Integrating the best practices of IT management using the Brazilian rhythm.

Like Samba, an unprecedented event in the world

Celso Monastero, Joel Mana Gonalves
PRODESP Cia. De Processamento de Dados do Estado de So Paulo, Rua Agueda Gonalves, 240 06760-900 Taboo da Serra, Brazil cmonastero@sp.gov.br, joelmana@sp.gov.br

Abstract. The abstract should summarize the contents of the paper and should contain at least 70 and at most 150 words. It should be set in 9-point font size and should be inset 1.0 cm from the right and left margins. There should be two blank (10-point) lines before and after the abstract. This document is in the required format. Keywords: We would like to encourage you to list your keywords in this section.

Introduction

In recent years, the concept of management in emerging countries is now seen as a way to reach, quickly and efficiently, an open market to new entrants. Inside this trend, Brazilian companies have been seeking, under the best management practices, how to maximize this potential. The number of companies that have certified some system management grew more than 30% from 2004 to 2010, from 6,420 to more than 10,000, according INMETRO National Institute of Weights and Measures in Brazil, creating a critical mass of management expertise that has been translated into significant business results, calling the attention of the international corporate world and reflected in bulky source of revenue already in the house of billions of dollars in a year. From that perspective, have developed sui generis conditions in Brazil to create models that meet the specific needs of the expanding market with own characteristics of strategic management. The current optimism about the future of the countr and the growth of foreign markets has generated steady increase in productivity and entrepreneurial activities, which combined with an improvement in the conditions of education of the population generates an management environment extremely creative.. This creates, in the country, confidence in ability to perform, in this environment that can germinate the idea of integration, whose implementation presented here, and its materialisation through the tetrahedron model of IT Management that we present.

Required more and more efficiency on the items availability, confidentiality and integrity, the Data Center have been forced to adapt quickly to new technologies, many of them disruptive, that characterize the contemporary market. From that perspective, the adoption of best practices worldwide IT management in an integrated strategic advantage shown for the Data Center to carry out government services at the same levels of more advanced centers for technology in the world to meet the governments of an increasingly professional and citizen with increasing effectiveness.

The Process of Integration of the Management Systems of Quality, Information Security and IT Services in Prodesp

Prodesp, the largest information technology services Company to government1 and third into the segment in the private sector2 has since 2002 invested in certificates management processes in order to professionalize and promote the concept of process management throughout the production area and services. In 2003 evolved into the ISO 9001:2000 version and in 2009 for the 2008 version. Since 2003, annually, thr quality management system was having extensions of scope, in 2004, 90% of areas subject to Board of Production and Services, in 2005 encompassed the Ombudsman in 2006, the Office of Projects and Infrastructure of the Social Inclusion Program called Acessa So Paulo, in 2007, 100% of the areas subject to Board of Production and Services, 100% of the areas of the Superintendent of Technology and in 2009 the Superintendency of New Projects - Monitoring and Study of Indicators of the Citizen Aid Program called Poupatempo (translating we have Safe time). During these eight years, we achieved certification of the Management System of Information Security ISO 27001, in 2005 and in 2008, the Certification in Management System IT Service in ISO 20000, both with very supportive of the structure of ISO 9001. Realizing that interaction, was started in 2009, the new process of integration of Quality Management Systems, Information Security Management and IT Services that was based on a solid theoretical and practical construction. The certifications were mingling naturally over time allowed see that some attitudes in muto contribuirna oara viewing the possibility of the contract. The certifications were mingling naturally and, with the passage of time, allowed to glimpse some attitudes that have contributed to the final result. The concept of certifying systems had turned clear to Prodesp a definition of the Quality Policy Business, Information Security and IT services in a complementary way, creating operational processes fully interconnected, maintaining records cataloged, performance evaluation processes through indicators, dealing with complaints from customers and security incidents, continued improvement in workforce and employee involvement in the processes. It was with this scenario than in Prodesp more specifically on the Board of production and services, has implemented a strategic management practices since 2002.

Living thus with the most modern concepts of IT management, coupled with heavy investments in infrastructure that contributed to its own modernization, which is essential to meet the developmental trend that permeated the state government of Sao Paulo. It was in this light on the evolution of IT management practices that Prodesp threw himself in the job of integrating the three standards ISO conquered.

Integration

The Integrated Quality Management, Security and IT services, described in this paper, is based on the standards ISO 9001:2000, ISO 27001:2005 and ISO/IEC 20000:2005 and its integration is based on standard Publicly Available Specification -- PAS 99 Integrated Management Systems. The implementation of joint activities practiced in the various management levels, that this study intends to demonstrate, has ensured the advice of our customers and build an Integrated Management System Quality, Information Security and IT services in line with the objectives outlined in the administration detailed in the strategic vision and mission of the company, reviewed by the current Board. It was noticeable the developments in understanding the process and the concepts between the internal audit in April and external audit in July. Since the internal audit with the interaction of the rules, went through a process of unification of the 3 main manuals into one document named Manual of Management Integrated System, which has proved to be strategic in the best view of the concept of integration. The procedures related to planning, data analysis, auditing and corrective actions were reviewed and their content appropriate to the concept of integration of standards. This condensation of information contributed to a reduction in the number of documents and greatly facilitated its management. External audits have created a level of maturity that enables us to overcome the challenge of integration and achieve certification in the three ISOs in a single event. The Management of Quality System, subject to audit, continued to show strength in the practices adopted, having been recorded only two opportunities for improvement without the occurrence of non compliances, reinforcing the consolidation of the process of Board of Production and Services, Superintendent of Technology and Ombudsman, and with the current scope, contributed to the improvement of services provided by certified areas. The Management of Information Security System has been audited and the design of information security within the Board of Production and Services greatly strengthened in both its understanding and applicability with the integration. The Management of IT Services System showing consolidation in the company had a series of processes created and improved in areas certified under ISO reflecting the visibility of services developed in the Board of Production Services to meet growing customer demand. The definition of effective controls, such as the consolidation of the Management of Changes, the classification of performance indicators and the creation of the CSIRT Computer Security Incident Response Team, is creating an integrated

environment for senior management, ensuring alignment with strategic dynamism that has marked the certified areas of the Company and PRODESP as a whole.

Tetrahedron model

Using the high level of entrepreneurial management and preparation of its staff and based on standard PAS99: 2006, Prodesp invested in the spirit of efficiency and innovation in emerging countries, to prospect the market, its customers and suppliers were consulted, it was researched the topic and built a model of integration. The reason of the appearance of the model Tetrahedron Prodesp for Integrated Systems Management Group was based on the perception that the uniqueness of the project demanded a pedagogical action so the employees of Prodesp internalized the concept and the market could quickly assimilate the model and apply it, contributing to reverse significant gains with the possible resource optimization and differentiation in the international market, generating more visibility and technical opportunities for the IT segment in Brazil. Model TETRAHEDRON PRODESP (Fig. 01) has a strong visual appeal, making palpalvel the integration of standards, facilitating the comprehension of a process

Fig. 1 : Tetrahedron PRODESP of IT Management The ITIL four P : People, Product, Process, Partner

In technical terms adherence to the requirements of PAS99 version 2006 are set out in the theoretical scheme presented in Figure 2 and reference the junction of common procedures for each standard.

Fig.2 : Theoretical Model f the integration of the IT standardization In the scheme, each requirement has come from groups of procedures of the standards in integration. Procedures for corrective actions and management metrics for data analysis have become more efficient, given the three systems in a unified manner. Forms, document classification and amplifies the concept of impact analysis and risk were other gains from the initiative of integration. Finally, three books have been unified into a manual of the Iintegrated IT Management consists of a chapter dedicated to the process integration and three partitions translating the concepts belonging to each of the three ISOs.

Integrated Measurement

It is proposed as a factor in measuring the performance of the IT Integrated Management System , using a system based on concept of Balanced Scorecard which involves the construction of a book of detailed metrics.

Fig.3 : Indicators measurement table Using a meeting of indicators, of the three original management systems, it was created a grid of indicators (fig 3) containing assessment methods, goals and level of impact. Every six months, to reassess these levels of impact and comes up to a factor that weights for system objectives percentage of income, allowing explicit audit in which the trend and prospect of work to be developed in the maintenance of the Integrated System (fig.04 )

Fig.4 : Performance Indicator Management System IT

Conclusion

The benefits of the processes can be summarized in 5 basis points 1. Improving the focus on the business; 2. Holistic approach to the management of business risks; 3. Less conflict between systems; 4. Reduced duplication and bureaucracy; 5. Greater effectiveness and efficiency in internal and external audits The model we present has learned the way of those of developed countries, but also has the feel of modernity is expected that Brazil materialize in the coming years, innovating with a conformation own expertise with Brazilian rhythms.