
COBIT

The Control Objectives for Information and related Technology (COBIT) is a certification created by ISACA and the IT Governance Institute (ITGI) in 1996, as a set of practices (framework) for information technology (IT) management.

Overview

COBIT was first released in 1996.

Its mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors”.[1] It is another certification similar to ITIL and PMP.

Adoption

No hard and fast numbers are publicly available.

Release history

COBIT has had four major releases:

• In 1996, the first edition of COBIT was released.

• In 1998, the second edition added “Management Guidelines”.

• In 2000, the third edition was released.

• In 2003, an on-line version became available.

• In December 2005, the fourth edition was initially released.

• In May 2007, the current 4.1 revision was released.

COBIT product family (version 4.0)

The complete COBIT package consists of:

• Executive Summary
• Governance and Control Framework
• Control Objectives
• Management Guidelines
• Implementation Guide
• IT Assurance Guide

COBIT and ISO/IEC 27002:2007

The table below describes the inter-relation of the two standards as well as how ISO/IEC 27002 can be integrated with COBIT.

COBIT — Information Quality Management is an information technology (IT) management discipline, which encompasses the COBIT Information Criteria of efficiency, effectiveness, confidentiality, integrity, availability, compliance, and reliability.

The idea is for companies to have the risks of using a program diminished to protect private and sensitive information.

It is held by some that the separation of software engineering, infrastructure management, and information security management leads to difficulties and failures.

These failures occur especially when communication is needed between these two sectors.

The future

Thus, leading edge companies are starting to integrate these information quality management disciplines along with the discipline of information risk management.

These two disciplines ensure that Software Engineering Frameworks of the future have established information security controls in place before the project commences.

Information Technology Infrastructure Library

The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations.

ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organisation can tailor to its needs.

ITIL is published in a series of books, each of which covers an IT management topic.

The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom’s Office of Government Commerce (OGC).

History

Responding to growing dependence on IT, the UK Government’s Central Computer and Telecommunications Agency in the 1980s developed a set of recommendations.

It recognised that without standard practices, government agencies and private sector contracts were independently creating their own IT management practices.

The IT Infrastructure Library originated as a collection of books, each covering a specific practice within IT Service Management.

ITIL was built around a process-model based view of controlling and managing operations often credited to W. Edwards Deming and his plan-do-check-act (PDCA) cycle.[1]

After the initial publication in 1989–1996, the number of books quickly grew within ITIL v1 to over 30 volumes.

In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into 8 logical “sets” that grouped related process-guidelines to match different aspects of IT management, applications, and services.

However, the main focus was known as the Service Management sets (Service Support and Service Delivery) which were by far the most widely used, circulated, and understood of ITIL v2 publications.

• In April 2001 the CCTA was merged into the Office of Government Commerce (OGC), an office of the UK Treasury.[2]

• In 2006, the ITIL v2 glossary was published.

• In May 2007, this organisation issued version 3 of ITIL (also known as the ITIL Refresh Project), consisting of 26 processes and functions, now grouped under only 5 volumes, arranged around the concept of a Service lifecycle structure.

• In 2009, the OGC officially announced that ITIL v2 certification would be withdrawn and launched a major consultation on how to proceed.[3]

Overview of the ITIL v2 library

The eight ITIL version 2 books and their disciplines are:

The IT Service Management sets

1. Service Support
2. Service Delivery

Other operational guidance

3. ICT Infrastructure Management
4. Security Management
5. The Business Perspective
6. Application Management
7. Software Asset Management

To assist with the implementation of ITIL practices a further book was published (Apr 9, 2002) providing guidance on implementation (mainly of Service Management):

8. Planning to Implement Service Management

And this has more recently (Jan 26, 2006) been supplemented with guidelines for smaller IT units, not included in the original eight publications:

9. ITIL Small-Scale Implementation

Service Support

The Service Support[4] ITIL discipline focuses on the User of the ICT services and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions.

To a business, customers and users are the entry point to the process model.

They get involved in service support by:

• Asking for changes
• Needing communication, updates
• Having difficulties, queries
• Real process delivery

The service desk functions as the single contact-point for end-users’ incidents.

Its first function is always to “create” an incident.

If there is a direct solution, it attempts to resolve the incident at the first level.

If the service desk cannot solve the incident then it is passed to a 2nd/3rd level group within the incident management system.

Incidents can initiate a chain of processes: Incident Management, Problem Management, Change Management, Release Management and Configuration Management.

This chain of processes is tracked using the Configuration Management Database (CMDB), which records each process, and creates output documents for traceability (Quality Management).

Service Desk / Service Request Management

Tasks include handling incidents and requests, and providing an interface for other ITSM processes.

Features include:

• single point of contact (SPOC) and not necessarily the first point of contact (FPOC)
• single point of entry
• single point of exit
• easier for customers
• data integrity
• streamlined communication channel

Primary functions of the Service Desk include:

• incident control: life-cycle management of all service requests
• communication: keeping the customer informed of progress and advising on workarounds

The Service Desk function can have various names, such as:

• Call Center: main emphasis on professionally handling large call volumes of telephone-based transactions
• Help Desk: manage, co-ordinate and resolve incidents as quickly as possible at primary support level
• Service Desk: not only handles incidents, problems and questions but also provides an interface for other activities such as change requests, maintenance contracts, software licenses, service-level management, configuration management, availability management, financial management and IT services continuity management

The three types of structure for consideration:

• Local Service Desk: to meet local business needs – practical only until multiple locations requiring support services are involved
• Central Service Desk: for organisations having multiple locations – reduces operational costs and improves usage of available resources
• Virtual Service Desk: for organisations having multi-country locations – can be situated and accessed from anywhere in the world due to advances in network performance and telecommunications, reducing operational costs and improving usage of available resources

Incident Management

Incident Management aims to restore normal service operation as quickly as possible and minimise the adverse effect on business operations, thus ensuring that the best possible levels of service-quality and -availability are maintained.

‘Normal service operation’ is defined here as service operation within Service Level Agreement (SLA) limits.

Incident Management can be defined as: An ‘Incident’ is any event which is not part of the standard operation of the service and which causes, or may cause, an interruption or a reduction of the quality of the service.

The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.

Problem Management

Problem Management aims to resolve the root causes of incidents and thus to minimise the adverse impact of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors.

A ‘problem’ is an unknown underlying cause of one or more incidents, and a ‘known error’ is a problem that is successfully diagnosed and for which either a work-around or a permanent resolution has been identified.

The CCTA (Central Computer and Telecommunications Agency) defines problems and known errors as follows:

A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms.

Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

Problem management differs from incident management.

The principal purpose of problem management is to find and resolve the root cause of a problem and thus prevent further incidents; the purpose of incident management is to return the service to normal level as soon as possible, with smallest possible business impact.

The problem-management process is intended to reduce the number and severity of incidents and problems on the business, and report it in documentation to be available for the first-line and second line of the help desk.

The proactive process identifies and resolves problems before incidents occur.

Such processes include:

• Trend analysis;
• Targeting support action;
• Providing information to the organisation

The Error Control Process iteratively diagnoses known errors until they are eliminated by the successful implementation of a change under the control of the Change Management process.

The Problem Control Process aims to handle problems in an efficient way.

Problem control identifies the root cause of incidents and reports it to the service desk.

Other activities are:

• Problem identification and recording
• Problem classification
• Problem investigation and diagnosis

A technique for identifying the root cause of a problem is to use an Ishikawa diagram, also referred to as a cause-and-effect diagram, tree diagram, or fishbone diagram.

Alternatively, a formal Root Cause Analysis method such as Apollo Root Cause Analysis can be implemented and used to identify causes and solutions.

An effective root cause analysis method and/or tool will provide the most effective/efficient solutions to address problems in the Problem Management process.

Change Management

Change Management aims to ensure that standardised methods and procedures are used for efficient handling of all changes. A change is “an event that results in a new status of one or more configuration items (CIs)” approved by management, cost effective, enhances business process changes (fixes) – with a minimum risk to IT infrastructure.

The main aims of Change Management include:

• Minimal disruption of services
• Reduction in back-out activities
• Economic utilisation of resources involved in the change

Change Management Terminology

• Change: the addition, modification or removal of CIs
• Request for Change (RFC) or in older terminology Change Request (CR): form used to record details of a request for a change and is sent as an input to Change Management by the Change Requestor
• Forward Schedule of Changes (FSC): schedule that contains details of all forthcoming Changes.

Release Management

Release Management is used by the software migration team for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure.

Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which functions as intended when introduced into existing infrastructure.

Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management.

This guarantees that all software meets the demands of the business processes.

The goals of release management include:

• Planning the rollout of software
• Designing and implementing procedures for the distribution and installation of changes to IT systems
• Effectively communicating and managing expectations of the customer during the planning and rollout of new releases
• Controlling the distribution and installation of changes to IT systems

Release management focuses on the protection of the live environment and its services through the use of formal procedures and checks.

A Release consists of the new or changed software and/or hardware required to implement approved changes.

Release categories include:

• Major software releases and major hardware upgrades, normally containing large amounts of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes.
• Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.
• Emergency software and hardware fixes, normally containing the corrections to a small number of known problems.

Releases can be divided based on the release unit into:

• Delta Release: a release of only that part of the software which has been changed. For example, security patches.
• Full Release: the entire software program is deployed—for example, a new version of an existing application.
• Packaged Release: a combination of many changes—for example, an operating system image which also contains specific applications.

Configuration Management

Configuration Management is the management and traceability of every aspect of a configuration from beginning to end and it includes the following key process areas under its umbrella: Identification, Planning, Change Control, Change Management, Release Management, Maintenance, process that tracks all individual Configuration Items (CI) generated by applying all of the key process areas in a system.

IT service continuity management

IT service continuity management covers the processes by which plans are put in place and managed to ensure that IT Services can recover and continue even after a serious incident occurs.

It is not just about reactive measures, but also about proactive measures – reducing the risk of a disaster in the first instance.

Continuity management is regarded by the application owners as the recovery of the IT infrastructure used to deliver IT Services, but as of 2009 many businesses practice the much further-reaching process of Business Continuity Planning (BCP), to ensure that the whole end-to-end business process can continue should a serious incident occur (at primary support level).

Continuity management involves the following basic steps:

• Prioritising the activities to be recovered by conducting a Business Impact Analysis (BIA)
• Performing a Risk Assessment (aka risk analysis) for each of the IT Services to identify the assets, threats, vulnerabilities and countermeasures for each service.
• Evaluating the options for recovery
• Producing the Contingency Plan
• Testing, reviewing, and revising the plan on a regular basis

Availability Management

Availability Management targets allowing organisations to sustain the IT service-availability to support the business at a justifiable cost.

The high-level activities are Realise Availability Requirements, Compile Availability Plan, Monitor Availability, and Monitor Maintenance Obligations.

Availability Management addresses the ability of an IT component to perform at an agreed level over a period of time.

• Reliability: Ability of an IT component to perform at an agreed level at described conditions.

• Maintainability: The ability of an IT component to remain in, or be restored to an operational state.

• Serviceability: The ability for an external supplier to maintain the availability of component or function under a third-party contract.

• Resilience: A measure of freedom from operational failure and a method of keeping services reliable. One popular method of resilience is redundancy.

• Security: A service may have associated data. Security refers to the confidentiality, integrity, and availability of that data.

Availability gives a clear overview of the end-to-end availability of the system.

Financial Management for IT Services

IT Financial Management comprises the discipline of ensuring that the IT infrastructure is obtained at the most effective price (which does not necessarily mean cheapest) and calculating the cost of providing IT services so that an organisation can understand the costs of its IT services.

These costs may then be recovered from the customer of the service.

This is the 2nd component of service delivery process.

ICT Infrastructure Management

ICT Infrastructure Management[6] (“ICT” is an acronym for “Information and Communication Technology”) processes recommend best practice for requirements analysis, planning, design, deployment and ongoing operations management and technical support of an ICT Infrastructure.

The Infrastructure Management processes describe those processes within ITIL that directly relate to the ICT equipment and software that is involved in providing ICT services to customers.

• ICT Design and Planning
• ICT Deployment
• ICT Operations
• ICT Technical Support

These disciplines are less well understood than those of Service Management and therefore often some of their content is believed to be covered ‘by implication’ in Service Management disciplines.

ICT Design and Planning

ICT Design and Planning provides a framework and approach for the Strategic and Technical Design and Planning of ICT infrastructures.

It includes the necessary combination of business (and overall IS) strategy, with technical design and architecture.

ICT Design and Planning drives both the Procurement of new ICT solutions through the production of Statements of Requirement (“SOR”) and Invitations to Tender (“ITT”) and is responsible for the initiation and management of ICT Programmes for strategic business change.

Key Outputs from Design and Planning are:

• ICT Strategies, Policies and Plans
• The ICT Overall Architecture & Management Architecture
• Feasibility Studies, ITTs and SORs
• Business Cases

ICT Deployment Management

ICT Deployment provides a framework for the successful management of design, build, test and roll-out (deploy) projects within an overall ICT programme.

It includes many project management disciplines in common with PRINCE2, but has a broader focus to include the necessary integration of Release Management and both functional and non functional testing.

ICT Operations Management

ICT Operations Management provides the day-to-day technical supervision of the ICT infrastructure.

Often confused with the role of Incident Management from Service Support, Operations has a more technical bias and is concerned not solely with Incidents reported by users, but with Events generated by or recorded by the Infrastructure.

ICT Operations may often work closely alongside Incident Management and the Service Desk, which are not-necessarily technical, to provide an ‘Operations Bridge’.

Operations, however, should primarily work from documented processes and procedures and should be concerned with a number of specific sub-processes, such as: Output Management, Job Scheduling, Backup and Restore, Network Monitoring/Management, System Monitoring/Management, Database Monitoring/Management, and Storage Monitoring/Management.

Operations are responsible for the following:

• A stable, secure ICT infrastructure
• A current, up to date Operational Documentation Library (“ODL”)
• A log of all operational Events
• Maintenance of operational monitoring and management tools.
• Operational Scripts
• Operational Procedures

ICT Technical Support

ICT Technical Support is the specialist technical function for infrastructure within ICT.

Primarily as a support to other processes, both in Infrastructure Management and Service Management, Technical Support provides a number of specialist functions: Research and Evaluation, Market Intelligence (particularly for Design and Planning and Capacity Management), Proof of Concept and Pilot engineering, specialist technical expertise (particularly to Operations and Problem Management), creation of documentation (perhaps for the Operational Documentation Library or Known Error Database).

There are different levels of support under the ITIL structure, these being primary support level, secondary support level and tertiary support level, higher-level administrators being responsible for support at primary level.

Security Management

The ITIL-process Security Management[7] describes the structured fitting of information security in the management organisation.

ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC 27002.

A basic goal of Security Management is to ensure adequate information security.

The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organisation.

This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure for many organisations to structure their Information Security Management Systems in accordance with ISO/IEC 27001 requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works.

Application Management

The ITIL Application Management[8] set encompasses a set of best practices proposed to improve the overall quality of IT software development and support through the life-cycle of software development projects, with particular attention to gathering and defining requirements that meet business objectives.

This volume is related to the topics of Software Engineering and IT Portfolio Management.

Software Asset Management

Software Asset Management (SAM) is the practice of integrating people, processes and technology to allow software licenses and usage to be systematically tracked, evaluated and managed.

The goal of SAM is to reduce IT expenditures, human resource overhead and risks inherent in owning and managing software assets.

SAM practices include:

• Maintaining software license compliance
• Tracking inventory and software asset use
• Maintaining standard policies and procedures surrounding definition, deployment, configuration, use, and retirement of software assets and the Definitive Software Library.

SAM represents the software component of IT asset management.

This includes hardware asset management because effective hardware inventory controls are critical to efforts to control software.

This means overseeing software and hardware that comprise an organisation’s computers and network.

Planning to Implement Service Management

The ITIL discipline – Planning to Implement Service Management[9] attempts to provide practitioners with a framework for the alignment of business needs and IT provision requirements.

The processes and approaches incorporated within the guidelines suggest the development of a Continuous Service Improvement Program (CSIP) as the basis for implementing other ITIL disciplines as projects within a controlled program of work.

Planning to Implement Service Management focuses mainly on the Service Management processes, but also applies generically to other ITIL disciplines.

Components include:

• creating vision
• analyzing organisation
• setting goals
• implementing IT service management

Small-Scale Implementation

ITIL Small-Scale Implementation[10] provides an approach to ITIL framework implementation for smaller IT units or departments.

It is primarily an auxiliary work that covers many of the same best practice guidelines as Planning to Implement Service Management, Service Support, and Service Delivery but provides additional guidance on the combination of roles and responsibilities, and avoiding conflict between ITIL priorities.

Overview of the ITIL v3 library

ITIL v3 is an extension of ITIL v2 and will fully replace it following the completion of the withdrawal period on 30 June 2011.[11]

ITIL v3 provides a more holistic perspective on the full life cycle of services, covering the entire IT organisation and all supporting components needed to deliver services to the customer, whereas v2 focused on specific activities directly related to service delivery and support.

Most of the v2 activities remained untouched in v3, but some significant changes in terminology were introduced in order to facilitate the expansion.

Five volumes comprise the ITIL v3, published in May 2007:

1. ITIL Service Strategy[12]
2. ITIL Service Design[13]
3. ITIL Service Transition[14]
4. ITIL Service Operation[15]
5. ITIL Continual Service Improvement[16]

Service Strategy

As the center and origin point of the ITIL Service Lifecycle, the ITIL Service Strategy volume[12] provides guidance on clarification and prioritisation of service-provider investments in services.

More generally, Service Strategy focuses on helping IT organisations improve and develop over the long term.

In both cases, Service Strategy relies largely upon a market-driven approach.

Key topics covered include service value definition, business-case development, service assets, market analysis, and service provider types.

List of covered processes:

• Service Portfolio Management[17]
• Demand Management
• IT Financial Management[18]

Service Design

The ITIL Service Design volume[13] provides good-practice guidance on the design of IT services, processes, and other aspects of the service management effort.

Significantly, design within ITIL is understood to encompass all elements relevant to technology service delivery, rather than focusing solely on design of the technology itself.

As such, Service Design addresses how a planned service solution interacts with the larger business and technical environments, service management systems required to support the service, processes which interact with the service, technology, and architecture required to support the service, and the supply chain required to support the planned service.

Within ITIL v2, design work for an IT service is aggregated into a single Service Design Package (SDP).

Service Design Packages, along with other information about services, are managed within the service catalogues.

List of covered processes:

• Service Catalogue Management
• Service Level Management
• Risk Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Compliance Management
• IT Architecture Management
• Supplier Management

Service Transition

Service transition, as described by the ITIL Service Transition volume,[14] relates to the delivery of services required by a business into live/operational use, and often encompasses the “project” side of IT rather than “BAU” (Business as usual).

This area also covers topics such as managing changes to the “BAU” environment.

List of processes:

• Service Asset and Configuration Management
• Service Validation and Testing
• Evaluation
• Release Management
• Change Management
• Knowledge Management

Service Operation

Best practice for achieving the delivery of agreed levels of services both to end-users and the customers (where “customers” refer to those individuals who pay for the service and negotiate the SLAs).

Service operation, as described in the ITIL Service Operation volume,[15] is the part of the lifecycle where the services and value are actually directly delivered.

Also, the monitoring of problems and the balance between service reliability and cost, etc., are considered.

The functions include technical management, application management, operations management and Service Desk, as well as responsibilities for staff engaging in Service Operation.

List of processes:

• Event Management
• Incident Management
• Problem Management
• Request Fulfilment
• Access Management

Continual Service Improvement (CSI)

Aligning and realigning IT services to changing business needs (because standstill implies decline).

Continual Service Improvement, defined in the ITIL Continual Service Improvement volume,[16] aims to align and realign IT Services to changing business needs by identifying and implementing improvements to the IT services that support the Business Processes.

The perspective of CSI on improvement is the business perspective of service quality, even though CSI aims to improve process effectiveness, efficiency and cost effectiveness of the IT processes through the whole lifecycle.

To manage improvement, CSI should clearly define what should be controlled and measured.

CSI needs to be treated just like any other service practice.

There needs to be upfront planning, training and awareness, ongoing scheduling, roles created, ownership assigned, and activities identified to be successful.

CSI must be planned and scheduled as a process with defined activities, inputs, outputs, roles and reporting.

List of processes:

• Service Level Management
• Service Measurement and Reporting
• Continual Service Improvement

Criticisms of ITIL

ITIL has been criticised on several fronts, including:

• The books are not affordable for non-commercial users
• Accusations that many ITIL advocates think ITIL is “a holistic, all-encompassing framework for IT governance”
• Accusations that proponents of ITIL indoctrinate the methodology with ‘religious zeal’ at the expense of pragmatism
• Implementation and credentialing requires specific training
• Debate over ITIL falling under BSM or ITSM frameworks

Rob England (also known as “IT Skeptic”) has criticised the protected and proprietary nature of ITIL.[19]

He urges the publisher, OGC, to release ITIL under the Open Government Licence (OGL).[20]

CIO Magazine columnist Dean Meyer has also presented some cautionary views of ITIL,[21] including five pitfalls such as “becoming a slave to outdated definitions” and “Letting ITIL become religion.” As he notes, “…it doesn’t describe the complete range of processes needed to be world class. It’s focused on … managing ongoing services.”

In a 2004 survey designed by Noel Bruton (author of “How to Manage the IT Helpdesk” and “Managing the IT Services Process”), organisations adopting ITIL were asked to relate their actual experiences in having implemented ITIL.

Seventy-seven percent of survey respondents either agreed or strongly agreed that “ITIL does not have all the answers”.

ITIL exponents accept this, citing ITIL’s stated intention to be non-prescriptive, expecting organisations to engage ITIL processes with existing process models.

Bruton notes that the claim to non-prescriptiveness must be, at best, one of scale rather than absolute intention, for the very description of a certain set of processes is in itself a form of prescription.[22]

While ITIL addresses in depth the various aspects of Service Management, it does not address enterprise architecture in such depth.

Many of the shortcomings in the implementation of ITIL do not necessarily come about because of flaws in the design or implementation of the Service Management aspects of the business, but rather the wider architectural framework in which the business is situated.

Because of its primary focus on Service Management, ITIL has limited utility in managing poorly designed enterprise architectures, or how to feed back into the design of the enterprise architecture.

Closely related to the Architectural criticism, ITIL does not directly address the business applications which run on the IT infrastructure; nor does it facilitate a more collaborative working relationship between development and operations teams.

The trend toward a closer working relationship between development and operations is termed: DevOps.

This trend is related to increased application release rates and the adoption of Agile software development methodologies.

Traditional service management processes have struggled to support increased application release rates – due to lack of automation – and/or highly complex enterprise architecture.

Some researchers group ITIL with Lean, Six Sigma and Agile IT operations management.

Applying Six Sigma techniques to ITIL brings the engineering approach to ITIL’s framework.

Applying Lean techniques promotes continuous improvement of ITIL’s best practices.

However, ITIL itself is not a transformation method, nor does it offer one.

Readers are required to find and associate such a method.

Some vendors have also included the term Lean when discussing ITIL implementations, for example “Lean-ITIL”.

The initial consequences of an ITIL initiative tend to add cost with benefits promised as a future deliverable.

ITIL does not provide usable methods “out of the box” to identify and target waste, or document the customer value stream as required by Lean, and measure customer satisfaction.

Frameworks Related to ITIL

A number of frameworks exist in the field of IT Service Management alongside ITIL.

ITIL Descendants

The Microsoft Operations Framework (MOF) is based on ITILv2.

While ITIL deliberately aims to be platform agnostic, MOF is designed by Microsoft to provide a common management framework for its products.

Microsoft has mapped MOF to ITIL as part of their documentation of the framework.[23]

The British Educational Communications and Technology Agency (BECTA) used ITIL as the basis for their development of Framework for ICT Technical Support (FITS) [24].

Their aim was to develop a framework appropriate for British schools which often have very small IT departments.

FITS became independent from BECTA in 2009.

Other Frameworks

ITIL is generally equivalent to the scope of the ISO/IEC 20000 standard (previously BS 15000).[25]

While it is not possible for an organization to be certified as being ITIL compliant, certification of an organisation is available for ISO20000 [26].

COBIT is an IT governance framework and supporting toolset developed by ISACA.

ISACA view ITIL as being complementary to COBIT.

They see COBIT as providing a governance and assurance role while ITIL provides guidance for service management.[27]

The enhanced Telecom Operations Map (eTOM) published by the TeleManagement Forum offers a framework aimed at telecommunications service providers.

In a joint effort, TM Forum and itSMF developed an Application Note to eTOM (GB921) that shows how the two frameworks can be mapped to each other.

It addresses how eTOM process elements and flows can be used to support the processes identified in ITIL.[28] [29]

IBM Tivoli Unified Process (ITUP) is aligned with ITIL, but is presented as a complete, integrated process model compatible with IBM’s products.

Certification

Individuals

The certification scheme differs between ITIL v2 and ITIL v3, and bridge examinations let v2 certification owners transfer to the new program.

ITIL v2 offers 3 certification levels: Foundation, Practitioner and Manager.

These should be progressively discontinued in favour of the new ITIL v3 scheme.

ITIL v3 certification levels are: Foundation, Intermediate, Expert and Master.

The ITIL v3 certification scheme offers a modular approach.

Each qualification is assigned a credit value; so that upon successful completion of the module, the candidate is rewarded with both a certification and a number of credits.

At the lowest level, Foundation, candidates are awarded a certification and 2 credits.

At the Intermediate level, a total of 15 credits must be earned.

These credits may be accumulated in either a “Lifecycle” stream or a “Capability” stream, or a combination thereof.

Each Lifecycle module and exam is 3 credits.

[Figure: An ITIL Foundation certificate pin.]

Each Capability module and corresponding exam is 4 credits.

A candidate wanting to achieve the Expert level will have, among other requirements, to gain the required number of credits (22).

That is accomplished with two from Foundations, then 15 from Intermediate, and finally 5 credits from the “Managing Across the Lifecycle” exam.

Together, the total of 22 earned credits designates one as ITIL v3 Expert.

The ITIL Certification Management Board (ICMB) manages ITIL certification.

The Board includes representatives from interested parties within the community around the world.

Members of the Board include (though are not limited to) representatives from the UK Office of Government Commerce (OGC), APM Group (APMG), The Stationery Office (TSO), V3 Examination Panel, Examination Institutes (EIs) and the IT Service Management Forum International (itSMF) as the recognised user group.[30]

Since the early 1990s, EXIN and ISEB have been setting up the ITIL based certification program, developing and providing ITIL exams at three different levels: Foundation, Practitioner and Manager.

EXIN[31] and BCS/ISEB[32] (the British Computer Society) have from that time onwards been the only two examination providers in the world to develop formally acknowledged ITIL certifications, provide ITIL exams and accredit ITIL training providers worldwide.

These rights were obtained from OGC, the British government institution and owner of the ITIL trademark.

OGC signed over the management of the ITIL trademark and the accreditation of examination providers [31] , BCS/ISEB and other certification bodies, including to APMG in 2006.

Now, after signing a contract with EXIN PEOPLECERT Group [33], APMG is accrediting them as official examination bodies, to offer ITIL exams and accredit ITIL training providers.

On July 20, 2006, the OGC signed a contract with the APM Group [34] to become its commercial partner for ITIL accreditation from January 1, 2007.[35] APMG manage the ITIL Version 3 exams.

APMG maintains a voluntary register of ITIL Version 3-certified practitioners at their Successful Candidate Register.[36]

A voluntary registry of ITIL Version 2-certified practitioners is operated by the ITIL Certification Register.[37]

ITIL® pins

It has been a well-known tradition for years that passing an EXIN exam in IT Service Management (based on ITIL®) does not only result in a certificate, but is also accompanied by the presentation of a metal pin which can be attached to a shirt or jacket.

This distinguishing badge with basic gold colour is set in the form of the internationally well-known ITIL® logo.

The ITIL® pins consist of a small diamond-like structure that is accepted worldwide.

The meaning and the shape of the diamond depict coherence in the IT industry (infrastructure as well).

The four corners of the pin symbolise service support, service delivery, Infrastructure Management and IT Management.

There are three colours of ITIL® V2 pins:
1. green, for the Foundation Certificate
2. blue, for the Practitioner’s Certificate
3. red, for the Manager’s Certificate

Exam candidates who have successfully passed the examinations for ITIL® version 2 will receive their appropriate pin from EXIN, PEOPLECERT Group or their certification provider, their EXIN, PEOPLECERT Group or their certification provider regional office, or an EXIN, PEOPLECERT Group or certification agent.

With the arrival of ITIL® V3, there are several new pins to display your achievements.

As of July 2008, EXIN and all certification providers such as PEOPLECERT Group will also provide ITIL® pins to exam candidates who have obtained ITIL® version 3 certificates.

The new pins are very similar to ITIL® V2 pins, but every level has a different color corresponding to the ITIL® V3 core books.

Organisations

Organisations and management systems cannot claim certification as “ITIL-compliant”.

An organisation that has implemented ITIL guidance in IT Service Management (ITSM) may, however, be able to achieve compliance with and seek certification under ISO/IEC 20000.

Note that there are some significant differences between ISO/IEC 20000 and ITIL Version 3:[38]

• ISO20000 only recognises the management of financial assets, not assets which include “management, organisation, process, knowledge, people, information, applications, infrastructure and financial capital”, nor the concept of a “service asset”.

So ISO20000 certification does not address the management of ‘assets’ in an ITIL sense.

• ISO20000 does not recognise Configuration Management System (CMS) or Service Knowledge Management System (SKMS), and so does not certify anything beyond Configuration Management Database (CMDB).

• An organisation can obtain ISO20000 certification without recognising or implementing the ITIL concept of Known Error, which is usually considered essential to ITIL.

References

[1] David Clifford, Jan van Bon (2008). Implementing ISO/IEC 20000 Certification: The Roadmap. ITSM Library. Van Haren Publishing. ISBN 908753082X.
[2] Office of Government Commerce (UK) CCTA and OGC (http://www.…uk/index.…). Retrieved May 5, 2005.
[3] Office of Government Commerce (UK) (http://www.…uk/guidance_itil.…). Retrieved August 19, 2009.
[4] Office of Government Commerce (2000). Service Support. The Stationery Office. ISBN 0113300158.
[5] Office of Government Commerce (2001). Service Delivery. IT Infrastructure Library. The Stationery Office. ISBN 0113300174.
[6] Office of Government Commerce (2002). ICT Infrastructure Management. The Stationery Office. ISBN 0113308655.
[7] Cazemier, Jacques A.; Overbeek, Paul L.; Peters, Louk M. Security Management. The Stationery Office. ISBN 011330014X.
[8] Office of Government Commerce (2002). Application Management. The Stationery Office. ISBN 0113308663.
[9] Office of Government Commerce (2002). Planning to Implement Service Management. The Stationery Office. ISBN 0113308779.
[10] Office of Government Commerce (2005). ITIL Small Scale Implementation. The Stationery Office. ISBN 0113309805.
[11] http://www.…uk/itil_ogc_withdrawal_of_itil_version2.asp
[12] Majid Iqbal and Michael Nieves (2007). ITIL Service Strategy. The Stationery Office. ISBN 9780113310456.
[13] Vernon Lloyd and Colin Rudd (2007). ITIL Service Design. The Stationery Office. ISBN 9780113310470.
[14] Shirley Lacy and Ivor Macfarlane (2007). ITIL Service Transition. The Stationery Office. ISBN 9780113310487.
[15] David Cannon and David Wheeldon (2007). ITIL Service Operation. The Stationery Office. ISBN 9780113310463.
[16] George Spalding and Gary Case (2007). ITIL Continual Service Improvement. The Stationery Office. ISBN 9780113310494.
[17] http://wiki.…com/index.php/Service_Portfolio_Management
[18] http://wiki.…com/index.php/Financial_Management
[19] http://www.…org/free-itil
[20] http://www.…uk/doc/open-government-licence/open-government-licence.htm
[21] Meyer, Dean, 2005. “Beneath the Buzz: ITIL” (http://web.…org/web/20050404165524/http://www.…com/leadership/buzz/column.html?ID=4186), CIO Magazine, March 31, 2005
[22] Survey: “The ITIL Experience – Has It Been Worth It”, author Bruton Consultancy 2004, published by Helpdesk Institute Europe, The Helpdesk and IT Support Show, and Hornbill Software.
[23] Microsoft Operations Framework; Cross Reference ITIL V3 and MOF 4.0 (http://go.…com/fwlink/?LinkId=151991). Microsoft Corporation. May 2009.
[24] http://www.…org
[25] Van Bon, Jan; Verheijen, Tieneke (2006), Frameworks for IT Management (http://books.…com/books?id=RV3jQ16F1_cC), Van Haren Publishing, ISBN 9789077212905
[26] http://www.…com/newsletters/DITYvol2iss3.htm
[27] ISACA (2008), COBIT Mapping: Mapping of ITIL V3 With COBIT 4.1 (http://www.…org/Knowledge-Center/Research/ResearchDeliverables/Pages/COBIT-Mapping-Mapping-of-ITIL-V3-With-COBIT-4-1.aspx), ITGI, ISBN 9781604200355
[28] Brooks, Peter (2006), Metrics for IT Service Management (http://books.…com/books?id=UeWDivqKcm0C), Van Haren Publishing, pp. 76–77, ISBN 9789077212691
[29] Morreale, Patricia A.; Terplan, Kornel (2009), “Matching ITIL to eTOM” (http://books.…com/books?id=VEp0aMmH3iQC), CRC Handbook of Modern Telecommunications, Second Edition (2 ed.), CRC Press, ISBN 9781420078008
[30] APMG (2008). “ITIL Service Management Practices: V3 Qualifications Scheme” (http://www.…com/nmsruntime/saveasdialog.asp?lID=572&sID=86). Retrieved 24 February 2009.
[31] “EXIN Exams” (http://www.…com/). EXIN Exams. Retrieved 2010-01-14.
[32] “ISEB Professionals Qualifications, Training, Careers BCS – The Chartered Institute for IT” (http://www.…org/server.…). Retrieved 2010-01-14.
[33] http://www.…org
[34] http://www.…com/
[35] Office of Government Commerce (2006). “Best Practice portfolio: new contracts awarded for publishing and accreditation services” (http://www.…uk/About_OGC_news_4906.…). Retrieved 19 September 2006.
[36] http://www.…uk/ITILSCRquery.asp
[37] http://www.…org/
[38] Office of Government Commerce (2008). “Best Management Practice: ITIL V3 and ISO/IEC 20000” (http://www.…com/gempdf/ITIL_and_ISO_20000_March08.…). Retrieved 24 February 2009.

External links
• Official ITIL Website
• The OGC website

Information security management system

An information security management system (ISMS) is a set of policies concerned with information security management or IT related risks.

The idioms arose primarily out of ISO 27001.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

ISMS description

[Figure: Plan-Do-Check-Act Cycle]

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment.

ISO/IEC 27001 therefore incorporates the typical “Plan-Do-Check-Act” (PDCA), or Deming cycle, approach:

• The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.

• The Do phase involves implementing and operating the controls.

• The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

• In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC.

Another competing ISMS is Information Security Forum’s Standard of Good Practice (SOGP).

It is more best practice-based as it comes from ISF’s industry experiences.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally.

COBIT has a companion framework Risk IT dedicated to Information security.

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that it is a business and organizational problem, not only a technical problem:

• Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States.[1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[1] [2]

• Governing for Enterprise Security Implementation Guide [3] of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

Our objective is to help you make well informed decisions about many important components of GES such as adjusting organizational structure, designating roles and responsibilities, allocating resources (including security investments), managing risks, measuring results, and gauging the adequacy of security audits and reviews.

The intent in elevating security to a governance-level concern is to foster attentive, security-conscious leaders who are better positioned to protect an organization’s digital assets, its operations, its market position, and its reputation.

[Figure: ENISA: Risk Management and ISMS activities]

• A Capability Maturity Model for system security engineering was standardized in ISO/IEC 21827.

• Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS.

ISM3 builds on standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance and security concepts.

ISM3 can be used as a template for an ISO 9001-compliant ISMS.

While ISO/IEC 27001 is controls based, ISM3 is process based and includes process metrics.

ISM3 is a standard for security management (how to achieve the organization’s mission despite errors, attacks and accidents with a given budget).

The difference between ISM3 and ISO/IEC 21827 is that ISM3 is focused on management, ISO/IEC 21827 on engineering.

Need for an ISMS

Security experts say and statistics confirm that:
• information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
• security depends on people more than on technology;
• employees are a far greater threat to information security than outsiders;
• security is like a chain. It is as strong as its weakest link;
• the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
• security is not a status or a snapshot but a running process.

These facts inevitably lead to the conclusion that: Security administration is a management and NOT a purely technical issue.[4]

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.

Furthermore such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements which in turn have implications for:[4]
• business continuity;
• minimization of damages and losses;
• competitive edge;
• profitability and cash-flow;
• respected organization image;
• legal compliance

The chief objective of Information Security Management is to implement the appropriate measurements in order to eliminate or minimize the impact that various security related threats and vulnerabilities might have on an organization.

In doing so, Information Security Management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity etc.).[4]

Large organizations or organizations such as banks and financial institutes, telecommunication operators, hospital and health institutes and public or governmental bodies have many reasons for addressing information security very seriously.

Legal and regulatory requirements which aim at protecting sensitive or personal data as well as general public security requirements impel them to devote the utmost attention and priority to information security risks.[4]

Under these circumstances the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.[4]

As shown in Figure, the development of an ISMS framework entails the following 6 steps:[4]
1. Definition of Security Policy
2. Definition of ISMS Scope
3. Risk Assessment (as part of Risk Management)
4. Risk Management
5. Selection of Appropriate Controls
6. Statement of Applicability

— Corporate governance of information technology not directly related to IT governance, Sarbanes-Oxley and Basel-II in Europe have influenced the development of information technology governance since the early 2000s.

Following corporate collapses in Australia around the same time, working groups were established to develop standards for Corporate Governance.

A series of Australian Standards for Corporate Governance were published in 2003. These were:
• Good Governance Principles (AS8000)
• Fraud and Corruption Control (AS8001)
• Organisational Codes of Conduct (AS8002)
• Corporate Social Responsibility (AS8003)
• Whistle Blower protection programs (AS8004)

AS8015 Corporate Governance of ICT was published in January 2005.

It was fast-track adopted as ISO/IEC 38500 in May 2008 (Introduction to ISO 38500 [3]).

Problems with IT governance

Is IT governance different from IT management and IT controls?

The problem with IT governance is that often it is confused with good management practices and IT control frameworks.

ISO 38500 has helped clarify IT governance by describing it as the management system used by directors.

In other words, IT governance is about the stewardship of IT resources on behalf of the stakeholders who expect a return from their investment.

The directors responsible for this stewardship will look to the management to implement the necessary systems and IT controls.

Whilst managing risk and ensuring compliance are essential components of good governance, it is more important to be focused on delivering value and measuring performance.

Frameworks

There are quite a few supporting references that may be useful guides to the implementation of information technology governance.

Some of them are:

• AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology. AS8015 was adopted as ISO/IEC 38500 in May 2008

• ISO/IEC 38500:2008 Corporate governance of information technology [4] (very closely based on AS8015-2005) provides a framework for effective governance of IT to assist those at the highest level of organizations to understand and fulfill their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT. ISO/IEC 38500 is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. This standard provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations.

• Control Objectives for Information and related Technology (COBIT) is regarded as the world’s leading IT governance and control framework. COBIT provides a reference model of 34 IT processes typically found in an organization. Each process is defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary maturity model. Originally created by ISACA, COBIT is now the responsibility of the ITGI [5] (IT Governance Institute).

• The IT Infrastructure Library (ITIL) [6] is a high-level framework with information on how to achieve a successful operational Service management of IT, developed and maintained by the United Kingdom’s Office of Government Commerce, in partnership with the IT Service Management Forum. While not specifically focused on IT governance, the process related information is a useful reference source for tackling the improvement of the service management function.

Others include:
• ISO27001 – focus on IT security
• CMM – The Capability Maturity Model – focus on software engineering
• TickIT is a quality-management certification program for software development

Non-IT specific frameworks of use include:
• The Balanced Scorecard (BSC) – method to assess an organization’s performance in many different areas.
• Six Sigma – focus on quality assurance
• TOGAF – The Open Group Architectural Framework – methodology to align business and IT, resulting in useful projects and effective governance.

Professional certification

Certified in the Governance of Enterprise Information Technology (CGEIT) is an advanced certification created in 2007 by the Information Systems Audit and Control Association (ISACA).

It is designed for experienced professionals who can demonstrate 5 or more years of experience serving in a managing or advisory role focused on the governance and control of IT at an enterprise level.

It also requires passing a 4-hour test, designed to evaluate an applicant’s understanding of enterprise IT management.

The first examination was held in December 2008.

Footnotes

[1] Weill, P. & Ross, J. W., 2004, “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results”, Harvard Business School Press, Boston.
[2] IT Governance Institute 2003, “Board Briefing on IT Governance, 2nd Edition”. Retrieved January 18, 2006 from http://www.…org/Content/ContentGroups/ITGI3/Resources1/Board_Briefing_on_IT_Governance/26904_Board_Briefing_final.pdf
[3] http://www.…nl/imagesfile/PRESENTATIES%20JC%2008%20tbv%20publicatie/Christophe%20Feltus%20Introduction%20to%20ISO%2038500%20v1_0.pdf
[4] http://www.…org/iso/pressrelease.htm?refid=Ref1135
[5] http://www.…org
[6] http://www.…uk/

Further reading

• Lutchen, M. Managing IT as a business : a survival guide for CEOs. Hoboken, N.J., J. Wiley., ISBN 0-471-47104-6
• Van Grembergen W., Strategies for Information technology Governance, IDEA Group Publishing, 2004, ISBN 1-59140-284-0
• Van Grembergen, W., and S. De Haes, Enterprise Governance of IT: Achieving Strategic Alignment and Value, Springer, 2009.
• W. Van Grembergen, and S. De Haes, “A Research Journey into Enterprise Governance of IT, Business/IT Alignment and Value Creation”, International Journal of IT/Business Alignment and Governance, Vol. … 1, 2010, pp. …
• S. De Haes, and W. Van Grembergen, “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research”, Communications of AIS, No. 22, 2008, pp. 443–458.
• S. De Haes, and W. Van Grembergen, “An Exploratory Study into IT Governance Implementations and its Impact on Business/IT Alignment”, Information Systems Management, Vol. 26, 2009, pp. 123–137.
• S. De Haes, and W. Van Grembergen, “Exploring the relationship between IT governance practices and business/IT alignment through extreme case analysis in Belgian mid-to-large size financial enterprises”, Journal of Enterprise Information Management, Vol. 22, No. 5, 2009, pp. …
• Georgel F., IT Gouvernance : Maitrise d’un systeme d’information, Dunod, 2004(Ed1) 2006(Ed2), 2009(Ed3), ISBN 2-10-052574-3. “Gouvernance, audit et securite des TI”, CCH, 2008(Ed1) ISBN 978-289366577-1

See also the bibliography sections of IT Portfolio Management and IT Service Management

• Renz, Patrick S. “Project Governance.” Heidelberg, Physica-Verl. (Contributions to Economics) ISBN 978-3-7908-1926-7
• Wood, David J., 2011. “Assessing IT Governance Maturity: The Case of San Marcos, Texas”. Applied Research Projects, Texas State University-San Marcos.

External links

Institutes and associations
• The IT Governance Institute
• Information Systems Audit and Control Association
• International Association of Information Technology Asset Managers, Inc. – IAITAM
• Australian Computer Society Governance of ICT Committee
• IT Governance Network
• IT Governance Portal

Risk IT

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

Risk IT was published in 2009 by ISACA.[1] It is the result of a work group composed of industry experts and some academics of different nations, coming from organizations such as IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

Definition — Val IT

ISO/IEC 20000

ISO/IEC 20000 is the first international standard for IT Service Management.

It was developed in 2005, by ISO/IEC JTC1 SC7.

It is based on and intended to supersede the earlier BS 15000 that was developed by BSI Group.[1] Formally: ISO/IEC 20000-1 (‘part 1’) “promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements”.

It comprises ten sections:
• Scope
• Terms & Definitions
• Planning and Implementing Service Management
• Requirements for a Management System
• Planning & Implementing New or Changed Services
• Service Delivery Processes
• Relationship Processes
• Control Processes
• Resolution Processes
• Release Process.

ISO/IEC 20000-2 (‘part 2’) is a ‘code of practice’, and describes the best practices for service management within the scope of ISO/IEC 20000-1.

It comprises the same sections as ‘part 1’ but excludes the ‘Requirements for a Management system’ as no requirements are imposed by ‘part 2’.

ISO/IEC 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA’s COBIT framework.

The differentiation between ISO/IEC 20000 and BS 15000 has been addressed by Jenny Dugmore.[2] [3] The standard was first published in December 2005.

Notes
[1] BSI Group Fast Facts (http://www. com/en/About-BSI/News-Room/BSI-Fast-Facts2/)
[2] Dugmore, Jenny (2006). Achieving ISO/IEC 20000 – The Differences Between BS 15000 and ISO/IEC 20000. BSI Group (http://shop. com/en/Browse-By-Subject/ICT/IT-service-management/). p. 124. ISBN 0580473481.
[3] Dugmore, Jenny (2006). “BS 15000 to ISO/IEC 20000 What difference does it make?”. ITNOW 48 (3): 30.


ISO20000-3:2009 Guidance on scope definition and applicability of ISO/IEC 20000-1
ISO20000-4:2010 Process reference model
ISO20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1
ISO20000-1 updated at 2011-04-12

Academic resources
• International Journal of IT Standards and Standardization Research, ISSN: 1539-3054 (internet), 1539-3062 (print), Information Resources Management Association

ISO2000-1:2011 released at 2011-04-12

External links
• The ISO/IEC 20000 User Group
KS X ISO/IEC 20000 —

Assessment criteria

The evaluation of a data center is carried out on the basis of a large questionnaire for the four categories: facility, staff, technology and procedures as well as on the basis of a comprehensive inspection by the eco authorised auditors (eAA).

Criteria, topics and weight

Facilities (weight 25%)
• Access control and security
• Protected zones and fire control
• Raised floors
• Position in the building
• Facility feedings
• Scalability
• Structure of the building
• Cleanliness of the data center

Technology (weight 35%)
• Transformer / Main distribution for medium and low voltage
• Power supplier
• AC and DC power supply
• Emergency power supply, emergency shutdown, lightning protection
• Air conditioning and air filtration
• Temperature and humidity
• Carrier

Procedure (weight 20%)
• ITIL conformity
• Continuity management
• Existing certifications
• Access procedure
• Data security

Staff (weight 20%)
• Staff size
• Multilingual staff
• Accessibility and availability
• Qualifications
• Quality management

Performance and fulfillment grades

Performance grade 1 ★
• Basic air conditioning (n)[14]
• Basic power supply (n)
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 5 minutes hold-up time to shut down the operation systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire-resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 220-320 W/m²
• Minimum physical access protection (steel doors/security locks/windowless room or secured window) and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operation system)
• Stable network connection (min. 1 internet access provider, 1 independent network connection)
• Basic supply routes
Evaluation Period: 1 Year
• Limited operation because of maintenance: 2 downtimes over 14 hours
• Availability of the data center: 99.2% per year
• 2-3 outages per year with a downtime of respectively 5 hours[15]

Performance grade 2 ★★
• Basic air conditioning (n)
• Basic power supply (n)
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operation systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire-resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 220-320 W/m²
• Physical access protection (steel doors/security locks/windowless room or secured window) with a mental identification feature and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operation system)
• Stable network connection (min. 2 providers, 2 independent network connections)
• Basic supply routes
Evaluation Period: 1 Year
• Limited operation because of maintenance: 2 downtimes over 12 hours
• Availability of the data center: 99.671% per year, annual downtime 28.8 hours
• 2-3 outages per year with a downtime of respectively 4 hours

Performance grade 3 ★★★
• Air conditioning (n)
• Redundant power supply (n+1)
• Diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operation systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire-resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 430-800 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• ITIL process maturation grade 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operation system)
• Stable network connection (min. 2 Internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation Period: 2 Years
• Limited operation because of maintenance: 3 downtimes for 12 hours
• Availability of the data center: 99.671% per year, downtime 22 hours
• 2 outages per year with a downtime of respectively 4 hours

Performance grade 4 ★★★★
• Air conditioning (n+1) + UPS connection
• Redundant power supply (n+1) and 2 facility feedings
• Diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with (n)
• 8 minutes hold-up time to shut down the operation systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher)
• Architectural separation of the computer room from other spaces by the minimum F30/T30 (German-specific rating system for fire-resistance)
• Several fire sections in the data center are not necessary
• Heat dissipation performance: 430-1400 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• Access to the data center: at least 2 door systems
• ITIL process maturation grade 2 (mostly documented and adjusted to the ITIL model)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operation system)
• Stable network connection (min. 2 Internet access providers, 2 independent network connections)
• Basic supply routes
Evaluation Period: 5 Years
• Limited operation because of maintenance: 2 downtimes for 4 hours
• Availability of the data center: 99.982% per year, downtime 1.6 hours
• 2 outages per year with a downtime of respectively 4 hours

Performance grade 5 ★★★★★
• Air conditioning (n+2) + UPS connection (n+1)
• Redundant power supply (n+2) and 2 facility feedings (n+2 can be realized with a technical circuit and substantiated by service level agreements)
• 2 x diesel generator
• A UPS (perpetual quality power, overvoltage protection, etc.) designed with a minimum of (n+1)
• 20 minutes hold-up time to shut down the operation systems
• Devices for the detection of fire (smoke alarm) and for fire fighting (fire extinguisher), VESDA system
• Architectural separation of the computer room from other spaces by the minimum F60/T60 (German-specific rating system for fire-resistance)
• Several fire sections in the data center are necessary
• Heat dissipation performance: >= 1500 W/m²
• Process of an individualised authentication (biometrics or mental identification feature)
• Access to the data center: at least 2 door systems
• Optical turnstile for customer entrance
• ITIL process maturation grade 4 (completely documented and adjusted to the ITIL model)
• Documented Procedures (e.g. with the help of ISO 27001, ISO 20000, ISO 9001)
• Physical access protection (steel doors/security locks/windowless room or secured window) with logging and a warning system/break-in security
• Certified staff for the operation of the servers (network technology/operation system)
• Stable network connection (min. 5 Internet access providers, 2 independent network connections)
• Supply routes doubled
Evaluation Period: 5 Years
• No limited operation because of maintenance
• Availability of the data center: 99.991% per year, downtime 0.8 h
• 1 outage per year with a maximum downtime of 4 h

Fulfillment grade

In considering the calculated performance grade (%) derived from the questionnaire’s responses and the inspection, the result can be assigned to one of the five fulfillment grades (DC Stars).[16]

Fulfillment grade    Percent      Stars
1                    35 – 54%     ★
2                    55 – 64%     ★★
3                    65 – 74%     ★★★
4                    75 – 89%     ★★★★
5                    —

To certify, auditors should have 3 years experience

Emerging Issues

There are also new audits being imposed by various standard boards which are required to be performed, depending upon your organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant.

An example of such an audit is the newly minted SSAE 16 [10].

References
[1] Richard A. Goodman; Richard Arthur Goodman; Michael W. Lawless (1994). Technology and strategy: conceptual models and diagnostics (http://books. com/books?id=GIRdX9hIL1EC). Oxford University Press US. ISBN 9780195079494. Retrieved May 9, 2010.
[2] http://www. org/bookstore/product/it-auditing-an-adaptive-process-1263.cfm
[3] “Advanced System, Network and Perimeter Auditing” (http://www. org/security-training/auditing-networks-perimeters-and-systems-6-mid).
[4] “Institute of Internal Auditors” (http://www.
[5] “The SANS Technology Institute” (http://www.
[6] “ISACA” (http://www.
[7] Hoelzer, David (1999-2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press. p. 32.
[8] http://www. nl
[9] “GIAC GSNA Information” (http://www. org/certifications/audit/gsna.
[10] http://www. com

External links
• A career as Information Systems Auditor, by Avinash Kadam (Network Magazine)
• Federal Financial Institutions Examination Council (FFIEC)
• Information Systems Audit & Control Association (ISACA)
• Open Security Architecture - Controls and patterns to secure IT systems (http://www.opensecurityarchitecture.org)
• American Institute of Certified Public Accountants (AICPA)
• IT Services Library (ITIL)

Information technology audit process

Information technology audit process: Generally Accepted Auditing Standards (GAAS)

In 1947, the American Institute of Certified Public Accountants (AICPA) adopted GAAS to establish standards for audits.

The standards cover the following three categories:

• General Standards – relate to professional and technical competence, independence, and professional due care.

• Field Work Standards – relate to the planning of an audit, evaluation of internal control, and obtaining sufficient evidential matter upon which an opinion is based.

• Reporting Standards – relate to the compliance of all auditing standards and adequacy of disclosure of opinion in the audit reports.

If an opinion cannot be reached, the auditor is required to explicitly state their assertions.

Information Technology Audit Process Overview

The auditor must plan and conduct the audit to ensure their audit risk (the risk of reaching an incorrect conclusion based on the audit findings) will be limited to an acceptable level.

To eliminate the possibility of assessing audit risk too low, the auditor should perform the following steps:

1. Obtain an Understanding of the Organization and its Environment: The understanding of the organization and its environment is used to assess the risk of material misstatement/weakness and to set the scope of the audit. The auditor’s understanding should include information on the nature of the entity, management, governance, objectives and strategies, and business processes.

2. Identify Risks that May Result in Material Misstatements: The auditor must evaluate an organization’s business risks (threats to the organization’s ability to achieve its objectives). An organization’s business risks can arise or change due to new personnel, new or restructured information systems, corporate restructuring, and rapid growth, to name a few.

3. Evaluate the Organization’s Response to those Risks: Once the auditor has evaluated the organization’s response to the assessed risks, the auditor should then obtain evidence of management’s actions toward those risks. The organization’s response (or lack thereof) to any business risks will impact the auditor’s assessed level of audit risk.

4. Assess the Risk of Material Misstatement: Based on the knowledge obtained in evaluating the organization’s responses to business risks, the auditor then assesses the risk of material misstatements and determines specific audit procedures that are necessary based on that risk assessment.

5. Evaluate Results and Issue Audit Report: At this level, the auditor should determine if the assessments of risks were appropriate and whether sufficient evidence was obtained. The auditor will issue either an unqualified or qualified audit report based on their findings.

IBM Tivoli Unified Process (ITUP)

IBM Tivoli Unified Process (ITUP) is a knowledge base of widely accepted industry best practices and the accumulated experience from IBM’s client engagements.

The knowledge base comprises detailed, industry-wide IT service management processes, and is an integral part of the IBM Service Management solution family.[1] The knowledge base is structured on the IBM Process Reference Model for IT[2] (PRM-IT).

PRM-IT[3] describes the processes for exploiting IT in support of a business or enterprise.

ITUP is a free offering from IBM.[4] Its purpose is to make the benefits of service management best practice frameworks, like Information Technology Infrastructure Library (ITIL), more attainable for organizations through integrated process modeling.

Thus ITUP is closely aligned with ITIL (a series of books outlining a set of concepts for managing IT) and provides the guidance on how to implement IT service management using proven, predefined solutions.

Detailed process diagrams and descriptions provide further explanations of IT processes, the relationships between processes, and the roles and tools involved in an efficient process implementation.

ITUP is also mapped to other leading process models.[5]

Context

IT service management represents an evolution from managing IT as a technology to managing IT as a business.[6] As businesses move toward on-demand environments, IT organizations are faced with the challenge of increasing the quality of services provided to business, while simultaneously addressing faster rates of change, rising technical complexity, cost pressures, and compliance issues.

With traditional resource and system management approaches, providing effective support for business and efficient use of IT resources is proving impossible.

IT service management provides for the effective and efficient delivery of IT services in support of changing business needs.

Implementing IT service management requires the optimal intersection of people, process, information and technology.

When all of these components come together, they can make IT more efficient and effective.

Tivoli Unified Process tooling

IBM Tivoli Unified Process (ITUP) Composer is the tool used to create tailored method libraries* using the ITUP knowledge base content.[7] Customization includes creating or modifying process definitions to extend and publish content to document an organization’s operational processes.

The Composer tool provides the option to select and deploy a comprehensive project, or only the process components needed for each stage of a project, so that those processes are consistently applied by all IT staff.

(See ITUP Composer for development, this article.)

* A method library is a container for method plug-ins and method configuration definitions.

A method library has one or more method configurations that filter the library and provide smaller working sets of library content.

All method elements are stored in a method library.

Structure of the ITUP content knowledge database

The knowledge base includes descriptions of and relationships between five significant elements:

1. Process descriptions – detailed process diagrams and explanations to better understand processes and their relationships, making ITIL best-practice recommendations easier to implement. This category also maps processes to other leading process models, such as Control Objectives for Information and related Technology (COBIT) and the enhanced Telecom Operations Map (eTOM).

2. Work products – artifacts produced as outputs or required as inputs by processes. Includes information such as definitions for key terms and concepts.

3. Roles – as associated with the execution of specific tasks by IT staff typically responsible for one or more roles. Roles and job responsibilities are described in detail and cross-referenced to guidance on how staff can use tools to perform their roles more efficiently and effectively.

4. Tools – in the form of tool mentors. This category identifies products and solutions from IBM that can be used to automate or complete specific process activities.

5. Scenarios, or real-life examples – are provided as catalysts to make process content more comprehensible. A scenario can relate to specific issues, such as deploying a new server or responding to an outage. Scenarios describe, in a step-by-step format, the process workflow, roles, work products and tools involved in solving a specific problem.

The ITUP framework of process categories

Governance and Management System

The Governance and Management System process category ensures that a framework is in place to integrate processes, technologies, people, and data in a manner consistent with the IT goals.

This category also monitors the framework against the broader enterprise goals and quality metrics.

When specific goals and quality metrics are consistently unmet, decisions are made regarding the overall framework: whether it will be modified or restructured to ensure future success.

Governance considers and sets the fundamental direction for the management framework.

Governance is a decision rights and accountability framework for directing, controlling, and executing IT endeavors in order to determine and achieve desired behaviors and results.

Governance involves defining the management model and creating the governing or guiding principles.

Processes:
• IT Governance and Management System Framework
• IT Governance and Management System Capabilities
• IT Governance and Management Operation
• IT Governance and Management Evaluation

Customer Relationships

The Customer Relationships process category gives IT service providers a mechanism to understand, monitor, perform and compete effectively in the marketplace they serve.

Through active communication and interaction with customers, this process category provides the IT enterprise with valuable, current information concerning customer wants, needs, and requirements.

Once these requirements are captured and understood, the process category ensures that an effective market plan is created to bring the various IT services and capabilities to the marketplace.

Further, customer satisfaction data is gathered and reported in order to find areas of the IT services that require improvement.

Overall, this process provides a means for the IT enterprise to understand customer requirements, market IT services to customers, ensure and monitor the quality of the delivered IT services, and contribute to the maximization of business value from technology usage.

Processes:
• Stakeholder Requirements Management
• Service Marketing and Sales
• Service Catalog Management
• Service Level Management
• Demand Management
• IT Customer Transformation Management
• Customer Satisfaction Management

Direction

The Direction process category provides guidance on the external technology marketplace, aligns the IT outcomes to support the business strategy, minimizes risk exposures, and manages the IT Architecture and IT Portfolio.

Using the business strategy, related business requirements, and overall technology trends as key inputs, this process category creates an IT Strategy within the manageable constraints of the existing architecture and portfolio.

In addition to the IT strategy, the IT Portfolio and IT Architecture are planned, created, implemented, monitored, and continuously improved within this process category.

Items put forward for inclusion in the IT Portfolio are managed throughout their life cycle using product management approaches well established in many industries.

Processes:
• IT Strategy
• IT Research and Innovation
• Architecture Management
• Risk Management
• Product Management
• Portfolio Management
• Program and Project Management

Realization

In the Realization process category, solutions are created to satisfy the requirements of IT customers and stakeholders, including both the development of new solutions and the enhancements or maintenance of existing ones.

Development includes options to build or buy the components of solutions, and the integration of them for functional capability.

This process category encompasses the engineering and manufacturing of information technology products and services, and includes the making or buying of solutions, systems, integration, and extensions to existing solutions.

Maintenance and end-of-life shutdown activities (requiring solution adjustment) are also addressed in this category.

Processes:
• Solution Requirements
• Solution Analysis and Design
• Solution Development and Integration
• Solution Test
• Solution Acceptance

Transition

The Transition category of processes supports any aspect related to a life cycle status change in solutions and services.

The processes provide defined and repeatable approaches to planning, effecting and recording these transitions, and can be applied to all stages of the life cycle.

They also serve to maintain control over the information technology (IT) resources that are subject to such status changes.

Further, the processes in this category provide vital enabling information to other process areas related to the management of IT.

Using these processes, developments in IT capabilities supporting the stake holding businesses and customers achieve their desired operational status from which value can be derived.

Processes:
• Change Management
• Release Management
• Deployment Management
• Configuration Management
• Asset Management
Laudak, Leif, Liftarn, LilHelpa, Linkspamremover, Londonlinks, Lowellian, MCG, MJBurrage, MacsBug, Madisonpadre, MagneH, Mahmudmasri, Maraparacc, Mashiah Davidson, Maziotis, McGeddon, Mdeets, Merlion444, Michael Hardy, Michael Shields, Michael Snow, Mike Christie, Mingacorn91, Mlduda, Moez, Moonraker12, MrJones, Mushroom, Mxn, N328KF, Nabeth, Nicksoda21, Night-vision-guru, No barometer of intelligence, Novum, Nv8200p, Nyenten, OOODDD, Ogranut, Ohconfucius, Ohnoitsjamie, Old Moonraker, Olegwiki, Oli Filth, OnBeyondZebrax, Ortolan88, PHenry, Paleorthid, PaperTruths, Patrick, Pedant, PeetMoss, Petri Krohn, PhDOnPoint, Piano non troppo, Pinethicket, Pol098, Popefauvexxiii, Quantumseven, Quevaal, Quuxplusone, Qxz, RW Marloe, Res2216firestar, Rich Farmbrough, Richard Arthur Norton (1958- ), Rjanag, Rjwilmsi, Rochdalehornet, Scdweb, Scranium, Scwlong, Sdorrance, SeaFox, Securiger, Shaddack, Shadowjams, Sillyfolkboy, Siobhan Hansa, SiobhanHansa, Slmvbs, Smurfjones, Snappa, Sociologo11, Solipsist, Spease, Spilla, Stefanomione, Stephenb, Suisui, SuperHamster, TRimester6, Tagishsimon, Tanglewood4, Tartarus, Tassedethe, The Anome, TheEgyptian, Tivedshambo, Tnyl, ToLLIa, Tobias Baccas, Toshimarise, Tristanb, Tulaneadam21, Veinor, Videoinspector, WLU, Walshga, Wavelength, Waytohappiness, Weregerbil, Wik, Wingover, Wireless friend, WojPob, Woohookitty, Xavier Giró, Yancyfry jr, YankeeDoodle14, ZayZayEM, ZeroOne, Zevschonberg, Zigger, ZimZalaBim, Zodon, Zzuuzz, ~shuri, Évangéline, 364 anonymous edits Daniella Tobar  Source:  Contributors: Dentren, Epbr123, Kawaputra, Rjwilmsi The Transparent Society  Source:  Contributors: Adamjcopeland, Are you ready for IPv6?, ChrisG, Culturejam, Dagonet, Edward Z.

Yang, Erich Schneider, Error, Evercat, Fcmk, Feia Hypno, Glogger, Gwern, Ike9898, Jrtayloriv, Junius49, Kai-Hendrik, Kevinalewis, Kikbguy, Lexor, Mangostar, Marudubshinki, Metamagician3000, Mion, Ofol, Patrick, Pwentzel, Rhobite, Rjanag, Standardfact, SusanLesch, The Cunctator, William Pietri, ZeroOne, Zoicon5, 39 anonymous edits Trial by media  Source:  Contributors: Adambro, Alvis, Anil1956, Appaiah, Aveekbh, Beland, BlastFurnaceCanada, Bonus Onus, Borispaul, Btljs, Chris the speller, DavidFarmbrough, Demogorgon’s Soup-taster, DivineAlpha, Dr Gangrene, DragonflySixtyseven, Emmett5, Expatkiwi, Fiveless, Fredrik, Funnyhat, GreenReaper, H7dders, Harshitpatel3, Hu12, Jb3, Joseph Solis in Australia, KerathFreeman, Longhair, Mal7798, Maurreen, Meelar, Mirror Vax, Moshe Constantine Hassan Al-Silverburg, Mufka, NaLaochra, Nightstallion, Ohiostandard, Patrick, Phayemuss, Pigman, Priyatu, Rintrah, Sam Hocevar, SoberEmu, Sophruhig [email protected], Telso, The Green Fish, Veron-F40, Woohookitty, Zordrac, 34 anonymous edits Trigger list  Source:  Contributors: Altenmann, Elsendero, Eugene126, HalfShadow, Kortaggio, Markles, OlEnglish, Pmagistro, R’n’B, 10 anonymous edits Visual privacy  Source:  Contributors: Hjweth, Jeremy schiff, Kevin, Kingturtle, RHaworth Webcam  Source:  Contributors: -Majestic-, 2fort5r, 5 albert square, ABF, ALargeElk, Aaron Brenneman, Abc123xyzlaw, Acather96, Aciddrop77, Acuman22, AdidasTrainers, Adjektiv, Adolphus79, Ahoerstemeier, Airconswitch, Aka042, Akadruid, Alansohn, Alf Boggis, AlistairMcMillan, Andy, AngLee, Angela, Angrysockhop, Appaloosas, Arctic Fox, Arielco, Arnero, Ashton1983, Astuishin, Auasr, Aude, Avelightss, Avenged Eightfold, Avono, BP7865, Baa, Bachrach44, Barek, Barekitty, Barry Fruitman, Barrylb, BassoonJoker, Beatles-Ramones, Benbest, Bender235, Bhadani, BiT, Biboy696, Bidabadi, BigDunc, Bigbuks999, Bigloveturkey, Bigsue1, BillFlis, Bjankuloski06en, Bodnotbod, Bonadea, Bongwarrior, BoomerAB, Boud92, Bovayjes, Bovineboy2008, 
Bratch, Brian0918, BryanG, ByOus, C3o, CIreland, Caknuck, CambridgeBayWeather, Cameron Dewe, Can’t sleep, clown will eat me, Cardsplayer4life, Cartman21, Ceyockey, Cgumas, Cham jamz, Changster308, Chensiyuan, Chris the speller, Christian List, Closedmouth, ClubIvy, Cmccormack1975, Colonies Chris, CommonsDelinker, Concaire, Coolaidboy, Cps group io 2006 07, Crazy Boris with a red beard, DARTH SIDIOUS 2, DJ LoPaTa, DJH47, DVD R W, Dancter, Danlev, Darkdotproductions, David100351, Dbc100, DeadEyeArrow, Dekisugi, Delldot, Dendodge, Digglyguy, Dina, DocWatson42, Doczilla, DoubleBlue, Drmies, ERobson, ESkog, Eagletron, Ede6772, Edmond22, Egil, Elirarey, Elvey, Emijrp, Emperorbma, Epbr123, Epeefleche, Epson291, Eragon01, Eric Kvaalen, Eric-Wester, Erick880, Eschimm, Ezhiki, F15x28, Fan-1967, Fartyharty101, Farvaz, Felts ray, Fg2, Flarkins, Flasher, Flewis, Flunky10, FlyingPenguins, FlyingToaster, Fortdj33, Frankwalker72, Frap, Frazzydee, Freakofnurture, Fudoreaper, Furrykef, Fæ, GDallimore, Gaia Octavia Agrippa, Gamekid, Geniac, Gioto, Glenn, Gogo Dodo, Googleer, GraemeL, Graham87, Greman Knight, Gsarwa, Gurch, Guticb, Haakon, Haikupoet, Hajor, HappySmith, HarisM, Harryzilber, Hintss, Hooperbloob, Hopper96, Hu12, Hut 8.5, Ignatzmice, Inkypaws, InnerJustice, IronGargoyle, Ixfd64, J.delanoy, JaGa, JamesBWatson, JenVan, Jennavecia, Jeremy Banks, Jfeldis, JiFish, Jim.henderson, John Lake, JohnCD, JonHarder, Jordanbmc, Jossi, Jrockley, Jtlessons, Justinfr, Jworld2, KJS77, Kesterrandy, Kestrel7e7, Kieff, King Lopez, Kingpin13, Kingstonjr, Kitchen Knife, KnowledgeOfSelf, Kpacquer, Krawi, Kubigula, Kuru, Law, LazyOaf, Ledford9332, Leibov, Leuko, Lightdarkness, LilHelpa, Logan, Loplod, Luna Santin, MMuzammils, Macic7, Malik Shabazz, Mandarax, Manop, Manumg, Manuontheblock, Marginprevent, MarkMLl, Martarius, MartinDK, Matt Deres, Mattythewhite, Mav, MaxSem, Mbertsch, Med-, Menschenfressender Riese, Metagraph, MichaelMcGuffin, Midgrid, Mike1024, Mlouns, Monkeyman, Morven, Mr pand, 
Mr.Z-man, Mrkynky, Mygerardromance, Mysticaloctopus, N0rbie, N1RK4UDSK714, NAHID, Nacimota, Nasukaren, NeilN, Neon white, Netalarm, Neverquick, Nightscream, Niners345, Nish81, Noddy71, Noncompliant one, Norm, NorthernThunder, NotAnonymous0, Nsaa, Nunquam Dormio, Nurg, Old Moonraker, Orange Goblin, Otzithecaveman, Owen, Owen214, Patrick, Pbhatman, Peter S., Peter.C, Pethr, Petiatil, Philip Trueman, PhilipO, Piemanmoo, Pigsonthewing, Pikazilla, Pinkfairy87, Pippyjimjam, Poi9999, Pol098, Pomte, Popcicles, Possum, Ppntori, Prashanthns, Pretzelphil, ProhibitOnions, Prolog, PrologFan, Prot?vis, Qwm, Radiorandy, RamsesII, RaseaC, Ray88ca, Raywil, Rdsmith4, Regibox, RenniePet, RexNL, Rhobite, Rich Farmbrough, Ridge Runner, Rjwilmsi, Rocastelo, Rpeh, Rtdrury, RyanCross, RyanLeiTaiwan, SH84, SNIyer12, Salamurai, Savirr, Savorie, ScAvenger, Sceptre, SchfiftyThree, Schissel, Schweiwikist, Sdlostboy, Seamonkey210, SeanMack, Seaphoto, Seb az86556, SecretDisc, Seglea, Selket, Seth Ilys, Sether, Seven of Nine, Shamir1, Shawnlin2006, Sheehan, ShijarnocDreams, Siamakfm, Silkroad111, Sjakkalle, Skew-t, Sklocke, Slakr, Softballangie12, Sonett72, Sortior, Spielz12345, Squiquifox, Srleffler, Steamrunner, Stefan, Stephenb, SunTzu2, Sverdrup, SwigmoreU, Switcher, Swordmaster113, T0ny, Tabletop, Tbonnie, Teemuk, The Anome, The JPS, The Nut, TheDJ, Theda, Thedjatclubrock, Thesadlife, Thingg, Thomas Gilling, Thumperward, Thunderfox933, Tobias Bergemann, Tombomp, Tommy2010, Torontodance, Tree1234qw, TrevorLSciAct, Triddle, Triwbe, Tulcod, Typochimp, Ukexpat, Uncle Dick, UniReb, Unyoyega, Valermos, Velella, VelvetSecret, Versageek, VickyF, VictorianMutant, Violace, Vipsco, Vivio Testarossa, Vsmith, Vzbs34, Waldir, Wavelength, WezGG, Wiki alf, WikiBone, Wikipelli, WilliamTJ, Willking1979, Witchteeth, Wwagner, Wyngate77, Wysprgr2005, Xmoogle, YaronSh, Yngvarr, Yonidebest, Yosri, ZeroOne, Zhanghia, Zhou Yu, Zvar, 840 anonymous edits White noise machine  Source:  Contributors: Aaron Kauppi, 
Aptdwn26, ArnoldReinhold, Discospinster, Doppler9000, Drawn Some, Electronsoup, Haggis mcgee, Jim.henderson, Jonathan.s.kt, Jonfischeruk, Kurt000, Litefantastic, Luna Santin, Margin1522, MauriceTrainer, Mnemo, Oli Filth, Teggles, Vidkun, Whitenoise2010, 20 anonymous edits Winston Smith Project  Source:  Contributors: Dlrohrer2003, Editor2020, Firsfron, Frap, Grawity, JaGa, Kay Dekker, Meetsquiet, ShelfSkewed, SimonTrew, Squids and Chips, 4 anonymous edits Woodhull Sexual Freedom Alliance  Source:  Contributors: AgnosticPreachersKid, Benjiboi, Brianfuss, Davewho2, DesmondRavenstone, Giraffedata, GoingBatty, Haymaker, Hmains, Infinity 8p, Jokestress, JonHarder, Keraunos, LiteratePervert, Mjpresson, Poetdancer, RicciJoy, Sardanaphalus, TAnthony, TheSuave, Ukexpat, VictoriaWoodhull, Wikignome0530, 7 anonymous edits Workplace privacy  Source:  Contributors: Mangostar, Penbat, SimonP, Zodon

Image Sources, Licenses and Contributors

Image:Isaca-logo.png  Source:  License: unknown  Contributors: User:MBisanz Image:Wearer of an ITIL Foundation Certificate pin.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.5  Contributors: User:IIVQ File:Risk Management Elements.jpg  Source:  License: Public Domain  Contributors: Original uploader was Mdd at en.wikipedia File:Isms framework.jpg  Source:  License: Attribution  Contributors: ENISA Image:ACL LOGO.png  Source:  License: unknown  Contributors: User:Balloonman, User:BetacommandBot, User:Efe, User:Wikidemon File:PersonalStorageDevices.agr.jpg  Source:  License: GNU Free Documentation License  Contributors: User:ArnoldReinhold Image:Portable forensic tableau.JPG  Source:  License: Public Domain  Contributors: User:ErrantX Image:Hpacreate.png  Source:  License: Creative Commons Attribution 2.5  Contributors: Frap, Kim Meyrick File:RF bag with iPhone.jpg  Source:  License: Public Domain  Contributors: User:Tmorton166 File:RTL Aceso with iPhone attached.jpg  Source:  
License: Public Domain  Contributors: User:Tmorton166 File:PopcornBGA.jpg  Source:  License: GNU Free Documentation License  Contributors: User:Textbook File:WorldWideWebAroundWikipedia.png  Source:  License: unknown  Contributors: User:Chris 73 file:MCIT Premises.JPG  Source:  License: Public Domain  Contributors: User:DaliaHalawa Image:website_governance_roles.png  Source:  License: Public Domain  Contributors: User:Missylou2who File:IllinoisTelephoneAndTelegraphAd.png  Source:  License: Public Domain  Contributors: unknown, employed by the Illinois Telephone and Telegraph Co.

File:BEKB Muri.JPG  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:Aliman5040 File:Schalterhalle SKA 1856.png  Source:  License: Public Domain  Contributors: Credit Suisse File:UBS New York.jpg  Source:  License: Creative Commons Attribution 2.0  Contributors: Modesto del Río Image:Schweizerische Nationalbank Bern.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.0  Contributors: Aliman5040, Baikonur, Dodo von den Bergen, J o, Lumijaguaari, Sandstein File:Swiss cap market.PNG  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:StudentG File:PD-icon.svg  Source:  License: Public Domain  Contributors: User:Duesentrieb, User:Rfl Image:NSALibertyReport.p13.jpg  Source:  License: Public Domain  Contributors: ArnoldReinhold, Cobatfor, Foroa, Kaihsu, TommyBee, 1 anonymous edits Image:GSAclass6SecurityContainer.jpg  Source:  License: Public Domain  Contributors: ArnoldReinhold, Monkeybait File:Goldwater casey nyt leak.png  Source:  License: Public Domain  Contributors: barry goldwater (senator) File:DNDsign.jpg  Source:  License: Public Domain  Contributors: User:Shaliya waya File:SignDoNotDisturb res.jpg  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:Phrontis Image:Security cameras 7 count birmingham new street station.jpg  Source:  License: Public Domain  Contributors: User:Mike1024 Image:Internet blackholes.svg  Source:  License: Creative Commons Attribution-Sharealike 3.0 Germany  Contributors: User:23prootie, User:Sebastienen File:Flag of Myanmar.svg  Source:  License: Public Domain  Contributors: *drew, AnonMoos, CommonsDelinker, Duduziq, Fry1989, Gunkarta, Homo lupus, Idh0854, Josegeographic, Klemen Kocjancic, Legnaw, Mattes, Neq00, Nightstallion, Pixeltoo, Rfc1394, SeNeKa, Stevanb, ThomasPusch, UnreifeKirsche, WikipediaMaster, Xiengyod, Zscout370, ? ? ? ? 
, 8 anonymous edits File:Flag of the People’s Republic of China.svg  Source:’s_Republic_of_China.svg  License: Public Domain  Contributors: User:Denelson83, User:SKopp, User:Shizhao, User:Zscout370 File:Flag of Cuba.svg  Source:  License: Public Domain  Contributors: see below File:Flag of Tunisia.svg  Source:  License: Public Domain  Contributors: AnonMoos, Avala, Bender235, Duduziq, Elina2308, Emmanuel.boutet, Flad, Fry1989, Gabbe, Juiced lemon, Klemen Kocjancic, Mattes, Meno25, Moumou82, Myself488, Neq00, Nightstallion, Reisio, Str4nd, Ö, ????? ????????, 8 anonymous edits File:Flag of Iran.svg  Source:  License: unknown  Contributors: Various File:Flag of North Korea.svg  Source:  License: unknown  Contributors: User:Zscout370 File:Flag of Saudi Arabia.svg  Source:  License: Public Domain  Contributors: Unknown File:Flag of Syria.svg  Source:  License: Public Domain  Contributors: see below File:Flag of Turkmenistan.svg  Source:  License: Public Domain  Contributors: User:Vzb83 File:Flag of Uzbekistan.svg  Source:  License: Public Domain  Contributors: User:Zscout370 File:Flag of Vietnam.svg  Source:  License: Public Domain  Contributors: user:L?u Ly File:Flag of Egypt.svg  Source:  License: Public Domain  Contributors: Open Clip Art Image:Gynaecology-1822.jpg  Source:  License: Public Domain  Contributors: Original uploader was Eloquence at en.wikipedia Image:NAI-logo.jpeg  Source:  License: unknown  Contributors: Npdoty, Sfan00 IMG, Svgalbertian Image:Printer Stenography Illustration.png  Source:  License: Public Domain  Contributors: User:Parhamr Image:Delaware Bridge Company Dollar.jpg  Source:  License: Public Domain  Contributors: ArpadGabor, Enantiodromie, TommyBee Image:The City Bank Of Sydney 20 pound note.jpg  Source:  License: Public Domain  Contributors: City Bank of Sydney, Original uploader was Terjepetersen at en.wikipedia Image:FasTrak transponder.jpg  Source:  License: GNU Free Documentation License  Contributors: Hohoho, JMPerez, Koman90, 
Kozuch, Pierre cb, Quadell, Roland zh, Sanbec, Stunteltje, TommyBee File:Sheep’s face, Malta.jpg  Source:’s_face,_Malta.jpg  License: Creative Commons Attribution 2.0  Contributors: John Haslam from Dornoch, Scotland File:Santa Gertrudis.jpg  Source:  License: Creative Commons Attribution 3.0  Contributors: User:Cgoodwin Image:EPC-RFID-TAG.svg  Source:  License: GNU Free Documentation License  Contributors: User:Sakurambo Image:Tags.jpg  Source:  License: Creative Commons Attribution 2.5  Contributors: Grika File:Marathon Zeitnahme.JPG  Source:  License: GNU Free Documentation License  Contributors: File:2008 Nike+ Human Race in Taipei the ChampionChip.jpg  Source:  License: unknown  Contributors: User:BrockF5 Image:RFID hand 1.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.0  Contributors: Edward, FlickreviewR, Midnightcomm Image:RFID hand 2.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.0  Contributors: Edward, FlickreviewR, Midnightcomm Image:Stoprfid-logo.jpg  Source:  License: Public Domain  Contributors: Chris828, Padeluun, 1 anonymous edits Image:051118-WSIS.2005-Richard.Stallman – RFID.png  Source:  License: Creative Commons Attribution 2.5  Contributors: user:kocio Image:safeaccounts.jpg  Source:  License: unknown  Contributors: Although File:Backscatter x-ray image woman.jpg  Source:  License: Public Domain  Contributors: US Transportation Security Administration part of U.S. Department of Homeland Security File:Brijot millimeter wave.jpg  Source:  License: GNU Free Documentation License  Contributors: by Undejj (talk) Brijot Imaging Systems, Inc.

File:TSA- How It Works.ogv  Source:  License: Public Domain  Contributors: Transportation Security Administration File:Brijot SafeScreen.jpg  Source:  License: GNU Free Documentation License  Contributors: Undejj (talk), Brijot Imaging Systems, Inc.

File:Mmw large.jpg  Source:  License: Public Domain  Contributors: Transportation Security Administration.

File:Backscatter large.jpg  Source:  License: Public Domain  Contributors: Transportation Security Administration File:Ait safety demo.jpg  Source:  License: Public Domain  Contributors: Transportation Security Administration Image:Surveillance quevaal.jpg  Source:  License: GNU Free Documentation License  Contributors: User:Quevaal Image:IAO-logo.png  Source:  License: Public Domain  Contributors: Original uploader was Kwertii at en.wikipedia Image:Cairns-Lagoon.JPG  Source:  License: unknown  Contributors: Original uploader was Frances76 at en.wikipedia Image:Three Surveillance cameras.jpg  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:Hustvedt Image:DSTAMP Controp Camera.jpg  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:320i File:US-VISIT (CBP).jpg  Source:  License: Public Domain  Contributors: Gerald Nino/CPB Image:MicroAirVehicle.jpg  Source:  License: Public Domain  Contributors: w:United States Navy photo by Mass Communication Specialist 3rd Class Kenneth G. Takada File:HURT concept drawing.jpg  Source:  License: Public Domain  Contributors: / Image:Social Security card.jpg  Source:  License: Public Domain  Contributors: Social Security Administration File:RFID hand 1.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.0  Contributors: Edward, FlickreviewR, Midnightcomm File:Paypass chip front.png  Source:  License: GNU Free Documentation License  Contributors: Limulus, Nachcommonsverschieber, Saibo File:ConstellationGPS.gif  Source:  License: Public Domain  Contributors: Original uploader was El pak at en.wikipedia Image:Bansky one nation under cctv.jpg  Source:  License: Creative Commons Attribution-Sharealike 2.0  Contributors: oogiboig Image:Sur-veillance-trafficcam-glog.jpg  Source:  License: GNU Free Documentation License  Contributors: Original uploader was Glogger at en.wikipedia Image:David Brin at ACM CFP 2005dsc278c.jpg  Source:  License: unknown  Contributors: Glogger File:Webcam000c1.jpg  Source:  License: Public Domain  Contributors: User:Simon.zfn File:Webcam CT transmissions.OGG  Source:  License: Creative Commons Attribution-Sharealike 3.0  Contributors: User:SecretDisc File:TSgt Goodman inspects newest member of family.jpg  Source:  License: unknown  Contributors: United States Air Force graphic by Master Sergeant Sean Brennan Image:Sweex USB webcam PCB with without lens close up.jpg  Source:  License: Public Domain  Contributors: Original uploader was Mike1024 at en.wikipedia File:A Video Interpreter sign used at videophone stations in public places where Deaf people can communicate with hearing people via a Video Relay Service New Image.JPG  Source:  License: Attribution  Contributors: SignVideo, London, U.K.

Image:Deaf or HoH person at his workplace using a Video Relay Service to communicate with a hearing person via a Video Interpreter and sign language SVCC 2007 Brigitte SLI + Mark.jpg  Source:  License: Attribution  Contributors: SignVideo, London, U.K.

File:A Video Relay Service session helping a Deaf person communicate with a hearing person via a Video Interpreter (sign language interpreter) and a videophone DSC 0073.JPG  Source:  License: Attribution  Contributors: SignVideo, London, U.K.

Image:Digital-clock-radio-premium.jpg  Source:  License: Public Domain  Contributors: User:Tysto

License
