Structure of the training ISO/IEC 20000 certification and course outline Examination format Agenda
Examination Format
Already available in English, Dutch, French, Portuguese, Japanese, Chinese, German, Italian, Latin-American Spanish and European Spanish.
- This is a closed book exam. No materials are permitted in the examination room.
- Duration: 1 hour
- Number of questions: 40
- Multiple-choice with four options (A, B, C or D) and a single answer
- Minimum score of 65 percent (26 of 40) to pass the exam
Course Material
Date of Publication: December 15, 2005
- Developed using a fast-track approach by adoption of BS 15000 during 14 months
Changes to BS 15000:
- Formally 450 changes (renumbering, etc.)
- In terms of content, just slight differences (sole terms, etc.)
No other official publications by ISO/IEC, but an increasing number of secondary publications by BSI (BIP 0030-0039, BIP 0015)
Two Parts:
- ISO/IEC 20000-1: Information Technology Service Management, Part 1: Specification (requirements: "shall")
- ISO/IEC 20000-2: Information Technology Service Management, Part 2: Code of Practice (recommendations: "should")
ISO/IEC 20000-1
ISO/IEC 20000-2
Basics: IT Service Management (e.g. ITIL, MOF, CobiT) & Quality Management (e.g. ISO 9000)
[Figure: relationship of ISO/IEC 20000 to ITIL V2, ITIL V3, MOF, CobiT, CMM, ISO/IEC 15504 and Quality Management. Legend: standard / methodology; adoption of concepts; predecessor]
What is a Process?
- Hammer, Champy (Reengineering the Corporation): A business process is a bundle of activities, which requires one or several inputs and which creates value for the customer.
- Office of Government Commerce (ITIL Version 3): A structured set of Activities designed to accomplish a specific Objective.
- DIN/ISO (ISO 9000): A business process is a collection of interrelated resources and activities, that transform inputs into outputs. Resources could be personnel, buildings, machinery, technology and methodology.
[Figure: process model: activities with inputs, outputs and control factors, spanning Domain 1, Domain 2 and Domain 3]
Qualitative consideration
Calculation based on parameter values measured during process execution Does the process actually operate (now, last month, last quarter, etc.) effectively and efficiently?
Quantitative consideration
Components of an IT Service
Information System:
- People, Processes, Technology, Partners - Used to manage information
Support:
- Changes, system restoration in case of failure - Maintenance - To ensure performance according to the agreed requirements
Quality:
- Availability, Capacity, Performance, Security, Scalability, Adjustability, Portability - Quality attributes of the information system to be specified and agreed upon
Business Processes are supported by IT Services. Delivering IT Services is the key task of an IT provider. Customers of the IT provider are basically organizations that are involved in business processes. Users use IT Services to carry out day-to-day activities. ITSM Frameworks describe Best Practices of IT Service Management.
[Figure: relationships between Customer, User, Business Process, IT Service, IT Provider and Management (is responsible, uses, supports, delivers)]
Process owner is responsible for process results. Process manager is responsible for realization of the process, day-to-day control and management. Process operatives (professionals) are responsible for defined activities.
Results assessed based upon agreed performance indicators. One person or team may have multiple roles.
Role of Tools
Automated support aids in the performance of tasks/activities Purpose:
Increased efficiency = cost reduction Provide evidence of the process activities performed
Examples:
Monitoring tools Software distribution tools Service Management / workflow tools Remote infrastructure management tools
Service Quality
Quality of Service is a measure that indicates the overall effect of service performance that determines the degree of satisfaction of a user of the service. The measure is derived from the ability of the resources to provide different levels of services. The measure can be both quantitative and qualitative.
- Quality of service is a critical part of customer and end user satisfaction.
- It is a measure of the ability of a service to provide the intended value to a customer.
- It is specific to the individual customer; quality metrics should be defined from the customer's perspective.
- Customer perception of service quality may vary over time.
Quality Policy
The Quality Policy recognizes that there is always the potential to increase effectiveness and efficiency (continual improvement). The Quality Policy determines the general quality goals of an organization. The Quality Policy however does not cover:
Legal Requirements Customer specific requirements in quality (cp. SLAs) Requirements of ISO/IEC 20000
Process
Right products
Right Suppliers
Good communication
Identify customers' requirements and expectations. Define and assign required resources to achieve the committed quality goals. Launch procedures to measure effectiveness and efficiency.
Based on:
- Best Practices in IT Service Management (e.g. as described in ITIL)
- Principles of Quality Management (e.g. as described in ISO 9000)
Revision Course
What is IT Service Management? What is a Management Process? What is ISO/IEC 20000?
Content? Structure? Processes and process clusters? History? Relationship to ITSM Frameworks?
What is the advantage of process-oriented management? What are the risks? What is a QM System?
Section 1: Scope
Objective
Description of ISO/IEC 20000 Standards and its content
[1] Scope
[2] Terms and Definitions [3] Management System [4] Planning & Implementing SM
Management responsibility Documentation requirements Competencies, awareness & training Plan, Do, Check, Act
Availability (6.3); Baseline (9.1); Change Record (9.2); Configuration Item (9.1); Configuration Management Database (9.1); Document; Incident (8.2); Problem (8.3); Record; Release (10.1); Request for Change (9.2); Service Desk; Service Level Agreement (6.1); Service Management; Service Provider
Grey highlighted terms: Definitions - see the following slides All other terms: See Specification Sheet Section 7.5 for full list
Service
Service Desk
Interface function for communication of provider and user, which covers the bigger part of the first level support.
Service Management
Management of IT Services in order to support and meet business requirements.
Service Provider
Supplier of IT Services (target object of ISO/IEC 20000 certification).
Service Desk
Tasks:
- To take over tasks of service support (e.g. particularly within Incident Management Process)
- Communication to users
Service Desk is a Core Definition, but not part of the ISO/IEC 20000 requirements.
[1] Scope [2] Terms and Definitions [3] Management System [4] Planning & Implementing SM
Management responsibility Documentation requirements Competencies, awareness & training
Management Systems
What is a management system?
A possible definition: A management system is the framework of processes, tools and resources (personnel and machinery) used to plan, execute, document and continually improve management tasks in a target-oriented, customer-oriented and quality-oriented way.
Important Aspects: Quality (cp. Quality Management) Management responsibilities Documentation Competence, Awareness and Training
Management Responsibilities
Management shall:
prove commitment to development, implementation and improvement of service management capabilities by appropriate leadership behavior and appropriate measures; establish policy, objectives and plans; communicate the importance of meeting the objectives and the need for continual improvement; ensure that customer requirements are determined and are met; appoint a member of management responsible for the coordination and management of all services.
Documentation
Documentation and records shall be provided to support effective planning, operation and control. Including at least:
Documentation of Service Management guidelines and plans Documentation of Service Level Agreements Documentation of processes required by ISO/IEC 20000 Records required by ISO/IEC 20000
Procedures and responsibilities shall be established for the creation, review, approval, maintenance, disposal, and control.
Documents should be in a medium suitable for their purpose. Documents should be protected from damage due to circumstances (e.g. environmental conditions, computer disasters).
Continual Improvement
1. Necessary in order to improve the performance of the organization and increase customer satisfaction.
2. Needs to be a permanent objective of the organization.
3. Continual activity which keeps the wheel of the PDCA cycle turning.
4. Ensures improvement activities at all levels are aligned to the organization's strategy.
5. Increases flexibility to act quickly on opportunities.
6. Applying the principle leads to a company culture and organization-wide approach to continual improvement.
7. Leads to more business in the mid-term by actively improving the relationship with customers.
[Figure: PDCA cycle, maturity over time]
- Process model of quality management according to W. Edwards Deming
- Cyclical optimization of quality leads to continual improvement
- Plan-Do-Check-Act is applicable to all processes defined in ISO/IEC 20000
[Figure: PDCA cycle (Plan, Do, Check, Act) for the Management of Services. Labels: Management Responsibility; New/changed Services; Other processes (e.g. business, supplier, customer); Business results; Customer satisfaction; Team and people satisfaction]
Achievement of Objectives
Appropriate methods shall be applied for monitoring and measuring processes to disclose achievement of targets.
Management shall conduct reviews at planned intervals to determine whether:
- Service management requirements conform with the Service Management Plan and requirements of ISO/IEC 20000
- Service management requirements are effectively implemented and maintained
An audit program shall be planned. Objectives of reviews, assessments and audits shall be documented together with the results and detected resolutions. In case of failure to fulfill obligations and other problematical concerns, all relevant parties shall be informed.
Objectiveness
Audit Program
To be considered by internal audit program:
Status and importance of the audited processes and organizations Results of previous audits
Criteria, scope, frequency and methods shall be defined in a procedure. Selection of auditors shall take into consideration:
Audit has to be objective and impartial. Auditors shall not audit their own work.
Management Review
Management Reviews should focus on:
Achievements compared to service objectives (e.g. from audit results) Customer satisfaction Resource utilization Trends Certain service discrepancies
Continual Improvement
Objective "Act"
To improve the effectiveness and efficiency of service delivery and management.
Policy
A published policy for service improvement is required. Any non-compliance with ISO/IEC 20000 or with service management plan shall be remedied. Roles and responsibilities for service improvement shall be defined clearly.
Management of Improvement
All suggested service improvements shall be evaluated, documented, prioritized and authorized. Monitoring these activities shall be planned. A specific process is required for continually identifying, measuring, reporting and managing improvement. This encompasses:
- Improvements concerning individual processes that can be implemented by the process owner's means
- Organization-wide or cross-process improvements
Minimum Requirements
- The costs, commercial and organizational impact of any proposed new or changed services shall be considered by operations and management of these services.
- New or changed services, including closure of service, shall be planned and authorized/approved through change management.
- Planning of new/changed services shall consider aspects of funding and allocation of resources.
- New/changed services require acceptance by service provider before deployment to live environment.
- Post implementation review (including target-performance comparison) through change management process.
Code of Practice
Classification Incident vs. Problem Management
- Incident Management: Quickest possible service recovery
- Problem Management: Root cause identification and resolution
ISO/IEC 20000 Code of Practice
Code of Practice
Staff skills Competing requests for resource allocation Costs of implementing the resolution Approximated time to implement the resolution
Incident Management
Objective:
Resolve incidents as quickly as possible and minimize the adverse impact on business operations.
[6] Service Delivery Processes
Capacity Management; Service Continuity & Availability Management; Service Level Management; Service Reporting; Information Security Management
Fundamental terms
Incident
An unplanned interruption to a service or reduction in the quality of a service.
Further Terms
Service Request:
Request for documentation User Request for Change
Process
Activities:
- Detection and Recording - description of symptoms, creation of ticket
- Classification and Initial Support - if possible, resolution through first level support (Service Desk); incident prioritization and categorization
- Investigation and Diagnosis - find a resolution to restore the service as quickly as possible
- Resolution and Recovery - initiation of required recovery measures
- Closure - resolution documentation, user confirmation, close ticket
BEST PRACTICE according to ITIL Version 2 & 3
[Figure: incident flow from detection at the Service Desk through the request check (yes: Request Fulfillment), 1st level support, 2nd level support and further support units (functional escalation, co-ordination of support units), each with diagnosis and a "resolvable?" decision leading to resolution, ending in closure]
Service Request for a storage upgrade Service Request for a cartridge change or a printer failure Performance Incident Service Request for a password or account reset E-mail service failure
Minimum Requirements
- All Incidents shall be recorded.
- Procedures for detection, impact analysis, prioritization, classification, escalation, resolution and closure of incidents shall be defined.
- Customers shall be kept informed of the process progress and alerted BEFORE SLA is breached or at risk of being breached.
- All staff involved in incident management shall have access to relevant information such as: known errors, problem resolutions, Configuration Management Database (CMDB).
- Major Incidents shall be managed according to a process.
Code of Practice
Process closure
Prerequisite - Final closure of an incident should only take place when the initiating user has confirmed that the service is restored.
Major incidents
Important - There should be a clear definition of what constitutes a major incident. All major incidents should have a clearly defined responsible manager at all times. The process for a major incident should include review.
Problem Management
Objective:
To avoid disruption by proactive and reactive analysis of the cause of potential incidents.
Fundamental terms
Problem
An unknown cause of one or more incidents
Additional terms:
- Known Error - root cause of one or more incidents for which work-arounds exist, if applicable.
- Reactive and proactive problem management
BEST PRACTICE
Process
[Figure: Problem Management process (Problem, Known Error)]
Trend Analysis
Definition: Analysis of data of various sources to identify time-related patterns.
Examples of sources:
- Ticket system - number of similar incidents
- Monitoring tools - resource utilization peaks
Examples of time-related patterns:
- Each Monday between 7:30-9:30 p.m. noticeable accumulation of submitted network incidents: problem identification (reactive problem management, since incidents already occurred)
- Every day between 2-5 a.m. marginally high utilization of an information system: problem identification (proactive problem management, since incidents should be avoided)
Minimum Requirements
All identified problems shall be recorded. Procedures shall be adopted to identify, minimize or avoid the impact of incidents and problems. They shall define the recording, classification, updating, escalation, resolution and closure of all problems. Preventive action shall be taken to reduce potential problems. Changes required in order to correct the underlying cause of problems shall be passed to the change management process.
Minimum Requirements
Problem resolution shall be monitored, reviewed and reported on for effectiveness. Problem management shall be responsible for ensuring up-to-date information on known errors and corrected problems is available to incident management. Actions for improvement identified during this process shall be recorded and implemented.
Code of Practice
Communication
All processes and people involved in service support particularly incident management should be informed of:
Work-arounds Permanent fixes Progress of problems
- All identified problems shall be recorded.
- Procedures shall be adopted to identify, minimize or avoid the impact of incidents and problems.
- Procedures shall define the recording, classification, updating, escalation, resolution and closure of all problems.
- Preventive action will be taken to reduce potential problems, e.g. following trend analysis of incident volumes and types.
- Changes required in order to correct the underlying cause of problems shall be passed to the change management process.
- Problem resolution shall be monitored, reviewed and reported on for effectiveness.
- Problem management shall be responsible for ensuring up-to-date information on known errors and corrected problems is available to incident management.
- Actions for improvement identified during this process shall be recorded and input into the service improvement plan.
Revision Course
Trend analysis is important during what activity of problem management process? What is the difference between a problem and an error? What are the sub-processes of problem management? How is problem management linked to change management? What is the next step within problem management after a change was implemented to resolve an error? What kind of information does problem management provide for the incident management process?
Configuration Management
Objective:
To define and control the components of the service and infrastructure and maintain accurate configuration information.
Fundamental terms
Configuration Item (CI): Any IT infrastructure component or other element that is recorded and maintained by the configuration management process.
Configuration Management Database (CMDB): A database used to store all relevant information of all CIs and their relationships with other CIs.
Fundamental terms
BEST PRACTICE according to ITIL Version 3
Additional terms
Attribute - a piece of information about a CI (e.g. asset id, location) Baseline - a benchmark used as a reference point. Configuration Management System (CMS) - a set of tools and databases that are used to manage configuration information:
includes one or more CMDBs Federated CMDB manages relationships with other CIs and related incidents, problems, known errors, changes, etc.
Process
BEST PRACTICE
Activities
- Planning of: CMDB targets (e.g. Which processes have to be supported? How?); scope of CMDB
- Identification - define types of CIs, name conventions, versioning
- Recording and Control: record new CIs; update existing CIs
- Status Accounting - record/update lifecycle status of each CI
- Verification - mapping CMDB and actual situation
[Figure (BEST PRACTICE, Process): Planning, Status Accounting (update CI status) and Verification (difference between CMDB and reality) around the CMDB]
Minimum Requirements
There shall be an integrated approach to change and configuration management planning. Scope of CMDB = Scope of change management! Configuration management shall have an interface to financial asset accounting processes. There shall be a configuration management policy on what is defined as a configuration item and its constituent components. The information to be recorded for each item shall be defined and shall include the relationships and documentation necessary for effective service management.
Minimum Requirements
Configuration management shall provide the mechanisms for identifying, recording, controlling and tracking versions of CIs. It shall be ensured that the process meets the business needs, risk of failure and service criticality. Configuration management shall provide information to the change management process:
- Supporting Change Management in risk and impact analysis of planned changes
- Tracking of hardware/software changes
Minimum Requirements
A baseline of the appropriate configuration items shall be taken before a release to the live environment. Master copies of digital CIs (software, documents) shall be controlled in secure physical or electronic libraries (cp. release management: definitive software library) and referenced to the configuration records. All configuration items shall be uniquely identifiable and recorded in a CMDB to which update access shall be strictly limited and controlled. Audit procedures shall include process and CMDB.
Service Knowledge Management System (SKMS): A set of tools and databases that are used to manage knowledge and information. The SKMS includes the:
CMDBs CMS
Change Management
Objective:
To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner.
Fundamental terms
Request for Change (RfC): Form to register all relevant details of a required change to a CI.
Fundamental terms
BEST PRACTICE according to ITIL Version 2 & 3, MOF
Additional terms:
- Change Advisory Board (CAB) - A group of people that advises in the assessment, prioritization and scheduling of changes.
- Emergency Change Advisory Board (ECAB) - A subset of the Change Advisory Board put together on demand that plans and makes decisions about emergency changes.
- Forward Schedule of Change (FSC) - Schedule of all planned changes.
Process
BEST PRACTICE
Activities:
- Record all RfCs
- Review and Filter - decide on RfC acceptance by defined formal criteria
- Classification: priority (impact, urgency); category (risks)
- Authorize and Plan - release changes for development, budgeting and resource planning
- Coordination of change development and change release
- Post implementation review (PIR)
Process
BEST PRACTICE according to ITIL Version 2 & 3, MOF
[Figure: change management flow with decision points (No: RfC rejected; No: Change rejected; Yes: continue), coordination with Release Management, and assessment (PIR)]
Minimum Requirements
Changes shall have a clearly defined and documented scope. All requests for change shall be recorded and classified and assessed for their risk, impact and business benefit. The process shall include the manner in which the change shall be reversed or remedied if unsuccessful. All changes shall be reviewed after implementation (PIR). There shall be policies and procedures to control the authorization and implementation of emergency changes.
Minimum Requirements
The scheduled implementation dates of changes shall be documented including details of all the changes (FSC). Change records shall be analyzed regularly to detect increasing levels of changes, frequently recurring types and other trends.
Code of Practice
Standard Change
- Established, documented and practiced procedure
- Pre-authorized by Change Management
Emergency Change
Emergency change procedure will follow the normal change procedure as far as possible. Regular requirements can be relaxed for time-critical steps, e.g.
- Testing may be reduced, or in extreme cases forgone completely
- Documentation may be deferred
Emergency changes should be reviewed after the change to verify that it was a true emergency.
Fundamental terms
Release
A collection of new or changed CIs required to be tested together and deployed to live environment.
Definitive Hardware Store (DHS): Physical storage location of approved and registered hardware
Process
BEST PRACTICE according to MOF
Exemplary Workflow
BEST PRACTICE according to MOF
[Figure: Change Management (record, review & filter, classification, authorization) passes approved changes to Release Management (release planning, release building, acceptance test, readiness review, roll-out planning, roll-out preparation, roll-out), followed by assessment (PIR)]
Minimum Requirements
The release policy stating the frequency and type of releases shall be documented and agreed upon. The service provider shall plan with the business the release of services, systems, software and hardware. Plans on how to roll out the release shall be agreed to by all relevant parties (e.g. customers, users and support staff). The process shall include the manner in which the release shall be reversed or remedied if unsuccessful. Plans shall record the release dates and deliverables and refer to related change requests, known errors and problems. Requests for change shall be assessed for their impact on release plans.
Minimum Requirements
The release management process requires update and change procedures for configuration items. Testing releases before distribution requires a controlled test environment. Release and distribution shall be designed and implemented so that the integrity of hardware and software is maintained at all times. Success and failure of releases shall be measured. Measurements shall include incidents related to a release in the period following a release. Analysis shall provide input to a plan for improving the service.
Code of Practice
Release Policy
A document to define general requirements for release management. A Release Policy should include:
- frequency and type of release (release types)
- roles and responsibilities for process
- authority for the release into acceptance test
- unique identification and description of all releases
- approach to grouping changes into a release
- approach to automating the plan, build and release distribution processes
- verification and acceptance of a release (e.g. error-free or covered by known error database)
Code of Practice
Release and Roll-out Plan
Objective of Release Planning:
- Compatible with CIs in target environment
- Ensure that all changes are authorized by Change Management (feedback)
Release Plan:
- Detailed document to plan a concrete release (important: differs from release policy)
The planning for a release and roll-out should typically include (abstract):
- release dates
- related changes; problems and known errors closed or resolved by this release
- known errors that have been identified during testing of the release
- the manner in which the release will be reverted or remedied if unsuccessful
- detailed description of the required test
- communication; training (particularly for customer and support staff)
- resources required for release
Fundamental terms
Service Level Agreement (SLA)
An agreement between an IT service provider and a customer which describes the IT service and service level targets.
Additional terms
Service Level - Acceptable quality level of a service
[Figure: services (e.g. Service B, Service C) delivered by the Service Provider on IT systems, underpinned by service agreements / OLAs with internal organizations and contracts with suppliers]
Minimum Requirements
The full range of services to be provided together with the corresponding service level targets and workload characteristics shall be agreed to by the parties and recorded. Each service provided shall be defined, agreed upon and documented in one or more service level agreements (SLAs). SLAs, together with supporting service agreements, supplier contracts and corresponding procedures, shall be agreed to by all relevant parties and recorded. The SLAs shall be under the control of the change management process. The SLAs shall be maintained by regular reviews. Service levels shall be monitored and reported as compared to targets.
Service Reporting
Objective:
To produce agreed, timely, reliable and accurate reports for informed decision making and effective communication.
Minimum Requirements
There shall be a clear description of each service report including its identity, purpose, audience and details of the data source. Service reports shall be produced to meet identified needs and customer requirements. Service reporting shall include:
- performance against service level targets
- non-compliance and issues (e.g. against the SLA, security breach)
- workload characteristics (e.g. volume, resource utilization)
- performance reporting following major events (e.g. major incidents and changes)
- trend information
- satisfaction analysis
Management decisions and corrective actions shall take into consideration the findings in the service reports and shall be communicated to relevant parties.
Event Management
BEST PRACTICE according to ITIL Version 3
Service reports are based on events and event statistics respectively.
Event - a change of state that has significance for the management of a Configuration Item or IT Service.
Classification of events:
- Informational Event: purely informative, for reporting purposes; no action required
- Warning: a service or device is approaching a threshold; notify the appropriate persons, process or tool
- Exception: currently operating abnormally, SLA breach; reaction required
Exceptions can cause incidents and/or requests for change.
Fundamental terms
Availability
Ability of a component or service to perform its agreed function when required.
Additional terms
- Availability Plan - a document to define aspects of service availability in day-to-day operations
- Service Continuity - the capability to continue service operations in exception cases
- Service Continuity Plan - a document to manage risks of exceptional events in order to continue or recover IT services
Average Availability
BEST PRACTICE
Process
according to ITIL Version 2 & 3
Plan availability:
- Average Availability
- Serviceability
- Maintainability
Measure availability
Process
BEST PRACTICE according to ITIL Version 2 & 3
Common Activities
- Component Failure Impact Analysis (CFIA): analyze IT infrastructure dependencies; identification of Single Points of Failure (SPOFs)
- Business Impact Analysis (BIA): analyze dependencies between services and business processes; quantification of business impact of service failure
- Risk Analysis
[Figure: risk analysis relating assets, vulnerabilities and threats to risk and countermeasure]
Minimum Requirements
Availability and service continuity requirements shall be identified on the basis of business priority, SLAs and risk assessments. Availability and service continuity plans shall be developed and reviewed at least annually. The availability and service continuity plans shall be re-tested at every major change to the business environment. The change management process shall assess the impact of any change on the availability and service continuity plan.
Minimum Requirements
Availability shall be measured and recorded. Unplanned non-availability shall be investigated and appropriate actions taken. Service continuity plans, contact lists and the CMDB shall be available when normal office access is prevented. The service continuity plan shall include the return to normal working. The service continuity plan shall be tested in accordance with business needs. All continuity tests shall be recorded and test failures shall be formulated into action plans.
Basic Activities
Budgeting - predicting demand behavior to forecast costs of service and to manage expenditures
Accounting - identify actual costs
Charging - requiring payment for IT services from customers
Charging is not part of ISO/IEC 20000 requirements.
Cost classifications
Direct and indirect costs
Fixed and variable costs
Minimum Requirements
There shall be clear policies and processes for:
budgeting, and accounting for all components including IT assets, shared resources, overheads, externally supplied service, people, insurance and licenses;
apportioning indirect costs and allocating direct costs to services;
effective financial control and authorization.
Costs shall be budgeted in sufficient detail to enable effective financial control and decision making. Costs shall be monitored and reported as compared to the budget. Review the financial forecasts and manage costs accordingly. Changes to services shall include cost estimates and be approved through the change management process.
Charging
BEST PRACTICE according to ITIL Version 2 & 3
Capacity Management
Objective:
To ensure that the service provider has, at all times, sufficient capacity to meet the current and future agreed demands of the customer's business needs.
[6] Service Delivery Processes
Capacity Management
Service Continuity & Availability Management
Service Level Management
Service Reporting
Information Security Management
Fundamental terms
Capacity Plan:
Current infrastructure performance
Future needs
Documentation of cost-calculated options to achieve requirements and recommendations
Shall be produced at least annually
Capacity Predictions:
Modeling, Application Sizing
Trend analysis
Customer and business-related forecast
Minimum Requirements
Capacity management shall produce and maintain a capacity plan. Capacity management shall address the business needs and include:
current and predicted capacity and performance requirements;
identified timelines, thresholds and costs for service upgrades;
evaluation of effects of anticipated service upgrades, requests for change, new technologies and techniques on capacity;
predicted impact of external changes, e.g. legislative;
data and processes to enable predictive analysis.
Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity.
Fundamental terms
Information security:
Information security is the result of a system of policies and procedures designed to protect information and any equipment used in connection with its storage, transmission and processing.
ISO/IEC 27000:
Bundle of information security ISO/IEC standards
ISO/IEC 27001: Information Security Management Systems - Requirements
ISO/IEC 27002: former ISO/IEC 17799 - Code of Practice for Information Security Management
Minimum Requirements
Management with appropriate authority shall approve an information security policy that shall be communicated to all relevant personnel and customers where appropriate.
Appropriate security controls shall operate to:
implement the requirements of the information security policy;
manage risks associated with access to the service or systems.
Security controls shall be documented: the documentation shall describe the risks to which the controls relate and the manner of operation and maintenance of the controls.
Supplier
Service Provider
Business
Minimum Requirements
The service provider shall identify and document the stakeholders and customers of the services.
A service review shall be conducted:
with the participation of provider and customer;
other stakeholders may also be invited to the meetings;
to discuss any changes to the service scope, SLA, contract (if present) or the business needs at least annually;
and results shall be documented.
Minimum Requirements
The service provider shall remain aware of business needs and major changes in order to prepare to respond to these needs.
There shall be a complaints process:
The definition of a formal service complaint shall be agreed upon with the customer.
All formal service complaints shall be recorded and managed.
Where a complaint is not resolved, escalation shall be available to the customer.
There shall be a named individual who is responsible for managing customer satisfaction.
A process shall exist for obtaining customer satisfaction information (shall be input for Service Improvement Plan).
Supplier Management
Objective:
To manage suppliers to ensure the provision of seamless, quality services.
Fundamental Terms
Supplier
Lead Supplier - a supplier who obtains parts of delivered services from a third party
Subcontracted Supplier - supplier of a lead supplier
[Diagram: Supplier 1, Supplier 2, Lead Supplier 3, Subcontracted Supplier 4, Service Provider (internal or third-party), Business]
Minimum Requirements
There shall be documented supplier management processes and a contract manager responsible for each supplier. The scope, level of service and communication processes of the delivered services shall be documented in SLAs. SLAs with suppliers shall be aligned with the SLAs for the customers. The interfaces between processes used by each party shall be documented and agreed upon. All roles and relationships between lead and subcontracted suppliers shall be clearly documented. Lead suppliers shall be able to demonstrate processes to ensure that subcontracted suppliers meet contractual requirements.
Minimum Requirements
A process shall be in place for a major review of the contract:
at least annually
to ensure that business needs are still being met
to ensure that contractual obligations are still being met
Changes to the contracts, if present, and SLAs shall follow from these reviews as appropriate and shall be subject to the change management process.
Processes shall exist:
to deal with contractual disputes
to deal with the expected end of service, early end of the service
to deal with transfer of service to another party
Prepare Certification
Choose a Registered Certification Body (RCB)
Define Scope of certification together with RCB
Conduct initial assessment:
Internal or third-party
Methodology, e.g. Self-Assessment Workbook PD0015
Pre-audit of RCB / Certifier
Apply maturity model, degree model
All requirements considered?
Arrange a time and date for audit.
Scoping
The Scope defines the effective range of the management system. Scoping Statement includes:
Services
Geographical and local restrictions
Organizational and functional restrictions
Infrastructural restrictions
Certification
Prerequisite: Ownership and control of all processes defined within ISO/IEC 20000
Certification audit: The audit typically consists of:
Verification of documents
On-site inspection
Reporting
Evidence of reviewed and approved procedures (process descriptions):
Knowledge and control of process input
Knowledge, usage and interpretation of process output
Metric definition and evaluation
Accountability for process functionality according to ISO/IEC 20000 standard
Define, measure and review process improvements
Required effort:
Depends on number of people and locations
Related to ISO (effort scale)
Initial Roadmap
GAP Analysis
Communication Plan
Report Presentation
Documentation of Processes
Documentation on Planning
Implementation Facilitation
Internal Audit
[Figure: relationships between ISO/IEC 20000, ITIL V2, ITIL V3, MOF, CobiT, CMM, CMMI and ISO/IEC 15504. Legend: Quality Management standard/methodology; IT Management Framework; Software Engineering maturity degree model; adoption of concepts; predecessor]
ISO 9000
Owner: ISO
Field of application / audience: industry and service providers / management, customers
Objective: International quality management standard, certified companies
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: ISO 9000 comprises a series of documents. Best known: ISO 9001 - Quality management systems - Requirements
ISO 9000 process approach
ISO/IEC 27000
Owner: ISO/IEC
Field of application / audience: All types of organizations / management, customers
Objective: International information security standard, certified companies
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: ISO 27000 comprises a series of documents. Best known: ISO 27001 - Information Technology - Security techniques - Information security management systems - Requirements
ISO 27000 process approach, PDCA implemented
IT Infrastructure Library (ITIL)
Owner: Office of Government Commerce (OGC)
Field of application / audience: IT Service Provider / Management
Objective: Best Practice Guidance for IT Service Management
Publication media / source: Books and CDs published by TSO (The Stationery Office) / book trade
Miscellaneous: ITIL Version 2 is the most popular ITSM framework. Since Summer 2007, a fully revised version 3 (ITIL V3) has been available.
ITIL Version 2
Content of ITIL V2
Service Support Book: Operational processes
Service Delivery Book: Tactical processes
Security Management Book
Some additional books
[Diagram: Planning to implement Service Management, Business, Business Perspective, Infrastructure Management, Application Management, Suppliers, Security Management, Technology]
ITIL Version 3
Service lifecycle-oriented approach
Service Design:
Planning and Implementing New or Changed Services Other disciplines (e.g. Availability Management, Capacity Management, Service Level Management)
Service Transition:
Change, Configuration and Release Management
Service Operation:
Incident and Problem Management
Do:
Service Transition
Service Operation
Software, tools
Formal models and templates for:
processes
relations
information
artifacts
Evaluation hints:
Critical success factors
Key performance indicators
Process model divided into four quadrants
Process model extended and substantiated from ITIL V2
Capability Assessments
Compares the performance of a process against a performance standard, such as:
agreements in an SLA
a maturity standard
a benchmark (comparison to average in the industry)
an ISO standard
Assessments will help in identifying "where are we now?" and the gap with "where we want to be"
Crucial to define clearly what is being assessed
ISO/IEC 15504
Owner: ISO/IEC
Field of application / audience: Software and system developing organizations / management, customers
Objective: International standard of organizational maturity assessment
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: The standard results from the European project SPICE (Software Process Improvement and Capability Determination)
CobiT - Control Objectives for Information and Related Technology
Owner: ISACA/ITGI (Information Systems Audit and Control Association / IT Governance Institute)
Field of application / audience: IT service provider / management, customers, IT auditors
Objective: IT Governance - Control of IT
Source: Core documents free from ISACA website (www.isaca.org/cobit.htm, registration required)
CobiT: Framework
34 processes, structured in four lifecycle domains
For each process:
High-Level Control Objective
Detailed Control Objectives
Management Guidelines
Maturity Model
analyze, assess, create
Incident Management - section 8.2
Problem Management - section 8.3
Planning & Implementing New or Changed Services - section 5
Configuration Management - section 9.1
Change Management - section 9.2
Release Management - section 10
Business Relationship Management - section 7.2
Service Level Management - section 6.1
Service Reporting - section 6.2
Supplier Management - section 7.3
Budgeting and Accounting for IT Services - section 6.4
Service Continuity & Availability Management - section 6.3
Capacity Management - section 6.5
Information Security Management - section 6.6
Case Study
Introduction
7BLUES was set up in 1981 to provide aid to customers whose PCs have broken down, in the form of Annual Maintenance Contract (AMC) based services. This service has been achieved by a mix of 7BLUES's own technicians and outsourced partners. Over the last year they have begun to grow their business on three fronts by:
1. Expanding their customer base, by moving into new areas of operation and by achieving a reputation for providing a quality service.
2. Expanding their service portfolio into other Desktop related services that will appeal to their existing customers.
3. Introducing a web-site offering membership applications and other cloud based Services.
The services are supplied by a structure based upon a strong Head Office, in Bangalore, India, and satellite offices throughout their area of operation. Until recently the local offices, whilst bound to the practices laid down by Head Office, took calls from customers needing assistance in their area and arranged to get help to them. This has been changing over the last 6 months as a new centralized Service Desk has been set up and a new Remote Management Centre has been implemented in the Head Office. Accordingly, the future of the local offices is under review. The number of such offices will certainly be reduced and a revised role for those that remain is not yet certain.
At present there are 180 people working in the HQ; 60 of them work in the IT department. There are 24 regional offices, each with between 4 and 12 staff. Field staff of approximately 920 are supported by about 60 staff who are responsible for training, supervision and maintenance. Contracts exist with 5 outsourced service providers for the provisioning of spares.
The organization is successful in an increasingly competitive field. They realize that versatility is the order of the day and they are looking at offering cloud based services as a future set of service offerings. They also plan to expand into new geographical areas and into new services, by means of co-operation with other organizations where possible. The organization has set itself a target of 15% annual growth, to be achieved with a maximum increase in costs of 5% per year in real terms. A part of the growth is related to cost effective service provisioning by incorporating the latest technologies and looking at automation of routine activities.
Exercise
IT services
The infrastructure consists of a mainframe in the Head Office, together with an extensive LAN supporting a PC on almost every desk. Each regional office has PCs, most have a LAN and all have links via a WAN into the Head Office. Key IT services are:
Desktop/PC Support Services (PCSS) - This is the legacy of the 7BLUES IT unit. The Core Asset Tracker runs on the mainframe and keeps track of all existing customer data, including the systems supported and their configuration details, and is mostly accessed via PCs through the LAN and/or WAN. The system should be running 24 hours x 7 days including all public holidays.
Direct Stock and Sales (DSS) - This system supports the (relatively) new direct sales to customers. It resides on a network server within HQ, although use is made of the customer data held on the mainframe, as discounts are available to those taking AMC with 7BLUES. Since sales are made directly from shops at the regional sites, access to the central stock and pricing is made over the WAN.
Personnel and Administration Control (PAC) - Basically Personnel and Finance; much of the input is directly from paperwork and the service is used mostly within the PAC section at Head Office. Pay slips etc. produced in Head Office are posted to remotely based staff. This system was developed by Finance Systems, an independent software company based in Delhi, India, who maintain the system under an external contract.
Insurance Services System (ISS) - Holds local data on policies and customers and provides links via modems to underwriting companies for quotes. Insurance is dealt with by telesales from Head Office and by direct over-the-counter transactions at some of the local offices.
Office Systems - 7BLUES have recently adopted Open Office as their preferred office system, although there are still pockets of staff using other software purchased locally. Traditionally, staff have been able to acquire software for specific requirements on local and low level sign off. Accordingly there is a diversity of schedulers, graphics, and even project management software around the organization.
Web-site - The web-site is increasingly important as the percentage of business done by this method is continuing to increase. There is a 7 x 24 x 365 requirement for the availability of this web-site.
The 7BLUES hardware is maintained by a third party Maintenance Company, IIHS. They have staff based all over India.
IT Service Management
As an organization whose core business is built around responding to customer contacts and delivering a committed level of service, the ethos of help desk and service level agreements is well understood by managers and most of the staff. Service Level Agreements are in place across the organization. In view of the critical nature of the IT services to 7BLUES central functions, a team dealing with Availability and IT Contingency has recently been established. The IT Service Continuity elements are considered as part of the organization's overall Business Continuity Management. A Centralized Service Desk has recently been formulated and the customers have been made aware of the 1800-7BLUES-INDIA toll free number. The new Service Support Manager has been slowly increasing the formalization of referring calls to second line and specialist support groups through pre-defined escalation procedures. Formal Change Management procedures exist and an up to date CMS is in place.
It is well realized that 7BLUES are becoming ever more dependent upon the PCSS system for their operational effectiveness - if that fails they cannot function. This has perhaps diverted attention from the rest of the IS provision and made those working on enhancing and maintaining the PCSS system into an elite who sometimes feel above the rules. There is a commitment to training and most of the IT Service Management staff have received some ITIL based training.
Some Constraints
There appears to be a breakdown of communication between the IT department of 7BLUES and the business units. Due to a lack of understanding about systems and processes within the IT organization, the day-to-day operation of the business is being affected. The business feels that there is a lack of internal cohesion within IT and this is causing the channels of communication to be confused and disorganized.
The introduction of Incident and Problem Management has highlighted issues around the poor control of changes made to the IT infrastructure. In the previous 4 months 43% of changes released have resulted in Incidents being raised. Currently, each Regional Office has its own ad hoc process for change, coordinated through the Project Delivery Managers. Each Regional Office has its own CMDB and process. However, there is no standard product or process to manage configurations throughout the organization. All audits are carried out internally by each Regional Office.
The CIO has communicated a desire to keep moving towards a best practice approach with process-oriented systems. However, some teams are continuing to resist and work in isolation.
Exercise
Considering the case study - ISO 20000 Implementation Approach:
Make two groups of participants.
Group No. 1: Presentation of 30 mins, including details of 1) Planning phase 2) Gap Analysis
Group No. 2: Presentation of 30 mins, including details of 1) Enablement 2) Internal Audit
Contact Information
EXIN International
Godebaldkwartier 365, 3511 DT Utrecht
P.O. box 19147, 3501 DC Utrecht
The Netherlands
tel: +31 30 234 48 25
fax: +31 30 234 31 11
e-mail: info@exin-exams.com
web: www.exin-exams.com
This documentation was developed in collaboration with Leibniz-Rechenzentrum. Responsible authors: Dr. Michael Brenner, Thomas Schaaf
Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften, Boltzmannstraße 1, D-85748 Garching, www.lrz.de
Copyright 2008 EXIN/TÜV SÜD Akademie. All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN/TÜV SÜD Akademie.
ITIL is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a Registered Trade Mark of the Office of Government Commerce.