Date post: | 13-Nov-2014 |
Upload: | api-3695755 |

ITIL Essentials for IT Service Management

The Philosophy of Service Management
IT is the business
And
The business is IT

Triple P
To let the philosophy work, we need:
• People – Customers, Users, IT Staff & Top-Management
• Processes – ITIL
• Products – Tools and IT technology

IT Process
[Diagram labels: Objective, Result; Input, Output; Decision Making Level: ITIL definition(s); Operational Level; Activities; Process; Department X, Department Y, Department Z]

Deming Quality Circle
• Plan (Project Plan)
• Do (Project)
• Check (Audit)
• Act (New actions)
Continuous step by step improvement
[Diagram labels: Time Scale, Maturity, Quality]

The Objective of Service Management
• Align IT services in such a way that they will always meet the business/organization needs, which will change in time
• Quality improvement of the IT services provided
• Reduce long-term costs of the IT services provided
Service Management is the delivery of customer-focused IT services, by using a process-oriented approach/method

ITIL (CCTA’s) Reference Model
[Diagram labels]
IT Customer Relationship Management
Release Management
Change Management
Configuration Management
Capacity Management
Financial Management for IT Services
Security Management
IT Service Continuity Management
Service Level Management
Incident Management
Problem Management
Availability Management
Service Delivery
Service Support
Service Desk

ITIL Certification Program
Case Studies
ITIL Foundation (3-day Course)
ITIL Practitioners:
- Configuration Management
- Service Desk
- Problem Management
- Change Management
- Capacity Management
- Availability Management
- Financial Management for IT Services
- Service Level Management
Service Mgt. 1
Service Mgt. 2
+ Exam
Service Delivery
Service Support

ITIL in a Nutshell (1)
[Diagram labels: IT, Business, GAP, Bridge]

ITIL in a Nutshell (2)
[Diagram labels: IT, Business, Supplier, GAP, Bridge = SLM, SLA’s, OLA’s, UC’s]

ITIL in a Nutshell (3)
[Diagram labels: IT, Business, Supplier, GAP, Bridge = SLM, SLA’s, OLA’s, UC’s, Service, $, Pricing, Charging]

ITIL in a Nutshell (4)
[Diagram labels: IT, Business, Supplier, GAP, Bridge = SLM, SLA’s, OLA’s, UC’s, Service, $, Pricing, Charging, Profit]

ITIL in a Nutshell (5)
[Diagram labels: IT, Business, Supplier, Suppliers, GAP, Bridge = SLM, SLA’s, OLA’s, UC’s, Service, $, Pricing, Charging, Profit]

Goals of Configuration Management
• To provide information on the total IT Infrastructure for:
– ITIL processes
– (IT) Management
• Keep in control of the IT infrastructure by monitoring, maintaining and updating information on:
– All the resources needed to deliver services
– Status and history of the Configuration Items (= CI’s)
– Relationships of the CI’s

Configuration Item (CI)
• A Configuration Item is:
– needed to deliver service
– uniquely identifiable
– subject to change
– can be managed

Assets versus Configuration Items
• Asset
– Element/part of a business/organization process
• Configuration Item (CI)
– Element/part of an IT infrastructure, or an item associated with an IT infrastructure, which is under the control of Configuration Management
• Configuration Management Database (CMDB)
– A database which contains all relevant details of each CI and details of the important relationships between CI’s
NOTE: A CMDB contains RELATIONSHIPS BETWEEN CI’s, DOCUMENTATION and goes much further than an Asset DB Tool

Configuration Management Process
[Diagram labels]
CMDB: Scope (Category), Detail (Attributes)
Configuration Items (= CI’s): Services, Environment, Procedures, Documentation, HW/SW, Processes, WI (= Work Instructions), Contracts, SLA’s, OLA’s, UC’s, Manuals, Baseline Models
Relationships between CI’s
Register & Recording of CI’s
Status Accounting
Controlling & Updating
Identification/verification
Planning
Auditing

How to Determine IMPACT of Incidents through the Relationships between the CI’s
[Diagram labels: Virus Scanners, DB, Backup, Power break, OS, Security]
BaselineBaseline
• Configuration BaselineConfiguration Baseline– Configuration of a product or system established Configuration of a product or system established
at a specific moment in time, which captures at a specific moment in time, which captures both the structure and details of the product or both the structure and details of the product or systemsystem
– A snapshot or a position, which is recorded. A snapshot or a position, which is recorded. Although the position may be updated later, the Although the position may be updated later, the baseline remains unchanged and available as a baseline remains unchanged and available as a reference of the original state and as a reference of the original state and as a comparison against the current positioncomparison against the current position

Status of CI’s
Life Cycle of a CI: Planned, Ordered, In Test, In Production, Broke Down, In Maintenance, In Repair, Archived
[Diagram labels: Scope of the CMDB, Detail of the CMDB]

Goals of Incident Management
• To restore the normal service operation(s) as quickly as possible according to the agreed SLA’s
• Minimize the impact on business operations
• Ensuring that the best possible levels of service quality and availability are maintained according to the existing SLA’s
• Managing Incidents and Service Requests from beginning till end and communicating about them till the moment they can be closed

Service Desk in an ITIL Environment
• A more structured approach to controlling incidents
• Single Point Of Contact (= SPOC)
• The face of the IT organization
• Not a process but a functionality in the ITIL Methodology
• Initiating escalation procedures
• Reports of different types arrive at the Service Desk (= Service Requests & Incidents)
• Responsible for supplying first-line support and assistance in daily use of IT Services
• Local, Centralized & Virtual Service Desk(s) = Structures!

Terminology
• Incident
Any event/interruption which is not part of the standard operation of a Service or causes a reduction in the quality of that service
• Work-Around
Method/temporary solution of avoiding an Incident, so that the normal standard operation can continue
• Service Request
Every Incident not being a failure in the IT Infrastructure (= Password redefinition)

Incident Management (= IM) Process
[Flow diagram labels]
Users, Service Desk (= SPOC), Incident Management
Incident/SRQ
Incident Detection and recording
Classification of Incident(s) & Service Request(s)
Categorization: Hardware, Software
Prioritization: Impact, Urgency (High, Medium, Low)
Knowledge out of Configuration Management (CMDB)
Matching of Incidents: Outstanding Incidents DB, K.E./Workarounds DB, Problem DB
Routing Incidents: 1st Line-Support, 2nd Line-Support, 3rd Line-Support
Escalation: Inform/Support (vertical escalation), Knowledge (functional/horizontal escalation)
Service Requests are dealt with within SRQ procedures
Knowledge out of Problem Management
Service Desk

Goals of Problem Management
• To make sure that we minimize the operational impact of Incidents and Problems, which are caused by errors within the IT Infrastructure
• To prevent repeated Incidents from happening again, which are related to errors
• To improve productive use of (IT) resources, by knowing how to use them (Knowledge DB)

Terminology
• Problem
– When the root cause (= underlying cause) of one or more incidents is not known
• Known Error
– A condition that exists after the successful diagnosis of the root cause of an Incident or Incidents, when it is confirmed that a CI is at fault. (We can remove the error by implementing a change)

Problem Management Process (1)
[Flow diagram labels]
Service Desk
Escalation of Incidents
Problem Management
Recording Escalated Incident(s)
Assign Resources
Establish Workaround first
Problem Record through PM Sub-Processes

Sub-Processes Problem Management (2)
[Flow diagram labels]
Escalation Problem Record
Problem Control: Identification and registration, Classification, Assigning Resources, Investigation and Diagnosis, Establish Known Error
Escalation Known Error Record
Error Control: Error Identification and Recording, Error Assessment, Recording Error Resolution (RFC), Error (Record) Closure
Successful completion RFC
Side labels (1, 2): Find Root Cause, Find “BEST” Solution

From Reactive to Proactive Problem Management
[Diagram labels]
Delivering (2nd) & 3rd line support
Identify trends/trend analysis
Problem identification & diagnosis
Prevention of problems on/in IT Infrastructure
Monitor Change Management
Initiating changes:
• Fix Incidents
• Control RFC

Goals of Change Management
To implement changes which are approved and authorized by change management and which are proven efficient & effective, so that they can be implemented with acceptable risk in the existing IT Infrastructure, or to the new IT Service(s)

Terminology
• Change
The addition of…, the modification of…, or the removal of…, approved and supported CI’s or baseline CI’s
• Request for Change
Form used to record details of a request for a change to any CI; can be submitted from each single ITIL Process
• Forward Schedule of Changes
Schedule that contains details of all the Changes authorized for implementation and their proposed implementation dates. It also shows the dependency of each change!!!

Impact of a Change
• Standard
The change may be executed without contacting the Change Manager (Manual with standard Changes)
• Category 1
Small Business impact on the Services. The Change Manager is entitled to authorize this RFC
• Category 2
Medium Business Impact on the services. The RFC must be discussed in the CAB. The Change Manager requests advice on authorization and planning
• Category 3
Large Business Impact on the services. Management is involved in the decision process

Priority of a Change
• Urgent
Change necessary immediately, approval by CAB/Emergency Committee (CAB/CEC)
• High
Change needed as soon as possible
• Medium
Change will solve annoying errors or missing functionalities (can be scheduled)
• Low
Change leads to minor improvements (which are not contractually necessary)

Change Management Process
[Flow diagram labels]
Implementation
RFC’s
Change Manager does Registration & Classification of RFC’s
Project
Planning & Controlling the Project
Approval/Refusal by CAB (Change Advisory Board)
Built Phase
Test Phase of Roll Back & Project
Entering Change Management Process
Authorization/Refusal for Implementation by the Change Manager
Roll Out
Verification
Back-Out

Periodic Audit within Change Management
Audit carried out by External (independent) Organization
P.I.R

The Change Advisory Board (CAB)
Change Manager (Chairman)
Service Level Manager
Configuration Manager
Financial Manager
Problem Manager
Incident Manager
Release Manager
Business Representation
User/Dept. Manager

Clarification
Release Manager
Change Manager

Goals of Release Management
• Plan and manage the rollout of SW & HW
• Design and implement efficient & effective procedures
• Manage customer expectations during rollout
• Agree upon the content and rollout plan for a release
• To implement new software & hardware releases into the production environment
• Secure all software masters in the definitive software library
• Use the configuration management process to ensure that all hardware and licensed software which has been rolled out is changed in the CMDB, secured & traceable

Definitive Software Library (DSL)
[Diagram labels around “DSL”]
Logical Storage
One or More Physical File Stores
Distribution
Linked with CMDB
Base for Releases
Protection of all Authorized Software Versions

Definitive Hardware Store (DHS)
[Diagram labels around “DHS”]
Components for Changes
Linked with CMDB
Spares for Recovery
Protection of Hardware Spares and Components
One or More Physical File Storages

Form of Releases
[Diagram labels]
Release policies
Release Unit
Full, Package and Delta Release
Emergency Release
Version Numbering
Release Frequency

Goals of Capacity Management
To determine the right Capacity, against the right costs and justifiable considerations of IT resources, so that the agreed Service Levels with the business are achieved at the right time and at the right moment.

Capacity Management Process
[Diagram labels]
Business Capacity Management
Service Capacity Management
Resource Capacity Management
Capacity Database (INPUT)
Capacity Plan
Demand Management (INPUT)

Sizing and Modelling
• Application Sizing
Determining the hardware capacity required to support new (or adapted) applications, according to the agreed SLA’s
• Modelling
– Trend analysis
– Simulation modelling
– Baseline models

Goals of Availability Management
• To predict…, plan for… and manage… the availability of services provided by ensuring that:
– All services are sufficient, reliable and properly maintained, incl. CI’s
– Where CI’s are not supported by the Internal IT Organization, there are appropriate underpinning contracts with suppliers
– Requests for Change are submitted to prevent future loss of IT service(s)

Responsibilities of Availability Management
• Optimize availability by monitoring, managing & reporting
• Determine availability requirements in business needs
• Predicting, planning & designing for expected levels of availability & security
• Developing of the Availability Plan
• Collecting, analyzing and managing data
• Monitoring the availability levels to ensure that SLA’s & OLA’s are met
• Continuously step by step improvement of the availability levels

Terminology
– Availability = MTBF (Mean Time Between Failures = Up Time)
– Maintainability = MTTR (Mean Time To Repair = Down Time)
– Serviceability = MTTR (Mean Time To Repair = Down Time)
– Reliability = MTBSI (Mean Time Between System Incidents)
– Resilience (Redundancy)
– Security = (Confidentiality, Integrity & Availability)

The Unavailability Life-Cycle
[Timeline diagram labels]
MTBSI = Reliability
MTTR = Service/maintainability
MTBF = Availability
Unavailable = Downtime
Available = Uptime
Restore
TIME

CRAMM = CCTA’s Risk Analysis Management Methodology
[Diagram labels]
Risk Analysis: Value of Assets, Threats, Vulnerabilities
Risk Management: Counter Measures, Planning for potential Outage, Managing an Outage

When Is a Service Available?
“IT Service(s) is/are not available to a customer if the function(s) required during Service Hours at that particular Location cannot be used. This does not necessarily mean that the agreed SLA conditions are not being met”
To calculate the Availability we use the following formula:
Availability = ((AST - DT) / AST) x 100%

Availability Formula
In Series: Print Server and Network Printer (Avail = 90% and Avail = 80%)
Available only if both work =
A x B =
0.90 * 0.80 = 0.72 or 72%
In Parallel: Disk Y and Disk Z (Avail = 90% and Avail = 80%)
Available = 1 - Not Available =
1 - both down =
1 - (Y Down) x (Z Down) =
1 - 0.1 * 0.2 = 0.98 or 98%
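
The availability formula and the series/parallel rules above, worked through as an added example that is not part of the original slides. It assumes AST means agreed service time and DT means downtime, and it counts an outage only where it overlaps Service Hours, as the definition on the previous slide requires; the Mon-Fri 08:00-18:00 window and the outage records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from math import prod


@dataclass(frozen=True)
class ServiceHours:
    """Agreed service window from the SLA (the values used below are constructed)."""
    opens: time
    closes: time
    weekdays: frozenset  # 0 = Monday ... 6 = Sunday

    def windows(self, first_day, last_day):
        """Yield (start, end) of every service window in the reporting period."""
        day = first_day
        while day <= last_day:
            if day.weekday() in self.weekdays:
                yield (datetime.combine(day, self.opens),
                       datetime.combine(day, self.closes))
            day += timedelta(days=1)


def merge_outages(outages):
    """Merge overlapping outage records so shared minutes are counted once."""
    merged = []
    for start, end in sorted(outages):
        if end <= start:
            raise ValueError("outage must end after it starts")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def agreed_service_time(hours, first_day, last_day):
    """AST in hours: total length of the service windows in the period."""
    seconds = sum((end - start).total_seconds()
                  for start, end in hours.windows(first_day, last_day))
    return seconds / 3600


def downtime(outages, hours, first_day, last_day):
    """DT in hours: only the part of each outage that falls inside Service Hours."""
    merged = merge_outages(outages)
    seconds = 0.0
    for w_start, w_end in hours.windows(first_day, last_day):
        for o_start, o_end in merged:
            overlap = (min(w_end, o_end) - max(w_start, o_start)).total_seconds()
            seconds += max(overlap, 0.0)
    return seconds / 3600


def availability_pct(ast, dt):
    """Availability = ((AST - DT) / AST) x 100%."""
    if ast <= 0 or not 0 <= dt <= ast:
        raise ValueError("need AST > 0 and 0 <= DT <= AST")
    return (ast - dt) / ast * 100


def _check(parts):
    if not parts or any(not 0 <= a <= 1 for a in parts):
        raise ValueError("availabilities must be fractions between 0 and 1")


def series(*parts):
    """Chain is available only if every component works: A x B x ..."""
    _check(parts)
    return prod(parts)


def parallel(*parts):
    """Redundant set is down only if every component is down."""
    _check(parts)
    return 1 - prod(1 - a for a in parts)


# Constructed sample data: one reporting week, Monday 2024-01-01 to Sunday 2024-01-07.
SLA_HOURS = ServiceHours(time(8), time(18), frozenset(range(5)))  # Mon-Fri
WEEK = (date(2024, 1, 1), date(2024, 1, 7))
OUTAGES = [
    (datetime(2024, 1, 2, 17, 0), datetime(2024, 1, 2, 19, 30)),  # runs past closing
    (datetime(2024, 1, 3, 9, 0), datetime(2024, 1, 3, 9, 30)),    # overlaps the next record
    (datetime(2024, 1, 3, 9, 15), datetime(2024, 1, 3, 9, 45)),
    (datetime(2024, 1, 6, 10, 0), datetime(2024, 1, 6, 14, 0)),   # Saturday, outside hours
]


def report():
    """Availability of the sample week, with the intermediate AST and DT."""
    ast = agreed_service_time(SLA_HOURS, *WEEK)
    dt = downtime(OUTAGES, SLA_HOURS, *WEEK)
    return {"ast_hours": ast, "dt_hours": dt,
            "availability_pct": availability_pct(ast, dt)}


if __name__ == "__main__":
    print(report())
    print("print chain (series):", series(0.90, 0.80))
    print("mirrored disks (parallel):", parallel(0.90, 0.80))
    print("server + mirrored disks:", series(0.90, parallel(0.80, 0.80)))
```

The nested call shows how the two rules compose: redundancy raises the availability of the mirrored pair, but the single component in series with it still caps the result.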

Security Management
• The process of managing an appropriate level of security on information and IT Services
• Protection of Security in a more structural and organized manner
• Managing and controlling Security procedures

Structure of Security Management
Business Requirements
Security Policy
SLA
IT Security Plan

Security Definitions (1): CIA
• Confidentiality: Protection of Sensitive Information
• Integrity: Safeguarding of the accuracy and completeness of Information
• Availability: Ensuring that information and Vital IT Services stay Available

Security Definitions (2)
• Risk Analysis (Quantitative Process) & Risk Assessment (Qualitative Process); CRAMM
• Security Policy; why security is done
• Security Standard; what to do
• Security Procedures; how to do IT
• BS 7799 (Code of practice for Information Security Management) & ISO/IEC 17799 (document developed in the UK initially by the heads of six commercial organizations; it is not a cookbook for security)

Security Lifecycle
[Diagram labels: Incident, Detection, Threats, Damage, Recovery, Prevention/Reduction, Repression, Correction, Evaluation]

Information Security Model (ISM)
[Diagram labels]
Information Security Policy
Risk Analysis
Planning
Operational Measures
Evaluation & Audit
Business Drives
External Influence

BS 7799 & ISO/IEC 17799
The Code of Practice for Information Security Management
The 10 Control areas defined within ISO/IEC 17799 (British Standard BS 7799):
• Security Policy
• Compliance
• Business Continuity Management
• Systems Development & Maintenance
• Access Control
• Communications & Operations Management
• Physical & Environmental Security
• Personnel Security
• Asset Classification and Control
• Security Organization

Security Activities
• Assess (Analyze) Risk; prerequisite to implementing any security measures
• Manage Risk reactively; quick action, counter-measures
• Develop Security Policy; document that is easy to read & assimilate
• Manage Risk Proactively; to modify the security regime to achieve the optimum level of security commensurate with its cost & impact
• Monitor Security; security must be monitored on an appropriate basis and at regular times
• Report; periodic and ad hoc reporting is an important aspect of keeping security in the forefront of the organization’s collective mind

Benefits
• Corporate Management Receive Assurance
• Business Continuity is assured
• Risk Assessment is “Enforced”
• Management attention is focused on Value
• Everyone thinks differently about Information

Challenges
• Expensive and no Benefits
• The ‘Ostrich Approach’, or “IT’ll never happen 2me!”
• You cannot protect against all the threats
• Lack of Senior Management interest
• “Entropy Rules”; Security degrades over time! Maintaining security at the agreed level is an imperative
• No ‘Security by Design’; Many ‘Legacy’ applications do not have security embedded in them.
• Locks on grass huts; There is no point securing one aspect of an information system or IT Infrastructure, if the rest is less secure. Similarly, failing in one small area of security is failing overall

Reporting
• Risk Assessment Reports
• Security Breaches with details of:
1. Type of Breaches
2. How caused
3. Counter-measures in place (and why failed)
4. Actions taken, and to what effect
5. Recommendations for action to avoid repetition
• Recommendations for Changes to:
1. Policy
2. Procedures
3. Standards
• Recommendations for new guidelines

IT Service Continuity Management
[Diagram labels]
Survival
Reduce Costs
Reduce Time of Recovery

ITSCM Process (1)
[Flow diagram labels]
Stages: Initiation; Requirements and Strategy; Implementation
Initiate Continuity MGT
Business Impact Analysis
Risk Assessment
Business Continuity Strategy
Organization and Implementation Planning
Develop Recovery Plans
Implement Stand-by Arrangements
Implement Risk Reduction Measures
Develop Procedures
Initial Testing

ITSCM Process (2) (= Operational)
[Diagram labels]
Education & Awareness
Change Management
Training
Testing
Review & Audit
Assurance

CRAMM = CCTA’s Risk Analysis Management Methodology (= based on Business Impact)
[Diagram labels]
Risk Analysis: Value of Assets, Threats, Vulnerabilities
Risk Management: Counter Measures, Planning for potential Disaster, Managing a Disaster

Recovery Options
• Hot Standby: Immediate Recovery
• Warm Standby: Intermediate Recovery
• Cold Standby: Gradual Recovery

Roles & Responsibilities in Normal Operation, Change during a Crisis Situation
Does everybody know what role to play in a crisis situation?
Does everybody know what the roles are and to whom they belong during a crisis situation?
7070
Extensive Testing & Extensive Testing & Reviewing of the ITSCM PlanReviewing of the ITSCM Plan
• Every 6 to 12 months and after each disaster!
• Test it under realistic circumstances!
• Move / protect any live services first!
• Review and change ITSCM plan!
• ALL change through the Change Advisory Board! (=Change Management Process)
71
Financial Management For IT Services
Feedback about proposed charges to Business
Business IT Requirements
IT Operational Plan (Incl. Budgets)
Cost Analysis (IT Accounting)
Charges
Financial Targets
Cost Models
Charging Policies
72
IT-Accounting
• Base IT decisions on cost-effective assessments, in such a way that it is measured service by service
• Provide Management with information to justify IT expenditures & investments to Business
• Plan and budget with confidence and Integrity, so that the ring of trust can not be broken
• Show under- or over-consumption of service(s) in financial terms to Business / Customers
73
Charging
• Customers paying the full costs of the IT services provided in a fair manner (“…what you use is what you pay for…”)
• Ensure that customers are aware of the costs they spent on IT Services and influence customer behavior by advising them how to spend their IT Funds
• Make formal evaluations of IT services and plan for investments, based on cost recovery and business benefits
74
Charging & Pricing Options
Charging
• No charging
• Notional Charging / Differential Charging
• Actual/Real Charging
Pricing
• Recovery of costs
• Cost price plus
• Going Rate
• Market prices
• Fixed Price
75
Service Level Management
Balance between:
Supply of IT services & Demand for IT services
How???:
– Know the requirements of the business
– Know the capabilities of the IT Organization
76
Goals of Service Level Management
• IT CRM (between customer and IT supplier)
• Better Customer understanding of IT services requirements
• More flexibility and more responsiveness in IT services provision
• Balance customer demands against cost of services provision
• Measurable service levels (SMART=Specific, Measurable, Achievable, Realistic, & Time Bound)
• Quality improvement (continuous review & Step by Step…)
77
Service Management Reports
• Everything is measured from the customer's perspective
• Data such as “reaction times, escalation times and IT Service support” should be made measurable
• Reports should be produced on a regular basis, and they should be used
• Reports contain measuring values concerning the “NOW” supporting Service levels and the latest trend developments in that Service(s)
78
The Service Level Management Process
ESTABLISH FUNCTION
• Planning
• Implementation
IMPLEMENT SLA’s
• Catalogue Services
• Draft
• Negotiate
• Review UC’s, OLA’s and existing SLA’s
• Agree
Define, Execute, Control
MANAGE THE ONGOING PROCESS
• Monitor
• Report
• Review
PERIODIC REVIEW
• Review SLA’s
• Audits
• Review SLM Process
79
Contracts:
Customer (SLA)
IT Organization (Service Catalogue)
Internal IT Departments (OLA’s)
Supplier(s) (UC’s)
80
Service Quality Plan (SQP)
• Internal service description of responsibilities and delivery times to meet the agreed service level(s)
• Must be focused on IT staff (performance & delivery)
• Describes exactly what we need to do, to deliver the desired quality of service
• Description based on the actions to be taken when we do not deliver the correct quality agreed in the service level(s) “Written upfront”
81
Service Improvement Program (SIP)
• Objective:
– Controlled improvement of the IT Service provided
• Used whenever there is a need in/ for
– Deviation from agreed levels
– Strategic choice
– Continuous Improvement
• More than one SIP can run simultaneously
82
Elements of a Service Level Agreement
General
• Introduction
– Parties
– Signatures
– Service Description(s)
• Reporting & reviewing
– Content
– Frequencies
• Incentives & Penalties
Support
• Service Hours
• Support
• Change Procedures
• Escalation
Delivery
• Availability
• Reliability
• Throughput
• Transaction response times
• Batch turnaround times
• Contingency & Security
• Charging
83
Exam Preparation
84
ITIL FOUNDATIONS
BREAK A LEG!!!!!!!
World Wide Recognized