ITIL HandBook

ITSM HANDBOOK

Copyright Statement

the information contained in this classroom material is subject to change without notice. this material contains proprietary information that is protected by copyright.

no part of this material may be photocopied, reproduced, or translated to another language without the prior consent of itpreneurs B.V.

© Copyright 2006 by itpreneurs Nederland B.V. all rights reserved.

itiL® is a registered trademark of office of government Commerce (ogC), rosebery Court, St. andrew’s Business park, norwich, norfolk, nr7 ohS, UK.

Foreword

as you embark on your next step in your it Service management journey, i hope that this book is useful to you. it represents essential information that forms the basis for any Service management project.

when we first set out to create, educate and permeate best practices in our industry, we never imagined how popular and successful this venture would become. the ever increasing number of positive case studies around the application of service quality management should reassure you that your investment in this course is a good one.

we now have a very solid worldwide certification scheme for individuals as well as organizations.

as you complete this course, i would urge you to ensure that it is part of a roadmap to complete competence in this exciting field. there is Foundation, practitioners, Service managers, Service Quality management, institute of it Service management, CoBit, and iSo/ieC 20000 certification. every step in the roadmap is supported by roi for you and your employer/clients, and will enable you to take your rightful place in the worldwide network of experts that shape the future of it.

thank you for taking this course, thank you for continuing your journey and welcome again to the brother/sisterhood!

Alan Nance FISMa Founding Brother of the it Service management movement

1. INTrODucTION1.1 introdUCtion to itSm

1.1.1 Commonly used terms

1.1.2 pre-requisites to implement itSm

1.1.3 Components of a process

1.1.4 roles in a process

1.1.5 principles of quality

1.2 introdUCtion to itiL1.2.1 Commonly used terms

1.2.2 Structure of itiL

1.2.3 itiL Framework

1.2.4 Common problems

2. ServIce SuppOrT2.1 SerViCe deSK 2.1.1 Commonly used terms

2.1.2 activities

2.1.3 roles and responsibilities

2.1.4 relationship with other processes

2.1.5 Common problem areas

2.1.6 Key performance indicators

2.1.7 Critical Success Factors

2.2 inCident management 2.2.1 Commonly used terms

2.2.2 process






2.3 proBLem management 2.3.1 Commonly used terms

2.3.2 process






2.4 ConFigUration management 2.4.1 Commonly used terms

2.4.2 process






2.5 Change management 2.5.1 Commonly used terms

2.5.2 process






2.6 reLeaSe management 2.6.1 Commonly used terms

2.6.2 process






3. ServIce DelIvery3.1 SerViCe LeVeL management

3.1.1 Commonly used terms

3.1. 2 process


cONTeNTS





3.2 FinanCiaL management 3.2.1 Commonly used terms

3.2.2 activities






3.3 CapaCity management 3.3.1 Commonly used terms

3.3.2 process






3.4 aVaiLaBiLity management 3.4.1 Commonly used terms

3.4.2 process






3.5 SeCUrity management 3.5.1 Commonly used terms

3.5.2 process






3.6 it SerViCe ContinUity management 3.6.1 Commonly used terms

3.6.2 process






1.1 introdUCtion to itSm

7itSm handBooK^

Á

Chapter 1.1

INTrODucTION TO ITSM

the following terms and concepts are integral to it Service management (itSm).

OBJecTIve

the primary objective of it Service management is to ensure that it Services are aligned to business needs. this can be achieved by:

® providing high quality, reliable, and cost–effective services ® maintaining effective it customer-supplier relationships® Continuously improving the quality of it services® Using the it services effectively to meet the current and changing business

requirements

BeNeFITS

implementing it Service management has the following benefits for an organization:® Business benefits: itSm provides business benefits, such as enhanced quality,

increased productivity, and improved working relationships.® Financial benefits: itSm provides financial benefits, such as cost justification

for the following elements:¨ implemented changes¨ planned it service continuity expenditure¨ estimated capacity requirements

® innovation benefits: itSm provides clarity of understanding, flexibility, and improved adaptability as part of its innovation benefits to organizations.

® employee benefits: itSm provides employee benefits, such as increased productivity, motivation, and transparency.

1.1.1 cOMMONly uSeD TerMS

IT Infrastructure Library (ITIL) is a generic framework created by using the practical experience of professional users to manage it infrastructure and services.

Quality is defined by all the characteristics of a product or service that has the ability to satisfy the stated and implied needs of the customer.

Service quality refers to the degree of service that fulfills the customers’ expectations and requirements.

Ongoing dialog is a continuous communication between the Customer and the provider/supplier. it is used to refine the service and ensure that both parties are aware of the expected results of the service.


� itSm handBooK


�itSm handBooK^

in Department-oriented organizations the departments, processes, and tasks are usually based on specific customers, products, disciplines, or regions.

in Process-oriented organizations, all departments together perform different activities of one process. roles and responsibilities are assigned according to the activities defined to deliver a particular service.

1.1.2 pre-requISITeS TO IMpleMeNT ITSM

® good it infrastructure in terms of tools and technology® well-defined organization mission, objectives, and policies ® Competent and trained people to improve service culture® effective and efficient itSm processes

1.1.3 cOMpONeNTS OF A prOceSS

each process has a clear-cut objective, set of activities, and defined inputs and outputs. these activities are executed using a set of procedures and working instructions.

POLICY

MISSION

OBJECTIVES

MEASURE/STEER

MEASURE/USER

PURCHASEA

PRODUCEB

SELL C

INPUT OUTPUT RESULT

KEY PERFORMANCE INDICATOR’s for efficiency

KEY GOAL INDICATOR's for effectiveness

COMPONENTS OF A PROCESS

FEEDBACK


10 itSm handBooK


11itSm handBooK^

1.1.4 rOleS IN A prOceSS

process ownerthe process owner is accountable for the results of the process. they define the activities in the process. the process owner also determines that the actual performance matches the expected results. depending on many factors, such as the size of the it organization, the amount of cultural change and therefore levels of sponsorship required, the process owner role may or may not be combined with the process manager role.

process managerthe process manager is accountable for structuring the process. they control the day-to-day activities and operations. the process manager also generates the reports to help the process owner compare the actual and expected results, when these roles are separated.

roles Unique to each processother process roles, unique to each process, are responsible for executing the defined activities. they may or may not have a direct organizational reporting line to the relevant process manager.

1.1.5 prINcIpleS OF quAlITy

Quality management the principle of Quality management involves cost-effective and systematic management of all the organizational activities, such as design, development, and implementation.

Quality assurancethe principle of Quality assurance specifies the complete set of measures and procedures for ensuring quality. these procedures help organizations ensure that the it services continuously and consistently fulfill the expectations of the customers.

Quality System

the principle of Quality System specifies the organization-wide processes that specify the:

Quality requirementsSteps for meeting these requirementsprocedures for improving the quality standardsmethods for assuring the service quality levels

the European Foundation Quality Model (EFQM) is used to determine the maturity of an organization. organizational maturity is defined by the levels of technology, processes, and organizational culture. the eFQm model helps identify areas on which an organization needs to focus while managing services. typically, a plan is developed to define the improvement areas in the organization. it also specifies the follow-up procedures for reviewing these areas. therefore, this cyclic process of self-assessment and planning helps the organiztion in systematically improving its service quality.

1.2.3.4.


12 itSm handBooK


13itSm handBooK^

EFQ

MM

OD

EL

OR

GA

NIZ

ATIO

NR

ESU

LTS

PE

OP

LE

PO

LIC

YA

ND

STR

ATE

GY

PA

RTN

ER

SH

IPA

ND

RE

SO

UR

CE

S

PE

OP

LER

ES

ULT

S

CU

STO

ME

RR

ES

ULT

S

SO

CIE

TYR

ES

ULT

S

LEA

DE

RS

HIP

PR

OG

RE

SS

KE

YP

ER

FOR

MA

NC

ER

ES

ULT

S

deming Circle

the deming Circle is a tool used for assuring quality and tracking improvement efforts.

® plan: this stage lists the planned actions for a service.® do: this is the implementation stage in which all the planned activities are

executed.® Check: this stage specifies the measures to check whether or not the

implemented actions have delivered the expected results.® act: this stage suggests techniques to improve the service and current plans.

these suggestions are based on the information that was collected during the check stage.

THE DEMING CYCLE

MAT

UR

ITY

LEV

EL

TIME SCALE

Effective Quality ImprovementEffective Quality Improvement

Consolidate the level reached

ACT

CHECK

PLAN

DO

1.2 introdUCtion to itiL

15itSm handBooK^

Chapter 1.2

INTrODucTION TO ITIl

Á

the following terms and concepts are integral to itiL.

OBJecTIve

the information technology infrastructure Library (itiL) provides an effective it Service management approach, which increases service quality and ensures consistent improvement in it strategy, design, development, and delivery requirements.

BeNeFITS

® Customers/Users¨ improves the quality of service as the provision of it services

becomes more customer-focused and agreements about service quality improve the relationships with the customer.

¨ minimizes the disruptions in service delivery to the customers. therefore, the costs at the customer end are also reduced because of effective and consistent it service. also, the customer gets a clear insight into the costs of the it services needed.

¨ itiL defines the roles in each process. this helps to channel communication in the organization in a structured manner. in addition, itiL also provides a better description of services.

® it organizations¨ process-oriented approach: itiL provides clear and defined processes

to help the organization:∏ easily implement changes∏ Focus on corporate objectives∏ effectively outsource it services∏ monitor the quality of services∏ introduce a Quality management system

¨ Common terminology: itiL provides detailed definitions of terms to help the people in it organizations understand each other and easily exchange information

¨ Standardization: itiL provides a uniform frame of reference for internal and external communication and procedure identification


16 itSm handBooK


17itSm handBooK^


ITIL is a generic framework created by using the practical experience of professional users to manage it infrastructure and services.

ITIL Organizations include the office of government Commerce (ogC) and the it Service management Forum (itSmF). these forums help improve the services by promoting the use of the itiL best practices and publishing a series of books written by experts from various leading companies and organizations. the itSmF also provides a platform for the organizations to share, discuss, and exchange information. exchange of information enables the organizations in standardizing the quality of services.

itiL Certification examsthe dutch exam Foundation (eXin) and the UK information Systems examination Board (iSeB) jointly provide a professional certification system in association with ogC and itSmF. organizations can apply for the following certifications:

® Foundation-level Certification in itiL® practitioner-level Certification in itiL® Service manager-level Certification in itiL

1.2.2 STrucTure OF ITIl

the itiL structure has five elements:

Business perspective: the business perspective element of itiL provides information that helps bridge the gap between the organizations’ working needs and the customer’s requirements.

Service deliverythe Service delivery element provides information that helps identify the services that are required to provide adequate support to the business.

Service Supportthe Service Support element ensures that the customer has the appropriate access to the required services that support business functions.

information Communication technology (iCt) infrastructure managementthe iCt infrastructure management element provides information on:

® network Service management® operations management® Systems management® Local processes management

applications managementthe applications management element helps redefine business requirements according to the changes in the business. it also helps the organization in incorporating these changes in its processes and functions.

Context diagram is represented below:

The

Bus

ines

s

The

Tech

nolo

gy

Suppliers

Planning To Implement Service Management

Service Management Core

ServiceDelivery

ServiceSupport

Business Perspective

ICTInfrastructureManagement

Application Management

SecurityManagement


1� itSm handBooK


1�itSm handBooK^

these elements interface with each other and overlap to a certain extent. the boundaries of each element at these overlapping points cannot be clearly demarcated. in fact, these points are from the domains where the majority of the Service management problems occur. it is, therefore, critical for the organization to identify and effectively manage these boundaries.

1.2.3 ITIl FrAMeWOrK

the main focus of the itiL framework is on Service Support and Service Delivery.

ServIce SuppOrT prOceSSeS

Service deskthe Service desk is a function in the organization and not a process. the Service desk serves as the single point of contact between service providers and users. effectiveness of the Service desk determines the smooth functioning of the business operations.

® the Service desk can have multiple functions, such as: ¨ Facilitating the incident management process¨ performing Standard Changes¨ informing users about upcoming changes¨ performing operational activities such as backups

incident managementan incident is an external event in the standard business operations that affects or may affect the service quality. the incident management process helps in resolving incidents to restore it services to the agreed service levels with minimum impact on business operations.

problem managementa problem is an undesirable situation created in the infrastructure, for which the causes are not known. the problem management process involves identifying, checking, eliminating, and controlling errors within the it infrastructure, preventing the recurrence of incidents.

CUSTOMER RELATIONSHIP MANAGEMENT

SECURITYMANAGEMENT

ManagingConfidentility

Manage confidentility, integrity and

availability

SE

RV

ICE

PLA

NN

ING

INTE

GR

ATE

D S

ER

VIC

E D

ES

K

CHANGE MANAGEMENT

SERVICE LEVEL MANAGEMENT

IT S

ER

VIC

E D

ELI

VE

RY

IT S

ER

VIC

E S

UP

PO

RT

Manage servicesDefining agreements between the IT organizations and thebusiness and managing the relationship with the business

AVAILABILITYMANAGEMENT

CAPACITYMANAGEMENT

CONTINUITYMANAGEMENT

FINANCIALMANAGEMENT

Optimizetoday

Managetomorrow

Manage the unthinkable

Managecosts

Manage changes

(Optimize the current IT

infrastructure and cater to Availability

requirements)

(Project future expectations and

tune into new developments)

(Incorporate a disaster recovery

plan, platform survival, reduce

user impact or majorunexpected failure

risk and vulnerability)

(Define the budget and create

transparency of the cost of services)

Ensure changes are fast, easy, consistent and authorized

PROBLEMMANAGEMENT

Manageerrors

INCIDENTMANAGEMENT

Manageincidents

RELEASEMANAGEMENT

Managesoftware

distributions

CONFIGURATION MANAGEMENTManage Configuration Items

(Remove repetitive problems from

the infrastructure)

(Get users backonline up and running and

satisfied)

(Control software,updates and batch

processes)

Long term planning andimprovementof IT services

provision

Day to dayoperations

and supportof IT services


20 itSm handBooK


21itSm handBooK^

Change managementa Change is regarded as a modification or addition to any part of the infrastructure, such as hardware, software, network, environment, or related documentation. the Change management process describes standard methods and procedures for implementing Changes with minimum adverse impact on it services, preventing change-related incidents.

Configuration managementthe entire it infrastructure can be broken down into logical units called Configuration items (Cis). the attributes and location of each Ci is defined in a database called the Configuration management database (CmdB). the Configuration management process provides information to all other itiL processes by managing and controlling the Cis and their inter-relationships.

release managementa release is a new or changed software or hardware (Ci) that is introduced in the it infrastructure. the release management process controls the distribution of hardware and software, including integration, testing, and storage. it also ensures that only the correct and tested versions of the authorized software and hardware are implemented.

ServIce DelIvery prOceSSeS

Service Level managementthe Service Level management process defines the services to be delivered to the Users. the service levels negotiated and agreed with the Customers are recorded in the Service Level agreements (SLas). the process involves ensuring that services are delivered at the agreed levels.

Financial management for it Servicesthe Financial management process aims at managing the financial dependencies between the it services and the it resources that are being used by each service.

availability managementthe availability management process ensures uninterrupted business operations by measuring and maintaining the availability levels of it resources.

Capacity management the Capacity management process aligns the resource levels with the requirements of the organization and the customers. the process also aims at providing the required it resources at acceptable costs.

it Service Continuity managementthe it Service Continuity management process attempts to ensure Business Continuity by restoring it services immediately after any disasters.

Security managementthe Security management process protects the it infrastructure against unauthorized access. this is achieved by specifying security requirements in terms of Service Level agreements, legislations, contractual requirements, and policies. the process is focused on Confidentiality, integrity, and availability.

1.2.4 cOMMON prOBleMS

Common problems encountered while implementing the itiL processes:

® organizational culture, such as attitude of the employees to change, work culture, and values of the people employed in the organization affect process implementation.

® Bureaucracy, as processes might have rigorous time-consuming aspects. ® Lack of understanding of processes, business strategy, and process objectives

can hinder process implementation. ® Lack of management support by not providing additional personnel,

finances, and support tools, such as training programs can hamper process implementation.

® Staff resistance can lead to non-acceptance of processes by employees, which can lead to a failure in process implementation.

2.1 SerViCe deSK

23itSm handBooK^

Chapter 2.1

ServIce DeSK

Á

the following terms and concepts are integral to the Service desk function.

OBJecTIve

the main objectives of Service desk are to:® Serve as a single point of contact for users that have it-related queries and

complaints® ensure restoration of normal services to users for uninterrupted operation

of business activities by facilitating the incident management process and providing ownership of the incident through the incident lifecycle

® guarantee access for all users to the it organization to ensure required service support

® reduce workload on other it departments by routing only specific and relevant queries to each department

BeNeFITS

the Service desk function offers many benefits to the it organization, such as:® reducing the time and effort spent by users to resolve their it-related issues

by prompt handling of user queries.® Serving as an information source for other it departments by providing data

and metrics about customers’ queries® ensuring long-term customer retention for the it organization by providing

the required services to users


Call CentersCall Centers typically manage high volume call environments, such as financial business call centers. in some call centers, recording and routing of calls might be automated by using voice response systems. therefore, it is possible that the Service desk personnel do not have any role to play in these types of call centers.

Help Desk Help Desk facilitates the incident management process. help desk staff typically have access to CmdB information.

2.1 SerViCe deSK

24 itSm handBooK

2.1 SerViCe deSK

25itSm handBooK^

Service Desk types:

® Unskilled or Call recording Service deskthis Service desk only records the call and immediately assigns the records to the appropriate solution group.

® Skilled Service deskthis Service desk has the competencies and the knowledge to resolve incidents until a certain level.

® expert Service deskthis Service desk resolves the majority of all incidents.

Service Desk Structuresdepending on the business requirements, Service desks can be structured into the following three basic types:

® Centralized Service deskall user queries are received and recorded at a central physical location. User queries can be divided into technical and business-related queries. depending on their approach to handle queries, it organizations can address these queries by using either a central entity or two separate entities.

® Local Service deskmultiple Service desks are spread across various locations to support local users with diverse cultural backgrounds.

distributed Service desks have three different types of points of contact with the user: ¨ Central point of Contact¨ Local points of Contact¨ Call Centers

® Virtual Service deskVirtual Service desk uses network and telecom technologies to integrate a widespread network of Service desks. For instance, Service desks in different time zones around the world can ensure round-the-clock support to users by coordinating their activities and time differences.

Technologyit organizations use various technologies to:® enhance interaction between Service desks and users® track user data to provide inputs to other itiL processes

Service Desk technologies include: ® Computer telephony integration (Cti) ® Voice over internet protocol (Voip) ® interactive Voice response systems (iVr) ® internet gateways® automated System management tools® networking tools® Call forwarding facilities® e-mails, telephones, and fax servers

2.1.2 AcTIvITIeS

responding to User Callswhen a user contacts the Service desk, it is termed as a call to the Service desk. all calls are logged and recorded by the Service desk to enable: ® monitoring of the progress on user queries and resolving controllable delays® provision of metrics on customer queries to other organizational

departments® resolving of complaints at the first level by referring to a set of standards and

pre-existing solutions

providing information to Usersthe Service desk is the main source of information for users of it services. it proactively informs users about: ® Current or expected errors® new and existing services® SLa provisions® Change schedules ® order procedures and associated costs

2.1 SerViCe deSK

26 itSm handBooK

2.1 SerViCe deSK

27itSm handBooK^

Communicating with Suppliersthe Service desk manages a two-way communication process between the it organization and its maintenance suppliers. a key responsibility of the Servicedesk is to ensure the repair and replacement of infrastructure components, such as printers, workstations, and telecommunication equipment.

performing operational management tasksin addition to resolving complaints, the Service desk performs various tasks for managing business operations of the it organization. these operational management tasks include:® providing system backups ® managing the disk space on local servers® Creating user accounts authorizing and resetting passwords® installing Lan connections

monitoring the iCt infrastructurethe Service desk might be equipped with tools that detect faults in software and hardware. these tools examine equipment, such as routers, servers, and gateways, for defects. these tools can also estimate the possible impact of the detected defects. then, the Service desk notifies the incident management process.

2.1.3 rOleS AND reSpONSIBIlITIeS

the responsibilities and functional skills of the Service desk personnel vary according to the type of Service desk to which they are attached. the various Service desks can be categorized as:

Unskilled or Call recording Service desks: Unskilled or Call recording Service desk personnel record the user’s call, describe it in general terms, and then route the call to the concerned department. this Service desk is efficient in incident recording, but has low first call resolution percentages.

Skilled or problem Solving Service desks: Skilled or problem Solving Service desk personnel have the required technical skills to handle users’ incidents. they usually resolve incidents by using documented or previously recorded solutions. only the unresolved incidents are routed to specialist support teams for incident resolution.

expert Service desks: expert Service desks have personnel with specialist knowledge of the entireit infrastructure. these personnel also have the expertise to resolve most incidents on their own.

2.1.4 relATIONSHIp WITH OTHer prOceSSeS

with incident managementmost calls received by the Service desk are related to incidents. it reports these incidents to incident management. it also matches similar previous incidents and if possible, applies existing solutions to the newly reported incidents as part of the incident management process. in this regard, incident management provides solution-related information. the process also refers to the Service desk records for resolving and managing the incidents and restoring services to Users.

with Change/release managementthe Service desk is responsible for activities, such as:® installing software and hardware® Standard Changes – for example relocating workstations, setting up Lan

connections, etc.

these activities are closely coordinated with Change management and release management to: ® evaluate Changes in terms of development and distribution of applications

and it infrastructure® ensure that the timing of implementing the Changes has a very low impact

on the existing service quality

2.1 SerViCe deSK

2� itSm handBooK

2.1 SerViCe deSK

2�itSm handBooK^

with Configuration managementwhen responding to calls, the Service desk records the details of the users and their it resources. then, the Service desk validates these user-provided details with the records in the CmdB. Verifying the user details enables the Service desk to:® ensure the accuracy of users’ details® determine the level of service to be provided to users

with Service Level managementif a particular user request cannot be met, Service Level management is informed of the request. the Service desk also provides information to Service Level management on: ® Users’ perception of service quality® Users’ feedback on service interruptions and response times

2.1.5 cOMMON prOBleM AreAS

effective performance of a Service desk is often interrupted by bottlenecks, such as: ® Limited understanding of business needs by the it organization® inadequate investment in training® Unrealistic service levels® insufficient significance attributed to the Service desk

2.1.6 Key perFOrMANce INDIcATOrS

the key performance indicators for the Service desk are:® average duration and answer time per call® average time to resolve an incident® percentage of incidents resolved without referring to other departments® number of calls processed per workstation® total number of calls to the Service desk

2.1.7 crITIcAl SucceSS FAcTOrS

the following critical success factors enhance the effectiveness of the Service desk function. ® User should be able to easily access the desk for resolving their issues. ® Users should be encouraged to approach the desk for recording and

resolving each incident. ® Users should be discouraged from bypassing the desk. ® Users should clearly understand the Service desk function through effective

use of SLas and product and service catalogs.

2.2 inCident management

31itSm handBooK^

Chapter 2.2

INcIDeNT MANAgeMeNT

Á

the following terms and concepts are integral to the incident management process.

OBJecTIve

the incident management process ensures that breakdowns and errors related to it infrastructure and services are resolved quickly and efficiently in an organization. the incident management process resolves these breakdowns (referred to as ‘incidents’) without adverse impact on the business processes, at affordable costs.

BeNeFITS

an organization that implements the incident management process derives dual benefits for its:® it services:¨ improved monitoring, allowing performance against SLas to be

accurately measured¨ accurate recording of incidents and Service requests¨ elimination of lost or incorrect incidents and Service requests¨ organized and efficient use of personnel for resolving incidents¨ availability of information on it errors for effective management¨ more accurate CmdB information for ongoing audit while registering

incidents¨ improved user and customer satisfaction

® Business¨ timely solution of incidents to reduce their impact on business¨ proactive identification of beneficial system enhancements and

amendments¨ Customer-specific monitoring of incidents¨ availability of business-focused management information related to the

SLa¨ increased productivity


32 itSm handBooK


33itSm handBooK^


Incident refers to any event that is not part of the standard operation of a service, and that may cause an interruption or a reduction in the quality of that service.

Service Requests are requests from a User to the Service desk for support, delivery, information, advice, or documentation. a password reset is also an example of a Service request.

a Standard Change is a change where the risk and costs are known, are fairly repetitive, and are pre-approved by the Change management process. the Service desk often performs these Standard Changes, for example, basic moves, adds and deletions.

Functional Escalation occurs when incidents are reported to higher Supportgroup levels to be solved.

Hierarchical Escalation occurs when the resources or authority required to resolve the incidents are not adequate, and the incident is passed on to higher authorities or departments until solved.

Impact of the incident refers to its adverse effect on a business process.

Urgency of the incident refers to the necessary speed (high, medium, low) for solving an incident of a certain degree of impact.

Priority of the incidents is based on the impact of the incident on the business and the urgency of the incident to be solved.

Known Error refers to a problem for which the root cause is known, and for which a temporary workaround or a permanent solution has been identified.

a workaround is either a temporary fix or technique to solve the incident. it is used to eliminate the customer’s dependency on the particular aspect of a service that is known to have a problem.

Service Level Agreement (SLA) is a written agreement between a service provider and customer(s). this agreement defines the agreed levels for a service.

2.2.2 prOceSS

process inputsincidents reported from various parts of the infrastructure by the: ® Users ® it departments ® automatically reported through System management tools

process outputs® information related to the incidents of other processes and departments® information related to the solution of the incidents of other departments

and processes

detecting and recording incidents® accepting the reported incident and assigning a unique incident number to

each incident by the Service desk® recording the details of the incidents, such as the user details, symptoms,

time of occurrence, and location® alerting the users and management about the incidents having a high

impact on business® automatic recording of incidents from System management tools


34 itSm handBooK


35itSm handBooK^

ACTIVITIES

OWNERSHIP, MONITORING,

TRACKING, AND COMMUNICATON

INCIDENT DETECTION AND RECORDING

REQUEST?

CLASSIFICATION AND INITIAL SUPPORT

ANALYSIS ANDDIAGNOSIS

RESOLUTION AND RECOVERY

INCIDENT CLOSURE

MATCH?

Incident Management process

Service Request

Procedure

NO

NO

YES

Classifying incidents and providing initial First-line Support® Sorting the incidents into categories, such as networking, workstations, and

procedures ® assigning priority to each incident ® identifying the services related to the incidents® identifying the Support groups for resolving the incidents ® informing the Users about the time for resolving the incident® identifying the status of the incident® providing First-line Support by the Service desk to solve incidents ® matching the incidents with the previously reported incidents, problems and

Known errors® applying solutions or workarounds to the incidents® informing the User about the solution of the incident once it is solved

investigating and diagnosing incidentsthe Support group with the required expertise and resources investigates the cause of the incident, diagnoses the cause, and solves the incident.

resolving and recovering incidentsrecord the solution of the incident and submit a request for Change (rFC), if necessary, to ensure correct implementation of the solution.

monitoring and tracking the incidents® all the unresolved or open incidents are monitored and tracked at each

stage by the Service desk ® the Service desk informs the Users about the status of the open incidents® the Service desk maintains ownership of the incident throughout its

lifecycle

Closure of incidents® after resolving the incident, the Support group routes the incident back to

the Service desk after implementing the solution® the Service desk contacts the User who reported the incident ® the Service desk records the incident as closed after the User agrees to the

solution and ensures all incident data is complete


36 itSm handBooK


37itSm handBooK^


the roles defined to perform the activities and tasks of the incident management process are: ® Incident Manager® Service Desk (Level 1 support)® Support Groups and external vendors (Level 2, 3, “n” support groups)

the Incident Manager is the owner of the incident management process. the incident manager’s responsibilities include: ® preparing the process reports that detail the performance and efficiency

trends of the incident management process® organizing the management information required for the implementation of

incident management. For example, collecting information, such as number of resources and inter-relationships with other processes

® recommending measures for improvements in incident management® developing and maintaining the incident management system® monitoring the responsibilities of the incident Support groups

the incident Support groups resolve incidents at different levels. the different levels of the Support groups include: ® First-line Support groups comprising the Service desk ® other Support groups that include the Second-line, third-line, Fourth/n-line

Support groups

the responsibilities of the First-line Support group include: ® recording the reported incidents® Classifying the incidents and providing initial Support® routing incidents to other Support groups® monitoring, tracking, and owning the incident ® resolving incidents® Closing the solved incidents

the responsibilities of other Support groups include: ® handling incidents that are not solved by the First-line Support group® investigating the incident details® diagnosing the cause of the incidents® recovering the solved incidents


with the Service deskthe Service desk assists incident management by recording the reported incidents. the Service desk also provides First-line Support to the Users by applying pre-identified solutions to the reported incidents. Similarly, incident management solves incidents and informs the Service desk, which further communicates these solutions to the Users.

with the Configuration management processto classify the incidents, incident management requires details of the affected it components (Cis) like version number, date of purchase, license, and location. these details are stored in the Configuration management database (CmdB) of Configuration management.

with the problem management processall the incidents for which the root cause is unknown can be defined as problems. incident management refers these unknown errors to problem management. problem management provides workarounds and permanent fixes for these problems to incident management.

with the Change management processto implement the solutions for the incidents, certain Changes might be required in the infrastructure. these Changes are communicated to Change management, which records the Changes related to the it infrastructure components. Change management provides details of the scheduled Changes to the incident management process.

with the Service Level management processthe Service Level agreements (SLas) of Service Level management define service levels for solving incidents for the incident management process. the incident records assist Service Level management in generating reports related to the incident management process.

with the availability management processavailability management requires information from incident management about the availability of the levels of the it services agreed in the SLas. incident management informs availability management about the lifecycle of the incidents, which specifies the time duration right from when the incident was first detected to when it was solved. this time duration is referred to as downtime or mean time to repair (mttr).


3� itSm handBooK


3�itSm handBooK^

with the Capacity management processCapacity management provides information related to diagnostic tools like simulation models and scripts to solve incidents. incident management ensures that the incidents are solved within the capacity levels mentioned in the SLas. incident management also provides Capacity management information about Capacity-related incidents.


® if the Users are not properly trained on the process, they might not follow the proper procedures and try to resolve the incidents themselves

® there might be an overload of incidents if the categories of incidents are not clearly defined or if the procedures for allocating and routing incidents are not followed

® if the First-level Support groups do not have adequately skilled resources, more incidents might get escalated quickly to higher Support groups

® if the services and products that are supported by incident management are not clearly defined in the SLa, the incident management personnel do not know which reported errors or requests qualify as incidents

® a higher level of commitment, responsibility, and discipline is expected from the personnel. there can be resistance to such changes among personnel


the key performance indicators of the incident management process are:® number of recorded incidents by group, by type, by service, etc. ® average time to resolve the prioritized and non-prioritized incidents® number of resolved incidents per workstation or per Service desk, within the

time duration specified in the SLas® percentage of incidents resolved by the First-line support® average support cost per incident® total incidents solved without the Support groups needing to visit the user’s

location


the critical success factors for the incident management process are:® an up-to-date CmdB to estimate the impact and the urgency of incidents ® a knowledgebase is necessary to record incidents, their solutions or

workarounds and to link it with the problem management process® an automated system is necessary for recording, tracking, and monitoring

incidents ® Close ties with Service Level management to ensure appropriate

prioritization and resolution times for the incidents

2.3 proBLem management

41itSm handBooK^

Chapter 2.3

prOBleM MANAgeMeNT

Á

the following terms and concepts are integral to the problem management process.

OBJecTIve

the problem management process aims at identifying the root causes of errors or incidents in the it infrastructure and provides permanent solutions to remove these errors from the infrastructure. this eliminates recurring incidents and prevents incidents from occurring in the first place.

BeNeFITS

the problem management process helps in rapidly improving the it service quality by:® documenting and eliminating errors® reducing the number of incidents ® providing permanent solutions to the problems in the it infrastructure

the problem management process enables a better first-time-fix-rate (first-line resolution rate) of incidents at the Service desk. the efficiency of the Service desk is improved by capturing the incident resolution and workaround data.


Known Errors are problems where the root cause is known, and for which a temporary workaround or a permanent solution has been identified.

Workarounds are temporary fixes or techniques for resolving an incident. they are used to eliminate the customer’s dependency on that aspect of the service, which is known to have a problem.

Reactive Problem Management activities help in identifying the root causes of the incidents and in identifying permanent solutions for incidents.

Proactive Problem Management activities aim at preventing incidents before they occur, by identifying weaknesses in the it infrastructure and suggesting methods to eliminate these weaknesses.

problems are categorized into various groups or domains, such as hardware,software, and support software. problems can be allocated to the support staffon the basis of these categories.


42 itSm handBooK


43itSm handBooK^

the problem management team identifies the impact of the problem on thebusiness process of the organization.

the problem management team defines the urgency of a problem. Knowing theurgency of the problem helps determine the time for which solutions can bedeferred.

the problem management team assigns the priority to a problem on the basisof its urgency, impact, risk, and resource availability. priority indicates the relativeorder in which a series of problems should be addressed.

2.3.2 prOceSS

process inputs® incident details from incident management® workarounds defined by incident management® Configuration details from the CmdB® details of products (hardware and software) used in the it infrastructure

from the suppliers® details about the it infrastructure and its behavior, for example, registration

of capacity and performance monitoring® information about Known errors from the development environment

process outputs® Known errors (root cause and workarounds)® requests for Changes (rFCs)® Up-to-date problem records® Closed problem records for resolved problems® management information to help monitor the effectiveness of problem

management

activities® problem Control, which includes activities, such as trend analysis, defining,

and investigating problems® error Control, which includes activities, such as monitoring Known errors and

submitting rFCs

problem Control® identifying and recording problems® Classifying problems based on its impact on the existing service levels by

assigning Category, impact, Urgency, and priority® investigating and diagnosing the root cause, such as hardware and software

errors, documentation errors, or human or procedural errors, behind each problem. Formal methodologies, such as Kepner-tregoe or ishikawa can be used


44 itSm handBooK


45itSm handBooK^

TRACKING AND MONITORING

IDE

NTI

FIC

ATI

ON

AN

D R

EC

OR

DIN

G

CLA

SS

IFIC

ATI

ON

INV

ES

TIG

ATI

ON

AN

D D

IAG

NO

SIS

ES

TAB

LIS

H K

NO

WN

ER

RO

R

PR

OB

LEM

TRACKING AND MONITORING

ER

RO

R ID

EN

TIFI

CA

TIO

NA

ND

RE

CO

RD

ING

ER

RO

R A

SS

ES

SM

EN

T

RE

CO

RD

ER

RO

R R

ES

OLU

TIO

N

CLO

SU

RE

ER

RO

R

PIR

RA

ISE

RFC

aCtiVitieS

error Control® error identification (from the Known error identified in the output of problem

Control)® error assessment to identify the best solution to remove the error from the

infrastructure ® recording the resolution for each Known error and raising a request for

Change (rFC)® post implementation review (pir) to confirm the effectiveness of the

solution prior to final closure® monitoring the progress of problems and Known errors during all stages of

problem Control and error Control (continuous activity)

proactive problem management ® perform trend analysis to identify and remove repetitive incidents and

to provide high-quality management information about the behavior of infrastructure

® perform preventative maintenance to prevent incidents from occurring® perform major problem reviews to identify: ¨ what was done right? ¨ what was done wrong? ¨ what could be done better next time? ¨ how to prevent problems?


the Problem Manager is responsible for all the problem management activities. the responsibilities of the problem manager include:® developing and maintaining the problem Control and error Control

processes® assessing the effectiveness of the problem Control and error Control

activities® providing problem-related information to the management ® managing the problem support staff® allocating resources for the support activities® evaluating the effectiveness of the proactive problem management process


46 itSm handBooK


47itSm handBooK^

the Support Group personnel assist the problem manager and have the following two types of responsibilities:® Reactive responsibilities¨ identifying and recording problems by analyzing incident details¨ investigating problems based on their priority¨ Submitting rFCs to remove errors¨ monitoring the resolution of Known errors¨ advising the incident management team about workarounds and quick

fixes® proactive responsibilities¨ identifying trends and potential sources of problems¨ Submitting rFCs to prevent the recurrence of incidents¨ preventing the replication of problems across multiple systems


with Service Level managementthe Service Level management team provides information about the agreed service levels to the problem management team. the problem management team uses this information to classify the problems.

with Change managementthe problem management team suggests Changes in the it components and submits them as rFCs to eliminate errors. Change management assesses the impact of the proposed Change and informs the problem management process about the progress and completion of the suggested Changes.

with Configuration managementConfiguration management provides details about the components of the it infrastructure, such as the hardware and software configurations, services, and other relationships. problem management uses this information for identifying the impact and urgency of the problems.

with incident managementthe problem management team uses incident records to identify the problems and suggests workarounds to the incident management team until permanent solutions for the incidents can been found.

with availability management availability management specifies the availability levels to the problem management team. problem management identifies the problems causing the disparity between the actual and agreed availability levels and attempts to diagnose and eliminate these problems. the availability management team uses information from the problem management process to prevent such problems and incidents by optimizing availability planning.

with Capacity managementCapacity management provides capacity-related information to problem management. the problem management team helps the Capacity management team by identifying the causes of capacity-related problems and rectifying them.


® if the incident management team does not properly record the details of the incident and the related it components, the problem management team will not be able to accurately classify the problem.

® For software applications that are transferred from the development environment to the live environment, details of Known errors should be properly communicated otherwise problem management will need to redefine these errors, leading to duplicate effort.

® if there is a lack of managerial commitment, the support staff might tend to ignore the proactive aspects of problem management.

® Strong management support is required in order to allow the time needed for the Support staff to perform the problem management activities.


the key performance indicators for an effective problem management process include trends in the:® number of incidents resolved by closed problems® time needed to resolve problems® Costs (people, material, and resources) incurred during resolving a problem® reduction in the number of recurring incidents


4� itSm handBooK


the following critical success factors improve the performance of the problem management process:® effective automated registration and classification of incident records® Setting feasible objectives and making the best possible use of the expertise

of personnel® effective coordination between the incident management and the problem

management processes

Chapter 2.4

cONFIgurATION MANAgeMeNT

Á

2.4 ConFigUration management

50 itSm handBooK


51itSm handBooK^

the following terms and concepts are integral to the Configuration management process.

OBJecTIve

the Configuration management process ensures that all details about the it infrastructure components are accurately stored and updated in the Configuration management database (CmdB). this information is provided to other processes and departments for handling it infrastructure-related issues.

BeNeFITS

® Effective problem-solving: the Configuration management process helps identify the it components (Cis) related to problems. after determining the affected items you can easily trace the cause and identify the solution for the problem.

® Rapid implementation of changes: the Configuration management process facilitates rapid and accurate analysis of the possible impact of a Change on other it components and their services. this helps in implementing Changes with minimum disruption to it services.

® Better control of software and hardware releases: the Configuration management process ensures better control of software and hardware by:¨ Combining hardware and software packages so that the whole

combination can be tested for effectiveness before implementation.¨ Using the Configuration management database (which is a repository

of all relevant details of a Ci and its relationship with other Cis) and standard configuration (Baselines) to develop testing and distribution plans.

¨ Storing details about software versions that can be used for backouts.® Improved security: the Configuration management process stores information

about the authorized changes in it components and the different software versions. this helps maintain security of the it infrastructure by blocking unauthorized changes and preventing use of incorrect software versions. the Configuration management process also assists in monitoring licenses to identify any unlicensed components.

® High-quality commercial services: the Configuration management process helps the organization by providing the required information about all it components and services. this information aids the management in taking decisions about modifying the components and services as required. also, the information helps in reducing costs by preventing duplication of effort.

® Effective management of IT components: the Configuration management process helps control all the it components (Cis) that are essential to the services. it helps maintain records of any changes in the it components and services.

® Support for other ITIL processes: the Configuration management process helps, for example, the availability management and the Capacity management processes by providing correct configuration details for analyzing and planning the it services.

® Identification of hidden costs: the Configuration management process identifies the unused it components that are still adding to the cost. also, most departments maintain records about the parts for which they are responsible. this leads to overlap of information between departments. the Configuration management process provides a way to store information in a central location and reduce workload for all other it departments.

® Expected expenditure planning: the Configuration management process provides information about maintenance costs and contracts, licenses, and expiry dates to create the expenditure plans for the organization.

® Compliance with legal requirements: the Configuration management process helps in identifying illegal copies when audit results are compared with the existing records. then, the identified illegal copies are destroyed or removed from the it infrastructure. this ensures compliance with legal requirements.


Configuration Baseline is the configuration of a product or system established at a specific point in time. the Configuration Baseline captures both the structure and details of that product or system, and enables that product or system to be rebuilt later.

Configuration Management is the process of identifying and defining the it components and services in a system, recording and reporting the status of Cis and rFCs, and verifying the completeness and correctness of Cis.

the Configuration Management Database (CMDB) contains all the relevant details of all Cis and details of the important relationships between Cis.

a Configuration Item (CI) is an infrastructure component or item, such as an rFC, associated with the infrastructure. Cis can be hardware, software, documentation, and sometimes people related (such as process roles and job specifications).

a Variant is a small differentiation between versions of Cis, for example the same versions of microsoft word for different languages.


52 itSm handBooK


53itSm handBooK^

Asset Management is an accounting process for monitoring assets. asset management does not hold relationships between assets, whereas Configuration management does maintain relationships between Cis.

2.4.2 prOceSS

process inputs® information about changes in the organization® information about the new it components

process outputs® reports to other itiL processes and to the it management® new and updated records in the CmdB, which other processes access for

their activities

activitiesPlanning¨ defining the strategy, policy, and objectives of the process¨ analyzing the information that is available for the process ¨ identifying the tools and resources required for the process¨ Creating interfaces with other itiL processes, projects, and third party

suppliers

Identification¨ identify the associated it services and components, which need to be

controlled by Configuration management ¨ define the scope of Configuration management¨ Specify the level of detail for recording the information¨ identify the relationships of the Cis¨ determine the depth of information that needs to be recorded¨ Create naming conventions¨ assign attributes

SCOPE AND CI LEVEL

INFRASTRUCTURE INTERFACEAPPLICATIONSDESIGNDOCUMENTS

ENVIRONMENT DOCUMENTATIONSTAFF SKILL SETS

Scope

Level(Depth)

KEYBOARD

CPUMONITOR

SERVER

DISK


54 itSm handBooK


55itSm handBooK^

Control® Controlling all the it components received by the organization® ensuring accurate representation of Cis in the CmdB through physical access

security procedures and technology and through links with the Change management process

Status accounting® assigning a status code to each of the status of the Cis for easy identification® managing the lifecycle of the Ci

Verification and audits® Verifying and auditing the details in the CmdB against the physical

infrastructure

management of reports and performance indicators® assessing the efficiency and effectiveness of Configuration management

using regular management reports

STATUS ACCOUNTING: EXAMPLE OF CI STATUS MONITORING

PLANNED/ON ORDER

RECEIVED/IN STOCK

TESTED

IMPLEMENTED

OPERATIONAL

MAINTENANCE

ARCHIVED

TIME


the Configuration Manager is the owner of the Configuration management process. the Configuration manager’s responsibilities include:® making proposals on the scope of Configuration management® planning and populating the CmdB® evaluating existing and implementing new Configuration management

systems® developing identification system and naming conventions for the Cis® developing interfaces to other processes® Creating reports and audits® Communicating the process and conducting training


with incident managementto solve incidents, the incident management team needs to know the dependencies of each Ci related to the incident. the team uses data from the CmdB to identify: ® the Cis related to the incident® the dependencies of each Ci related to the incident in order to assess impact

and assigned priority

with problem managementto solve problems, the problem management team needs to know the dependencies of each Ci related to the problem. the problem management team also needs to link any existing problems and Known errors to the related Cis. the team uses data from the CmdB to identify: ® the Cis related to the problem® the dependencies of each Ci related to the problem® any history for the problem

with Change managementFor accurate impact analysis, the Change management team needs data about each Ci affected by a Change. Using this data, the Change management team determines the Changes that can be implemented with minimum disruption to the services. after the Changes have been implemented, the Change management team ensures the updates to the CmdB are completed with the information about all the new and modified Cis.


56 itSm handBooK


57itSm handBooK^

with release managementBefore implementing a release, the release management team queries Configuration management for information about the status of the affected Cis. For example, the release management team needs to know the status, location, source code, etc., of an existing Ci.

with Service Level managementthe Service Level management team needs information about the service characteristics, relationships between the services, and the underlying infrastructure. Configuration management provides the recorded documentation about the agreed levels of service and the relationships between the recorded Cis and it services.

with Financial managementthe Financial management team needs to know the services being used by the customers so that they can Charge the customers accordingly. Configuration management provides this information to the Financial management team. the Financial management team combines this information with the SLas to determine the prices to charge the customer.

with availability managementthe availability management team needs to know the Cis that are critical for providing a service. Using this information, the team can identify Cis that need to be immediately upgraded or phased out and to perform various analysis activities, such as Component Failure impact analysis (CFia).

with it Service Continuity managementthe it Service Continuity management team uses the standard configurations(Configuration Baselines) from the CmdB to identify the disaster recoveryrequirements. the team also needs to know if these configurations are availableat a particular back-up location (known as the disaster recovery site). Using this data, the it Service Continuity management team can ensure continuous flow of services to the users and customers.

2.4.5 cOMON prOBleM AreAS

® a considerable effort is required to maintain a Configuration management database (CmdB) with a high level of detail. too little effort might lead to recording insufficient information.

® Configuration management involves various manual processes that can cause delays and drain the organization’s resources.

® if the CmdB is not updated immediately after Changes, a number of problems, such as inaccurate information being stored in the CmdB, might result.

® over-ambitious scope can make Configuration management look like a bottleneck in the smooth functioning of an organization’s activities.

® Sometimes the management can unrealistically expect the Configuration management tool to deliver a total solution.

® Lack of commitment might lead to issues, such as incomplete and uncontrolled process implementation.

® individuals and groups might use the fact that Configuration management is a bureaucratic process as an excuse for not following the complete process.

® omitting activities in the Configuration management process affects the functioning of the organization.

® isolated implementation of the Configuration management process can result from inadequate analysis and design.

if the Configuration management process is not supported by software toolsthat are flexible, it is not easy to cater to new requirements and support all Ci categories


Key performance indicators related to Cis and CmdB:® number of occasions on which a “Configuration” was found to be

unauthorized® number of refused rFCs as a result of incomplete data in the CmdB® number of Changes to the CmdB per month because of identified errors in

the CmdB® Unauthorized it components detected in use


5� itSm handBooK

Key performance indicators related to the Service desk:® the change in the ratio of calls that are received at the Service desk per

month to the calls that are resolved immediately® the change in the average time and cost of diagnosing and resolving the

Service desk calls that cannot be immediately resolved

Key performance indicators related to other itiL processes:® the change in the number and seriousness of incidents and problems ® incidents and problems that can be tracked back to incorrect Changes® the cycle time to approve and implement Changes® the change in the number and seriousness of occasions when a Service

Level agreement has been breached® Licenses that have been wasted or not used at a particular location® number of observed differences between the Ci records and the actual

situation found during an audit


the following critical success factors improve performance of the Configuration management process:® identify clear process objectives® ensure implementation of all stages in the process® review all existing records before introducing the process to avoid duplicate

data® ensure that the Configuration management team has the required skills and

attitude® Close coordination with the Change management process to ensure

accuracy of the information in the CmdB

Chapter 2.5

cHANge MANAgeMeNT

Á

^

2.5 Change management

60 itSm handBooK


61itSm handBooK^

the following terms and concepts are integral to the Change managementprocess.

OBJecTIve

the Change management process is a standard method for implementingChanges while minimizing the introduction of Change-related incidents inthe infrastructure and it services. it also ensures quick and efficient handlingof Changes with minimum impact on the day-to-day operations of theorganization.

BeNeFITS

® Change management improves the quality of the it services by enabling risk assessment and analysis

® Change management provides information about the services affected by the Change. this information helps in taking preventive measures and eliminating risks to ensure a stable environment

® Change management helps in increasing the productivity of user and it personnel

® Change management provides a systematic process to allow frequent changes without adversely affecting the functioning of the organization


a modification or addition to any part of the infrastructure (Ci), such ashardware, software, network, environment, or related documentation is called aChange.

a Request for Change (RFC) is a form or screen used to record details of therequested changes to the configuration, procedures, and items associated withthe infrastructure.

Service Requests are requests from a User to the Service desk for support,delivery, information, advice, documentation. a password reset is also an example of a service request.

a Standard Change is a change where the risk and costs are known, are fairlyrepetitive, and are pre-approved by the Change management process. theService desk often performs these Standard Changes, for example, basic moves,adds and deletions.

Urgent Changes are Changes that may not immediately follow the normalChange implementation procedures. Some steps of the Change managementprocess may be performed after the completion of the Urgent Change.

Change Advisory Board (CAB) is a body that approves Changes after assessing therisk of the Changes.

The Forward Schedule of Change (FSC) contains details of all the Changes approved for implementation and their proposed implementation dates.

The Projected Service Availability (PSA) contains details of Changes to agreed SLas and service availability based on the current FSC.

2.5.2 prOceSS

process inputs® rFC (request For Change)® FSC (Forward Schedule of Change)® information from the CmdB® information from other processes

process outputs® Change management reports® FSC (Forward Schedule of Change)® pSa (projected Service availability)® CaB agenda and minutes

activities® the Recording activity involves recording and logging all rFCs® the Accepting activity rejects or accepts an rFC based on the completeness

of the rFC and an initial assessment of risk associated with the Change.® the Classifying activity categorizes and prioritizes Changes or rFCs. this

helps in identifying the significance of each Change and the sequence of the Changes. this activity also assists in identifying the required approval levels, for example, Change manager, CaB or executive Committee.

® the Planning activity involves estimating the cost, required and available personnel and resources, impact, and cycle time required to implement a Change.

® the Coordination activity involves coordinating the creation of hardware and software changes with new documentation, manuals, installation procedures, and back out plans. Closely aligned with release management.


62 itSm handBooK


63itSm handBooK^

® the Evaluating activity involves evaluating the implemented Change to determine its success. if the Change implementation is successful, the rFC is closed. if the Change implementation is unsuccessful, the backout plan procedure is followed.

Working?

Rejection,New RFCs?

Con

figur

atio

n M

anag

emen

t pro

cess

es in

form

atio

n an

d m

onito

rs th

e st

atus

of c

onfig

urat

ion

item

s. RFC Submission/

Recording

Acceptance:Filtering RFCs

Urgent?

Planning/Approval:Impact and Resources

Evaluation and Closure

Coordination

YES

NO

Release Management

Normal:Change Mgr

Significant:CAB

Major:Exec. Comm. Build

Test

Implement

StartBack-out

plan

Classification:Category and Priority

Urgency Procedure

aCtiVitieS


Change management involves two key roles:® the Change manager is the Chairperson of the CaB and is primarily

responsible for planning and implementing the Change management process. the responsibilities of the Change manager include:¨ Filtering, accepting and classifying all rFCs ¨ obtaining the required authorization for a Change ¨ planning and coordinating the implementation of the Changes¨ reviewing all implemented Changes to ensure that the objective is

achieved¨ generating regular and accurate Change management reports ¨ issuing the FSC through the Service desk ¨ Convening urgent CaB meetings for all urgent rFCs¨ Closing rFCs

® the CaB member belongs to the CaB, which is a body that approves the Changes and assists the Change management team in the assessment and prioritization of the Changes. the responsibilities of a CaB member include:¨ attending all CaB meetings¨ participating in scheduling the Changes¨ reviewing all submitted rFCs to estimate their impact, implementation

resources, and costs


with Capacity managementthe Capacity Manager is a member of the CaB. the CaB assesses the impact of all Changes on the existing Capacity and identifies additional Capacity requirements. if required, rFCs are then submitted for any planned upgrades, tuning activities, and additional use of monitoring tools in the it infrastructure.

with incident managementthe Change management team informs the incident management team about the implemented Changes, so that it is possible to identify and differentiate between Incidents, Known Errors, and Change-related incidents.


64 itSm handBooK


65itSm handBooK^

with problem management to resolve problems, the problem management team suggests Changes in the it components. the Change management process assesses the impact of the proposed Changes and informs the problem management process about the progress and completion of the suggested Changes.

with availability management the Change management team estimates the potential impact of the Changes based on the inputs provided by the availability management process. the availability management process identifies potential Changes that can improve the service availability. these Change requirements are sent in the form of an rFC to the Change management process.

with release management the Change management process provides inputs, such as approved change plans to the release management process. the release management process can plan the releases for implementing these Changes. in addition, the Change management team also coordinates with release management in activities, such as building, testing, and rollout. the Change management process also advises on best packing structure of releases.

with Configuration management the Configuration management database (CmdB) provides information about the infrastructure components. Based on this information, the Change management process determines the potential impact of a proposed Change.

with it Service Continuity management it Service Continuity management process is responsible for risk-reduction measures and recovery options including back-up facilities. these measures and plans might fail due to an infrastructure-related Change that alters the production environment. therefore, the it Service Continuity management process assesses the potential impact of Changes on the recovery plan.

with Service Level management the Service Level management process assesses the impact of the Changes according to the Service Level agreements (SLa). Based on the agreed service levels, the feasibility of the proposed Change is determined.


® the lack of coordination between Change and Configuration management leads to inaccurate analysis of the impact of Change.

® generally, the responsibilities of the individuals involved in implementing the Change are not clear. thus, the process might not be implemented correctly.

® wide Scope of Changes. to resolve this bottleneck, routine Changes, which are clearly defined and covered by procedures, should be identified as Standard Changes in the Change management process. development environment Changes should not be included in the Change management process.

® at times, to avoid an adverse impact on the business, certain Urgent changes might be implemented by Change management, resulting in errors.

® the lengthy activities and excessive paperwork make Change management a bureaucratic process.


to measure the effectiveness of the Change management process, you need to compare the actual output with the following key performance indicators: ® number of implemented Changes with respect to a Ci, during a specific

period ® number of unsuccessful Changes ® number of successfully executed Changes ® number of Changes backed out

the following key performance indicators help you in determining the impact of a change: ® number of incidents resolved by the implementation of a Change ® workload reduction after the Change is successfully implemented ® average time needed to implement a Change ® average time required for a reduction in the related incidents after the

implementation of a Change

in addition to reviewing the key performance indicators for Changes, you need to consider the following indicators for rFCs: ® number of rFCs and their impact on Ci ® number of rejected rFCs ® number of Change-related incidents


66 itSm handBooK


the following critical success factors improve the functioning of the Change management process: ® management support to ensure adherence to the Change management

process ® Coordination with the it staff and suppliers through proper communication ® evaluation of a Change and its repercussions on it service stability ® Coordination with Configuration management to get updated Ci-related

information

Chapter 2.6

releASe MANAgeMeNT

Á

^

2.6 reLeaSe management

6� itSm handBooK


6�itSm handBooK^

the following terms and concepts are integral to the release management process.

OBJecTIve

release management takes a holistic view of a Change in an it service (hardware and software elements) and ensures that all aspects of a release, both technical and non-technical, are considered together. the focus of release management is the protection of the live environment and its services by using formal procedures and checks.

BeNeFITS

implementing the release management process increases the effectiveness and efficiency of the it services. Some benefits of release management are: ® risk optimization ® release implementation in a manageable period of time with minimum

disruption® Few individual implementations® Less chance of using illegal copies ® increased user involvement for testing a release ® Standardization of hardware and software versions


the term release is used to describe a collection of approved Changes in an it service authorized by Change management. a release is defined by the rFCs that it implements. depending on the size, the release can be divided into: ® emergency release® minor Software release or hardware Upgrade ® major release

a Release Unit describes the portion of the it infrastructure that should be released together. depending on the type or item of software and hardware, the size of the unit can vary.

the status of a release alters according to its current environment. release Identification refers to determining the status of a release in different environments. the environments in which a release can be categorized are:® development environment® test environment® Live environment® archive

depending on the number of Changes that should be included in one release,a release can be of the following type:® delta release - only those Cis within the release unit that have actually

changed or are new since the last Full or delta release ® Full release - all components of the release unit that are built, tested,

distributed, and implemented together ® package release - a bundle of Full and/or delta releases of related

applications and infrastructure that are released at longer time intervals. it provides longer periods of stability for users.

Delta Release Full Release

Module 1

Package Release

Full Release

Component 1

Component 2

Component 3

Component 4

Component 5

Module 1

Module 2

Module 3

Module 4

Module 5

reLeaSe typeS


70 itSm handBooK


71itSm handBooK^

during the development phase, the software items should be physically located in the Definitive Software Library (DSL). the dSL includes all the original versions of software items used during production and development. the dSL can also include several versions of software.

a standardized hardware configuration can be used to replace or repair similar configuration in the it infrastructure. the standardized hardware configuration is available in the Definitive Hardware Store (DHS).

2.6.2 prOceSS

process inputs ® approved Changes from Change management

process outputs ® new released software in the dSL ® new hardware in the dhS

release policy the release policy for an organization should include such items as: ® release units ® Frequency of releases ® dSL management standards ® Versioning/naming standards ® process roles and responsibilities

preparing the release plan Consider the following issues for creating a release plan: ® type of release ® hardware and software required for the release® Cost of the release, for example, obtaining quotes from the suppliers for new

hardware and software® roles and responsibilities for implementing the release

Dev

elop

men

t Env

ironm

ent

Con

trolle

d Te

st E

nviro

nmen

tLi

ve E

nviro

nmen

t

Rel

ease

P

olic

yR

elea

se

Pla

nnin

gD

esig

n an

d de

velo

p, o

r or

der a

nd

purc

hase

the

softw

are

Bui

ld a

nd

conf

igur

e th

e R

elea

se

Fit-f

or-

Pur

pose

te

stin

g

Rel

ease

ac

cept

ance

Rol

l-out

plan

ning

Com

mun

icat

ion

Pre

para

tions

and

Trai

ning

Dis

tribu

tion

and

Inst

alla

tion

Con

figur

atio

n M

anag

emen

t Dat

abas

e (C

MD

B) a

nd D

efin

itive

Sof

twar

e Li

brar

y (D

SL)

Rel

ease

Man

agem

ent

aCtiVitieS


72 itSm handBooK


73itSm handBooK^

designing, Building, and Configuring the release after preparing the release plan, the release team sets up standard procedures for designing, building, and configuring releases. these procedures include:® installation instructions ® operating instructions to ensure that the same set of components are

combined every time® Setting up a test laboratory to test all software and hardware before

installation on site® Configuring and recording of hardware and software components so that

they are reproducible® Standardizing hardware and software requirements

testing and acceptance all release Units should be thoroughly tested for errors before being introduced in the Live environment. the release units should be tested by the: ® representative of the users® it management personnel

after successful testing, the users and developers should formally accept and sign-off the release. the formal acceptance helps in certifying that the release Unit has been adequately tested and is ready for the live environment.

preparing the rollout plan a rollout plan includes: ® a schedule and a list of tasks for the release ® List of Cis to be installed and phased out® activity plan for each implementation site ® release memos and other communication to relevant people ® plans for purchasing hardware and software ® Schedules of meetings with management departments, Change

management teams, and user representatives

Communication all teams communicating with the customers, such as Service desk, Service Level manager, as well as operational personnel, and representatives of users should be aware of the release plans. release plans help them estimate the impact of the release on their routine activities. all relevant it staff and Users should be trained in the functionality of the new release.

distribution of the release it is advisable to use automated tools for software distribution and installation. the actual conditions in which the software is to be implemented should be compared to the planned conditions before installing the new software, for example, Capacity requirements. after installation, information in the CmdB should also be updated.


the Release Manager creates the release plan and coordinates the implementation process with other teams. the responsibilities of the release manager include: ® defining the release policy for the organization® preparing the release plan ® authorizing the release build and configuration® Communicating with other groups, such as Users, Service Level manager,

Service desk, and Change manager ® Coordinating the final implementation of the release

the Test Manager ensures that the release is tested and signed off by proper authorities. the responsibilities of a test manager include: ® Successful testing of the release before signing off ® ensuring that the test environment is the same as the live environment ® preparing the rollout plan along with the release manager

Key Skills typically, a release manager should have: ® a sound technical background ® good understanding of the it infrastructure and the services it provides ® good working knowledge of support tools and utilities ® good grasp of the principles and practices of it infrastructure management

processes, especially the Change management and Configuration management processes

® an awareness of the organization’s business strategy and its priorities ® project management skills


74 itSm handBooK


75itSm handBooK^


with Change management Change management provides inputs, such as approved Changes to release management. in addition, the Change management team also coordinates with the release management team in activities, such as building, testing, and rollout.

with incident management incident management logs the errors or bugs reported by the Users in the new release. Based on the data reported by incident management, release management is able to determine the success of the release.

with problem management Some of the errors reported in a release might not have a known solution. the problem management team analyzes these errors to provide a solution. then, the team sends the solution as an RFC to the Change management team. the approved rFCs are submitted to the release management team for implementation. therefore, problem management helps in further improving the release. Known errors in releases are recorded in the problem management process.

with Configuration management the software added to the dSL and the hardware for the dhS are recorded in the CMDB. the CmdB provides crucial information about the existing Cis as inputs to release management. Based on this information, release management can determine the impact of the release and the required testing conditions.

with Service Level management an it service is typically a combination of hardware and standard or in-house software. release management is responsible for making the hardware and software available to Users. this process also monitors the agreements defined for the availability of software in Service Level management.


® resistance to change on part of the staff ® implementation problems in distributed environments ® problems in testing the release


the following key performance indicators help assess the effectiveness of the release management process: ® number of incidents caused by a release ® Software in the dSL that has not been subjected to a quality check® number of accurate and timely distributed releases at remote sites® number of unused software that have unnecessary costs, such as license fees ® number of times that unauthorized software is used ® number of times when the status of the release-associated Cis in the CmdB

was accurately updated


the aim of the release management process is to implement releases without disrupting the normal business. to ensure successful implementation, you should keep the critical success factors in mind. the critical success factors are:® piloting new releases in an environment that replicates the Live

environment ® automating detection of the need for software updates ® automating the build, distribution, and implementation of new software ® maintaining permanent build machines for specific platforms ® Creating appropriate test environments and having user representatives test

the release

3.1 SerViCe LeVeL management

77itSm handBooK^

Chapter 3.1

ServIce levelMANAgeMeNT

Á

the following terms and concepts are integral to the Service Level management process.

OBJecTIve

ensure that it services are provided to customers at the agreed quality levels and costs and that the agreed levels of service are maintained, monitored, and improved continuously.

BeNeFITS

the Service Level management process helps the it organization: ® design services based on customer requirements ® provide measurable performance indicators for it services ® Balance the required quality of services with costs ® reduce costs in the long run ® improve relationships with customers


a modification or addition to any part of the infrastructure (Ci), such as hardware, software, network, environment, or related documentation is called a Change.

a Request for Change (RFC) is a form or screen used to record details of the requested changes to the configuration, procedures, and items associated with the infrastructure.

Service Requests are requests from a User to the Service desk for support, delivery, information, advice, documentation. a password reset is also an example of a service request.

the it organization that supplies an it service is termed as a Provider. the organization that uses an it service is regarded as a Customer.

End Users are a part of the organization that uses the it services. they are the individuals who actually use the it services in their daily operations.

the Service Level Requirements (SLR) is a blueprint that provides all specifications listing the acceptable levels for each service requirement as conveyed by the customer.


7� itSm handBooK


7�itSm handBooK^

the Service Specsheet translates the customers’ service requirements into technological specifications required in the it organization to implement the service.

the Service Catalog is used to present the it organization as a service provider to its customers. it describes the services and the associated levels of service that the it organization can provide to its customers.

when the Customer and the provider reach an agreement about the specifications of the it services, the Service Level Agreement (SLA) is drafted.

the structure of an SLa depends on the following aspects: physical aspects including: ® Size or scale of the organization’s activities ® Complexity levels of the activities and functions of the it organization ® geographical distribution of the organization’s offices

Cultural aspects including: ® Language(s) for documentation ® relationship between the it organization and customers ® policy used to charge customers ® profit targets of the organization

nature of the business activities including: ® general terms and conditions ® Business hours

an Operational Level Agreement (OLA) is an arrangement between the it organization and other internal departments for providing it services to customers.

the Underpinning Contract (UC) includes details for the service elements provided by the external providers rather than internal departments.

the Service Improvement Program (SIP) specifies the it organization’s plans for improving all the implemented it services. it defines the activities, stages, and specific activity-wise time periods that are required for improving the services.

3.1.2 prOceSS

® identify customer requirements ® detail these requirements and define them in measurable terms ® Formulate the technical details required for implementing the it service by

drafting the Service Specsheets (specifications) ® negotiate the terms for providing the it services based on the SLr and

Service Specsheets ® Formalize the terms of the contract in the form of SLas, UCs, oLas, and the

Service Catalog ® monitor the performance of each implemented it service using the it service

levels documented in the SLas ® document the results in the Service Level reports to provide a comparison

between the agreed and actual achieved service levels ® review service levels at regular intervals and record areas for improvement

in the Sip

SERVICE LEVELMANAGEMENT

CUSTOMERSSERVICE LEVELREQUIREMENTS

(SLR)

SERVICE IMPROVEMENTPROGRAM (SIP)

OPERATIONAL LEVEL

AGREEMENT(OLA)

UNDERPINNINGCONTRACTS (UC)

SERVICE LEVELAGREEMENT

INTERNAL ITORGANIZATION

EXTERNAL ORGANIZATIONS

SERVICECATALOG


�0 itSm handBooK


�1itSm handBooK^

Rep

ort

Rev

iew

Cus

tom

er D

eman

d

Iden

tify:

Nee

ds

Def

ine:

In

tern

ally

and

Ext

erna

lly

Con

tract

:1.

Neg

otia

te2.

Dra

ft3.

Am

end

4. C

oncl

ude

Mon

itor:

Ser

vice

Lev

els

Ser

vice

Lev

el A

chie

vem

ent

Ser

vice

Lev

elR

epor

t

Ser

vice

Im

prov

emen

t Pro

gram

Ser

vice

Lev

el

Spe

cific

atio

n S

heet

Ser

vice

Cat

alog

Ope

ratio

nal

Leve

l Agr

eem

ent

Und

erpi

nnin

gC

ontra

ct

SLA

Ser

vice

Lev

elR

equi

rem

ents

aCtiVitieS


the Service Level manager is the owner of the Service Level management process. their responsibilities include: ® Creating and updating the Service Catalog with details of the existing it

services® maintaining an effective Service Level management process by defining

SLas, oLas, and UCs ® Updating and managing the existing Sips ® Updating and managing the existing SLas, oLas, and UCs® reviewing and improving the performance of the it organization to meet

agreed service levels


with Service desk Service desk provides Service Level management with information about the response and solution times if a service is interrupted. it also aids Service Level management in gathering customer feedback about it services through customer satisfaction surveys.

with availability management availability management provides Service Level management with information about the actual availability of services. Service Level management provides availability management with information about the Customer Service Level requirements regarding availability.

with Capacity management Service Level management informs Capacity management about the requirements proposed in the SLA and then uses inputs from Capacity management to ascertain whether or not the resources are being utilized within agreed limits. Capacity management analyzes the it resource requirements for providing the new or improved services and submits the analysis results to Service Level management.

with incident management Service Level management informs incident management about the agreed turnaround times for resolving service-related Incidents. incident management ensures that all it services are restored within the turnaround times specified in the SLa.


�2 itSm handBooK


�3itSm handBooK^

with problem management problem management helps the it organization optimize and stabilize it services by taking long-term error-prevention measures. Service Level management records the steps taken to optimize the it services in the SIP.

with Change management Service Level management constantly monitors and reviews service levels and records any necessary changes in the SLa via the Change management process. Change management ensures that requests for service changes, such as costs and cycle time of services, are processed as agreed in the SLa.

with it Service Continuity management Service Level management collects the Service Level requirements from the Customer regarding service continuity. it Services Continuity management defines the measures to be followed for the recovery of an it service in the event of a disaster and these are agreed upon in the SLa through Service Level management.

with Security management Security management provides inputs about customers’ security requirements for the provision of it services to Service Level management. Service Level management uses these specifications of security measures and costs involved while formulating the SLa. Service Level management collects the Service Level requirements regarding external Security from the Customer and passes this information to Security management.

with Configuration management Configuration management records all details about the Cis and the SLa for an it service in the CMDB. Service Level management accesses the CmdB to identify the Cis required to provide the agreed services documented in the SLa.

with Financial management Financial management provides Service Level management with information about the costs associated with a service, charging methods, and rate to be charged for a service. Service Level management uses these details while negotiating with customers and then records the agreed items in the SLa so that Financial management follows these guidelines to design the organization’s budget.

with release management release management provides Service Level management with details about the hardware and software release plans. Service Level management records details of the release plans in the SLa.

3.1.5 cOMMON prOBleM AreAS ® Cultural changes are required within the it organization to realize the

importance of understanding customer requirements for providing it services.

® Customers are not always able specify their requirements clearly thus making it difficult to formulate SLrs.

® Service Level managers are not always able to translate all customer requirements into measurable terms.

® Service Level manager might be pressured by customers, superiors, or peers to agree to unfeasible service levels.

® Underestimation of overhead costs for monitoring and reviewing service levels.

® Lack of time or knowledge can lead to non-conformance to the Service Level management process.


® details mentioned in the SLa that help in quantifying agreed service levels ® Clearly defined oLas and UCs that help maintain the service levels agreed in

the SLas ® number of monitored elements of the SLa ® reported number of deviations from agreed service levels ® elements of the SLa that meet the agreed service levels ® Shortfalls in meeting the agreed service levels and the related improvement

measures included in the Sip


® technical and business expertise of the Service Level manager ® accurate formulation of the mission and objectives of the Service Level

management process ® awareness of the Service Level management process among the employees

of the it organization ® Clear definition of the tasks and roles within the Service Level management

process

3.2 FinanCiaL management

�5itSm handBooK^

Chapter 3.2

FINANcIAl MANAgeMeNT

Á

the following terms and concepts are integral to the Financial management process.

OBJecTIve

Financial management aids the it organization in implementing a cost-effective strategy for delivering it services. it breaks down the costs for it services into service-specific components in order to categorically associate costs with each individual service and department.

BeNeFITS

the Financial management process needs to be implemented in a uniform manner throughout the organization. in addition to maximizing efficiency, the Financial management process helps the organization in: ® Determining the costs of IT services: the Financial management process helps

breakdown the overall expenditure in the it department and assigns the various cost components to specific services

® Identifying the cost structure: it management uses the cost structure for each service to accurately estimate the costs for future budgets. this reduces the time spent on deliberation for assigning costs to each service.

® Recovering costs from customers: the Financial management process helps the organization recover part of its total cost by passing the costs for providing the service to customers in the form of charges. accurate estimation of the costs for each it service enables the organization in appropriately and fairly charging the customers.

® Operating the IT department as a business unit: the Financial management process ensures that all services rendered to both internal and external customers are assigned appropriate costs. this process helps identify the expenditure incurred for each service.

® Verifying that charges for IT services are realistic: the Financial management process ensures that all charges applied for services rendered are realistic and allocated fairly to the customers. this task is performed for the it service charges applied to both internal and external customers.


�6 itSm handBooK


�7itSm handBooK^


Budgeting defines the way to plan and control the expenditure within an organization by laying down limits on the intended expenditure for providing an it service. Budgets are prepared to ensure that actual expenditure does not exceed planned expenditure and ensure a balance between the two.

Accounting enables business units to justify the costs incurred by the it organization for providing it services to its customers. it involves maintaining detailed ledgers of the daily expenditure incurred during the implementation and the delivery of an it service.

Charging encourages business-like relationships between the organization and its customers. it helps the organization recover its expenditure from its customers after the time periods agreed by the customers at the time of purchase of service.

Costs that are unambiguously linked to a specific service, customer, or location are called direct costs.

the costs that are not specifically associated with a single it service, customer or location are called indirect costs.

Fixed costs are constant costs that are necessary for the operation of a business.

Variable costs are related to the it services being provided by an it organization. these costs vary with changes in production volume.

Capital costs are generated by the purchase of assets that are intended for long-term use by an it organization. the value of these assets depreciates over time.

Operational costs are generated by the day-to-day activities of the it organization. these costs are not directly linked to the production-related resources.

Under Incremental Budgeting, the previous year’s financial data is used as the basis for creating the current year’s budget. Factors such as the activities, costs, and prices of the previous year are mentioned in the new budget.

Under Zero-Base Budgeting, business managers need to justify the cost of each service in the budget by specifying its requirements. this method does not use past years’ data as the base for the current year’s budget.

Pricing (fixing a rate) for a service is done to recover costs and affect the demand for the service.

3.2.2 AcTIvITIeS

process inputs Financial management receives inputs from the Service Level management process describing the customer’s service requirements. these requirements are submitted as requests for approval of funds for meeting infrastructure requirements, staff requirements, or even process changes.

process outputs Financial management scrutinizes the submitted requests and determines their viability for the it organization by assessing the cost-effectiveness.

phaSeS

1. Budgeting identify the it needs of an organization. Based on these requirements, business heads plan their it budgets and financial objectives.

2. accounting identify and set up the cost control methods by analyzing the cost for the service.

3. Charging Charge appropriate amounts from the customers, according to the services they are using

4. request and receive feedback from customers about the planned charges


�� itSm handBooK


��itSm handBooK^

Fina

ncia

l tar

gets

Cos

ting

mod

els

Cha

rgin

g po

licie

s

IT o

pera

tiona

l pla

n(in

cl. B

udge

ts)

Cos

t ana

lysi

s(A

ccou

ntin

g)B

usin

ess

ITR

equi

rem

ent

Feed

back

of p

ropo

sed

char

ge to

bus

ines

s

Cha

rges

Cha

rges

Cha

rges

aCtiVitieS

Budgeting ® defining the long-term objectives of an organization ® Creating the financial plans for specific time periods ® determining the Budgeting method to be implemented¨ incremental Budgeting ¨ Zero-Base Budgeting

® developing the budget ¨ identifying the factors that might hinder the growth prospects of the

organization ¨ determining the period for the budget

accounting ® identifying how costs are defined and divided into different categories® tracking the organization’s outflow of capital by determining the cost of

each service (cost structure)

Note: The cost structure helps identify and track the costs for the hardware, software, and support of a service. An ideal cost structure should reflect the cost of each service even if the total amount of the cost is not passed on to customers. The cost structure is generally fixed for a period of one year.

Charging ® deciding the objectives of Charging for a service ® determining direct costs, indirect costs, and market rates ® analyzing the demand for services® analyzing the number of customers for the service® determining the most suitable charging policy¨ no Charging, notational Charging, or Full Charging

® Setting the pricing policy¨ Cost, cost plus, going rate, market rate, or fixed price

® invoicing

Benefits of Charging ® encourages the it organization to operate as a business unit ® helps recover all costs incurred in the process of providing a service ® is implemented throughout the organization for all the rendered services (it

and non-it) ® reduces the overall cost of providing a service® highlights the areas that are not cost effective® enables subsidization of a new service for certain customers by using the

revenue generated from other services


�0 itSm handBooK


�1itSm handBooK^

Note: A service should be charged at a fair and reasonable rate because customer demand for the service might reduce with incorrect pricing.

The various aspects of costs are:

Cost TypesHardware, Software, People, Accommodation,External Services, and Transfers

Cost Calculation Basis Cost-by-Service Unit Cost

Cost Classifications Capital or Operational Direct or Indirect Fixed or Variable

Cost Elements People Payroll, Staff Benefits, Expenses, Overtime, Consultancy, Training, and Statutory Costs

aSpeCtS oF CoSt


the it Finance Manager is the owner of the Financial management process. the it Finance manager’s responsibilities include: ® managing the it organization’s budget ® reporting to it managers and Customers about conformance to budget ® gathering cost data for all implemented services ® implementing suitable accounting policies ® providing justifications for it service charges ® preparing regular bills for it services

Key Skills ® good numerical and financial skills ® ability to work successfully with all levels of it management ® thorough documentation skills ® excellent communication and negotiation skills ® good presentation skills


with Service Level management Financial management helps Service Level management determine the cost-effectiveness and viability of a proposed service. Financial management provides Service Level management with details about the costs and proposed charges for a service before the service is actually implemented. Service Level management uses this information to draft the SLA with customers.

with Capacity management Capacity management sends the proposed service requirements and estimated resource descriptions for the services to Finance management for its approval. Financial management provides Capacity management with cost descriptions for each service by sending the approved service requirements after verifying the monetary feasibility of the services.


�2 itSm handBooK


�3itSm handBooK^

with Configuration management Configuration management provides Financial management information related to infrastructure components used for services provided to customers. this information is then combined with SLas to determine the prices and rates to be charged from the customer. Financial management provides details about the costs calculated for the infrastructure to Configuration management.


® process implementation is affected because of lack of clearly documented guidelines

® difficulty in obtaining planning details for non-it services from other processes

® improper documentation of corporate strategy and objectives can lead to inaccurate estimation of capacity requirements

® difficulty in locating skilled personnel qualified to handle both it and financial accounts related activities

® insufficient cooperation due to unclear understanding of the growth opportunities provided by Financial management

® Lack of managerial commitment can result in resistance to the process by the staff


® Cost-benefit analysis comparing the relative benefits of a service with its costs

® Feedback from customers about implemented it services® Financial targets achieved by the it organization as defined by the budgets® Changes in the use of services® plans, budgets, and reports produced on time

3.2.7 crTIcAl SucceSS FAcTOrS

® Create awareness among users about the cost of implementing services ® implement a detailed cost monitoring system that justifies all expenditure ® provide effective services at reasonable costs ® Create complete awareness about the impact and cost of implementing the

Financial management process® provide access to relevant information from the Configuration management

process

3.3 CapaCity management

�5itSm handBooK^

Chapter 3.3

cApAcITy MANAgeMeNT

Á

the following terms and concepts are integral to the Capacity management process.

OBJecTIve

Capacity management aims to consistently provide the required it resources at an acceptable cost, and in line with the current and future requirements of the Customer and end Users.

the objective of the Capacity management process is to help maintain a balance between:

BeNeFITS

implementing the Capacity management process has the following benefits for the organization: ® reduced risks related to existing and new services ® accurate forecasts of future demands ® higher efficiency by balancing the supply and demand of it resources ® reduced Capacity-related expenditure

DEMANDSUPPLY

CAPACITYCOST

COST AND CAPACITY

SUPPLY AND DEMAND


�6 itSm handBooK


�7itSm handBooK^


Performance Management helps in measuring, monitoring, and tuning the it infrastructure components of an organization.

Application Sizing helps in determining the hardware Capacity required to support new and modified applications.

the Modeling process enables you to use mathematical models for determining the benefits and costs of different Capacity configurations. these parameters also help in identifying the new or modified resources required for each Capacity configuration.

a Capacity Plan is an essential element of Capacity management. a Capacity plan helps determine the current resources and predict the future resource requirements. the plan also specifies the associated costs for these resource requirements.

the Capacity Database (CDB) includes the technical specification of the procured or amended Cis, such as disk space, speed of processor, service performance requirements and expected workloads, and demands that are to be placed on the it resources.

3.3.2 prOceSS

process inputs ® technology requirements® Business requirements® project plans ® incidents and problems ® Financial plans and Budgets® Capacity related SLrs

process outputs ® Capacity plan and audit reports® Updated Capacity database® Service level recommendations ® Costing and Charging recommendations® revised operational schedules

Sub-processes ® Business Capacity management is a proactive sub-process that helps in

understanding the future needs of the User. to identify the users’ needs, the process helps you collect the required information. Using this information, you can understand and support the business strategies and analyze the trends.

® the Service Capacity management sub-process helps you understand the functioning of the it resources to ensure that appropriate service agreements can be designed and delivered.

® the resource Capacity management sub-process is related to using and monitoring the internal it resources. Some examples of internal it resources are network bandwidth, processing capacity, and disk capacity.

activities ® a Capacity plan is developed to determine the current capacity and the

future requirements of the it resources ® modeling helps estimate the best alternative for Capacity deployment ® application Sizing helps estimate the hardware required for running the

new or modified applications ® monitoring the performance of it resources ® analyzing the data collected from monitoring ® tuning the resource based on the analyzed data® implementing and adding new hardware® Creating and maintaining the Capacity database


�� itSm handBooK


��itSm handBooK^

STORAGE OF CAPACITY MANAGEMENT DATA

MODELING

DEMAND MANAGEMENT

ITERATIVE ACTIVITIESP

RO

DU

CTI

ON

OF

THE

CA

PA

CIT

Y P

LAN

CO

VE

RIN

G A

LL A

SP

EC

TSO

F B

CM

, SC

M,

AN

D R

CM

Ope

ratio

nal

Bus

ines

s C

apac

ityM

anag

emen

t (B

CM

)

Ser

vice

Cap

acity

Man

agem

ent (

SC

M)

Res

ourc

e C

apac

ityM

anag

emen

t (R

CM

)

APPLICATION SIZING

CD

B

Stra

tegi

c

Tact

ical

aCtiVitieS


the Capacity Manager monitors the various activities of the Capacity management process. the responsibilities of a Capacity manager include: ® monitoring Capacity management ® ensuring that the Capacity plan is developed and maintained ® ensuring that the Capacity database is updated regularly

the System, Network, and Application Managers are responsible for monitoring the performance of it services. the responsibilities of the System, network, and application managers include: ® optimizing the performance of the it services by tuning operating systems

and applications® Using their expertise, to help the Capacity manager in translating the

business demand into workload profiles® determining the required capacity, such as processor configurations,

memory requirements, disk space, and bandwidth of the network


with incident management incident management involves maintaining a log of the Capacity-related Incidents. this information is a crucial input to Capacity management. Based on these inputs, Capacity management helps in providing solutions for the Capacity-related incidents.

with problem management Capacity management provides mathematical tools, such as simulation models to problem management . these simulation tools help problem management in detecting possible Capacity-related Problems.

with Change management members of Capacity management are also members of the Change advisory Board (CaB). they assess the impact of all Changes on the existing Capacity and identify additional Capacity requirements. then, these members submit request for Change (rFCs) for any planned upgrades, tuning activities, and additional use of monitoring tools in the it infrastructure.


100 itSm handBooK


101itSm handBooK^

with release management Capacity management helps release management in implementing and distributing a Release efficiently by determining the distribution strategy of the release.

with Configuration management the Cis and the attributes that are relevant to the Capacity management process are stored in both the CMDB and CdB.

with Service Level management Capacity management helps Service Level management in deciding the feasibility of service levels set in the SLA. these attributes are essential for Capacity management to calculate and monitor performance thresholds.

with Financial management Capacity management provides the information about the capacity-related Charges for the customers to Financial management.

with it Service Continuity management Capacity management helps determine the minimum Capacity needed to handle a disaster. this process also helps in determining the capacity requirements for all recovery options.


® high expectations of the developers, management, and customers might result in the management setting unfeasible Capacity targets.

® Unavailability of reliable information of expected workload and the problem of customer plans not known in advance can lead to a lack of information for preparing capacity plans.

® insufficient and inaccurate inputs from various suppliers using different benchmarks and testing methods result in misleading information for measuring the actual performance of the system.

® implementing Capacity management can be difficult in a complex technical environment due to large number of dependencies.

® if several departments are responsible for the management of resources, this can lead to conflicts regarding responsibilities.


® performance trends of all it services as a result of the estimates made in the Capacity management process

® reduction in the number of rushed purchases ® reduction in unnecessary or expensive overcapacity ® reduction in the number of incidents due to performance problems

3.3.7 crTIcAl SucceSS FAcTOrS

® accurate business forecasts ® Knowledge of it strategies and plans and the accuracy of these plans ® a proper understanding of the current and future technologies ® Close interaction with other itiL processes ® ability to plan and implement the appropriate it infrastructure required for

meeting the estimated business needs

3.4 aVaiLaBiLity management

103itSm handBooK^

Chapter 3.4

AvAIlABIlITy MANAgeMeNT

Á

the following terms and concepts are integral to the availability management process.

OBJecTIve

availability management ensures that it service organizations provide a predetermined level of service availability to customers. it also ensures that service availability is cost-effective and fulfills customers’ business objectives.

BeNeFITS

the essential benefits of the availability management process include:® a single point of contact is provided within it to resolve availability issues ® new products and services comply with existing availability standards® the occurrence and duration of unavailability are reduced using effective

remedial actions® availability standards are monitored and improved continuously within

associated cost restrictions


Availability denotes performing a required function over a specified period of time. high availability implies that services are continuously available to customers, with little downtime and rapid service recovery. availability of a service depends on:® Complexity of the it infrastructure components ® reliability of the components ® ability to respond quickly to faults® Quality of maintenance and support organizations

Reliability of an it service implies that the specified service is available for the required period without any interruptions or failures. the reliability of a service depends on: ® dependability of the service components ® ability of a service to operate despite failure ® Quality of maintenance to prevent service downtime


104 itSm handBooK


105itSm handBooK^

Serviceability defines the contractual obligations of external it service providers, who pledge support to outsourced services.

Maintainability and Recoverability refer to the ease with which an it service or component can be maintained or brought back to an operational state.

the Component Failure Impact Analysis (CFIA) method enables an it organization to depict the impact of each it component on various services, using an availability matrix.

CCTA Risk Analysis and Management Methodology (CRAMM) is a risk assessment and management technique that enables it organizations to evaluate risks. once the risks are identified, organizations can implement countermeasures to reduce the impacts of risk.

Mean Time to Repair (MTTR) is the sum of the time taken to detect a fault (detection time) and the time taken to resolve the fault (resolution time). in other words, mttr directly denotes the downtime of the system.

Mean Time Between Failures (MTBF) is the average time between recovery from one fault (or incident) and the occurrence of the next fault. it is a measure of the reliability of the service and denotes the uptime of the system.

Mean Time Between System Incidents (MTBSI) is the average time between the occurrence of two consecutive faults. thus, it is the sum of the mttr and mtBF metrics.

Vital Business Function (VBF) is the Customer defined key business function(s) required to enable core business delivery.

3.4.2 prOceSS

process inputs ® impact assessment reports for all business processes ® Configured and monitored data® reliability and maintainability requirements for all it infrastructure

components® data about faults from previous incident and problem records® Service levels, both desired and achieved, listed in the SLa and SLrs from the

Customer

process outputs ® availability design criteria for new and improved it services ® technology requirements for infrastructure resilience ® reports about achieved availability and reliability ® an availability plan for proactive service availability improvements

planning ® determining the availability requirements of the Customer for both existing

and new services ® Based on derived availability requirements, the it organization creates a

design plan for implementing service availability ® designing for recoverability of service so that when an it service fails, every

effort should be made to restore normal operations quickly and effectively ® evaluating key security issues to prevent unauthorized personnel from

accessing secure areas ® planning maintenance management through the implementation and

verification of preventive and remedial actions ® developing the availability plan to depict a long-term strategy for

implementing optimal service availability. internal it resources are network bandwidth, processing capacity, and disk capacity.

monitoring ® measuring the service response time for verifying service agreements,

resolving potential availability problems, and suggesting proposals for service improvements

® preparing availability reports based on the metrics derived from measuring the service response time


106 itSm handBooK


107itSm handBooK^

SO

FTW

AR

E D

EV

ELO

PE

RS

SO

FTW

AR

E M

AIN

TEN

AN

CE

US

ER

S

AVA

ILIB

ILIT

Y (S

ER

VIC

E L

EV

EL

MA

NA

GE

ME

NT)

IT S

ER

VIC

E

SE

RV

ICE

AB

ILIT

Y(U

ND

ER

PIN

NIN

G C

ON

TRA

CTS

)

IT S

YS

TEM

S

Ext

erna

l S

uppl

iers

And

M

aint

aine

rs

Inte

rnal

S

uppl

iers

And

M

aint

aine

rs

US

ER

S

IT S

ER

VIC

E

PR

OV

IDE

RIT

SY

STE

MS

RE

LIA

BIL

ITY

AN

D M

AIN

TAIN

AB

ILIT

Y(O

PE

RAT

ION

AL

LEV

EL

AG

RE

EM

EN

T)

OTH

ER

MA

INTE

NA

NC

E

HA

RD

WA

RE

SO

FTW

AR

E S

UP

PLI

ER

S

OTH

ER

S/T

ELE

CO

MS

US

ER

SU

SE

RS

US

ER

S

aVaiLaBiLity management ConCeptS


the Availability Manager is the owner of the availability management process. the availability manager’s responsibilities include: ® managing availability management in terms of time, cost, and delivery® ensuring that the delivered it services match the agreed service levels® optimizing the it infrastructure to lower service costs to customers ® monitoring it service response time for reporting to customers ® Creating a proactive availability plan to balance future availability

management needs

other responsibilities ® promoting availability management awareness and understanding within

the it service organization® auditing and reviewing each activity in the availability management process

in terms of cost and delivery® determining the availability requirements for delivering new or enhanced it

services to customers® Creating availability and recoverability design criteria to enhance it

infrastructure design

Key Skills ® good understanding of available and emerging it technologies® practical experience of various availability management activities and

techniques® good interpersonal skills for written, oral, and direct communication® Understanding of statistical, analytical, and cost management principles


with Capacity management Changes in capacity often affect the availability of a service and changes to the availability will affect the capacity. these two processes often exchange information about scenarios for upgrading or phasing out it components and about availability trends that may necessitate changes to capacity requirements. Capacity management provides availability management with the Capacity plan detailing how capacity requirements can be balanced to provide additional it infrastructure to customers.


10� itSm handBooK


10�itSm handBooK^

with incident management incident management provides availability management with information about the recovery and repair times for various incidents, in terms of their priority levels.

with problem management problem management provides availability management with information about the: ® Critical problems linked to the unavailability of an it service® Critical problems identified and resolved® availability levels recommended to avoid critical failures® Structure of availability planning and monitoring to reach required

availability levels

with Change management availability management provides Change management with information about various maintenance issues related to it components. Change management provides availability management with information about: ® how planned maintenance activities for it components are arranged ® which components and it services will be affected ® what will be the impact levels and duration of the maintenance schedule

with it Service Continuity management availability management provides availability and recovery design criteria to it Service Continuity management to quickly restore critical business functions in case of failure. it Service Continuity management provides availability management with all vital business functions dependent on it infrastructure availability.

with Configuration management Configuration management provides information about the efficiency of each it component in the it infrastructure. availability management refers to the CmdB to identify the weaknesses of the affected components (or Cis) and then rectifies them.

with Financial management availability management provides Financial management with the cost of non-availability, which is incurred due to loss of it services to customers. Financial management provides availability management with the cost of upgrades to the it infrastructure for increasing service availability levels.

with Service Level management availability management provides Service Level management with an assessment of the it infrastructure availability required to support a new service. these are used for negotiating SLas. availability management then uses these agreed SLrs as inputs that indicate the required service availability levels.


® Lack of effective measurement and reporting tools. this bottleneck can be resolved by implementing a standard set of tools and techniques for measuring each quantifiable sub-activity.

® Failure to understand business objectives of customers. to resolve this bottleneck, each availability solution should map with customer’s business needs and should be based on cost/benefit analysis.

® Lack of clearly defined roles and responsibilities for senior management. to resolve this bottleneck, a management team with appropriate functional skills and experience should be selected. additionally, clearly defined responsibilities and targets are assigned to managers.

® insufficient empowerment and coordination between managers of various itiL processes. to resolve this bottleneck, managers need to communicate activities of related processes to one another.


it organizations identify possible bottlenecks and resolve them to successfully implement availability management. an important criterion for identifying effectiveness of the process is determining and controlling quantifiable performance indicators for service availability.

the key performance indicators for the availability management process are: ® Uptime per service or group of users ® downtime duration ® rate of availability® number of failures within a specified time interval


110 itSm handBooK


the following are some of the critical success factors required for implementing the availability management process. ® Both the customer and it service organization should have quantifiable

availability objectives. ® all desired availability requirements should be specified in terms of time,

cost, duration, and performance parameters. ® the Service Level management process should provide realistic formalized

SLas for service delivery. ® Both parties should use common definition for availability and downtime.

Chapter 3.5

SecurITy MANAgeMeNT

Á

^

3.5 SeCUrity management

112 itSm handBooK


113itSm handBooK^

the following terms and concepts are integral to the Security management process.

OBJecTIve

Security management is the process that secures confidential information from unauthorized access. it provides a basic level of security to the information System, independent of the external requirements. it ensures compliance with the security requirements of the Service Level Agreements (SLAs). it also ensures that effective security measures are taken at strategic, tactical, and operational levels.

BeNeFITS

implementing the Security management process provides the following benefits for an it organization:® providing correct and complete information to relevant people when

required® maintaining standards of products and services ® ensuring continuity of the it services® enhancing the value of information systems® helping the organization meet its security-related objectives


Security is the safety of information from known and unknown risks.

Confidentiality is protecting organizational information against unauthorized access and use.

Integrity is accuracy, completeness, and timeliness of the information to the appropriate users.

Availability is the accessibility of organizational information, whenever required.

Privacy of the organizational information is maintained by allowing the information owners to restrict unauthorized users.

Verifiability is regular verification of the Security management process to ensure correct usage of information and effective implementation of security measures.

Exception Reports are the reports indicating exceptional situations in which specific security measures (in addition to the routine plans) are required.

Routine Security Plans are the plans specifying the routine security measures that need to be a part of all process implementations.

3.5.2 prOceSS

process inputs ® SLas ® policies ® external requirements

process outputs ® routine security plans ® Security policy® Updates to SLas, oLas, and UCs® exception reports

activities Based on the inputs, the Security management process can be divided into the following activities: ® planning ® implementation ® evaluation® maintenance® reporting® Controlling

plan the planning activity is done with close interaction between Security management and the Service Level management processes. this activity defines and updates the compliance requirements outlined in the security section of the SLa. the Service Level manager coordinates the interaction between the Security and Service Level management processes.


114 itSm handBooK


115itSm handBooK^

IT SERVICE PROVIDER IMPLEMENTS SLA DEMANDS ON SECURITY MANAGEMENT

REPORTS BASED ON SLA

CUSTOMER-DEFINED REQUIREMENTS

SLA/SECURITY PARAGRAPH

CONTROL

MAINTAINLearnImprovePlanImplement

EVALUATEInternal auditsExternal auditsSelf-assessmentsSecurity incidents

IMPLEMENTAwarenessClassificationSecurity staffManagement of authorization

PLANSLAsOLAsUCsPolicy

aCtiVitieS

Security measures can be physical, technical and/or procedural. these include: ® preventative – access controls, firewalls, identification, and authentication ® reductive – regular backups, testing, and maintenance of contingency plans® detection – virus detection software and network intrusion monitoring® repression – (no continuation or repetition) blocking an id after failed login

attempts – card retention after pin attempts ® Correction – restoring a backup and fallback

implement the purpose of the implementation activity is to implement all the measures specified in the plans. a checklist that lists the steps for classification and management of it resources, personnel security, managing security, and access control, can be used to support the implementation activity. the implementation results are compared against the measures specified in the security plans to assess successful implementation.

evaluate evaluation of the implemented measures is essential for assessing the implementation performance. evaluations can be through self-assessments and internal or external audits.

maintain Frequent changes in the it infrastructure and business processes might result in increased security risks in an organization. therefore, organizational security requires constant maintenance. Security maintenance includes the security section of the SLa and the security plans detailed in the oLa.

reporting reporting is an output of other activities. reports are produced to provide information about the security performance and security issues. these reports are required according to the agreements signed by the customers. Customers must be correctly informed about the security measures and the status of security incidents.

Control the Controlling activity involves the organization and management of Security management. this activity defines the security functions, organizational structure, roles and responsibilities, reporting structures, and the procedures to manage security-related incidents.


116 itSm handBooK


117itSm handBooK^


the two key roles in the Security management process are the:® Security manager: the Security manager monitors the various activities of

the Security management process.® Security officer: the Security officer is appointed to manage the security

issues at the customer end. they serve as the point of contact for the Security manager for the issues at the customer end.

the Security Manager’s responsibilities include:® monitoring the Security management process® developing and maintaining the Security plan according to the

organization’s security requirements® handling Problems and Incidents related to security® ensuring that the security demands specified in the SLa are met® generating reports containing results of progress, self-assessment, and

internal audits

the Security Officer’s responsibilities include:® acting as a mediator between the Security manager and the customer® Coordinating escalations for security incidents® managing the security measures to be implemented at the customer-end


with incident management the Security management process specifies the measures for preventing security incidents. these measures are included in the SLa. to ensure that the security incidents are promptly resolved, distinct procedures are defined by Security management for incident management to follow.

with problem management all problems that might introduce security risks must be resolved by consulting Security management. after the problem is fixed, Security management needs to verify that the solution does not introduce any security problems. the verification process is based on the security requirements defined in the SLas and internal organizational procedures.

with Configuration management Configuration management helps link the Cis with the specified security procedures. Cis are classified based on the confidentiality, integrity, and availability requirements. these requirements are defined as security requirements in the SLas. Security measures must be specified for each classification level as defined in the SLa.

with Change management all security measures associated with a Change should be implemented with the Change. also, the level of security defined for Change management has to be maintained even after the Change has been implemented.

with release management the release management process must comply with the security standards defined for the testing and acceptance phases of a release. these security standards are identified by the Security management process according to the security requirements and measures defined in the SLa.

with Service Level management the Service Level agreements specify the security requirements according to the service levels agreed with the Customers. the Security management team verifies the feasibility of these security requirements and correspondingly informs Service Level management, which then uses this information while negotiating service agreement terms with the Customers.

with Capacity management the objective of Capacity management is to align the resource levels with the organizational and customer requirements. Security management helps in assessing the security measures to be considered while making Capacity plans for meeting these resource levels.

with availability management availability management ensures uninterrupted business operations by measuring and maintaining the availability levels of it resources. Security management ensures that the required resources are available to the authorized users and adequate security levels are maintained.

with it Service Continuity management it Service Continuity management creates and maintains contingency plans for handling disasters. these contingency plans also define security requirements, determined after consultation with Security management. Security management also needs to monitor that the security measures are correctly followed while implementing the contingency plans.


11� itSm handBooK


® after ensuring the initial compliance with the security measures, the management might adopt a relaxed attitude towards security implementation.

® Some security violations might occur due to lack of awareness about the security systems.

® implementing security restricts information access and users might feel inconvenienced and threatened by the security constraints.

® Sometimes, it organizations try to implement all security measures immediately. these implementations occur because the organizations are determined to comply with all the set security measures simultaneously.

® typically, after the Security measures have been implemented, verification checks are not made to ensure that all the systems are security-compliant. when assessing the impact of any Changes, the security aspect might be ignored.

® a number of new systems, such as the internet, reduce the security management aspect and increase possible points of intrusions.


the performance of the Security management process is considered to be effective if the following elements show an increase over time: ® Security elements in SLa® Security elements supported by oLa and UCs® Security elements monitored ® Security elements reviewed® Security elements where agreed services levels are fulfilled


the aim of the Security management process is to protect important information about unauthorized access. to ensure successful implementation of the Security management process, the following factors are critical: ® total commitment from the management® User involvement in the process development ® Clarity in the division of employees’ responsibility

Chapter 3.6

IT ServIce cONTINuITy MANAgeMeNT

Á

^

3.6 SerViCe ContinUity management

120 itSm handBooK


121itSm handBooK^

the following terms and concepts are integral to the it Service Continuity management process.

OBJecTIve

the it Service Continuity management (itSCm) process enables organizations to continue to provide the pre-determined and agreed level of it Services even after a calamity or disaster, thus ensuring Business Continuity.

BeNeFITS

implementing the itSCm process provides the following benefits to it organizations:® Business Continuity: the it Service Continuity management process helps in

reducing risks to an acceptable level by developing plans for immediately restoring business activities if they are interrupted by a disaster.

® organizational credibility: the it Service Continuity management process helps develop contingency facilities to increase an organization’s credibility and reputation with customers, business partners, and users.

® infrastructure recovery: the it Service Continuity management process eases faster recovery and management of it services if any disasters or calamities occur.

® Compliance to legislative and/or insurance requirements may result in lower insurance premiums


the IT Service Continuity Management process helps in reducing risks to an acceptable level by developing plans for restoring business activities if they are interrupted by a disaster.

Business continuity ensures smooth functioning of business operations by developing plans for immediately restoring business activities if they are interrupted by a disaster.

Recovery initiation is a section in the recovery plan, which describes when and under what conditions the plan is invoked.

a Fortress approach is one where no continuity plan is required as the complete it infrastructure is redundant in case of a disaster.

Do nothing option is applicable to departments in an organization that can continue their operations without it Services.

Return to manual-paper based system option is based on the assumption that the organization has sufficient experienced personnel to handle operations in the absence of the it services or resources.

Reciprocal agreements option is applicable to two organizations having similar hardware and software requirements. in this option, an agreement is signed to provide each other the use of facilities in case of a disaster.

Gradual recovery option is applicable to an organization that can operate without it services for a fixed time period. a contract is signed with an external supplier to ensure that the it components are replaced within the specified time period.

in Intermediate recovery option similar operational environments are created at different physical locations to continue services normally after a short changeover period.

in Immediate recovery option services are rapidly recovered, normally involving hot stand by arrangements enabled by technology.

Recovery plans provide recovery options to ensure that all business activities and it services continue to function smoothly without any disruptions.

Risk Analysis helps in identifying the risks that are likely to occur in a business. this analysis provides valuable information, such as details about the it components. Cramm (CCta risk analysis and management methodology) is an example of a risk analysis technique.

3.6.2 prOceSS

process inputs ® inputs from Service Level management in the form of an SLa ® inputs from other processes, such as: ¨ availability management process ¨ Capacity management process ¨ Configuration management processes ¨ Change management process


122 itSm handBooK


123itSm handBooK^

process outputs ® recovery plan® test results® education and awareness programs

phases the it Service Continuity management process can be divided into the following phases: ® initiation® requirements and strategy® implementation® operational management

initiation phase: the primary activity in the initiation phase is determining the scope of itSCm. determining the scope involves the following sub-activities:® defining the organizational policy ® identifying the relevant areas to apply itSCm ® allocating resources® Setting up the recovery projects in the organization

requirements and Strategy phase: the objective of this phase is to identify the requirements for the itSCm process and the strategy that should be adopted to maintain business continuity:® Business impact analysis® risk assessment® it Service Continuity Strategy

implementation: the objective of this phase is to implement the itSCm strategy. the following activities help in the implementation of the itSCm strategy: ® organizational and implementation planning® preventive measures and recovery options ® developing plans and procedures

BCM INITIATION

aCtiVitieS


124 itSm handBooK


125itSm handBooK^

operational management: the objective of this phase is to train personnel and ensure effective implementation of the prevention and recovery measures. the activities in this phase are: ® training and awareness has to be created in the organization regarding the

itSCm strategy® review and audit of the recovery plans need to be done regularly to ensure

that the plans are up-to-date. ® testing the recovery plan should be in place to identify any loopholes that

might have been introduced in the plan with Changes in the it infrastructure.® Change management serves as an input to the itSCm process.

3.6.3 rOle AND reSpONSIBIlITIeS

the key roles in it Service Continuity management are the:

IT Service Continuity Manager: accountable for the end-to-end performance and deliverables of the process.

Board: the Board comprises a group of people, such as Chief operating officer, directors, and Chief executive officer. the Board officiating members define the organizational policies and strategies.

Senior Management: the Senior management of an organization includes personnel, such as Business Unit managers and regional managers. they manage business processes and set departmental targets.

Management: personnel, such as department heads and project managers are a part of management. these people are involved in defining client deliverables, analyzing risks, and preparing contracts with the Customers, Users, and Suppliers. team Leaders and team members: they are the key people involved in developing project deliverables and implementing procedures.

the responsibilities of the Board include: ® managing crises, thus, controlling any further impact of the disaster ® taking timely decisions that are critical for business continuity. For example,

identifying the right time for executing the recovery plan

the responsibilities of the Senior Management include:® Coordinating the execution of the recovery plan ® managing the personnel and managers involved in the execution of the plan® resolving any conflicts that might arise during the execution of the plan® providing funds, personnel, and resources required to execute the recovery

plan

the responsibilities of the Management include:® initiating the activities to be performed while executing the plan ® Leading the teams, allocating their responsibilities, and specifying clear

guidelines for carrying out the plans® reporting on the progress of the execution of the plan to the Senior

management

the responsibilities of the Team Leaders and Team Members include:® executing the activities mentioned in the recovery plan® reporting the issues faced during the execution of the recovery plan® providing implementation-level details for formulating future plans


with Service Level management itSCm specifies the time and resources required to resume services in case of a disaster. Service Level management uses this information while negotiating SLa terms with the Customers. these requirements are included in the SLa. itSCm is responsible for the agreed turnaround times and restoring the services to the Customer according to the SLas.

with availability management availability management specifies risk reduction measures, such as high quality level of it components and resilience measures. high availability measures reduce vulnerability to threats and reduce risks. therefore, itSCm requires less recovery planning. it identifies the resource levels that are required to ensure business continuity in case of a disaster.

with Configuration management Configuration management defines the minimum configuration and it infrastructure components necessary for restoring services after a disaster. itSCm defines the resources that underline the continuity of the business services.


126 itSm handBooK


127itSm handBooK^

with Capacity management Capacity management determines the minimum Capacity needed to continue business operations after a disaster. it also determines the capacity requirements for the recovery options. itSCm provides information to Capacity management about the capacity requirements and the service levels that need to be maintained.

with Change management all Changes must be communicated to itSCm so that it can assess the potential impact of these Changes on the recovery plan. the recovery plan needs to be modified and retested if the Change will affect the business services. itSCm communicates the Changes to Change management. this helps Change management in implementing changes to ensure business continuity.

with Security managementSecurity management provides information about the minimum-security requirements to be implemented while setting up the recovery plan. itSCm includes these security requirements in the plan. then it tests the plans to verify that the requirements are met and that the plan conforms to the security guidelines.


® the management and process implementers are not always totally committed to the process.

® the it department does not always communicate the implementation of the plan to the management.

® the personnel are not always aware of the importance of itSCm.® the required resource capacity might not be provided.® the organization might fail to recognize the need to budget for the process

activities and expenditure. thus, it might fail to allocate finances necessary to meet the costs arising out of the process.

® it is possible that the recovery facilities, such as backups are not tested regularly.

® Sometimes, the business management might have unrealistic expectations from the process and expect instantaneous restoration of services after process implementation.

® organization might face damages that are immeasurable.


the following key performance indicators help assess the effectiveness of the itSCm process. ® number of shortcomings identified in the recovery plan ® Cost to the company because of the loss in the business, if the recovery plan

had not been executed ® Cost incurred in terms of time, resources, and money to restore it services

after a disaster ® test results


the critical success factors for itSCm are: ® Cooperation and commitment within the organization to create and execute

the recovery plan ® effective installation and backup tools, such as tapes, Cds and zip drives to

transfer business-critical information from disaster site to the recovery site ® effective implementation of the Configuration management process® training on procedures for executing the recovery plan ® Unexpected testing of the recovery plan

ITIL HandBook

Documents

Transcript of ITIL HandBook