Beginners notes
Foundation in ITIL Service Management

This document is a “Bonus” for Six Sigma Management Kit owners.

The Office of Government Commerce in the United Kingdom owns the ITIL content. However, the use of ITIL processes is permitted and encouraged. More information on ITIL can be found at www.itil.co.uk.

The Art of Service (owners of this document) have a licensing arrangement in place with Ovitz Taylor Gates that permits the supply of this document with the Six Sigma Management Kit.

The full ITIL toolkit can be purchased by visiting www.itil-toolkit.com. e-Learning courses: www.itsm-learning.com.

The Art of Service supports the purchase of further material supplied by The Stationery Office (a commercial outlet for Her Majesty’s Stationery Office, HMSO). Such material can be purchased by visiting www.itsmdirect.com.

This document has been modified slightly.

Table of Contents
1 Table of Contents
2 Start Here
3 Foundation Certificate in IT Service Management
3.1 EXIN Exam requirements specifications

The candidate is able to indicate the importance of a methodical and systematic approach to information technology service:
- for users and customers of IT Service
- for suppliers of IT Service

The Service Management processes and the interfaces between them

The candidate has understanding of the Service Management processes and the interfaces between them. The candidate is able to:
- Mention the benefits of the Service Management processes for an organisation
- Distinguish between ITIL processes and organisational units
- Indicate which elements are needed for the ITIL processes

IT Service Management

Introduction into IT Service Management

Most organisations now understand the benefits of having Information Technology (IT) throughout their corporate structure.
Few realise the potential of truly aligning the IT department’s objectives with the business objectives.
More and more organisations start to recognize IT as being crucial to the service delivery to their customers. When the IT services are crucial to the organisation, you need to be absolutely positive that the IT group adds value and delivers consistent services. With this in mind as the ultimate goal for the IT organisation, we should look at the organisation’s objectives. To achieve these overarching, organisational objectives, the organisation has business processes in place.
These business processes can be anything: sales, admin support, financial processes, etc. Information systems and technology are fundamental requirements for providing the capability for the organisation to achieve these business objectives, by enabling the activities to be carried out in an effective and efficient manner.

Implementing ITIL Service Management

Introduction

ITIL Service Management is something that impacts the entire IT organisation.
Implementing end-to-end processes can have a big impact on the way things are done and can initiate a lot of uncertainty and resistance with staff.
For these reasons, it is important to implement ITIL Service Management with a step-by-step approach that takes things slowly but steadily. Developing ITIL processes is a fairly easy job to do; making sure everybody understands the processes and uses them is more difficult and requires serious planning. It is advisable to use a project management approach to ITIL Service Management implementation and stay focused on the end result.

Cultural change

10% of the implementation project will be about process design and the more instrumental things in organisational change; 90% will be about cultural change and personal motivation of staff to use the end-to-end processes as the better way to do business. People (YOU!) will feel vulnerable and out of control, the perfect breeding ground for resistance: know that it is coming and work with it. The most important thing in this stage of the ITIL implementation is to keep the focus on the reason why your organisation needs ITIL Service Management in the first place.

Some of the do’s and don’ts

Basic concepts

Security Management comes under the umbrella of Information Security, which aims to ensure the safety of information.
Safety refers to not being vulnerable to known risks, and avoiding unknown risks where possible.
The tool to provide this is security.
The aim is to protect the value of the information.
This value depends on confidentiality, integrity and availability.
- Confidentiality: protecting information against unauthorised access and use.
- Integrity: accuracy, completeness and timeliness of the information.
- Availability: the information should be accessible at any agreed time. This depends on the continuity provided by the information processing systems.

Secondary aspects include privacy (confidentiality and integrity of information relating to individuals), anonymity, and verifiability (being able to verify that the information is used correctly and that the security measures are effective).

Objectives

In recent decades, almost all businesses have become more dependent on information systems.
The use of computer networks has also grown, not only within businesses but also between them, and between businesses and the world outside.
The increasing complexity of IT infrastructure means that businesses are now more vulnerable to technical failures, human error, intentional human acts, hackers and crackers, computer viruses, etc.
This growing complexity requires a unified management approach.
Security Management has important ties with other processes.
Other ITIL processes, under the supervision of Security Management, carry out some security activities. Security Management has two objectives:
- To meet the security requirements of the SLAs and other external requirements further to contracts, legislation and externally imposed policies.
- To provide a basic level of security, independent of external requirements.

Security Management is essential to maintaining the uninterrupted operation of the IT organisation. It also helps to simplify Information Security Service Level Management, as it is much more difficult to manage a large number of different SLAs than a limited number. The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements.
The process also receives information about relevant security issues in other processes, such as security incidents.
The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning.

At present, many organisations deal with Information Security at the strategic level in information policy and information plans, and at the operational level by purchasing tools and other security products.
Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change.
The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.

Benefits

Information Security is not a goal in itself; it aims to serve the interests of the business or organisation.
Some information and information services will be more important to the organisation than others.
Information Security must be appropriate to the importance of the information.
Tailor-made security is developed by striking a balance between the security measures, the value of the information, and the threats in the processing environment. An effective information supply, with adequate Information Security, is important to an organisation for two reasons:
- Internal reasons: an organisation can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.
- External reasons: the processes in an organisation create products and services, which are made available to the market or society, to meet defined objectives.
An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organisation.
Adequate Information Security is an important condition for having an adequate information supply.
The external significance of Information Security is therefore determined in part by the internal significance.
Security can provide significant added value to an information system.
Effective security contributes to the continuity of the organisation and helps to meet its objectives.

Process

Organisations and their information systems change.
Checklists such as the Code of Practice for Information Security Management are static and insufficiently address rapid changes in IT.
For this reason, Security Management activities must be reviewed continuously to ensure their effectiveness.
Security Management amounts to a never-ending cycle of plan, do, check, and act.
The activities undertaken by Security Management, or undertaken in other processes under the control of Security Management are discussed below.
Figure 21 shows the Security Management cycle.
The customer’s requirements appear at the top right, as input to the process.
The security section of the Service Level Agreement defines these requirements in terms of the security services and the level of security to be provided. The service provider communicates these agreements to his organisation in the form of a Security Plan, defining the security standards or Operational Level Agreements.
This plan is implemented, and the implementation is evaluated.
The plan and its implementation are then updated.
Service Level Management reports about these activities to the customer.
Thus, the customer and the service provider together form a complete cyclical process.
The customer can modify his requirements on the basis of the reports.
And the service provider can adjust the plan or its implementation on the basis of these observations, or aim to change the agreements defined in the SLA.
The control function appears in the middle of Figure 21.
This diagram will now be used to discuss the Security Management activities.

Figure 23: Security Management Cycle

Relationships with other processes

Security Management has links with the other ITIL processes.
This is because the other processes undertake security-related activities.
These activities are carried out in the normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the security-related activities to the other processes.
Normally, these agreements are defined after consultation between the Security Manager and the other process managers.

Configuration Management

In the context of Information Security, Configuration Management is primarily relevant because it can classify Configuration Items.
This classification links the CI with specified security measures or procedures. The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA.
The customer of the IT organisation determines the classification, as only the customer can decide how important the information or information systems are to the business processes.
The customer bases the classification on an analysis of the extent to which the business processes depend on the information systems and the information.
The IT organisation then associates the classification with the relevant CIs.
The IT organisation must also implement this set of security measures for each classification level.
These sets of measures can be described in procedures.
Example: ‘Procedure for handling storage media with personal data’.
The SLA can define the sets of security measures for each classification level.
The classification system should always be tailored to the customer’s organisation.
However, to simplify management it is advisable to aim for one unified classification system, even when the IT organisation has more than one customer. In summary, classification is a key issue.
The CMDB should indicate the classification of each CI.
This classification links the CI with the relevant set of security measures or procedure.

Incident Management

Incident Management is an important process for reporting security incidents.
Depending on the nature of the incident, security incidents may be covered by a different procedure than other Incidents.
It is therefore essential that Incident Management recognise security incidents as such.
Any Incident that may interfere with achieving the SLA security requirements is classified as a security incident.
It is useful to include a description in the SLA of the type of Incidents to be considered as security incidents.
An Incident that interferes with achieving the basic internal security level (baseline) is also always classified as a security incident.
Incident reports are generated not only by users, but also by the management process, possibly on the basis of alarms or audit data from the systems.
It is clearly essential that Incident Management recognise all security incidents.
This is to ensure that the appropriate procedures are initiated for dealing with security incidents.
It is advisable to include the procedures for different types of security incidents in the SLA plans and to practice the procedure.
It is also advisable to agree a procedure for communicating about security incidents.
It is not unusual for panic to be created by rumours blown out of proportion. Similarly, it is not unusual for damage to result from a failure to communicate in time about security incidents.
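The Configuration Management section above describes a CMDB classification that ties each CI to a set of security measures, and the Incident Management section describes the rule that an Incident interfering with an SLA security requirement or with the internal baseline is a security incident and follows its own procedure. The following Python model is an added example and is not part of the ITIL document or of any product it mentions; the CI names, the three-point level scale, the measure sets, the baseline categories, the routing table and the incident records are all constructed for illustration.

```python
"""Added example (not from the ITIL document): CMDB classification linking CIs
to security measures, and recognition of security incidents from that
classification plus the internal security baseline. All data is constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Classification level for one aspect (constructed three-point scale)."""
    LOW = 1      # no SLA-specific requirement beyond the baseline
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Classification:
    """Required confidentiality, integrity and availability of a CI, set by the customer."""
    confidentiality: Level
    integrity: Level
    availability: Level

    def level(self, aspect):
        return getattr(self, aspect)


ASPECTS = ("confidentiality", "integrity", "availability")

# Constructed CMDB extract: CI name -> classification chosen by the customer.
CMDB = {
    "hr-db": Classification(Level.HIGH, Level.HIGH, Level.MEDIUM),
    "intranet-web": Classification(Level.LOW, Level.MEDIUM, Level.MEDIUM),
    "test-jumpbox": Classification(Level.LOW, Level.LOW, Level.LOW),
}

# Constructed: set of measures / procedures tied to each (aspect, level) pair.
MEASURE_SETS = {
    ("confidentiality", Level.HIGH): {"Procedure for handling storage media with personal data", "disk encryption"},
    ("confidentiality", Level.MEDIUM): {"role-based access control"},
    ("integrity", Level.HIGH): {"change approval by two people", "file integrity monitoring"},
    ("integrity", Level.MEDIUM): {"change approval"},
    ("availability", Level.HIGH): {"clustering", "tested restore"},
    ("availability", Level.MEDIUM): {"daily backup"},
}

# Constructed: incident categories that always breach the internal baseline,
# whatever the classification of the CI involved.
BASELINE_BREACHES = {"unauthorised access", "malware", "lost media"}


def required_measures(ci):
    """Union of the measure sets for the CI's classification (LOW adds nothing)."""
    cls = CMDB[ci]
    measures = set()
    for aspect in ASPECTS:
        measures |= MEASURE_SETS.get((aspect, cls.level(aspect)), set())
    return measures


@dataclass(frozen=True)
class Incident:
    ident: str
    ci: str
    category: str
    affected: frozenset  # aspects the incident may interfere with
    source: str          # "user" or "monitoring" (alarm / audit data)


def classify(incident):
    """Return (is_security_incident, reason) using the two rules from the text."""
    if incident.category in BASELINE_BREACHES:
        return True, f"breaches security baseline ({incident.category})"
    cls = CMDB[incident.ci]
    hit = sorted(a for a in incident.affected if cls.level(a) >= Level.MEDIUM)
    if hit:
        return True, f"interferes with SLA requirement on {', '.join(hit)} of {incident.ci}"
    return False, "ordinary incident"


def route(incident):
    """Procedure to start and owner of external communication for one incident."""
    is_sec, reason = classify(incident)
    if is_sec:
        return {"procedure": "security incident procedure",
                "external_comms": "Security Manager", "reason": reason}
    return {"procedure": "standard incident procedure",
            "external_comms": "Service Desk", "reason": reason}


# Constructed incident reports, from users and from monitoring alarms.
INCIDENTS = [
    Incident("INC-1", "hr-db", "disk full", frozenset({"availability"}), "monitoring"),
    Incident("INC-2", "test-jumpbox", "disk full", frozenset({"availability"}), "user"),
    Incident("INC-3", "test-jumpbox", "unauthorised access", frozenset({"confidentiality"}), "monitoring"),
    Incident("INC-4", "intranet-web", "typo on page", frozenset(), "user"),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.ident, route(inc))
```

Running the script prints the routing decision for each constructed incident. The point to notice is that INC-1 and INC-2 are the same kind of fault, yet only the one on the classified CI is a security incident, while INC-3 on the unclassified jump box is a security incident purely because it breaches the baseline.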
It is advisable to route all external communications related to security incidents through the Security Manager.

Problem Management

Problem Management is responsible for identifying and solving structural security failings.
A Problem may also introduce a security risk.
In that case, Problem Management must involve Security Management in resolving the Problem.
Finally, the solution or workaround for a Problem or Known Error must always be checked to ensure that it does not introduce new security problems.
This verification should be based on compliance with the SLA and internal security requirements.

Availability Management

Availability Management addresses the technical availability of IT components in relation to the availability of the service.
The quality of availability is assured by continuity, maintainability and resilience.
Availability Management is the most important process related to availability.
As many security measures benefit both availability and the security aspects confidentiality and integrity, effective coordination of the measures between Availability Management, IT Service Continuity Management, and Security Management is essential.

Capacity Management

Capacity Management is responsible for the best possible use of IT resources, as agreed with the customer.
The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management.
Almost all Capacity Management activities affect availability and therefore also Security Management.

IT Service Continuity Management

IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer.
Contingencies need not necessarily turn into disasters.
The major activities are defining, maintaining, implementing, and testing the contingency plan, and taking preventive action.
Because of the security aspects, there are ties with Security Management.
On the other hand, failure to fulfil the basic security requirements may itself be considered a contingency.

Security section of the Service Level Agreement

The Service Level Agreement (SLA) defines the agreements with the customer.
The Service Level Management process is responsible for the SLA (see also Chapter 11).
The SLA is the most important driver for all ITIL processes.
The IT organisation indicates to what extent the requirements of the SLA are achieved, including security requirements.
The security elements addressed in the SLA should correspond to the security needs of the customer.
The customer should identify the significance of all business processes.
These business processes depend on IT services, and therefore on the IT organisation.
The customer determines the security requirements on the basis of a risk analysis.
The security elements are discussed between the representative of the customer and the representative of the service provider.
The service provider compares the customer’s Service Level Requirements with their own Service Catalogue, which describes their standard security measures (the Security Baseline).
The customer may have additional requirements.
The customer and provider compare the Service Level Requirements and the Service Catalogue.
The security section of the SLA can address issues such as the general Information Security policy, a list of authorised personnel, asset protection procedures, restrictions on copying data, etc.

The security section of the Operational Level Agreement

The Operational Level Agreement is another important document.
It describes the services provided by the service provider.
The provider must associate these agreements with responsibilities within the organisation.
The Service Catalogue gives a general description of the services.
The Operational Level Agreement translates these general descriptions into all services and their components, and the way in which the agreements about the service levels are assured within the organisation.

Example: the Service Catalogue refers to ‘managing authorisations per user and per individual’.
The Operational Level Agreement details this for all relevant services provided by the IT organisation.
In this way, the implementation of the measure is defined for the departments providing UNIX, VMS, NT, Oracle services, etc.
Where possible, the customer’s Service Level Requirements are interpreted in terms of the provider’s Service Catalogue, and additional agreements are concluded where necessary.
Such additional measures exceed the standard security level.
When drafting the SLA, measurable Key Performance Indicators (KPI) and criteria must also be agreed for Security Management.
KPIs are measurable parameters (metrics), and performance criteria are set at achievable levels.
In some cases it will be difficult to agree on measurable security parameters.
This is easier for availability, which can generally be expressed numerically.
However, this is much more difficult for integrity and confidentiality.
For this reason, the security section of the SLA normally describes the required measures in abstract terms.
The Code of Practice for Information Security Management is used as a basic set of security measures.
The SLA also describes how performance is measured.
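The paragraph above notes that availability is the security KPI most easily expressed numerically. As an added example, not taken from the ITIL document, the following Python script computes that KPI: it sums constructed outage records per service over a reporting period (clipping outages that straddle the period boundary), compares the achieved percentage with the SLA target, and produces the achieved-versus-agreed rows with exception flags that Service Level Management would report to the customer. Service names, targets, the period and the outages are all constructed.

```python
"""Added example: availability KPI for the security section of an SLA.
Not from the ITIL document; services, targets, period and outages are constructed."""
from datetime import datetime

# Constructed reporting period (end is exclusive): 30 days = 43,200 minutes.
PERIOD_START = datetime(2024, 9, 1)
PERIOD_END = datetime(2024, 10, 1)

# Constructed SLA security section: agreed availability percentage per service.
SLA_AVAILABILITY = {"hr-db": 99.5, "intranet-web": 99.0}

# Constructed outage records as (service, start, end). The first intranet-web
# outage starts before the period, so only the part inside the period counts.
OUTAGES = [
    ("hr-db", datetime(2024, 9, 3, 9, 0), datetime(2024, 9, 3, 11, 0)),
    ("hr-db", datetime(2024, 9, 20, 22, 0), datetime(2024, 9, 21, 1, 30)),
    ("intranet-web", datetime(2024, 8, 31, 23, 0), datetime(2024, 9, 1, 0, 30)),
    ("intranet-web", datetime(2024, 9, 15, 0, 0), datetime(2024, 9, 15, 6, 0)),
]


def downtime_minutes(service, outages, start, end):
    """Minutes of outage for one service, counting only time inside [start, end)."""
    total = 0.0
    for svc, o_start, o_end in outages:
        if svc != service:
            continue
        clipped_start = max(o_start, start)
        clipped_end = min(o_end, end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).total_seconds() / 60
    return total


def availability_pct(service, outages, start, end):
    """Achieved availability over the period, as a percentage with two decimals."""
    period = (end - start).total_seconds() / 60
    down = downtime_minutes(service, outages, start, end)
    return round((period - down) / period * 100, 2)


def sla_report(sla, outages, start, end):
    """One row per service: agreed target, achieved value and whether the agreed
    level was met. Rows marked EXCEPTION form the exception report."""
    rows = []
    for service, target in sla.items():
        achieved = availability_pct(service, outages, start, end)
        rows.append({
            "service": service,
            "target_pct": target,
            "achieved_pct": achieved,
            "downtime_min": downtime_minutes(service, outages, start, end),
            "status": "met" if achieved >= target else "EXCEPTION",
        })
    return rows


def exceptions(report):
    """Names of the services that missed their agreed level."""
    return [row["service"] for row in report if row["status"] == "EXCEPTION"]


if __name__ == "__main__":
    report = sla_report(SLA_AVAILABILITY, OUTAGES, PERIOD_START, PERIOD_END)
    for row in report:
        print(f"{row['service']:13} target {row['target_pct']:5.2f}%  "
              f"achieved {row['achieved_pct']:5.2f}%  "
              f"downtime {row['downtime_min']:.0f} min  {row['status']}")
    print("exception report:", exceptions(report))
```

With the constructed data, hr-db loses 330 minutes in the month and falls below its 99.5% target, so it appears in the exception report, while intranet-web loses 390 minutes but still meets its lower 99.0% target: the same downtime figure means something different for each service because the agreed level, not the raw number, is the criterion.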
The IT organisation (service provider) must regularly provide reports to the user organisation (customer).

EXTRA READING

Central Command Releases Its Annual Computer Security Survey Results for 2002

Virus protection concerns continue to increase among P2P users; Cyber-warfare likely according to respondents

MEDINA, Ohio, September 24, 2002 – Central Command, Inc., a leading provider of PC anti-virus software and computer security services, announced today the findings of its annual security survey.
The survey, reflecting up-to-date industry trends, was e-mailed to 943,026 PC users worldwide and explored individuals’ computer security settings and behaviours with known computer security vulnerabilities.
With a 7% response rate, the survey provides valuable insight on the constant battle with computer viruses.

Control – Information Security policy and organisation

The Control activity in the centre of Figure 21 is the first sub process of Security Management and relates to the organisation and management of the process.
This includes the Information Security management framework.
This framework describes the sub processes: the definition of security plans, their implementation, evaluation of the implementation, and incorporation of the evaluation in the annual security plans (action plans).
The reports provided to the customer, via Service Level Management, are also addressed.
This activity defines the sub processes, security functions, and roles and responsibilities.
It also describes the organisational structure, reporting arrangements, and line of control (who instructs whom, who does what, how the implementation is reported).

The following measures from the Code of Practice are implemented by this activity.

Policy:
- Policy development and implementation, links with other policies.
- Objectives, general principles and significance.
- Description of the sub processes.
- Allocating functions and responsibilities for sub processes.
- Links with other ITIL processes and their management.
- General responsibility of personnel.
- Dealing with security incidents.

Information Security organisation:
- Management framework.
- Management structure (organisational structure).
- Allocation of responsibilities in greater detail.
- Setting up an Information Security Steering Committee.
- Information Security coordination.
- Agreeing tools (e.g. for risk analysis and improving awareness).
- Description of the IT facilities authorisation process, in consultation with the customer.
- Specialist advice.
- Cooperation between organisations, internal and external communications.
- Independent EDP audit.
- Security principles for access by third parties.