Beginner’s notes
Foundation in ITIL Service Management

Table of Contents

1 Start Here
2 Foundation Certificate in IT Service Management
2.1 EXIN Exams
2.1.1 The importance of IT Service Management
2.1.2 Service Management processes
2.1.3 The ITIL management model
2.1.4 Basic concepts of ITIL
2.2 Course Material
3 IT Service Management
3.1 Introduction to IT Service Management
3.2 ITIL Service Management
3.2.1 Business Alignment
3.2.2 Processes
3.2.3 Processes, Services and Functions
4 ITIL Overview
4.1.1 History of ITIL
5 Implementing ITIL Service Management
5.1 Introduction
5.2 Cultural change
5.3 Implementation Checklist
6 ITIL Service Management Processes
6.1 Service Delivery Set
6.1.1 Service Level Management
6.1.2 Financial Management for IT Services
6.1.3 Availability Management
6.1.4 Capacity Management
6.1.5 IT Service Continuity Management
6.2 Service Support Set
6.2.1 Service Desk
6.2.2 Incident Management
6.2.3 Problem Management
6.2.4 Change Management
6.2.5 Release Management
6.2.6 Configuration Management
7 Security Management
—
7.6 Points of Attention and costs
7.6.1 Points of attention
7.6.2 Costs
8 IT Service Management Tools
8.1.1 Type of tools
8.1.2 The Cost of a Tool

Start Here

This document is designed to answer many of the questions about IT Service Management and the ITIL Framework. The document has evolved over many years and offers the reader the chance to quickly learn through reading and re-reading a lot of the theory behind ITIL (IT Infrastructure Library).
It provides answers, but it will also raise some questions for the reader. It is a beginner’s document.
It tells stories.

A pre-requisite for reading this document is that you have worked through the 12 Fact Sheets and understand the core of each ITIL Process.

Foundation Certificate in IT Service Management

Welcome to what may be your starting point on your education path for IT Service Management and the ITIL Framework. You are going to learn that ITIL not only provides you with an easy-to-understand set of IT Management processes, it also gives you the option to be recognised through a variety of qualification exams. This document is provided to you as a research tool and summary of the ITIL Processes. Many questions about ITIL are answered in this document.

EXIN Exams

EXIN are one of the global testing bodies authorised to set and mark questions to test knowledge in the area of IT Service Management and the ITIL Framework. The large majority of people who take this Foundations course are interested in also sitting for the ITIL Foundation Certificate.
Once the ITIL Foundation certificate has been passed the participant can elect to undertake studies in a specific process area (ITIL Practitioner) or studies regarding the challenges regarding implementation and adoption of ITIL (ITIL Managers). The following sections discuss the knowledge required by those wishing to pass the initial Foundation exam.
This knowledge is gained during the ITIL Foundation course with The Art of Service.

The importance of IT Service Management

The candidate understands the importance of IT Service Management in the IT Infrastructure environment. The candidate is able to discuss the merits of a process driven approach to information technology service provision for both:
- users and customers of IT Services
- suppliers of IT Services.

Service Management processes

The candidate understands Service Management processes and the inter-relationships between them. The candidate is able to:
- Describe the benefits of Service Management processes for an organization
- Distinguish between ITIL processes and organizational functions and business processes
- Indicate the elements that contribute towards ITIL process implementation.

The ITIL management model

Using the following diagram as a guide the exam candidate will be able to:
- Distinguish the objectives, activities and results of the various ITIL processes
- Provide examples of the data/information flows from one process to every other process.

Basic concepts of ITIL

The exam participants will also understand the following terms and concepts (note this is not a comprehensive list, simply an indication):
- Application Sizing
- Financial Management for IT Services
- Request for Change, RFC
- Asset Management
- First Line Support
- Resilience
- Assets
- Forward Schedule of Changes, FSC
- Resource Management
- Audit
- Full Release
- Restoration of Service
- Availability
- Functional Escalation
—
- Release Unit
- Version
- Failure
- Reliability
- Vulnerability
- Fault
- Report
- Work-around

Course Material

The course trainer will typically present the course subject (ITIL IT Service Management) through slides, discussions and exercises.
The exercises are generally based on a case study. The Fact sheets give an overview per process on the goal, activities and results. This syllabus gives some more information on IT Service Management to prepare the course participant for the ITIL Foundation exam.
It provides some additional reading material, internet-links and evidence of ITSM implementations. When provided with the course material the itSMF booklet provides a summarised overview of the ITIL processes with concise descriptions and diagrams.

IT Service Management

Introduction to IT Service Management

Most organisations now understand the benefits of having Information Technology (IT) throughout their structure.
Few realise the potential of truly aligning the IT department’s objectives with the business objectives.
However, more and more organisations are beginning to recognize IT as being a crucial delivery mechanism of services to their customers. When the IT services are so critical, steps must be in place to ensure that the IT group adds value and delivers consistently.

So the starting point for IT Service Management (ITSM) and the ITIL Framework is not technology; it is the organisational objectives. To meet organisational objectives, the organisation has business processes in place. Examples of business processes are the sales, admin and financial departments working together in a “sales process”, or logistics, customer service and freight sharing a “customer returns process”. Each of the units involved in these business processes needs one or more services (e.g.
CRM application, e-mail, word processing, financial tools). Each of these services runs on IT infrastructure.
IT Infrastructure includes hardware, software, procedures, policies, documentation, etc.
This IT Infrastructure has to be managed.
ITIL provides a framework for the management of IT Infrastructure. Proper management of IT Infrastructure will ensure that the services required by the business processes are available, so that the organisational objectives can be met. Historically, these processes delivered products and services to clients in an off-line environment (the ‘brick-and-mortar’ companies).
The IT organisation provides support to the back-office and admin processes.
IT performance is measured internally as the external clients are only indirectly influenced by the IT performance. Today, with online service delivery, the IT component of the service delivery can be much stronger.
The way of delivering the service is IT based and therefore internal and external clients measure the performance of the IT group. Service delivery is more important than a glimpse of brilliance every now and then.
The internal clients (business processes) and external clients need availability of the IT services and to be able to expect a consistent performance.
Consistency comes through the ability to repeat what was done well in the past. IT Service Management is a means to enable the IT group to provide reliable Information Systems to meet the requirements of the business processes, irrespective of the way these services are delivered to the external customers.
This in turn enables the organisation to meet its Business Objectives.

Definition: IT Service Management is the effective and efficient process driven management regarding the quality of IT services, provided to end-users.

ITIL Service Management

Any organisation that delivers IT services to their customers with a goal to support the business processes, needs inherent structure in place.
Historically, that structure was based around functions and technical capabilities.
With the ever-increasing speed of change and the associated need for flexibility a technology driven approach (in most situations) is no longer appropriate. That is why IT organisations are looking for alternatives.
Some alternatives include:
- Total Quality Management (TQM) processes and continuous improvement projects
- COBIT as a control & measurement mechanism
- CMM for control and structure in software (and system) development
- ITIL for operational and tactical management of IT service provision

Which single framework or combination of frameworks is selected depends entirely on the needs of the organisation. For many IT organisations, ITIL is a very good way of managing service delivery and of performing the IT activities in end-to-end processes.

Further research and reading on other models and frameworks: (web sites are active at time of writing – use the search topic on the left in your internet search engine for more information)
- COBIT: http://www.isaca.org/cobit.htm
- CMM: http://www.sei.cmu.edu/cmm/cmm.html
- EFQM: http://www.efqm.org/new_website/
- Six Sigma: http://www.ge.com/sixsigma/
- Deming: http://www.deming.org
- British Standards Institution: http://www.bsi.org.uk
- The Balanced scorecard: http://www.balancedscorecard.org/basics/bsc1.html

Business Alignment

By implementing IT Service Management in your IT organisation you support the IT objectives of delivering services that are required by the business. You can’t do this without aligning the IT strategy with the business strategy. You can’t deliver effective IT services without knowing about the demands, needs and wishes of the customer.
IT Service Management supports the IT organisation to align IT activities and service delivery, with business requirements.

Processes

—

The potential measurement points are at the input, the activities or the output of the process.

The standards (or ‘norms’) for the output of each process have to be defined such that the complete set of processes meets the corporate objectives. If the result of a process meets the defined standard, then the process is effective.
If the activities in the process are also carried out with the minimum required effort and cost, then the process is efficient. The aim of process management is to use planning and control to ensure that processes are effective and efficient.

Processes, Services and Functions

Most businesses are hierarchically organised.
They have departments, which are responsible for a group of employees.
There are various ways of structuring departments, for example by customer, product, region or discipline.
IT services generally depend on several departments, customers or disciplines.
For example, if there is an IT service to provide users with access to an accounting program on a central computer, this will involve several disciplines. To provide the accountancy program service the computer centre has to make the program and associated database accessible.
The data and telecommunications department has to make the computer centre accessible, and the PC support department has to provide users with an interface to access the application. Processes that span several departments can monitor the quality of the service by measuring aspects, such as availability, capacity, cost and stability.
IT Service Management aims to match these quality aspects with the customer’s demands. ITIL provides a concise and commonsense set of processes to help with the management, monitoring and delivery of services.

A process is a logically related series of activities for the benefit of a defined objective.
The following diagram illustrates cross functional process flows. With ITIL we can study each process separately to optimise its quality.
The process manager is responsible for the process results (i.e. is the process effective). The logical combination of activities results in clear transfer points where the quality of processes can be monitored.

The management of the organisation can make decisions about the quality of an ITIL process from data provided by each process.
In most cases, the relevant performance indicators and standards will already be agreed upon.
The day-to-day control of the process can then be left to the process manager.
The process owner will assess the results based on a report of performance indicators and whether they meet the agreed standard. Without clear indicators, it would be difficult for a process owner to determine whether the process is under control or if improvements are required. We have discussed processes and we have positioned services.
We have highlighted the difference between functions and processes.

Functionally structured organisations are characterised by:
- Somewhat fragmented
- Focus on vertical and functional matters
- With many control activities
- Emphasis on high/low people relationships

In functionally driven organisations we may often see:
- Concept of walls or silos; not my responsibility
- A hint of arrogance – “We in IT know what’s good for you.”
- Steering people instead of steering activities
- Communication “because we have to”
- Politically motivated decision making

In contrast, once processes are introduced we often see a change towards:
- Entire task focus
—
- Interdependence of independent persons
- Accessibility of information

This leads to a culture of:
- No boundaries, but interconnections
- Customer focused: what is the added value?
- Steering activities instead of steering people
- Communication because it is useful (fulfilling the needs of the customer)
- Decision making is matching & customising
- IT service provision is a process

ITIL Overview

The IT Infrastructure Library is a set of books with good practice processes on how to manage IT service delivery.
The library consists of many books and CD-ROMs. The core set of material is the following set of seven tightly coupled areas:
- Service Delivery
- Service Support
- Security Management
- The Business Perspective
- Applications Management
- ICT Infrastructure Management
- Planning to implement Service Management

The Service Support, Service Delivery and Security Management components are regarded as the central pillars of the framework. These books cover the processes you will need to deliver customer-focused IT services according to your customers’ needs, demands and wishes. They help the IT group to be flexible and reliable enough to ensure consistent IT Service Delivery.
The other disciplines in the library support these central components.

History of ITIL

During the late 1980’s the CCTA (Central Computer and Telecommunication Agency) in the UK started to work on what is now known as the Information Technology Infrastructure Library (ITIL). Large companies and government agencies in Europe adopted the framework very quickly in the early 1990’s and the ITIL framework has since become known as an industry best practice, for IT Service Management. ITIL has become the de-facto standard in delivering IT Services for all types of organisations.
Both government and non-government organisations benefit from the process driven approach, regardless of the size of the IT department. ITIL is used globally.
ITIL has no geographic boundaries.
It is used extensively throughout Europe, Australia, Canada, USA, United Kingdom and many emerging countries in Asia. In 2000 the British Treasury set up the OGC – Office for Government Commerce – to deal with all commercial activities within the government.
All activities formerly under the control of the CCTA (Central Computer and Telecommunications Agency) were also taken up by the new department.
Even though the CCTA no longer exists, it is noted that they were the original developers of the ITIL framework. In 2001, ITIL version 2 was released.
In this version the Service Support Book and the Service Delivery book were redeveloped into much more concise volumes.

ITIL is a pseudo Public Domain framework.
ITIL is copyright protected.
The ITIL Trademark is owned by the OGC.
However, any organisation can use the intellectual property to implement the processes in their own organisation.
Training, tools and consultancy services support this.
The framework is independent of any of the vendors. EXIN and ISEB are the examination bodies that organise and control the entire certification scheme.
They guarantee that the personal certification is fair and honest and independent from the organisations that delivered the course.
Both bodies accredit training organisations to guarantee a consistent level of quality in course delivery. At the time of writing the only generally recognised certification is awarded to individuals.
There is no independent tool certification or organisational certification. People and organisations that wish to discuss their experiences with ITIL Service Management implementation can become a member of the IT Service Management Forum (itSMF).
The itSMF is a meeting place for users and adopters of ITIL.

Further research and reading on other models and frameworks: (web sites are active at time of writing – use the search topic on the left in your internet search engine for more information)
- ITIL website: www.itil.co.uk
- OGC website: www.ogc.gov.uk
- EXIN: www.exin-exams.com
- ISEB: www.bcs.org.uk
- Vendor sites: www.itsmdirect.com, www.itilcollege.com, www.itsm-learning.com, www.itilsurvival.com, www.itil-itsm-world.com

—

Implementing ITIL Service Management

Introduction

ITIL Service Management is something that impacts the entire IT organisation.
Implementation of end-to-end processes can have a big impact on the way things are done and can initiate a lot of uncertainty and resistance with staff. For these reasons, it is important to implement ITIL Service Management with a step-by-step and steady approach. The following model is an example of such an approach.

Developing ITIL processes is a fairly easy job to do! Making sure everybody understands the processes and uses them is more difficult and requires serious planning. It is advisable to use a project management approach to ITIL Service Management implementation and stay focused on the clearly defined end results. Many different Project Management methodologies exist; the trademark owners of ITIL (the OGC) publish a widely used Project Management methodology called PRINCE2 (Projects in Controlled Environments).

Cultural change

A small percentage of the implementation project will be about process design.
Most of the challenge lies in cultural change and personal motivation of staff to use the end-to-end processes as the better way to do business. Any change leads to feelings of vulnerability and loss of control.
These feelings generally manifest themselves through feelings of resistance.
The most important thing in this stage of the ITIL implementation is to keep the focus on the reason why your organisation needs ITIL Service Management in the first place.

Implementation Checklist

DO:
- Perform a feasibility study first
- Use what is already good in the organization
- Take it slowly and concentrate on small steps and quick wins
- Appoint a strong project manager with end-to-end focus to drive this implementation program
- Keep in mind that you are dealing with personal issues
- Keep communicating WHY your organization needs this
- Measure your successes continuously
- Enjoy the milestones and share them with the IT group

DON’T:
- Try to mature all the processes at the same time
- Start with a tool
- Start without management commitment and/or budget
- ‘ITILISE’ your organization – it’s a philosophy, not an executable application
- Rush; take your time to do it well
- Go on without a reason
- Ignore the positive activities already in place

ITIL Service Management Processes

Service Delivery Set

The following chapters describe in brief the Service Delivery processes.
These processes are generally referred to as “tactical” processes.

Service Level Management

This process provides the contact point between the IT organisation and the customer.
Within the ITIL books, ‘the customer’ is defined as being the person who pays for the services.
It should therefore be someone with decision-making authority, e.g. a business manager.

Service Level Management is the process that ensures that the IT organisation knows what services they can deliver and organises for the IT group and the customer to agree on the levels of service that need to be delivered. It also ensures that the IT group can consistently deliver these services to the customer by ongoing monitoring of the service achievements and reporting these to the customer.

Financial Management for IT Services

When Service Level Management agrees with the customer on Service Levels, it has to be able to know how much money is involved in delivering this service, especially when the cost for IT services is to be charged on to the customer. Financial Management for IT Services allows the IT organisation to clearly articulate the costs of delivering IT Services.

There are 3 fundamental components with this process.
- Budgets
- IT Accounting
—

The ultimate choice of which option to choose is made by the customer as part of the SLA agreements. Price is generally a factor in selecting an appropriate recovery option.

In the current global situation, a structured approach to IT Service Continuity Management has become more and more important.
Business processes rely more and more on IT Services and IT components are more under ‘attack’. Defining the pre-conditions that constitute a disaster is part of the ITSCM process.
Such definitions form an integral part of any Service Level Agreement relating to the provision of services.

Service Support Set

The following chapters describe in brief the Service Support processes.
These processes are generally referred to as “operational” processes.

Service Desk

The business users / end-users need IT services to improve the efficiency of their own business processes.
When they can’t use the IT services, they have trouble achieving their objectives. End-users of services need a single point of contact with the IT organisation. The Service Desk should be the single point of contact for all end-users.
This is where ALL questions, issues and requests are logged and recorded.

The type of Service Desk you need depends on the requirements of your customer base. ITIL defines Service Desk types in terms of skill and structure.

Skill levels:
- Call Centre
- Unskilled Service Desk
- Skilled Service Desk
- Expert Service Desk

Service Desk structures:
- Centralized Service Desk
- Distributed Service Desk
- Virtual Service Desk
- Split Function Service Desk

Incident Management

—

More and more businesses are opening electronic gateways into their business.
This introduces the risk of intrusion.
What risks do we want to cover, and what measures should we take now and in the next budgeting round? Senior Management has to take decisions and these decisions can only be taken if a thorough risk analysis is undertaken.
This analysis should provide input to Security Management to determine the security requirements.
These requirements affect IT service providers and should be laid down in Service Level Agreements.
Security Management aims to ensure that the security aspects of services are provided at the level agreed with the customer at all times.
Security is now an essential quality aspect of management.
Security Management integrates security in the IT organisation from the service provider’s point of view.
The Code of Practice for Information Security Management (BS 7799) provides guidance for the development, introduction and evaluation of security measures.

Basic concepts

Security Management comes under the umbrella of Information Security, which aims to ensure the safety of information.
Safety refers to not being vulnerable to known risks, and avoiding unknown risks where possible.
The tool to provide this is security.
The aim is to protect the value of the information.
This value depends on confidentiality, integrity and availability.
- Confidentiality: protecting information against unauthorized access and use.
- Integrity: accuracy, completeness and timeliness of the information.
- Availability: the information should be accessible at any agreed time. This depends on the continuity provided by the information processing systems.

Secondary aspects include privacy (confidentiality and integrity of information relating to individuals), anonymity, and verifiability (being able to verify that the information is used correctly and that the security measures are effective).

Objectives

In recent decades, almost all businesses have become more dependent on information systems.
The use of computer networks has also grown, not only within businesses but also between them, and between businesses and the world outside.
The increasing complexity of IT infrastructure means that businesses are now more vulnerable to technical failures, human error, intentional human acts, hackers and crackers, computer viruses, etc.
This growing complexity requires a unified management approach.
Security Management has important ties with other processes.
Other ITIL processes, under the supervision of Security Management, carry out some security activities.

Security Management has two objectives:
- To meet the security requirements of the SLAs and other external requirements further to contracts, legislation and externally imposed policies.
- To provide a basic level of security, independent of external requirements.

Security Management is essential to maintaining the uninterrupted operation of the IT organization. It also helps to simplify Information Security Service Level Management, as it is much more difficult to manage a large number of different SLAs than a limited number.

The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements.
The process also receives information about relevant security issues in other processes, such as security incidents.
The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning. At present, many organisations deal with Information Security at the strategic level in information policy and information plans and at the operational level by purchasing tools and other security products.
Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change.
The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.

Benefits

Information Security is not a goal in itself; it aims to serve the interests of the business or organisation.
Some information and information services will be more important to the organisation than others.
Information Security must be appropriate to the importance of the information.
Tailor-made security is developed by striking a balance between the security measures, the value of the information, and the threats in the processing environment.

An effective information supply, with adequate Information Security, is important to an organisation for two reasons:

Internal reasons: an organisation can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.

External reasons: the processes in an organisation create products and services, which are made available to the market or society, to meet defined objectives.
An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organisation.
Adequate Information Security is an important condition for having an adequate information supply.
The external significance of Information Security is therefore determined in part by the internal significance.
Security can provide significant added value to an information system.
Effective security contributes to the continuity of the organisation and helps to meet its objectives.

Process

—

Activities

Control – Information Security policy and organization

The Control activity is the first activity of Security Management and relates to the organisation and management of the process.
This includes the Information Security management framework.
This framework describes the sub processes: the definition of security plans, their implementation, evaluation of the implementation, and incorporation of the evaluation in the annual security plans (action plans).
The reports provided to the customer, via Service Level Management, are also addressed.
This activity defines the sub processes, security functions, and roles and responsibilities.
It also describes the organisational structure, reporting arrangements, and line of control (who instructs who, who does what, how is the implementation reported).

The following measures from the Code of Practice are implemented by this activity.

Policy:
- Policy development and implementation, links with other policies.
- Objectives, general principles and significance.
- Description of the sub processes.
- Allocating functions and responsibilities for sub processes.
- Links with other ITIL processes and their management.
- General responsibility of personnel.
- Dealing with security incidents.

Information Security organization:
- Management framework.
- Management structure (organizational structure).
- Allocation of responsibilities in greater detail.
- Setting up an Information Security Steering Committee.
- Information Security coordination.
- Agreeing tools (e.g. for risk analysis and improving awareness).
- Description of the IT facilities authorization process, in consultation with the customer.
- Specialist advice.
- Cooperation between organizations, internal and external communications.
- Independent EDP audit.
- Security principles for access by third parties.

—

The Evaluation activity
- Reports about the sub process as such.
- Results of audits, reviews, and internal assessments.
- Warnings, identification of new threats.

Specific reports

To report on security incidents defined in the SLA, the service provider must have a direct channel of communication to a customer representative (possibly the Corporate Information Security Officer) through the Service Level Manager, Incident Manager or Security Manager.
A procedure should also be defined for communication in special circumstances. Apart from the exception in the event of special circumstances, reports are communicated through Service Level Management.

Relationships with other processes

Security Management has links with the other ITIL processes.
This is because the other processes undertake security-related activities.
These activities are carried out in the normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the security-related activities to the other processes.
Normally, these agreements are defined after consultation between the Security Manager and the other process managers.

Configuration Management

In the context of Information Security, Configuration Management is primarily relevant because it can classify Configuration Items.
This classification links the CI with specified security measures or procedures. The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA.
The customer of the IT organisation determines the classification, as only the customer can decide how important the information or information systems are to the business processes.
The customer bases the classification on an analysis of the extent to which the business processes depend on the information systems and the information.
The IT organisation then associates the classification with the relevant CIs.
The IT organisation must also implement this set of security measures for each classification level.
These sets of measures can be described in procedures.
Example: ‘Procedure for handling storage media with personal data’.
The SLA can define the sets of security measures for each classification level.
The classification system should always be tailored to the customer’s organisation.
However, to simplify management it is advisable to aim for one unified classification system, even when the IT organisation has more than one customer. In summary, classification is a key issue.
The CMDB should indicate the classification of each CI.
This classification links the CI with the relevant set of security measures or procedure.

Incident Management

Incident Management is an important process for reporting security incidents.
Depending on the nature of the incident, security incidents may be covered by a different procedure than other Incidents.
It is therefore essential that Incident Management recognise security incidents as such.
Any Incident that may interfere with achieving the SLA security requirements is classified as a security incident.
It is useful to include a description in the SLA of the type of Incidents to be considered as security incidents.
An Incident that interferes with achieving the basic internal security level (baseline) is also always classified as a security incident.
Incident reports are generated not only by users, but also by the management process, possibly on the basis of alarms or audit data from the systems.
It is clearly essential that Incident Management recognise all security incidents.
This is to ensure that the appropriate procedures are initiated for dealing with security incidents.
It is advisable to include the procedures for different types of security incidents in the SLA plans and to practice the procedure.
It is also advisable to agree a procedure for communicating about security incidents.
It is not unusual for panic to be created by rumours blown out of proportion. Similarly, it is not unusual for damage to result from a failure to communicate in time about security incidents.
It is advisable to route all external communications related to security incidents through the Security Manager.

Problem Management

Problem Management is responsible for identifying and solving structural security failings.
A Problem may also introduce a security risk.
In that case, Problem Management must involve Security Management in resolving the Problem.
Finally, the solution or workaround for a Problem or Known Error must always be checked to ensure that it does not introduce new security problems.
This verification should be based on compliance with the SLA and internal security requirements.

Change Management

Change Management activities are often closely associated with security because Change Management and Security Management are interdependent.
If an acceptable security level has been achieved and is managed by the Change Management process, then it can be ensured that this level of security will also be provided after Changes.
There are a number of standard operations to ensure that this security level is maintained.
Each RFC is associated with a number of parameters, which govern the acceptance procedure.
The urgency and impact parameters can be supplemented by a security parameter.
If an RFC can have a significant impact on Information Security then more extensive acceptance tests and procedures will be required. The RFC should also include a proposal for dealing with security issues.
Again, this should be based on the SLA requirements and the basic level of internal security required by the IT organisation.
Thus, the proposal will include a set of security measures, based on the Code of Practice. Preferably, the Security Manager (and possibly also the customer’s Security Officer) should be a member of the Change Advisory Board (CAB). Nevertheless, the Security Manager need not be consulted for all Changes.
Security should normally be integrated with routine operations.
The Change Manager should be able to decide if they or the CAB need input from the Security Manager.
Similarly, the Security Manager need not necessarily be involved in the selection of measures for the CIs covered by the RFC. This is because the framework for the relevant measures should already exist.
Any questions should only relate to the way in which the measures are implemented. Any security measures associated with a Change should be implemented at the same time as the Change itself, and be included in the tests.
Security tests differ from normal functional tests.
Normal tests aim to investigate if defined functions are available.
Security tests not only address the availability of security functions, but also the absence of other, undesirable functions as these could reduce the security of the system.

—

Security Management provides input and support to Service Level Management for activities 1 – 3.
Security Management carries out activities 4 and 5.
Security Management and other processes provide input for activity 6.
The Service Level Manager and the Security Manager decide in consultation who actually undertakes the activities.

When defining an SLA it is normally assumed that there is a general basic level of security (baseline).
Additional security requirements of the customer should be clearly defined in the SLA.

Availability Management

Availability Management addresses the technical availability of IT components in relation to the availability of the service.
The quality of availability is assured by continuity, maintainability and resilience.
Availability Management is the most important process related to availability.
As many security measures benefit both availability and the security aspects confidentiality and integrity, effective coordination of the measures between Availability Management, IT Service Continuity Management, and Security Management is essential.

Capacity Management

Capacity Management is responsible for the best possible use of IT resources, as agreed with the customer.
The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management.
Almost all Capacity Management activities affect availability and therefore also Security Management.

IT Service Continuity Management

IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer.
Contingencies need not necessarily turn into disasters.
The major activities are defining, maintaining, implementing, and testing the contingency plan, and taking preventive action.
Because of the security aspects, there are ties with Security Management.
On the other hand, failure to fulfil the basic security requirements may itself be considered a contingency.

Security section of the Service Level Agreement

The Service Level Agreement (SLA) defines the agreements with the customer.
The Service Level Management process is responsible for the SLA.
The SLA is the most important driver for all ITIL processes.
The IT organisation indicates to what extent the requirements of the SLA are achieved, including security requirements.
The security elements addressed in the SLA should correspond to the security needs of the customer.
The customer should identify the significance of all business processes.
These business processes depend on IT services, and therefore on the IT organisation.
The customer determines the security requirements on the basis of a risk analysis.
The security elements are discussed between the representative of the customer and the representative of the service provider.
The service provider compares the customer’s Service Level Requirements with their own Service Catalogue, which describes their standard security measures (the Security Baseline).
The customer may have additional requirements.
The customer and provider compare the Service Level Requirements and the Service Catalogue.
The security section of the SLA can address issues such as the general Information Security policy, a list of authorised personnel, asset protection procedures, restrictions on copying data, etc.

The Security section of the Operational Level Agreement

The Operational Level Agreement is another important document.
It describes the services provided by the service provider.
The provider must associate these agreements with responsibilities within the organisation.
The Service Catalogue gives a general description of the services.
The Operational Level Agreement translates these general descriptions into all services and their components, and the way in which the agreements about the service levels are assured within the organisation.

Example: the Service Catalogue refers to ‘managing authorisations per user and per individual’.
The Operational Level Agreement details this for all relevant services provided by the IT organisation.
In this way, the implementation of the measure is defined for the departments providing UNIX, VMS, NT, Oracle services, etc.
Where possible, the customer’s Service Level Requirements are interpreted in terms of the provider’s Service Catalogue, and additional agreements are concluded where necessary.
Such additional measures exceed the standard security level.
When drafting the SLA, measurable Key Performance Indicators (KPI) and criteria must also be agreed for Security Management.
KPIs are measurable parameters (metrics), and performance criteria are set at achievable levels.
In some cases it will be difficult to agree on measurable security parameters.
This is easier for availability, which can generally be expressed numerically.
However, this is much more difficult for integrity and confidentiality.
For this reason, the security section of the SLA normally describes the required measures in abstract terms.
The Code of Practice for Information Security Management is used as a basic set of security measures.
The SLA also describes how performance is measured.
The IT organisation (service provider) must regularly provide reports to the user organisation (customer).

Process control

Critical success factors and performance indicators

The critical success factors are: Full management commitment and involvement. User involvement when developing the process. Clear and separated responsibilities.

The Security Management performance indicators correspond with the Service Level Management performance indicators, in so far as these relate to security issues covered by the SLA.

Functions and roles

In small IT organisations, one person may manage several processes.
In large organisations, several persons will be working on one process, such as Security Management.
In this case there is normally one person appointed as Security Manager.
The Security Manager is responsible for the effective operation of the Security Management process.
Their counterpart in the customer’s organisation is the Information Security Officer, or Corporate Information Security Officer.

Points of Attention and costs

As with any process there are areas that could undermine the successful implementation.
The following section details some of the areas that must be covered to make the process implementation worthwhile.

—

ANECDOTE – Security Management

Security Management in ITIL is a relatively new process in its own right.
Security in ITIL version 1 was one of the key concepts of Availability Management; now it is seen as an umbrella process which has responsibilities right across the board.

Business processes can no longer operate without a supply of information.
In fact, more and more business processes consist purely of one or more information systems.

Information Security Management ITIL

Information Security Management is an important activity, which aims to control the provision of information, and to prevent unauthorized use of information.
For many years, Information Security Management ITIL was largely ignored. However, this is changing.
Security is now considered as one of the main management challenges for the coming years.
The interest in this discipline is increasing because of the growing use of the Internet and e-commerce in particular.

Dealing with Risks

More and more businesses are opening electronic gateways into their business.
This introduces the risk of intrusion.
What risks do we want to cover, and what measures should we take now and in the next budgeting round? Senior Management has to take decisions and these decisions can only be taken if a thorough risk analysis is undertaken.
This analysis should provide input to Security Management to determine the security requirements.
These requirements affect IT service providers and should be laid down in Service Level Agreements.

Security Management ITIL Aims

Security Management aims to ensure that the security aspects of services are provided at the level agreed with the customer at all times.
Security is now an essential quality aspect of management. Security Management integrates security in the IT organisation from the service provider’s point of view.
The Code of Practice for Information Security Management (BS 7799) provides guidance for the development, introduction and evaluation of security measures.

ANECDOTE –….

Configuration Management

Configuration Management – What exactly is it?

The best way to describe it is that it is like Asset Management but also unlike it because it is far more than Asset Management. Configuration Management focuses on the relationships between items, to help us understand our infrastructure far more than we do now!

Configuration Management – definition

“The process of identifying and defining Configuration Items in a system, recording and reporting the status of Configuration Items and Requests for Change, and verifying the completeness and correctness of Configuration Items.”

Configuration Management – benefits

Configuration Management contributes to the economic and effective delivery of IT services in an organization by:
Providing accurate information on CIs and their documentation.
Controlling valuable CIs.
Facilitating adherence to legal obligations.
Helping with financial and expenditure planning.
Making software Changes visible.
Contributing to contingency planning.
Supporting and improving Release Management.
Improving security by controlling the versions of CIs in use.
Enabling the organization to reduce the use of unauthorized software.
Providing Problem Management with data on trends.

ANECDOTE – ITIL and BS15000

BS (British Standards) 15000 is the first worldwide standard specifically aimed at IT Service Management.
It describes an integrated set of management processes for the effective delivery of services to the business and its customers. BS15000 is aligned with and complementary to the process approach defined within the IT Infrastructure Library (ITIL) from The Office of Government Commerce (OGC).

BS 15000 consists of two parts:

BS 15000-1 is the formal specification and defines the requirements for an organization to deliver managed services of an acceptable quality for its customers. The scope includes: Requirements for a management system; Planning and implementing service management; Planning and implementing new or changed services; Service delivery process; Relationship processes; Resolution processes; Control processes; and Release processes.

BS 15000-2 is the Code of Practice and describes the best practices for Service Management processes within the scope of BS 15000-1.
The Code of Practice is of particular use to organisations preparing to be audited against BS 15000-1 or planning service improvements.

Key business drivers of the standard are:
To provide a formal and auditable standard for the delivery of IT Services within an organization.
To reinforce and provide accreditation based on the best practice as defined by the BSI Code of Practice for IT Service Management (PD0005) and the UK Government’s internationally adopted IT Infrastructure Library (ITIL) best practice guidance.
To be the foundation of a future ISO international standard.

Reasons and History

The reasons and history behind the standard:
To provide a business focused ‘road map’ for implementing and maintaining a successful integrated Service Management strategy.
To provide non-proprietary and public domain guidance for the service industry.
To define the processes required to identify and manage the level and quality of service being provided to customers, along with the resources and cost needed to achieve it (not re-inventing the wheel).

Where ITIL fits in

ITIL forms a layer between in-house procedures and the code of practice. Imagine the metaphor of a five-tiered pyramid: the bottom layer of building blocks is the in-house procedures, and the second layer of building blocks is ITIL best practice.
The next layer is the code of practice which ITIL helps us achieve, then comes the standard (BS15000) and finally the pinnacle is ISO.

ANECDOTE – Capability Maturity Model

ITIL and CMMI are distinctly different but not mutually exclusive maturity models.
The main difference between the two is that CMMI focuses on software process maturity and continuous improvement, whereas ITIL helps us understand and develop all of the areas within our infrastructure.

ITIL and CMMI – similarities

The initial Capability Maturity Model (CMM v1.0) was developed by the Software Engineering Institute and specifically addressed software process maturity.
It was first released in 1990, and after its successful adoption and usage in many areas, other CMMs were developed for other disciplines.

ITIL and CMMI – which one should I choose?

The answer to that question is that there is no single reason why you cannot have both.
You see, ITIL is not prescriptive and the process maturity framework that ITIL conforms to is very similar to CMMI’s model.

ITIL and CMMI – both, as a structured approach.

If CMMI is a structured approach for software development, then the ITIL Release Management process dovetails into it perfectly.
Release Management focuses on the release of software into the live environment.

ANECDOTE – Software Changes

“I updated that document yesterday, but it’s not appearing on the Intranet.
What happened?” “The new version’s wrong! Did we back up the old one?” “Chris and I were editing the same file at the same time, but I finished first.
His changes overwrote mine!” “Who made that change?”

—

Problem classification – in terms of the impact on the business
Problem investigation and diagnosis.

When the root cause is detected the error control process begins. The Error control activity consists of:
Error identification and recording
Error assessment
Recording the Error resolution
Closes Error and associated problems

ITIL Problem Management process flow – But that isn’t all folks!

Now this is where Problem Management differs from being a simple flow (that is, “does it achieve x? Yes, now do this”, etc.).
Problem Management has a Proactive side. Problem prevention ranges from prevention of individual Problems, such as repeated difficulties with a particular feature of a system, through to strategic decisions. Problem prevention also includes information being given to Customers that negates the need to ask for assistance in the future.
Analysis focuses on providing recommendations on improvements for the Problem solvers. The main activities within proactive Problem Management processes are trend analysis and the targeting of preventive action.

ANECDOTE – More on Incident Management

The line between the function of the Service Desk and the Incident Management process is perhaps the area of greatest confusion for most people regarding ITIL. It is best explained by making the point again that the Service Desk is a function and that Incident Management typically lies inside that function. If an end user calls the Service Desk they are making contact with a functional part of the IT Service Delivery.
What takes place after the call is made and the end user is being looked after is part of the Incident Management process. Generally, most organisations have their Service Desk staff conducting Level 1 incident management support.
However, this is not a caveat and the decision is dependent on the skill level of staff and the Service Desk structure selected. Level 2 and beyond Incident Management staff can be tightly integrated into the Service Desk area, or they may be recognisable as a separate group of staff. In a lot of organisations that have adopted ITIL, the concept of Level 3 support has given way to the Problem Management process.

The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, and at a cost-effective price. The definition of how “quickly” is “quickly” should not be subject to interpretation.
The timeframes for Incident resolution should be defined in the Service Level Agreements (SLAs) that exist between the IT Department and the customer. The speed of resolution will affect the cost.
It is this cost-to-speed ratio that is often forgotten when a user faces problems.
Issues that are low priority during negotiations are “somehow” escalated to the status of requiring high levels of attention when the issue occurs. Often support staff will simply respond to user pressure in such situations, and immediately the expectation is adjusted and anything less than an immediate response to this otherwise low priority issue is considered poor service.

ANECDOTE – The Expert Service Desk

The “Expert” Service Desk extends the range of services and offers a more globally focused approach, allowing business processes to be integrated into the Service Management infrastructure. It not only handles Incidents, Problems and questions, but also provides an interface for other activities such as customer Change requests, maintenance contracts, software licenses, Service Level Management, Configuration Management, Availability Management, Financial Management for IT Services, and IT Service Continuity Management. Many Call Centres and Help Desks naturally evolve into Service Desks to improve and extend overall service to the Customers and the business.

Why change from what you have?

The Expert Service Desk provides a vital day-to-day contact point between Customers, Users, IT services and third-party support organisations.
Service Level Management is a prime business enabler for this function.
A Service Desk provides value to an organisation in that it: acts as a strategic function to identify and lower the cost of ownership for supporting the computing and support infrastructure

—

ANECDOTE – DID YOU KNOW….

Did you know that there is an ITIL text called Applications Management? As defined within this text the Application lifecycle focuses on six key phases.

Requirements: This is the phase during which the requirements for a new application are gathered, based on the business needs of the organisation.
It is important to note that there are three types of requirements for any application – functional requirements, non-functional requirements, and usability requirements.

Design: During this stage requirements are translated into feature specifications.
The goal for application designs should be to satisfy the organisation’s requirements.
Design includes the design of the application itself, and the design of the environment, or operational model, that the application has to run on.

Build: In the build phase, both the application and the operational model are made ready for deployment.
Application components are coded or acquired, integrated, and tested.
Often the distinction is made between a development and test environment.
The test environment allows for testing the combination of application and operational model.

Deploy: In this phase, both the operational model and the application are deployed.
The operational model is incorporated in the existing IT environment and the application is installed on top of the operational model, using the deployment processes described within ITIL ICT Infrastructure Management.

Operate: Here we see the IT services organisation deliver the service required by the business.
The performance of the service is measured continually against the Service Levels and key business drivers.

Optimize: The results of the Service Level performance measurements are analyzed and acted upon.
Possible improvements are discussed and developments initiated if necessary.
The two main strategies in this phase are to maintain and/or improve the Service Levels and to lower cost.
This could lead to iteration in the lifecycle or to justified retirement of an application.

ANECDOTE – Why Bother?

With cheap hardware prices, capacity planning may be seen to have lost its importance.
You can always upgrade later! The fact that hardware systems can be upgraded easily has, in recent times, diverted attention away from this key process area.

There are two main concerns that make capacity planning critical. The first is the rate of technical change in the distributed computing sector.
We now measure progress in “Internet years” — equivalent to a fraction of a typical calendar year. The second is that today’s systems are primarily being developed within complex multi-tier architectures. This rapid change, coupled with the increase in complexity of 3-tier architecture, is causing system designers to pay closer attention to capacity. Five years ago, a designer could roll out a new system with a rough estimate of capacity and performance.
The system could then be tuned or more capacity added before all of the users had been converted to the new system.
The process was reasonable because the systems were typically not mission-critical. Today, there’s no time for this approach.
Once systems are in place they become an integral part of the overall operation.
Upgrade downtime is increasingly expensive in both time and resources.
In addition, the added complexity of the environment typically requires more care, due to the interdependency between various application components. Capacity planning is driven purely by financial considerations.
Proper capacity planning can significantly reduce the overall cost of ownership of a system.
Although formal capacity planning takes time, internal and external staff resources, software and hardware tools, the potential losses incurred without capacity planning are staggering.

That is why we should bother!!

ANECDOTE – More on MOF and ITIL

ITIL is generally accepted as “best practice”
ITIL was created to be adopted and adapted
MOF’s prescriptive guidance in operating Microsoft technologies complements ITIL’s descriptive guidance
ITIL’s development by a consortium of industry leaders allows Microsoft to participate in its evolution
A prescriptive process model
Introduce Service management functions (SMFs)
Team Model
Risk Model
Guidance that is relevant and adaptable to client server and n-tier computing environments

ANECDOTE – MOF vs. ITIL – No Contest!

ITIL & MOF are not quite the same thing.
That is, the Microsoft Operations Framework (MOF) is based on ITIL and recognises that ITIL is still the world’s best practice with respect to IT Service Management. The ITIL philosophy is to “adopt and adapt,” and that’s just what Microsoft did when it created Microsoft Operations Framework.
MOF is a set of publications providing both descriptive (i.e., what to do and why) and prescriptive (i.e., how to do) guidance on IT service management. Microsoft published the first elements of MOF in 2000 for customer, partner and internal use.
Microsoft created MOF with the following objective in mind: Create comprehensive operations guidance to help customers achieve mission-critical production system reliability, availability, and manageability on the Microsoft platform. The Microsoft Operations Framework provides in-depth technical guidance and consulting support for the operation of mission-critical systems on Microsoft technology. MOF is recognised for providing technical guidance that covers the entire spectrum of IT management, addressing the people, process, technology and management issues involved in complex, distributed and heterogeneous IT environments. To develop MOF, Microsoft worked with partners that have extensive experience with mission-critical computing.
The framework is built on best practices from the IT Infrastructure Library, a series of books that hundreds of organizations around the world use for comprehensive guidance on providing quality IT services. So there is no contest.
One is an extension of the other.
Without ITIL there would be no MOF.

ANECDOTE – ITIL MANAGERS EXAM

The ITIL Manager Certificate is awarded to those individuals who are capable of applying the ITIL theory to any Organisation.
The prerequisites and typical training outline are presented below:

Pre-requisites for ITIL Manager Certificate

In order to be eligible for attending the ITIL Manager Certificate Training Course a number of prerequisites are expected of potential participants:

Knowledge for the ITIL Manager Certificate
ITIL Foundations, EXIN (or ISEB) certificate obtained;
Work and thinking capability at tertiary education level.

Experience if looking to achieve the ITIL Manager Certificate
2 years of relevant practical experience;
Manager’s role in IT service delivery (two years minimum);
Experience in project-oriented work and/or (shared) project management.

Target Group

The training is targeted at those persons who will play an important role in the implementation and adoption of the IT Service Management processes:
Managers in IT organizations who work in accordance with ITIL;
Project staff and project leaders for ITIL implementation pathways;
Management advisors looking at IT management and IT organizations;
Future ITIL Service Managers.

In-course Assessment

The in-course Assessment is a requirement that EXIN has of its accredited training institutions that conduct ITIL Service Management courses.
Only applicants with a sufficient score on the in-course assessment are eligible to sit for the ITIL Service Management exams.

Course duration

The course for the ITIL Manager Certificate can be conducted in several ways; 2×5 day blocks with a shorter 2 day block at the end is one method. Another is to conduct 3 Blocks of 3 days (1 day each mod is a long day) and 2 days at the end. Both methods have merit so it comes down to your personal availability. The bottom line is the requirement for sixty contact hours at least.

Presentation-assignments

The presentation assignments will be conducted within the context of the cases used during the course. These tend to be verbally based assignments with a substantial amount of group work.

Written questions and assignments

Each participant is also required to complete written assignments, which are covered during each presentation assignment. As a guide such assignments should be a summary view of approximately two A4 pages. These written test questions aim to test the participant’s ability to coherently express the core issues of each management process.

WISE WORDS

Why is business financial management important to the IT professional? Isn’t that the CFO’s responsibility?

Competent financial management is critical to the success and very survival of a wide variety of organisations.
In the technology community, it is common to select the chief financial officer or the chief information officer for advancement to the CEO position.
For the CIO professional looking for a promotion or a greater understanding of the IT arena, an understanding of the basics of financial management has become invaluable. The goal of business financial management is to maximize value.
Successful financial management requires a balance of a number of factors, and there are no simple rules or solution algorithms that will ensure financial success under all circumstances.
The overall goal toward which corporate financial and IT managers should strive is the maximization of earnings per share, subject to considerations of business and financial risk, timing of earnings, and dividend policy.

The fundamental principles of accounting, analytical techniques for interpretation of financial data, basic budgeting concepts, financial planning and control, and the analysis of long-term investment opportunities are applicable to IT as well as finance.
Financial and IT professionals who can profitably harness the principles and techniques of financial and information resources will be able to manage their organisations more effectively than their competitors.

Exchanging wooden dollars?

Many organisations decide not to do a physical charge out to their internal clients because it would only add to the administrative procedures within the organisation.

WISE WORDS

To report or not to report

A lot of the organisations that start implementing Service Level Management fall into the trap of over-reporting.
Everything is monitored, and all results are reported back to the client. Negotiate the reporting strategy with your customer during the SLA-negotiations.
A report is only valuable if your clients use it for their own work. Another pitfall is the fact that some people only report when things are going wrong.
The image you build with an agreement like that is a negative one.
The client only hears from IT when there is a problem or when service levels aren’t met.
ALWAYS report on the positive things as well!

It’s OK to say NO…

Often, when you start implementing Service Level Management in your organisation you’ll find that you can’t deliver a lot of the user’s requests. You can’t deliver because you don’t have the underpinning processes in place, you don’t have enough budget and other required resources. Service Level Management is all about managing the expectations of your clients.

Internal and external agreements

The beauty of implementing ITIL is that everybody in the organisation speaks the same language, and therefore you need to be very strict with your choice of words.
A Service Level Agreement is an internal agreement with your clients.
An agreement with an external party is called an underpinning contract.
An agreement within the IT group itself is called an OLA (Operational Level Agreement).

ANECDOTE

ITIL processes are used by an ever-increasing number of organizations to meet the growing demand on the IT service infrastructure. These are some of the benefits of implementing ITIL processes.

My IT organization is thinking of adopting ITIL processes – What do I get?

Adopting ITIL processes can provide:
Greater productivity and best use of skills and experience.
Increased customer satisfaction with IT services which meet their needs.
Reduced risk of not being able to meet the business requirements for IT services.
Reduced costs in developing procedures and practices within an organization.
Better communication and information flows between IT staff and customers.
Assurances to the IT Director that staff are provided with appropriate standards and guidance.
Quality approach to IT service provision.

I am the Customer of an IT organization which is thinking of adopting ITIL processes – What do I get?

The benefits to the customer of the IT services:
Reassurance that IT services are provided in accordance with documented procedures (clear audit trail).
Ability to rely upon IT services, enabling the customer to meet business objectives.
Provision of clearly defined contact points within IT services for enquiries or discussions about changing requirements.
Knowledge that detailed information is produced to justify charges for IT services and to provide feedback from monitoring of service level agreements.

ANECDOTE

The traditional quality management system for organizations is ISO9000.
In recent years, many major organizations have adopted the ITIL framework as their methodology for management of IT infrastructure. The ISO9000 and ITIL combination is in fact a very powerful one.
A growing number of people are aware of the benefits of ISO9000 and ITIL.
The primary distinction between the two is that while ISO9000 requires structured processes to be in place, ITIL actually defines those structured processes for the IT environment. Both methodologies are in a state of continual update and improvement.
ISO9000 and ITIL both have well defined control mechanisms in place for ensuring that they reflect the current nature of business environments throughout the world. ISO is controlled by the International Services Organizations and ITIL is controlled by the Office of Government Commerce (OGC) in the United Kingdom.

ANECDOTE

The enhanced Telecom Operations Map™ (or eTOM), part of the NGOSS toolkit, delivers a business process model or framework for use by service providers and their suppliers within the telecommunications industry.
It offers a comprehensive set of enterprise processes required by a service provider and analyses them to varying levels of detail according to their significance and priority for the business. For service providers, it provides a neutral reference point as they consider internal process reengineering needs, partnerships, alliances, and general working agreements with other providers.
For suppliers, the eTOM Framework outlines potential boundaries of software components, and the required functions, inputs, and outputs that must be supported by products. Amazingly there are 154 components in the eTOM model.

ITIL is a framework for the management of IT environments. There are 10 key components to the ITIL framework.

ITIL Processes | Example of eTOM Components
Service Delivery Set | Advertising
Service Level Management | Advise and Negotiate Acceptable Terms
Capacity Management | Assurance
Financial Management for IT Services | Billing & Collections Management

ANECDOTE

The itSMF is a member funded organisation for IT Service Management Professionals.
The IT Service Management Forum (itSMF) is a non-profit organisation wholly owned, and principally operated, by its members.
It is also a major influence on and contributor to Industry Best Practices and Standards across the world regarding IT Service Management standards and qualifications and has been for many years.

Why do businesses and organizations need the itSMF?

Businesses depend more and more on technology to promote and deliver their products to market.
Service Management has become the primary critical success factor focused on achieving this aim. Outsourcing, demands on IT to deliver more business value, and partnerships all highlight the need to adopt Best Practice IT Service Management and to become part of the itSMF.

Why do individuals need the itSMF?

The itSMF provides an accessible network of industry experts, information sources and events to help you address IT Service Management issues, as well as to assist you in the delivery of high quality, consistent IT service internally and externally through the adoption of Best Practice. You will be able to network among your peers and continually build your competence. The benefits of being able to draw from the experiences of literally thousands of individuals and organisations involved in ITIL are incalculable.

itSMF Aims

To develop and promote Industry Best Practice in service management
To engender greater professionalism within service management personnel
To provide a vehicle for helping members improve their service performance
To provide members with a relevant forum in which to exchange information and share experience with their peers on both sides of the industry

Membership

itSMF members are drawn from across industry, commerce and public sector.
Most members represent “user” organisations that are responsible for delivering quality IT services to their customers and the remainder represent the leading IT service and product providers.
Many of the leading blue chip companies are to be found amongst the user membership. Globally, the itSMF now boasts thousands of individual and corporate members.

ANECDOTE

A lot of organisations are looking at ways of implementing ITIL and CMM. The challenges of implementing ITIL and CMM tend to centre more on people issues, rather than the pure theoretical content of the frameworks.

CMM of course is a framework established to guide software developers through the challenges of creating solutions that are truly aligned with business requirements. ITIL is a framework that has been developed to guide IT Managers through the challenges of managing their IT infrastructure.

The two frameworks are complementary and those faced with implementing ITIL and CMM need not be concerned about any potential clash or duplication of effort between the two.

The CMM measurement model is actually a 5 category measurement model.
Most people think that ITIL is also a 5 level model, but there are actually steps between the 5 levels in ITIL (making 9 measurement levels altogether).

ANECDOTE

For most adults, the investment of time and money in preparing to sit for an ITIL Exam perhaps brings back the fear of sitting for tests of any kind. ITIL Exams are by their very nature designed to indicate if the participant can understand and apply the theory knowledge of the ITIL Framework. ITIL Exams can be taken at a variety of levels.

ITIL Exam – IT Service Management Foundations Certificate
Most ITIL Exams taken around the world are at this level.

ITIL Exam – IT Service Management Practitioner Certificate
ITIL Exams at this level test individual process knowledge.

ITIL Exam – IT Service Management Managers Certificate
ITIL Exams in this category are for those faced with challenges of implementation.

ITIL Exams for the Foundations certificate can actually be taken at any Prometric test centre around the world.
ITIL Exams in the other two levels must currently be sat as a paper based test, facilitated independently.

GPO Box 2673 Brisbane, QLD 4001 Australia Ph: +61 7 3289 5144 www.itsmdirect.com Version 6.0