. In addition, the CobiT and BPMM models could easily accommodate the grouping methodology around recognized business and IT goals.
Below is a brief overview of the more common capability or maturity models in the environment.
E.2.2 ISO/IEC 15504/33000
ISO/IEC 15504 series is currently in revision to become the 33000 series. The ISO/IEC 15504 series not only provides an introduction to the concepts of process assessment, it also provides an assessment framework and some exemplar process assessment models. ISO/IEC 15504 utilizes the following 6 levels when evaluating the effectiveness of a process:
0 - Incomplete process: The process is not implemented, or fails to achieve its process purpose. At this level there is little or no evidence of any systematic achievement of the process purpose.
1 - Performed process: The implemented process achieves its process purpose.
2 - Managed process: The previously described Performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.
3 - Established process: The previously described Managed process is now implemented using a defined process that is capable of achieving its process outcomes.
4 - Predictable process: The previously described Established process now operates within defined limits to achieve its process outcomes.
5 - Optimizing process: The previously described Predictable process is continuously improved to meet relevant current and projected business goals.
E.2.3 CobiT™
(See alsoa) Further information on CobiT Selected Mappings.) CobiT’s process model subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. CobiT utilizes the following 6 levels when evaluating the effectiveness of a process:
0 - Non-existent: Complete lack of any recognisable processes. The enterprise has not even recognised that there is an issue to be addressed.
1 - Initial/Ad Hoc: There is evidence that the enterprise has recognised that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but Intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardised and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 - Managed and Measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way. 5 - Optimised: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
E.2.4 BPPM maturity model
BPMM’s maturity model is based on CMMI model principles. While BPMM covers a broad range of domains utilizing 30 process areas, it can be extended to cover a specific domain in more detail. BPMM utilizes the following 5 levels when evaluating the effectiveness of a process:
1 - Initial or “Fire-fighting management”: There are no specific objectives. Success in these organizations depends on the competence and heroics of the people in the organization and not on the use of proven processes.
2 - Managed or “Work unit management”: The objective is to create a management foundation within each work unit or project.
3 – Standardized or “Process management”: The objective is to establish and use a common organizational process infrastructure and associated process assets to achieve consistency in how work is performed to provide the organization’s products and services.
4 – Predictable or “Capability management”: The objective is to manage and exploit the capability of the organizational process infrastructure and associated process assets to achieve predictable results with controlled variation
5 - Innovating or “Change management”: The objective is to continuously improve the organization’s processes and the resulting products and services through defect and problem prevention, continuous capability, and planned innovative improvements.
E.2.5 Microsoft SAM Optimization Model
Microsoft’s SAM Optimization Model (SOM) grouped the 27 processes identified in ISO/IEC 19770-1 into 6 categories then identified 10 key competencies to measure. Microsoft believes these 10 competencies focus on what organizations need to follow to implement an effective SAM program. The SOM utilizes the following 4 levels when evaluating the effectiveness of a competency:
:
Basic SAM - “Ad Hoc”: Little control over what IT assets are being used and where. Lacks policies, procedures, resources, and tools.
Standardized SAM — “Tracking Assets”: SAM processes exist as well as tool/data repository. Information may not be complete and accurate and typically not used for decision making.
Rationalized SAM — “Active Management”: Vision, policies, procedures, and tools are used to manage the IT S/W asset lifecycle. Reliable information used to manage the assets to business targets.
Dynamic SAM — “Optimized”: Near real-time alignment with changing business needs. Business competitive advantage through SAM.
E.2.6 IAITAM 360 assessment model
(See also Annex C.) IAITAM’s 360 Assessment model is based on the 12 Key Process Areas (KPAs) identified in the IAITAM Best Practice Library (IBPL). IAITAM groups the various processes into the 12 KPAs for assessment and utilizes the following 5 levels when evaluating the effectiveness of a process:
Ad hoc: No processes are defined; functions and policies exist only in silos; Internal communication is at minimum; Reactive instead of proactive actions; Compliance risk exists; Productivity is minimized; and Value is minimized.
Repeatable: Major processes are being repeated throughout the organization; Processes are beginning to show financial successes; Processes are beginning to be defined and repeatable, yet still function independently; Policies are defined and executed; Procedures are established; Interdependencies are at a minimum; Alignment with business needs are at a minimum; Roles are emerging; and Executive buy in is achieved
Alignment: Major processes are well defined and interaction with other processes and KPAs is clearly understood; Efficiencies exist within the program but are not yet maximized; Interdependencies exist but are not yet maximized; ITAM Program is beginning to function as a core competency; Communication effectiveness is maximized throughout the organization; Compliance risks are markedly reduced; and Roles are defined and executed.
Strategic: Process performance is optimized as is the interaction between processes and KPAs; Proactive decision making is becoming a standard action; Roles are functioning toward a common goal; Projects are planned according to needs; Business goals are being achieved; Program is aligned with business needs and goals; and Organizational buy in is achieved.
Adaptive Valuation: Process outcomes are predictable; Process outcomes are adjustable as necessary; Program is functioning as a core competency within the organization; and Compliance risks are understood or eliminated.
E.2.7 SAM Consortium (SAMC) maturity model
(See also Annex C.) SAMC’s maturity model is based on their Software Asset Management Standards document which defines 13 managerial domains on how organizations might conduct SAM. This maturity model utilizes the following 6 levels when evaluating the effectiveness of a process:
Level 0 - Incomplete: Management is not implemented at all. This is the lowest evaluation (maturity level). Level 1 - Initial/Ad Hoc: Management is not organized, and is implemented dependent upon responsible persons and other individuals.
Level 2 - Repeatable: An organizational system exists in part, and continuous management is implemented.
Level 3 - Defined: Policies and regulations across the organization and management systems are appropriately prescribed, and contain no serious flaws.
Level 4 - Managed: Implementation of management in accordance with the prescribed policies, regulations and management systems is monitored.
Level 5 - Optimized: SAM is reviewed on an as-needed and periodical basis in order to implement optimal management to reflect the changing environment surrounding SAM. This is the highest evaluation (maturity level).