ITIL These examples can be found in ITIL Service Strategy, page 255

use them as defined.
• Service improvement opportunities and plans will need to be assessed in terms of their impact on demand.

(Service Strategy, page 253)

Outputs

Outputs of demand management include:
• User profiles
• Patterns of business activity will be formally documented and included in the service and customer portfolios
• Policies for management of demand when resources are over-utilized
• Policies for how to deal with situations where service utilization is higher or lower than anticipated by the customer
• Documentation of options for differentiated offerings that can be used to create service packages

(Service Strategy, page 253)

Interfaces

The major interfaces with Demand Management in PPO activities are:
• Capacity Management and Availability Management – Utilizes PBAs to determine and plan service requirements based on demand
• IT Service Continuity Management – Uses PBAs and user profiles to perform business impact analysis in creating continuity plans

6.1.9 Critical Success Factors and Key Performance Indicators

Critical Success Factors are a function of the organization’s objectives for the process.

Key Performance Indicators are designed to support the Critical Success Factors.

KPIs should be monitored and used as evidence in supporting opportunities for improvement.

Copyright The Art of Service I Brisbane, Australia I Email: [email protected] Web: http://store.theartofservice.com I eLearning: http://theartofservice.org I Phone: +61 (0) 7 3252 2055

Below is a list of sample critical success factors and key performance indicators to provide a sense of how demand management can be measured.

The actual development of CSFs and KPIs by the organization should be performed with careful consideration of the organization’s needs.

These examples can be found in ITIL Service Strategy, page 255.

• CSF: The service provider has identified and analyzed the patterns of business activity and is able to use these to understand the levels of demand that will be placed on a service.
  • KPI: Patterns of business activity are defined for each relevant service.
  • KPI: Patterns of business activity have been translated into workload information by capacity management.
• CSF: The service provider has defined and analyzed user profiles and is able to use these to understand the typical profiles of demand for services from different types of user.
  • KPI: Documented user profiles exist and each contains a demand profile for the services used by that type of user.
• CSF: A process exists whereby services are designed to meet the patterns of business activity and to meet business outcomes.
  • KPI: Demand management activities are routinely included as part of defining the service portfolio.
• CSF: An interface with capacity management to ensure that adequate resources are available at the appropriate levels of capacity to meet the demand for services
  • KPI: Capacity plans include details of patterns of business activity and corresponding workloads.
  • KPI: Utilization monitors show balanced workloads. Minimal over-utilization and a maximum amount of unused capacity (this is to prevent technical groups from overinvesting in capacity to avoid being blamed for over-utilization).
• CSF: There is a means to manage situations where demand for a service exceeds the capacity to deliver it.
  • KPI: Techniques to manage demand have been documented in capacity plans and, where appropriate, in service level agreements.
  • KPI: Differential charging (as an example of one such technique) has resulted in a more even demand on the service over time.

(Service Strategy, page 254)

ITIL® PLANNING, PROTECTION, AND OPTIMIZATION CERTIFICATION KIT—THIRD EDITION

6.1.10 Challenges and Risks

While integrating Demand Management appropriately with all other aspects is challenging in itself, some other specific challenges typically faced include:
• When little or no trend information regarding PBAs and demand is available. It is not possible to produce and stock service output before demand actually materializes.
• Aligning capacity production cycles to PBA, especially when funding of IT has not been adequately planned and synchronized with business plans
• Customer resistance to Demand Management restrictions, especially in the case of additional costs incurred
• Loss of user productivity and business growth by too much restriction applied when managing demand

6.2 Capacity Management

Capacity management is grouped as a Service Design process, but its activities extend across the entire service lifecycle.

Its presence in Service Design highlights its critical importance as a consideration in developing and maintaining a service’s design.

Capacity management is a process that extends across the Service Lifecycle.

It provides a point of focus and management for all capacity and performance-related issues, relating to both services and resources.

6.2.1 Purpose and Objectives

—

Skills: Strategic business awareness, technical, analytical, consultancy

Capacity Management is a critical aspect in ensuring effective and efficient capacity and performance of IT Services and IT components in line with identified business requirements and the overall IT strategic objectives.

It is essential for the Capacity Manager to ensure that the process is appropriately integrated with all aspects of the Service Lifecycle.

Triggers

Capacity Management is invoked whenever:
• New or changed capacity requirements are introduced to the environment
• A breach in service or capacity or performance related event and alert has occurred
• An exception is found in service reports
• Periodic review and revision of capacity and performance forecasts, reports, and plans
• Trending and modeling performed on a regular basis
• Review and revision of:
  • Business and IT plans and strategies
  • Designs and strategies
  • SLAs, OLAs, contracts, or any other agreements
• Assisting SLM with capacity and/or performance targets and explanation of achievements

Inputs

A number of sources of information are relevant to the Capacity Management process.

Some of these are (ITIL Service Design, page 174):
• Business information: from the organization’s business strategy and financial plans, and information on their current and future requirements
• Service and IT information: from Service Strategy, the IT strategy and plans and current budgets, covering all areas of technology and technology plans, including the infrastructure, environment, data, and applications and the way in which they relate to business strategy and plans
• Component performance and capacity information: for both existing and new technology from manufacturers and suppliers
• Service performance issue information: the Incident and Problem Management processes, with incidents and problems relating to poor performance
• Service information: from the SLM process with details of the services from the Service Portfolio, the Service Catalog, and service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews, and breaches of the SLAs
• Financial information: from Financial Management for IT services, the cost of service provision, the cost of resources, components and upgrades, the resultant business benefit, and the financial plans and budgets, together with the costs associated with service and component failure. Some of the costs of components and upgrades to components will be obtained from procurement, suppliers, and manufacturers.
• Change information: from the Change Management process, with a change schedule and a need to assess all changes for their impact on the capacity of the technology
• Performance information: from the CMIS on the current performance of all existing services and IT infrastructure components
• CMS: containing information on the relationships between the business, the services, the supporting services, and the technology
• Workload information: from the IT operations team, with schedules of all the work that needs to be run and information on the dependencies between different services and information and the interdependencies within a service

Outputs

The outputs of Capacity Management are (ITIL Service Design, page 175):
• CMIS: This holds the information needed by all sub-processes within Capacity Management. For example, the data monitored and collected as part of Component and Service Capacity Management is used in Business Capacity Management to determine what infrastructure components or upgrades to components are needed and when.
• Capacity plan: This is used by all areas of the business and IT management and is acted on by the IT service provider and senior management of the organization to plan the capacity of the IT infrastructure. It contains information on the current usage of service and components and plans for the development of IT capacity to meet the needs in the growth of both existing services and any agreed new services. The capacity plan should be actively used as a basis for decision-making.
• Service performance information and reports: This is used by many other processes. For example, the Capacity Management process assists SLM with the reporting and reviewing of service performance and the development of new SLRs or changes to existing SLAs. It also assists the Financial Management for IT services process by identifying when money needs to be budgeted for IT infrastructure upgrades or the purchase of new components.
• Workload analysis and reports: This is used by IT operations to assess and implement changes in conjunction with Capacity Management to schedule or reschedule when services or workloads are run to ensure that the most effective and efficient use is made of the available resources.
• Ad hoc capacity and performance reports: These are used by all areas of Capacity Management, IT, and the business to analyze and resolve service and performance issues.
• Forecasts and predictive reports: These are used by all areas to analyze, predict, and forecast particular business and IT scenarios and their potential solutions.
• Thresholds, alerts, and events
• Improvement actions: for inclusion in an SIP

Interfaces

Capacity Management interfaces with the following processes:
• Availability management: Ensures that the proper number of capacity resources to maintain availability for a service is maintained
• Service level management: Determines all service-based capacity targets and aids in the investigation of all missed targets
• ITSCM: Capacity information is used to assess the impact and risk to the business of a severe disruption to service, as well as the development of a plan to reduce the risk and recovery from a severe disruption.
• Incident and problem management: Capacity information is used to determine and manage capacity and performance-related incidents and problems to ensure that a proper resolution is found and implemented.
• Demand management: Provides the demand-related information to enable capacity management to plan and respond to increases or decreases in service demand requirements.

6.2.7 Critical Success Factors and Key Performance Indicators

Critical Success Factors are a function of the organization’s objectives for the process.

Key Performance Indicators are designed to support the Critical Success Factors.

KPIs should be monitored and used as evidence in supporting opportunities for improvement.

Below is a list of sample critical success factors and key performance indicators to provide a sense of how Capacity Management can be measured.

The actual development of CSFs and KPIs by the organization should be performed with careful consideration of the organization’s needs.

These examples can be found in ITIL Service Operation, page 108.

• CSF: Accurate business forecasts
  • KPI: Production of workload forecasts on time
  • KPI: Percentage accuracy of forecasts of business trends
  • KPI: Timely incorporation of business plans into the capacity plan
  • KPI: Reduction in the number of variances from the business plans and capacity plans
• CSF: Knowledge of current and future technologies
  • KPI: Increased ability to monitor performance and throughput of all services and components
  • KPI: Timely justification and implementation of new technology in line with business requirements (time, cost, and functionality)
  • KPI: Reduction in the use of old technology, causing breached SLAs due to problems with support or performance
• CSF: Ability to demonstrate cost effectiveness
  • KPI: Reduction in last-minute buying to address urgent performance issues
  • KPI: Reduction in the over-capacity of IT
  • KPI: Accurate forecasts of planned expenditure
  • KPI: Reduction in the business disruption caused by a lack of adequate IT capacity
  • KPI: Relative reduction in the cost of production of the capacity plan
• CSF: Ability to plan and implement the appropriate IT capacity to match business need
  • KPI: Percentage reduction in the number of incidents due to poor performance
  • KPI: Percentage reduction in lost business due to inadequate capacity
  • KPI: All new services implemented match SLRs
  • KPI: Increased percentage of recommendations made by capacity management are acted on
  • KPI: Reduction in the number of SLA breaches due to either poor service performance or poor component performance

(Service Design, page 178)

—

The goal of the restaurant is to remain open during their defined business hours.

The purpose of the Availability Management process is to ensure that the level of availability delivered to all IT services matches the agreed need for availability or defined service level targets.

This must be done in a cost effective and timely manner.

Availability Management is concerned with the current and future availability needs of the business.

For Availability Management to fulfil its purpose, the process must define, analyze, plan, measure, and improve all aspects of the availability of IT services and its components in accordance with the agreed availability service level targets.

The process is the point of focus and management for all availability-related issues.

The objectives of Availability Management are to (ITIL Service Design, page 125):
• Produce and maintain an appropriate and up-to-date availability plan that reflects the current and future needs of the business
• Provide advice and guidance to all other areas of the business and IT on all availability-related issues
• Ensure that service availability achievements meet all their agreed targets by managing services and resources-related availability performance
• Assist with the diagnosis and resolution of availability-related incidents and problems
• Assess the impact of all changes on the availability plan and the availability of all services and resources
• Ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so

Availability management should ensure the agreed level of availability is provided.

The measurement and monitoring of IT availability is a key activity to ensure that availability levels are being met consistently.

Availability management should look to continually optimize and proactively improve the availability of the IT infrastructure, the services, and the supporting organization in order to provide cost-effective availability improvements that can deliver business and customer benefits.

Why could users be happy with a 60-minute outage and yet be unhappy with a 30-minute outage?
• 30min outage during peak time, overtime being paid to staff, urgent report required
• 60min outage on weekend, holiday, off peak, when service not required
• 30min outage on critical IT Service, 60min outage on non-critical IT Service
• 30mins unplanned outage, 60mins planned outage (e.g., maintenance)

For a consumer/user of an IT service, its availability and reliability can directly influence both the perception and satisfaction of the overall IT service provision.

However, when disruptions are properly communicated and managed effectively, the impact on the user population’s experience can be significantly reduced.

6.3.2 Scope

The availability of a service is dependent on the capabilities of the components used to deliver the service, and not just a by-product of running the component continuously.

For this reason, availability must be designed, implemented, measured, and improved.

The Availability Management process is involved in every aspect of availability throughout the service lifecycle and down to the component level of the service solution.

The process is initiated when the availability requirements for the IT service are understood and clearly defined, and remains active until the service is decommissioned or retired.

—

The service and component availability requirements must be understood from the business perspective and can be influenced by current business processes and operations, future business plans, service targets and the current capabilities of IT operations and delivery, and the demand on the service, including its impact and priority in the business.

The Availability Management process is applied to all current services and technology being covered by SLAs, all new IT services or existing services with established SLRs, all supporting services and suppliers, and all aspects of the service and components that may potentially impact availability.

The Availability Management process should include (ITIL Service Design, page 126):
• Monitoring of all aspects of availability, reliability, and maintainability of IT services and the supporting components with appropriate events, alarms, and escalation, with automated scripts for recovery
• Maintaining a set of methods, techniques, and calculations for all availability measurements, metrics, and reporting
• Actively participating in risk assessment and management activities
• Collecting measurements and the analysis and production of regular and ad hoc reports on service and component availability
• Understanding the agreed current and future demands of the business for IT services and their availability
• Influencing the design of services and components to align with business availability needs
• Producing an availability plan that enables the service provider to continue to provide and improve services in line with availability targets defined in SLAs, and to plan and forecast future availability levels required, as defined in SLRs
• Maintaining a schedule of tests for all resilience and fail-over components and mechanisms
• Assisting with the identification and resolution of any incidents and problems associated with service or component unavailability
• Proactively improving service or component availability wherever it is cost-justifiable and where it meets the needs of the business

While Availability Management may provide substantial information to Business Continuity Management (BCM) and IT Service Continuity Management (ITSCM), the process is not responsible for the resumption of business or IT processes after a major disaster.

6.3.3 Benefits

When business systems and services are available, the customer is able to remain productive and profit.

From a customer perspective, loss of availability is a financial loss.

In this situation, availability management becomes a pivotal aspect of service management.

Many benefits of availability management are the same as capacity management, but from an availability standpoint.

6.3.4 Policies and Principles of Availability Management

In many instances, the principles of Availability Management are lost when the process is implemented in an organization that may not have developed a “service focus” centered on the experience of customers and users.

In situations like these, it is common to see the level of availability calculated by such criteria as “the ability to ping the XYZ server”.

While this server may well be a vital component for a given service, there are many other factors that can also affect and disrupt service, all of which impact the user experience of availability.

To avoid this approach, Availability Management should be implemented with a strong emphasis on understanding and meeting the needs of the business and customers.

Principles that should underpin such an approach include the following:
• Service availability is at the core of customer and user satisfaction, and, in many cases, business success.

—

6.3.8 Triggers

Capacity Management is invoked whenever:
• New or changed capacity requirements are introduced to the environment.
• There are new or changed targets within SLRs, SLAs, OLAs, or contracts.
• A breach in service or availability-related event and alert has occurred.
• Review and revision of:
  • Forecasts, reports, and plans
  • Business and IT plans and strategies
  • Designs and strategies
  • SLAs, OLAs, contracts, or any other agreements
• There is a new risk or change of risk or impact to a business process, VBF, IT service or component.
• Assisting SLM with availability targets and explanation of achievements

Inputs

A number of sources of information are relevant to the Capacity Management process.

Some of these are (ITIL Service Design, page 153):
• Business information: From the organization’s business strategy, plans and financial plans, and information on their current and future requirements
• Business impact information: From BIAs and assessment of VBFs underpinned by IT services
• Reports and registers: Previous risk assessment reports and a risk register
• Service information: From the SLM process, with details of the services from the service portfolio and the service catalog, service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
• Financial information: From financial management for IT services, the cost of service provision, the cost of resources and components
• Change and release information: From the Change Management process, with a change schedule, the release schedule from release and deployment management and a need to assess all changes for their impact on service availability
• Service asset and configuration management: Containing information on the relationships between the business, the services, the supporting services, and the technology
• Service targets: From SLAs, SLRs, OLAs, and contracts
• Component information: On the availability, reliability, and maintainability requirements for the technology components that underpin IT service(s)
• Technology information: From the CMS on the topology and the relationships between the components and the assessment of the capabilities of new technology
• Past performance: From previous measurements, achievements and reports and the availability management information system (AMIS)
• Unavailability and failure information: From incident and problem management
• Planning information: From other processes such as the capacity plan from capacity management

Outputs

The outputs of Capacity Management are (ITIL Service Design, page 154):
• The availability MIS (AMIS)
• The availability plan for the proactive improvement of IT services and technology
• Availability and recovery design criteria and proposed service targets for new or changed services
• Service availability, reliability, and maintainability reports of achievements against targets, including input for all service reports
• Component availability, reliability, and maintainability reports of achievements against targets
• Revised risk assessment reviews and reports and an updated risk register
• Monitoring, management, and reporting requirements for IT services and components to ensure that deviations in availability, reliability, and maintainability are detected, acted upon, recorded, and reported
• An availability management test schedule for testing all availability, resilience, and recovery mechanisms
• The planned and preventive maintenance schedules
• Contribution for the PSO to be created by the change in collaboration with release and deployment management
• Details of the proactive availability technique and measures that will be deployed to provide additional resilience to prevent or minimize the impact of component failures on the IT service availability
• Improvement actions for inclusion within the SIP

Interfaces

Capacity Management interfaces with the following processes.

The key interfaces that availability management has with other processes are:
• SLM: This process relies on availability management to determine and validate availability targets and to investigate and resolve service and component breaches.
• Incident and problem management: These are assisted by availability management in the resolution and subsequent justification and correction of availability incidents and problems.
• Capacity management: This provides appropriate capacity to support resilience and overall service availability. The process also uses information from demand management about patterns of business activity and user profiles to understand business demand for IT services, and provides this information to availability management for business-aligned availability planning.
• Change management: This leads to the creation of the PSO with contributions from availability management. When changes are proposed to a service, availability must assess the change for availability-related issues, including any potential impact on achievement of availability service levels.
• IT service continuity management (ITSCM): Availability management works collaboratively with this process on the assessment of business impact and risk and the provision of resilience, failover, and recovery mechanisms. Availability focuses on normal business operation, and ITSCM focuses on the extraordinary interruption of service.
• Information security management (ISM): If the data becomes unavailable, the service becomes unavailable. ISM defines the security measures and policies that must be included in the Service Design for availability and design for recovery.
• Access management: Availability management provides the methods for appropriately granting and revoking access to services as needed.

(Service Design, page 154)

6.3.9 Key Performance Indicators (KPIs) of Availability Management

Critical Success Factors are a function of the organization’s objectives for the process.

Key Performance Indicators are designed to support the Critical Success Factors.

KPIs should be monitored and used as evidence in supporting opportunities for improvement.

Below is a list of sample critical success factors and key performance indicators to provide a sense of how availability management can be measured.

The actual development of CSFs and KPIs by the organization should be performed with careful consideration of the organization’s needs.

These examples can be found in ITIL Service Operation, page 156.

• CSF: Manage availability and reliability of the IT service
  • KPI: Percentage reduction in the unavailability of services and components
  • KPI: Percentage increase in the reliability of services and components
  • KPI: Effective review and follow-up of all SLA, OLA, and underpinning contract breaches relating to availability and reliability
  • KPI: Percentage improvements in overall end-to-end availability of service
  • KPI: Percentage reduction in the number and impact of service breaks
  • KPI: Improvement in the MTBF
  • KPI: Improvement in the MTBSI
  • KPI: Reduction in the MTRS
• CSF: Satisfy business needs for access to IT services
  • KPI: Percentage reduction in the unavailability of services
  • KPI: Percentage reduction of the cost of business overtime due to unavailable IT
  • KPI: Percentage reduction in critical time failures – for example, specific business peak and priority availability needs are planned for
  • KPI: Percentage improvement in business and users satisfied with service (by customer satisfaction surveys)

—

6.4.1 Purpose and Objectives

The primary goal of IT Service Continuity Management (ITSCM) is to support the overall Business Continuity Management practices of the organization by ensuring that the required IT Infrastructure, and the IT service provision, can be recovered within the required and agreed business time scales.

The objectives of ITSCM are to (ITIL Service Design, page 179):
• Produce and maintain a set of IT service continuity plans that supports the overall business continuity plans of the organization
• Complete regular BIA exercises to ensure that all continuity plans are maintained in line with the changing business impacts and requirements
• Conduct regular risk assessment and management exercises to manage IT services within an agreed level of business risk in conjunction with the business and the Availability Management and Information Security Management processes
• Provide advice and guidance to all other areas of the business and IT on all continuity-related issues
• Ensure that appropriate continuity mechanisms are put in place to meet or exceed the agreed business continuity targets
• Assess the impact of all changes on the IT service continuity plans and supporting methods and procedures
• Ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so
• Negotiate and agree contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans in conjunction with the Supplier Management process

Note: ITSCM is often referred to as Disaster Recovery planning.

6.4.2 Scope

The scope of ITSCM can be said to be focused on planning for, managing, and recovering from “IT disasters”.

These disasters are severe enough to have a critical impact on business operations and, as a result, will typically require a separate set of infrastructure and facilities to recover.

Less significant events are dealt with as part of the Incident Management process in association with Availability Management.

The disaster does not necessarily need to be a fire, flood, pestilence or plague, but any disruption that causes a severe impact to one or more business processes.

Accordingly, the scope of ITSCM should be carefully defined according to the organization’s needs, which may result in continuity planning and recovery mechanisms for some or all of the IT services being provided to the business. There are longer-term business risks that are out of the scope of ITSCM, including those arising from changes in business direction, organizational restructures or emergence of new competitors in the market place.

These are more the focus of processes, such as Service Portfolio Management and Change Management.

So, for general guidance, the recommended scope for any ITSCM implementation includes:

• The agreement of the scope of the process and the policies adopted
• Business Impact Analysis (BIA) to quantify the impact a loss of IT service would have on the business
• Risk Analysis
• Production of an overall ITSCM strategy that must be integrated into the BCM strategy
• Production and testing of ITSCM plans
• Ongoing education and awareness, operation, and maintenance of plans

—

problems within the environment.

Clear criteria must be established and agreed describing when a major incident becomes a continuity event.

• Availability management: It works with ITSCM to assess risk and implement the appropriate response to mitigate risk in the operating environment.
• Service level management: Within SLAs, the recovery requirements used by ITSCM are documented, and SLAs are modified when a continuity event occurs, if applicable.
• Capacity management: It manages the resources needed to recover from a continuity event.
• Service asset and configuration management: Documents the components in the infrastructure and their relationships with each other, information which is invaluable in planning and executing a continuity response.
• Information security management: In addition to recognizing a major security breach as a possible continuity event, ISM also serves to ensure that the continuity plans and responses consider the impact on the security of the customer and the service provider.

6.4.8 Critical Success Factors and Key Performance Indicators

Critical Success Factors are a function of the organization’s objectives for the process.

Key Performance Indicators are designed to support the Critical Success Factors.

KPIs should be monitored and used as evidence in supporting opportunities for improvement.

Below is a list of sample critical success factors and key performance indicators to provide a sense of how IT Service Continuity Management can be measured.

The actual development of CSFs and KPIs by the organization should be performed with careful consideration of the organization’s needs.

These examples can be found in ITIL Service Operation, page 108.

• CSF: IT services are delivered and can be recovered to meet business objectives.
• KPI: Increase in success of regular audits of the ITSCM plans to ensure that, at all times, the agreed recovery requirements of the business can be achieved
• KPI: Regular successful validation that all service recovery targets are agreed and documented in SLAs and are achievable within the ITSCM plans
• KPI: Regular and comprehensive testing of ITSCM plans achieved consistently
• KPI: Regular reviews are undertaken, at least annually, of the business and IT continuity plans with the business areas
• KPI: Regular successful validation that IT negotiates and manages all necessary ITSCM contracts with third party
• KPI: Overall reduction in the risk and impact of possible failure of IT services
• KPI: Increase in validated awareness of business impact, needs, and requirements throughout IT
• KPI: Increase in successful test results ensuring that all IT service areas and staff are prepared and able to respond to an invocation of the ITSCM plans
• KPI: Validated regular communication of the ITSCM objectives and responsibilities within the appropriate business and IT service areas
• CSF: Awareness throughout the organization of the business and IT service continuity plans

(Service Design, page 195)

6.4.9 Challenges

The greatest challenge to ITSCM is the lack of a BCM process, which will lead to incorrect assumptions about the customer’s needs and the criticality of their business processes.

Often, customers are reluctant to see the need for BCM because they view ’disaster recovery’ to be a responsibility of IT.

This is especially true when IT services are being outsourced. If a BCM process is in place, the challenge to ITSCM is in seeking alignment and integration with BCM.

Both the customer and the service provider must be equally committed and invested in a successful relationship between the two processes.

Anything less can lead to lack of communication and the initiation of plans based on wrong or out-of-date information.

6.5 Information Security Management

Information security is part of the corporate governance framework, providing strategic direction for security activities and ensuring that strategic objectives for the business are achieved.

Information Security Management also ensures the management of information security risks and the responsible use of information resources. ‘Information’ in this context is used as a general term and includes all data stores, databases, and metadata used by the enterprise.

6.5.1 Purpose and Objectives

Information security is a critical part of the warranty of a service.

The process establishes controls that prevent or mitigate disruptions from security threats impacting the IT environment.

This allows IT services to perform as expected and ensures that value is generated for the business.

Information security also ensures that the users can access the utility of the service.

The primary purpose of Information Security Management is to align IT security with business security, ensuring the agreed business needs regarding the confidentiality, integrity, and availability of the organization’s assets, information, data, and IT services are matched.

The objective of Information Security Management is to protect the interests of those people and groups from failures of confidentiality, integrity, and availability specifically when accessing information, systems, and communications that deliver the information.

For most organizations, the security objective is met when (ITIL Service Design, page 196):

• Information is observed by or disclosed to only those who have a right to know (confidentiality)
• Information is complete, accurate, and protected against unauthorized modification (integrity)
• Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
• Business transactions, as well as information exchanges between enterprises or with partners, can be trusted (authenticity and non-repudiation)

6.5.2 Scope

The Information Security Management process is the focal point for all IT security issues and ensures an information security policy is produced, maintained, and enforced.

The information security policy covers the use and misuse of all IT systems and services.

The entire IT and business security environment must be understood, specifically (ITIL Service Design, page 197):

• Business security policy and plans
• Current business operation and its security requirements
• Future business plans and requirements
• Legislative and regulatory requirements
• Obligations and responsibilities with regard to security contained within SLAs
• The business and IT risks and their management

Understanding all of this will enable Information Security Management to ensure that all the current and future security aspects and risks of the business are cost-effectively managed.

Information Security Management ensures that the confidentiality, integrity, and availability of an organization’s assets, information, data, and IT services are maintained.

Information Security Management must consider the following four perspectives:

• Organizational – Defines security policies and staff awareness of these policies
• Procedural – Defines procedures used to control security
• Physical – Controls used to protect any physical sites against security incidents
• Technical – Controls used to protect the IT infrastructure against security incidents

As a guide, the Information Security Management process should include activities to:

• Produce, maintain, distribute, and enforce the ISM policy and supporting security policies
• Understand the agreed current and future security requirements of the business and the existing Business Security Plans
• Implement a set of security controls that support the ISM policy and manage associated risks
• Document all security controls, together with the operation and maintenance of the controls and their associated risk
• Manage all suppliers and contracts regarding access to systems and services in conjunction with Supplier Management
• Manage all security breaches and incidents associated with all systems and services
• Proactively improve security controls and security risk management and the reduction of security risks
• Integrate security aspects with all other IT Service Management processes

6.5.3 Benefits

At the core of Information Security Management is the Information Security Policy.

The process maintains and enforces the policy, and as such, the organization obtains its benefits.

The primary benefit of the information security policy is a heightened awareness of security in IT services and the organization.

By enforcing the security policy, ISM will place controls to provide security and maximize the organization’s defense against potential risks.

—

• New or changed targets within SLRs, SLAs, OLAs, or contracts
• The occurrence of a service or component security breach or warning
• Review and revision of:
  • Business and IT plans and strategies
  • Information security management policies, reports, or plans
  • Designs and strategies
  • SLAs, OLAs, contracts, or any other agreements
• A new risk or change of risk or impact to a business process, VBF, IT service or component
• Assisting SLM with security targets and explanation of achievements

Inputs

Information Security Management will need to obtain input from many areas, including (ITIL Service Design, page 204):

• Business information: from the organization’s business strategy, plans and financial plans, and information on its current and future requirements
• Governance and security: from corporate governance and business security policies and guidelines, security plans, risk assessment, and responses
• IT information: from the IT strategy and plans and current budgets
• Service information: from the SLM process with details of the services from the Service Portfolio and the Service Catalog, service level targets within SLAs and SLRs and possibly from the monitoring of SLAs, service reviews, and breaches of the SLAs
• Risk assessment processes and reports: from ISM, Availability Management, and ITSCM
• Details of all security events and breaches: from all areas of IT and ITSM, especially Incident Management and Problem Management
• Change information: from the Change Management process with a change schedule and a need to assess all changes for their impact on all security policies, plans, and controls
• CMS: containing information on the relationships between the business, the services, supporting services, and the technology
• Details of partner and supplier access: from Supplier Management and Availability Management on external access to services and systems

Outputs

The outputs produced by the Information Security Management process are used in all areas and should include (ITIL Service Design, page 204):

• An overall information security management policy, together with a set of specific security policies
• A Security Management Information System (SMIS), containing all the information relating to Information Security Management
• Revised security risk assessment processes and reports
• A set of security controls, together with details of the operation and maintenance and their associated risks
• Security audits and audit reports
• Security test schedules and plans, including security penetration tests and other security tests and reports
• A set of security classifications and a set of classified information assets
• Reviews and reports of security breaches and major incidents
• Policies, processes, and procedures for managing partners and suppliers and their access to services and information

Interfaces

Information security management will interface with any service management process which has a need for security controls.

This can assist in identifying and implementing those security controls with minimal impact on the environment.

• Service level management: Works to determine and document security requirements and procedures in SLAs and SLRs
• Access management: Enforces all security requirements and controls relevant to providing and managing access to systems and assets
• Change management: Performs an assessment of every change to determine the impact on security and security controls, and informs ISM of all unauthorized changes resulting from a security breach
• Incident and problem management: Information security management assists in the identification, investigation, and resolution of security-related incidents and problems.
• IT service continuity management: Assists in the assessment of business impact and risk, as well as in identifying potential areas for building resilience, failover solutions, and recovery mechanisms
• Service asset and configuration management: Utilizes configuration information to build security classifications
• Availability management: ISM is an enabler of availability management to ensure that all data is available and uncompromised when needed.
• Capacity management: The procurement of new technology must meet the minimal security guidelines required by policy.
• Financial management for IT services: Ensures that security solutions have adequate funding to meet requirements
• Supplier management: Ensures that security policies and guidelines are documented and agreed in supplier contracts
• Legal and human resources issues: Works with ISM to investigate security issues

6.5.8 Critical Success Factors and Key Performance Indicators

Critical Success Factors are a function of the organization’s objectives for the process.

Key Performance Indicators are designed to support the Critical Success Factors.

KPIs should be monitored and used as evidence in supporting opportunities for improvement.

Below is a list of sample critical success factors and key performance indicators to provide a sense of how information security management can be measured.

The actual development of CSFs and KPIs by the organization should be performed with careful consideration of the organization’s needs.

These examples can be found in ITIL Service Operation, page 205.

• CSF: Business is protected against security violations.
• KPI: Percentage decrease in security breaches reported to the service desk
• KPI: Percentage decrease in the impact of security breaches and incidents
• KPI: Percentage increase in SLA conformance to security clauses
• KPI: Decrease in the number of non-conformances of the information security management process with the business security policy and process
• CSF: Security procedures that are justified, appropriate, and supported by senior management
• KPI: Increase in the acceptance and conformance of security procedures
• CSF: The determination of a clear and agreed policy, integrated with the needs of the business
• KPI: Increased support and commitment of senior management
• CSF: Effective marketing and education in security requirements and IT staff awareness of the technology supporting the services
• KPI: Increased awareness of the security policy and its contents throughout the organization
• KPI: Percentage increase in completeness of supporting services against the IT components that make up those services
• KPI: Service desk supporting all services
• KPI: The number of suggested improvements to security procedures and controls
• KPI: Decrease in the number of security non-conformance detected during audits and security testing