Beginners' notes: Foundation in ITIL Service Management

This document is a "Bonus" for Six Sigma Management Kit owners. The Office of Government Commerce in the United Kingdom owns the ITIL content. However, the use of ITIL processes is permitted and encouraged. More information on ITIL can be found at http://www.itil.co.uk.

The Art of Service (owners of this document) have a licensing arrangement in place with Ovitz Taylor Gates that permits the supply of this document with the Six Sigma Management Kit.

The full ITIL toolkit can be purchased by visiting http://www.itil-toolkit.com. e-Learning courses: www.itsm-learning.com. The Art of Service supports the purchase of further material supplied by The Stationery Office (a commercial outlet for Her Majesty's Stationery Office, HMSO). Such material can be purchased by visiting http://www.itsmdirect.com.

This document has been modified slightly.

Table of Contents

1 Table of Contents
2 Start Here
3 Foundation Certificate in IT Service Management
3.1 EXIN Exam requirements specifications
3.1.1 The importance of IT Service Management and the IT Infrastructure
3.1.2 The Service Management processes and the interfaces between them
4 IT Service Management
4.1 Introduction into IT Service Management
4.1.1 ITIL Service Management
4.1.2 Business Alignment
4.1.3 Processes
4.1.4 Function versus process based
5 ITIL
5.1.1 History
5.1.2 Groups involved
6 Implementing ITIL Service Management
6.1 Introduction
6.2 Cultural change
6.3 Some of the do's and don'ts
6.4 Further reading
7 The ITIL Service Management Processes
7.1 Service Delivery Set
7.1.1 Service Level Management
7.1.2 Financial Management for IT Services
7.1.3 Availability Management
7.1.4 Capacity Management
7.1.5 IT Service Continuity Management
7.2 Service Support Set
7.2.1 Service Desk
7.2.2 Incident Management
7.2.3 Problem Management
7.2.4 Change Management
7.2.5 Release Management
7.2.6 Configuration Management
8 Tools
8.1.1 Type of tools

Start Here

This document is designed to answer many of the questions about IT Service Management and the ITIL framework. The document has evolved over many years and offers the reader the chance to quickly learn, through reading and re-reading, a lot of the theory behind ITIL (the IT Infrastructure Library).
It provides answers, but it will also raise some questions for the reader. It is a beginner's document. It tells stories.

Foundation Certificate in IT Service Management

Let's begin with the end in mind. A lot of readers are interested in achieving certification in ITIL. This document, combined with online learning, will prepare you to sit the "IT Service Management Foundations" exam. This chapter discusses the examination that is set by EXIN. The exam is set and marked by this independent body. You can book and take your exam at any Prometric testing centre (see http://www.prometric.com to locate a test centre in your area).

EXIN Exam requirements specifications

The importance of IT Service Management and the IT Infrastructure

The candidate has an understanding of the importance of IT Service Management and the IT Infrastructure Library (ITIL). The candidate is able to indicate the importance of a methodical and systematic approach to information technology service:
- for users and customers of IT services
- for suppliers of IT services

The Service Management processes and the interfaces between them

The candidate has an understanding of the Service Management processes and the interfaces between them. The candidate is able to:
- mention the benefits of the Service Management processes for an organisation
- distinguish between ITIL processes and organisational units
- indicate which elements are needed for the ITIL processes

IT Service Management

Introduction into IT Service Management

Most organisations now understand the benefits of having Information Technology (IT) throughout their corporate structure.
Few realise the potential of truly aligning the IT department’s objectives with the business objectives.
More and more organisations are starting to recognise IT as crucial to the delivery of services to their customers. When IT services are crucial to the organisation, you need to be certain that the IT group adds value and delivers consistent services. With this as the ultimate goal for the IT organisation, we should look at the organisation's objectives. To achieve these overarching organisational objectives, the organisation has business processes in place.
These business processes can be anything: sales, admin support, financial processes, etc. Information systems and technology are fundamental requirements for providing the capability for the organisation to achieve these business objectives, by enabling the activities to be carried out in an effective and efficient manner.

Today, with online service delivery, the IT component of the service delivery can be much stronger.
The way of delivering the service is IT based and therefore internal and external clients measure the performance of the IT group. Consistent service delivery is more important than the glimpse of brilliance every now and then.
The internal clients (business processes) and external clients need availability of the IT services and to be able to expect a consistent performance. IT Service Management is a means to enable the IT group to provide reliable Information Systems to meet the requirements of the business processes, irrespective of the way these services are delivered to the external customers.
This in turn enables the organisation to meet its business objectives.

Definition: IT Service Management provides effective and efficient process-driven management of the quality of IT services.

ITIL Service Management

Any organisation that delivers IT services to its customers with the goal of supporting the business processes needs some sort of structure to achieve that.
Historically, that structure was based around functions and technical capabilities.
Currently, with the ever-increasing speed of change and the need for flexibility, that is no longer an option. That is why IT organisations are looking for alternatives:
- TQM processes and continuous improvement projects
- COBIT as a control mechanism
- CMM for control and structure in software (and system) development
- ITIL for operational and tactical management of service delivery

Which framework, model or tool you use depends heavily on the company: 'horses for courses' is the adage to keep in mind. For many IT organisations, ITIL is a very good way of managing service delivery and of performing the IT activities in end-to-end processes.

Business Alignment

By implementing IT Service Management in your IT organisation you support the IT objective of delivering those services that are required by the business.
You can’t do this without aligning your strategy with the business strategy.
You can’t deliver effective IT services without knowing about the demands, needs and wishes of your customer.
This is why IT Service Management supports the IT organisation in the business alignment of its IT activities and service delivery.

Processes

IT Service Management helps the IT organisation to manage the service delivery by organising the IT activities into end-to-end processes.
These processes cross the functional areas within the IT group and improve the efficiency. A process is a series of activities carried out to convert an input into an output.
We can associate the input and output of each of the processes with quality characteristics and standards to provide information about the results to be obtained by the process.
This produces chains of processes which show what goes into the organisation and what the result is, as well as monitoring points in the chains to monitor the quality of the products and services provided by the organisation. Processes can be measured for effectiveness (did the process achieve its goal?) and efficiency (did the process use the optimum amount of resources to achieve its goal?).
The measurement points are at the input, the activities or the output side of the process.

The advantages of a process-based approach are:
- no boundaries, but interconnections
- customer focused: what is the added value?
- steering activities instead of steering people
- communication because it is useful (fulfilling the needs of the customer)
- decision making is matching and customising
- IT service provision is a process

ITIL

The IT Infrastructure Library is a set of books with good-practice processes on how to manage IT service delivery.
The library consists of the following books and CD-ROMs:
- Service Delivery
- Service Support
- Security Management
- The Business Perspective
- Applications Management
- ICT Infrastructure Management
- Planning to Implement Service Management

The Service Support, Service Delivery and Security Management books are regarded as the core of the framework.
These books cover the processes you will need to deliver customer-focused IT services according to your customers' needs, demands and wishes.
They help the IT group to be flexible and reliable enough to ensure consistent IT service delivery.
The other books in the library support the core processes.

History

During the late 1980s the CCTA (Central Computer and Telecommunications Agency) in the UK started work on what is now known as the Information Technology Infrastructure Library (ITIL). Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s, and the ITIL framework has since become known as an industry best practice. ITIL has become the standard for delivering IT services in all types of organisations.
Both government and non-government organisations benefit from the process-driven approach, regardless of the size of the IT shop. ITIL is used globally; the majority of IT organisations in the following countries use it as their way of delivering IT services:
- UK
- The Netherlands
- Germany
- France
- USA
- South Africa
- Australia

In 2000 the British Treasury set up the OGC (Office of Government Commerce) to deal with all commercial activities within government.
This also includes all activities formerly done by CCTA (Central Computer and Telecommunications Agency).
Even though the CCTA no longer exists, we still mention it in this syllabus because it was the original developer of the ITIL framework. In 2000, Microsoft used ITIL as the basis of its Microsoft Operations Framework (MOF) to support the launch of its 'Datacentre' product. In 2001, ITIL version 2 was released with the Service Support book and the Service Delivery book.
The other books (and CD-ROMs) are currently being published.

Groups involved

ITIL is a publicly available framework: even though the copyright rests with OGC, every organisation can use the books to implement the processes in its own organisation.
This also supported the growth in the number of supporting services like training, tools and consultancy services.
The important part is that the framework is independent of any of the vendors. EXIN and ISEB are the examination bodies that organise and control the entire certification scheme.
They guarantee that the personal certification is fair and honest and independent from the organisations that delivered the course.
EXIN is based in the Netherlands and ISEB is part of the British Computer Society.
Both bodies give out accreditations to training organisations to guarantee a consistent level of quality in course delivery. The personal certification is the only type of independent certification with regard to ITIL Service Management.
There is no independent tool certification or organisational certification (yet). People and organisations that wish to discuss their experience with ITIL Service Management implementation can become a member of the IT Service Management Forum.
The itSMF is meant to be independent, just like ISEB and EXIN, to stimulate the best-practice component of ITIL and to support the sharing of 'war stories' and tips.
There is an itSMF chapter in every country that is actively involved with ITIL Service Management.

EXTRA READING (elective)

Case study: Service Management implementation: British Telecom

The Emergence of BT

British Telecom (BT) is an international private sector company operating in the field of telecommunications.
From 1912, telecommunications was part of the Post Office, held in public ownership.
It was originally nationalised to ensure the provision of an integrated telegraphic and telephonic service.
British Telecom was split off from the Post Office in 1981 as a prelude to its own privatisation three years later.
The aim was to make it easier for the management of the two organisations to focus on the business strategies of their respective operations. Since 1981 BT has undergone major changes, first with privatisation in 1984 and then because of Project Sovereign in the early 1990s.
What follows concentrates on the build up to and changes associated with Project Sovereign from the late 1980’s.
It is arguable however that this represents some continuation of the earlier corporate restructuring that surrounded privatisation.
The climate for these changes continues to be shaped by several significant factors including: the development of new technology which has changed the nature of telecommunications work; the opening up of the market for telecommunications to competition and the requirement for BT to be able to exploit new international markets for information technology. BT no longer enjoys the monopoly it once had.
At home, competition from Mercury, the cable industry, and an increasing number of niche telephone operators is taking its toll.
For example, it is estimated that 40,000 customers a month are being lost to the cable companies, who offer cheaper calls, connections and rentals, as well as clearer lines and the advantages of new technology.
Cable firms claim to have won 470,000 customers in the three years since they were permitted to offer telephone services.
Internationally BT’s rivals, such as AT&T and France Telecom, are battling for the custom of the multinationals that want one supplier to service all their telecommunication needs. As well as new competitors such as Mercury and the cable companies who are attacking BT on price, the regulatory regime is also becoming harsher.
OFTEL have recently stated that prices on BT’s basic services must now be kept to 7.5% below the rate of inflation.
Although many of the same pressures affect BT's rivals, BT argues that it suffers most because it maintains a network that runs the length and breadth of the UK.

Although all of this was now technically possible, some organisational problems remained as, in the past, BT had relied on local expertise and each region had done things in a slightly different way.
CSS provided an infrastructure that was relatively tightly controlled in terms of what it allowed a manager to do.
However, in order to bring about some of the proposed new changes it would, in some senses, need to be even more tightly controlled, as every region would now have to operate in the same way. The need to ensure consistency between regions led to some dissatisfaction with the speed with which the system could be changed or modified.
In the past, when the system needed to be changed or updated this could often be accommodated at a local level; now, however, each change or update needed to be worked out and agreed across the whole of the national network.

Implementing ITIL Service Management

Introduction

ITIL Service Management is something that impacts the entire IT organisation.
Implementing end-to-end processes can have a big impact on the way things are done and can initiate a lot of uncertainty and resistance with staff.
For these reasons, it is important to implement ITIL Service Management with a step-by-step approach that takes things slowly but steadily. Developing ITIL processes is a fairly easy job; making sure everybody understands the processes and uses them is more difficult and requires serious planning. It is advisable to use a project management approach to ITIL Service Management implementation and to stay focused on the end result.

Cultural change

10% of the implementation project will be about process design and the more instrumental aspects of organisational change; 90% will be about cultural change and the personal motivation of staff to use the end-to-end processes as the better way to do business. People (YOU!) will feel vulnerable and out of control, the perfect breeding ground for resistance: know that it is coming and work with it. The most important thing in this stage of the ITIL implementation is to keep the focus on the reason why your organisation needs ITIL Service Management in the first place.

Some of the do's and don'ts

DO:
- Perform a feasibility study first
- Use what is already good in the organisation
- Take it slowly
- Stay focused
- Keep in mind that you are dealing with personal issues
- Keep communicating WHY your organisation needs this
- Measure your successes continuously
- Enjoy the milestones and share them with the IT group

DON'T:
- Try to mature all the processes at the same time
- Start with a tool
- Start without management commitment and/or budget
- Force ITIL upon people
- 'ITILISE' your organisation; keep thinking
- Rush; take your time to do it well
- 'Do ITIL' without a reason
- Blindly follow the herd
- Pretend you are a greenfield site

Further reading

The OGC book 'Best Practice for Planning to Implement Service Management'.

The ITIL Service Management Processes

The following diagram represents the most well known components of ITIL: Service Delivery and Service Support. These processes are discussed further below.

Service Delivery Set

Service Level Management

This process provides the contact point (or hinge) between the IT organisation and the customer.
Within the ITIL books, 'the customer' is defined as the person who pays for the services.
It should therefore be someone with decision-making authority, e.g. a business manager. Service Level Management is the process that ensures that the IT organisation knows what services it can deliver, and arranges for the IT group and the customer to agree on the levels of service that need to be delivered. It also ensures that the IT group can consistently deliver these services to the customer, by ongoing monitoring of the service achievements and reporting these to the customer.

Extra reading

To report or not to report

A lot of the organisations that start implementing Service Level Management fall into the trap of over-reporting.
Everything is monitored, and all results are reported back to the client. Negotiate the reporting strategy with your customer during the SLA-negotiations.
A report is only valuable if your clients use it for their own work. Another pitfall is the fact that some people only report when things are going wrong.
The image you build with an agreement like that is a negative one.
The client only hears from IT when there is a problem or when service levels aren’t met.
ALWAYS report on the positive things as well!

It's OK to say NO

Often, when you start implementing Service Level Management in your organisation, you'll find that you can't deliver a lot of the users' requests.
You can’t deliver because you don’t have the underpinning processes in place, you don’t have enough budget and a lot of other reasons. And that’s OK, as long as you discuss it with your clients.
Service Level Management is all about managing the expectations of your clients.

Internal and external agreements

The beauty of implementing ITIL is that everybody in the organisation speaks the same language, and therefore you need to be very strict with your choice of words.
A Service Level Agreement is an internal agreement with your clients; an agreement with an external party is an underpinning contract. Don't talk about service level agreements with vendors and suppliers, because that confuses everybody.

Financial Management for IT Services

When Service Level Management agrees with the customer on service levels, it has to know how much money is involved in delivering the service.
This is especially true when the cost of IT services is charged on to the customer. This information comes from Financial Management for IT Services, which creates awareness of the total cost of the service both within the IT group and with the customers, and provides opportunities to increase the efficiency of the IT organisation.
It basically deals with three areas:
- Budgeting
- IT Accounting
- Charging

The sub-process of charging is implemented subject to the company policy on internal invoicing structures.

Security Management

Basic concepts

Security Management comes under the umbrella of Information Security, which aims to ensure the safety of information.
Safety refers to not being vulnerable to known risks, and avoiding unknown risks where possible.
The tool to provide this is security.
The aim is to protect the value of the information.
This value depends on confidentiality, integrity and availability:
- Confidentiality: protecting information against unauthorised access and use.
- Integrity: accuracy, completeness and timeliness of the information.
- Availability: the information should be accessible at any agreed time. This depends on the continuity provided by the information processing systems.

Secondary aspects include privacy (confidentiality and integrity of information relating to individuals), anonymity, and verifiability (being able to verify that the information is used correctly and that the security measures are effective).

Objectives

In recent decades, almost all businesses have become more dependent on information systems.
The use of computer networks has also grown, not only within businesses but also between them, and between businesses and the world outside.
The increasing complexity of IT infrastructure means that businesses are now more vulnerable to technical failures, human error, intentional human acts, hackers and crackers, computer viruses, etc.
This growing complexity requires a unified management approach.
Security Management has important ties with other processes.
Other ITIL processes, under the supervision of Security Management, carry out some security activities. Security Management has two objectives:
- To meet the security requirements of the SLAs and other external requirements arising from contracts, legislation and externally imposed policies.
- To provide a basic level of security, independent of external requirements.

Security Management is essential to maintaining the uninterrupted operation of the IT organisation. It also helps to simplify Service Level Management for Information Security, as it is much more difficult to manage a large number of different SLAs than a limited number. The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements.
The process also receives information about relevant security issues in other processes, such as security incidents.
The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning. At present, many organisations deal with Information Security at the strategic level in information policy and information plans, and at the operational level by purchasing tools and other security products.
Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change.
The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.

Benefits

Information Security is not a goal in itself; it aims to serve the interests of the business or organisation.
Some information and information services will be more important to the organisation than others.
Information Security must be appropriate to the importance of the information.
Striking a balance between the security measures, the value of the information and the threats in the processing environment produces tailor-made security. An effective information supply, with adequate Information Security, is important to an organisation for two reasons:
- Internal reasons: an organisation can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.
- External reasons: the processes in an organisation create products and services, which are made available to the market or society, to meet defined objectives. An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organisation. Adequate Information Security is an important condition for having an adequate information supply.
The external significance of Information Security is therefore determined in part by the internal significance.
Security can provide significant added value to an information system.
Effective security contributes to the continuity of the organisation and helps to meet its objectives.

Process

Organisations and their information systems change.
Checklists such as the Code of Practice for Information Security Management are static and insufficiently address rapid changes in IT.
For this reason, Security Management activities must be reviewed continuously to ensure their effectiveness.
Security Management amounts to a never-ending cycle of plan, do, check, and act.
The activities undertaken by Security Management, or undertaken in other processes under the control of Security Management are discussed below.
Figure 21 shows the Security Management cycle.
The customer’s requirements appear at the top right, as input to the process.
The security section of the Service Level Agreement defines these requirements in terms of the security services and the level of security to be provided. The service provider communicates these agreements to his organisation in the form of a Security Plan, defining the security standards or Operational Level Agreements.
This plan is implemented, and the implementation is evaluated.
The plan and its implementation are then updated.
Service Level Management reports about these activities to the customer.
Thus, the customer and the service provider together form a complete cyclical process.
The customer can modify his requirements on the basis of the reports.
And the service provider can adjust the plan or its implementation on the basis of these observations, or aim to change the agreements defined in the SLA.
The control function appears in the middle of Figure 21.
This diagram will now be used to discuss the Security Management activities.

Figure 23: Security Management Cycle

Relationships with other processes

Security Management has links with the other ITIL processes.
This is because the other processes undertake security-related activities.
These activities are carried out in the normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the security-related activities to the other processes.
Normally, these agreements are defined after consultation between the Security Manager and the other process managers.

Configuration Management

In the context of Information Security, Configuration Management is primarily relevant because it can classify Configuration Items.
This classification links the CI with specified security measures or procedures. The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA.
The customer of the IT organisation determines the classification, as only the customer can decide how important the information or information systems are to the business processes.
The customer bases the classification on an analysis of the extent to which the business processes depend on the information systems and the information.
The IT organisation then associates the classification with the relevant CIs.
The IT organisation must also implement the set of security measures for each classification level.
These sets of measures can be described in procedures.
Example: ‘Procedure for handling storage media with personal data’.
The SLA can define the sets of security measures for each classification level.
The classification system should always be tailored to the customer’s organisation.
However, to simplify management it is advisable to aim for one unified classification system, even when the IT organisation has more than one customer. In summary, classification is a key issue.
The CMDB should indicate the classification of each CI.
This classification links the CI with the relevant set of security measures or procedures.

Incident Management

Incident Management is an important process for reporting security incidents.
Depending on the nature of the incident, security incidents may be covered by a different procedure than other Incidents.
It is therefore essential that Incident Management recognise security incidents as such.
Any Incident which may interfere with achieving the SLA security requirements is classified as a security incident.
It is useful to include a description in the SLA of the type of Incidents to be considered as security incidents.
An Incident that interferes with achieving the basic internal security level (baseline) is also always classified as a security incident.
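The classification scheme described under Configuration Management above (each CI carries a confidentiality, integrity and availability classification, and each level is linked to a set of security measures) and the two criteria for recognising a security incident just stated (the incident may interfere with the SLA security requirements, or it interferes with the baseline) can be modelled in a few lines. The Python below is an added example; it is not code from the ITIL books or from The Art of Service. The level names, the measure sets, the baseline contents, the SLA incident types, the HIGH threshold used for the SLA criterion, and the CI and incident records are all assumptions constructed for illustration.

```python
"""Added example (not from the ITIL books): CIs in a CMDB carry a C/I/A
classification, each level maps to a set of required measures, and incidents are
recognised as security incidents against the SLA requirements and the baseline.
All names, measure sets, thresholds and records below are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


ASPECTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Classification:
    confidentiality: Level
    integrity: Level
    availability: Level

    def level(self, aspect: str) -> Level:
        return getattr(self, aspect)


@dataclass
class CI:
    name: str
    classification: Classification
    measures: Set[str] = field(default_factory=set)  # measures actually in place


# Assumed measure sets per aspect and level; cumulative, so a CI classified
# HIGH for an aspect also needs that aspect's LOW and MEDIUM measures.
MEASURES_BY_LEVEL: Dict[str, Dict[Level, Set[str]]] = {
    "confidentiality": {Level.LOW: {"access_control"},
                        Level.MEDIUM: {"encryption_at_rest"},
                        Level.HIGH: {"encryption_in_transit", "media_handling_procedure"}},
    "integrity": {Level.LOW: {"change_control"},
                  Level.MEDIUM: {"input_validation"},
                  Level.HIGH: {"integrity_monitoring"}},
    "availability": {Level.LOW: {"backup"},
                     Level.MEDIUM: {"redundant_power"},
                     Level.HIGH: {"failover_site"}},
}
# Basic internal security level (baseline) every CI must meet. Assumed contents.
BASELINE_MEASURES: Set[str] = {"patching", "antivirus", "access_control", "backup"}
# Incident types the SLA security section names as security incidents. Assumed.
SLA_SECURITY_INCIDENT_TYPES: Set[str] = {"unauthorised_access", "malware", "data_leak"}


def required_measures(c: Classification) -> Set[str]:
    """Baseline plus every measure set at or below the CI's level, per aspect."""
    required = set(BASELINE_MEASURES)
    for aspect in ASPECTS:
        for level, measures in MEASURES_BY_LEVEL[aspect].items():
            if level <= c.level(aspect):
                required |= measures
    return required


def missing_measures(ci: CI) -> Set[str]:
    """Measures the classification requires that are not in place on the CI."""
    return required_measures(ci.classification) - ci.measures


@dataclass
class Incident:
    ref: str
    ci: str
    category: str
    impaired: Tuple[str, ...] = ()        # CIA aspects the incident may impair
    failed_measure: Optional[str] = None  # a measure found not to be working


def classify_incident(inc: Incident, cmdb: Dict[str, CI]) -> Tuple[bool, str]:
    """Return (is_security_incident, reason). Criteria, in order:
    1. the SLA names this incident type as a security incident;
    2. the incident may impair an aspect the CI is classified HIGH for, so the
       SLA security requirement for that CI is at risk (HIGH threshold assumed);
    3. a baseline measure has failed, which is always a security incident."""
    if inc.category in SLA_SECURITY_INCIDENT_TYPES:
        return True, "SLA lists incident type " + inc.category
    ci = cmdb[inc.ci]
    for aspect in inc.impaired:
        if ci.classification.level(aspect) >= Level.HIGH:
            return True, "may breach SLA %s requirement on %s" % (aspect, ci.name)
    if inc.failed_measure in BASELINE_MEASURES:
        return True, "baseline measure %s not met" % inc.failed_measure
    return False, "ordinary incident"


def route(inc: Incident, cmdb: Dict[str, CI]) -> str:
    """Pick the procedure Incident Management should start for this incident."""
    is_security, _ = classify_incident(inc, cmdb)
    return "security incident procedure" if is_security else "standard incident procedure"


def build_cmdb() -> Dict[str, CI]:
    """Constructed sample CMDB: two CIs with their classification and measures."""
    return {
        "payroll-db": CI("payroll-db", Classification(Level.HIGH, Level.HIGH, Level.MEDIUM),
                         {"patching", "antivirus", "access_control", "backup",
                          "encryption_at_rest", "encryption_in_transit", "change_control",
                          "input_validation", "integrity_monitoring", "redundant_power"}),
        "intranet-web": CI("intranet-web", Classification(Level.LOW, Level.LOW, Level.LOW),
                           {"patching", "antivirus", "access_control"}),
    }


def sample_incidents() -> List[Incident]:
    """Constructed incident records as Incident Management might receive them."""
    return [
        Incident("INC-1", "intranet-web", "hardware_failure", impaired=("availability",)),
        Incident("INC-2", "payroll-db", "hardware_failure", impaired=("integrity",)),
        Incident("INC-3", "intranet-web", "performance", failed_measure="antivirus"),
        Incident("INC-4", "payroll-db", "unauthorised_access"),
    ]


if __name__ == "__main__":
    cmdb = build_cmdb()
    for ci in cmdb.values():
        print(ci.name, "missing:", sorted(missing_measures(ci)))
    for inc in sample_incidents():
        print(inc.ref, route(inc, cmdb), "-", classify_incident(inc, cmdb)[1])
```

Two design points are worth noting. The baseline is folded into the required set for every CI, so a CI cannot be "compliant" with its classification while failing the basic internal level; and the incident check tests the baseline last only because the SLA criteria give a more specific reason, not because they take precedence: an incident that fails the baseline is a security incident whatever else is true of it, which is exactly what the text requires.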
Incident reports are generated not only by users, but also by the management process, possibly on the basis of alarms or audit data from the systems.
It is clearly essential that Incident Management recognise all security incidents.
This is to ensure that the appropriate procedures are initiated for dealing with security incidents.
It is advisable to include the procedures for different types of security incidents in the SLA plans and to practise the procedures.
It is also advisable to agree a procedure for communicating about security incidents.
It is not unusual for panic to be created by rumours blown out of proportion. Similarly, it is not unusual for damage to result from a failure to communicate in time about security incidents.
It is advisable to route all external communications related to security incidents through the Security Manager.

Problem Management

Problem Management is responsible for identifying and solving structural security failings.
A Problem may also introduce a security risk.
In that case, Problem Management must involve Security Management in resolving the Problem.
Finally, the solution or workaround for a Problem or Known Error must always be checked to ensure that it does not introduce new security problems.
This verification should be based on compliance with the SLA and internal security requirements.

Availability Management

Availability Management addresses the technical availability of IT components in relation to the availability of the service.
The quality of availability is assured by continuity, maintainability and resilience.
Availability Management is the most important process related to availability.
As many security measures benefit both availability and the security aspects confidentiality and integrity, effective coordination of the measures between Availability Management, IT Service Continuity Management, and Security Management is essential.

Capacity Management

Capacity Management is responsible for the best possible use of IT resources, as agreed with the customer.
The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management.
Almost all Capacity Management activities affect availability and therefore also Security Management.

IT Service Continuity Management

IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer.
Contingencies need not necessarily turn into disasters.
The major activities are defining, maintaining, implementing, and testing the contingency plan, and taking preventive action.
Because of the security aspects, there are ties with Security Management.
On the other hand, failure to fulfil the basic security requirements may itself be considered a contingency.

Security section of the Service Level Agreement

The Service Level Agreement (SLA) defines the agreements with the customer.
The Service Level Management process is responsible for the SLA (see also Chapter 11).
The SLA is the most important driver for all ITIL processes.
The IT organisation indicates to what extent the requirements of the SLA are achieved, including security requirements.
The security elements addressed in the SLA should correspond to the security needs of the customer.
The customer should identify the significance of all business processes.
These business processes depend on IT services, and therefore on the IT organisation.
The customer determines the security requirements on the basis of a risk analysis.
The security elements are discussed between the representative of the customer and the representative of the service provider.
The service provider compares the customer’s Service Level Requirements with their own Service Catalogue, which describes their standard security measures (the Security Baseline).
The customer may have additional requirements.
The customer and provider compare the Service Level Requirements and the Service Catalogue.
The security section of the SLA can address issues such as the general Information Security policy, a list of authorised personnel, asset protection procedures, restrictions on copying data, etc.

The security section of the Operational Level Agreement

The Operational Level Agreement is another important document.
It describes the services provided by the service provider.
The provider must associate these agreements with responsibilities within the organisation.
The Service Catalogue gives a general description of the services.
The Operational Level Agreement translates these general descriptions into the individual services and their components, and into the way in which the agreements about service levels are assured within the organisation.

Example: the Service Catalogue refers to ‘managing authorisations per user and per individual’.
The Operational Level Agreement details this for all relevant services provided by the IT organisation.
In this way, the implementation of the measure is defined for the departments providing UNIX, VMS, NT, Oracle services, etc.
Where possible, the customer’s Service Level Requirements are interpreted in terms of the provider’s Service Catalogue, and additional agreements are concluded where necessary.
Such additional measures exceed the standard security level.
When drafting the SLA, measurable Key Performance Indicators (KPI) and criteria must also be agreed for Security Management.
KPIs are measurable parameters (metrics), and performance criteria are set at achievable levels.
In some cases it will be difficult to agree on measurable security parameters.
This is easier for availability, which can generally be expressed numerically.
However, this is much more difficult for integrity and confidentiality.
For this reason, the security section of the SLA normally describes the required measures in abstract terms.
The Code of Practice for Information Security Management is used as a basic set of security measures.
The SLA also describes how performance is measured.
The IT organisation (service provider) must regularly provide reports to the user organisation (customer).

EXTRA READING

Central Command Releases Its Annual Computer Security Survey Results for 2002
Virus protection concerns continue to increase among P2P users; Cyber-warfare likely according to respondents

MEDINA, Ohio, September 24, 2002 – Central Command, Inc., a leading provider of PC anti-virus software and computer security services, announced today the findings of its annual security survey.
The survey, reflecting up-to-date industry trends, was e-mailed to 943,026 PC users worldwide and explored individuals’ computer security settings and behaviours in relation to known computer security vulnerabilities.
With a 7% response rate, the survey provides valuable insight into the constant battle with computer viruses.

Control – Information Security policy and organisation

The Control activity in the centre of Figure 21 is the first sub process of Security Management and relates to the organisation and management of the process.
This includes the Information Security management framework.
This framework describes the sub processes: the definition of security plans, their implementation, evaluation of the implementation, and incorporation of the evaluation in the annual security plans (action plans).
The reports provided to the customer, via Service Level Management, are also addressed.
This activity defines the sub processes, security functions, and roles and responsibilities.
It also describes the organisational structure, reporting arrangements, and line of control (who instructs whom, who does what, how the implementation is reported).

The following measures from the Code of Practice are implemented by this activity.

Policy:
- Policy development and implementation, links with other policies.
- Objectives, general principles and significance.
- Description of the sub processes.
- Allocating functions and responsibilities for sub processes.
- Links with other ITIL processes and their management.
- General responsibility of personnel.
- Dealing with security incidents.

Information Security organisation:
- Management framework.
- Management structure (organisational structure).
- Allocation of responsibilities in greater detail.
- Setting up an Information Security Steering Committee.
- Information Security coordination.
- Agreeing tools (e.g. for risk analysis and improving awareness).
- Description of the IT facilities authorisation process, in consultation with the customer.
- Specialist advice.
- Cooperation between organisations, internal and external communications.
- Independent EDP audit.
- Security principles for access by third parties.

© The Art of Service Pty Ltd 2002
‘All of the information in this document is subject to copyright.
No part of this document may in any form or by any means (whether electronic or mechanical or otherwise) be copied, reproduced, stored in a retrieval system, transmitted or provided to any other person without the prior written permission of The Art of Service Pty Ltd, who owns the copyright.’

Further reading on ITIL:
- ITIL website: http://www.itil.co.uk
- OGC website: http://www.ogc.gov.uk
- Buy the ITIL books: http://www.itsmdirect.com
- Examination boards: EXIN: http://www.exin-exams.com ; ISEB: http://www.bcs.org.uk/iseb/
- ITIL Portal: http://www.itil-itsm-world.com/

Further reading on other models and frameworks:
- Cobit: http://www.isaca.org/cobit.htm