SERVICE STRATEGY
Service
strategy shows organisations how to transform service management from an
organisational capability into a strategic asset, and to then think and act in
a strategic manner.
Service
strategy helps clarify the relationships between various services, systems or
processes and the business models, strategies or objectives they support.
The Objectives of Service
Strategy
Service
strategy shows organisations how to transform service management from an
organisational capability into a strategic asset, and to then think and act in
a strategic manner.
Service
strategy helps clarify the relationships between various services, systems or
processes and the business models, strategies or objectives they support.
Other objectives include:
- Provide business stakeholder
value
-Differentiate the organisation
-Make solid cases for investment
-Resolve conflicting demands for services
- Improve service quality by
strategic planning
Value to the
Organisation/Business of Service Strategy
-Provides guidance on how to design, and put
in place service management as a strategic asset
- Sets the principles for
developing service management policies, guidelines and processes across the
service lifecycle
-Sets objectives and expectations of
performance towards serving customers and market spaces
- Identifies and prioritises
opportunities
-Ensures that organisations can manage the
costs and risks associated with their service portfolios
-Asks questions and plans a strategy for how
to do something before progressing
The Service
Strategy volume provides guidance on how to design, develop, and implement
service management not only as an organizational capability but also as a
strategic asset. Guidance is provided on the principles underpinning the
practice of service management that are useful for developing service
management policies, guidelines and processes across the ITIL Service
Lifecycle. Service Strategy guidance is useful in the context of Service
Design, Service Transition, Service Operation, and Continual Service
Improvement. Topics covered in Service Strategy include the development of
markets, internal and external, service assets, Service Catalogue, and
implementation of strategy through the Service Lifecycle. Financial Management,
Service Portfolio Management, Organizational Development, and Strategic Risks
are among other major topics. Organizations use the guidance to set objectives
and expectations of performance towards serving customers and market spaces,
and to identify, select, and prioritize opportunities. Service Strategy is
about ensuring that organizations are in a position to handle the costs and
risks associated with their Service Portfolios, and are set up not just for
operational effectiveness but also for distinctive performance. Decisions made
with respect to Service Strategy have far-reaching consequences including those
with delayed effect.
Organizations
already practising ITIL may use this publication to guide a strategic review of
their ITIL-based service management capabilities and to improve the alignment
between those capabilities and their business strategies. This volume of ITIL
encourages readers to stop and think about why something is to be done before
thinking of how. Answers to the first type of questions are closer to the customer’s
business. Service Strategy expands the scope of the ITIL framework beyond the
traditional audience of IT Service Management professionals.
The Following Processes are part of the ITIL
Stage Service Strategy:
Strategy Management for IT
Services
Process
Objective: To assess the service provider’s offerings, capabilities,
competitors as well as current and potential market spaces in order to develop
a strategy to serve customers. Once the strategy has been defined, Strategy
Management for IT Services is also responsible for ensuring the implementation
of the strategy.
Service Portfolio Management
Process
Objective: To manage the service portfolio. Service Portfolio Management
ensures that the service provider has the right mix of services to meet
required business outcomes at an appropriate level of investment.
Demand Management
Process
Objective: To understand, anticipate and influence customer demand for
services. Demand Management works with Capacity Management to ensure that the
service provider has sufficient capacity to meet the required demand.
Financial Management for IT
Services
Process
Objective: To manage the service provider’s budgeting, accounting and charging
requirements.
Business Relationship
Management
Process
Objective: To maintain a positive relationship with customers.
Business Relationship Management identifies the needs of existing and potential
customers and ensures that appropriate services are developed to meet those
needs.
1. STRATEGY GENERATİON
For
positive results, service provider needs to plan his services strategically. A
good service strategy defines a unique approach for delivering better value.
Service Strategy Manager is the
process owner of this process.
For long term success the service provider has to be able to think and
act strategically. According to ITIL the service straregy proces incorporates
four incorporates four fundamental activities:
·
Defining the market
·
Developing offerings
·
Developing strategic assets
·
Measuring and Preparation for implementation of strategy
Defining the
market
It is necessary to take survey of services available in the market. It
gives a clear perspective of cost and quality of services already present and
what new service can be offered in competitive environment.
Developing offerings
In this service
provider develops a portfolio which contain all the services that are visible
and available for the customer. Service portfolio is developed in order to
represent all binding service investments towards the market.
Developing
strategic assets
It deals with
buying new technologies, resources and capabilities to offer law-cost and
high-value service to the customer.
Measuring
and Preparation for implementation of strategy
In order to
measure success or failure of the strategy, all critical success factors are
measured. Also the completion in the market is observed and priorities are
adjusted accordingly.
2. DEMAND MANAGEMENT
Demand Management is very important and critical process in service strategy. It
helps to understand customer demand for services so that appropriate capacity
can be provisioned to meet those demands.
According to ITIL, the purpose of demand
management is to understand, anticipate, and influence customer demand for
services. As a process, it is part of the ITIL service strategy stage of the ITIL
lifecycle. Service strategy determines which services to offer to prospective
customers or markets. The decisions that are made in the service strategy stage
affect the service catalog, the business processes, the service desk, the
required capacity, and the financial requirements of the service provider.
As part of the service strategy stage, demand management rationalizes and optimizes the use of IT resources. It ensures that the amount of technical and human resources that has been budgeted matches the expected demand for the service. If the prediction is too low, the agreed-upon service levels may not be delivered. If the predictions are too high, resources will have been allocated to a service that will not be used (or paid for). Demand management bridges the gap between service design, capacity management, and business relationship management to ensure that the predictions are accurate.
Demand management is a process within ITIL that is more supportive of other processes than a self-contained process. Unlike incident management, for example, the activities inside demand management are not visible to the customer. When service demand is not properly balanced, it affects nearly every part of the ITIL lifecycle.
As part of the service strategy stage, demand management rationalizes and optimizes the use of IT resources. It ensures that the amount of technical and human resources that has been budgeted matches the expected demand for the service. If the prediction is too low, the agreed-upon service levels may not be delivered. If the predictions are too high, resources will have been allocated to a service that will not be used (or paid for). Demand management bridges the gap between service design, capacity management, and business relationship management to ensure that the predictions are accurate.
Demand management is a process within ITIL that is more supportive of other processes than a self-contained process. Unlike incident management, for example, the activities inside demand management are not visible to the customer. When service demand is not properly balanced, it affects nearly every part of the ITIL lifecycle.
Demand Management Objectives and
Activities
The purpose of demand management
is to detect and influence the demand that customers have on IT services.
This process involves three main actions:
·
Analyzing current
customer usage of IT services: The easiest way
to do this is to analyze service desk data regarding incidents, requests, and
problems. Network usage and uptime can be measured via a service dashboard,
such as the kind used in a network operations center (NOC) environment.
·
Anticipating future customer
demands for IT services: Here, the
business relationship manager comes into play. He or she may speak with the
customer directly about forecasted needs, will analyze trends in usage or
tickets, and will make educated projections about future usage based on similar
customers trends.
·
Influencing consumption as
necessary by financial or technical means:
For example, if a customer uses more service than anticipated in the SLA, a
service provider may charge fees for the excessive consumption to offset the
costs of the unforeseen demand. Demand management also makes sure that the
appropriate costs are included in the service design.
3. SERVİCE PORTFOLİO
MANAGEMENT
What is Service Portfolio
Management from an ITIL perspective?
A Service Portfolio describes
the services of a provider (internal, outsourced etc) in terms of value to the
business.
It is an ever changing method used to manage
investments in Service Management across
the organization, in terms of financial values. Service Portfolio Management (SPM) enables Managers to assess the
quality requirements and associated costs.
The primary goal of SPM is to
realize maximum value whilst managing accompanying risks and costs.
So how can
SPM help when decide what services clients require? There are 5 basic
questions that need to be answered:
§ Why
should a client buy these services?
§ Why
should a client buy these services from our organization?
§ What
are the price and charge back models?
§ What
are our strengths and weakness, priorities and risks?
§ How
should our resources and capabilities be allocated?
Product
Managers play a key role in Service Portfolio Management. Their main
responsibility is to manage services as products during their entire
lifecycle. Other roles include the co-ordination and focus of the
organization as well as owning the Service Catalogue.
The Service Portfolio covers 3 subsets:
§ Service
Pipeline-The service pipeline represents the strategic outlook that you, the
service provider, should take. Services begin their lifecycle in the service
pipeline, starting with the strategic assessment of the marketplace and/or
customers to be served. The pipeline includes the services that have
been requested and are currently being evaluated. Here, you
identify the requirements of the requested services. You then define and
analyze the services based on a number of factors, including cost, risk,
and expected business value. Based on the analysis, you either approve or reject
requested services. Approved services proceed from the service pipeline to the
service catalog. Service pipeline processes are defined in the ITIL V3 Service
Strategy book.
§ Service
Catalog-The service catalog is the subset of the service portfolio that is
visible to customers. The service catalog includes all services that have been
approved and are either in development or currently deployed.Services include
outsourced, co-sourced, and managed services. ITIL V3 defines several
attributes to be maintained by the service catalog for each service, such as
the following:
v
Service description
v
Policies
v SLAs
v
Ordering and request procedures
v
Support terms and conditions
v
Pricing and chargeback
Here, you assess the feasibility of the services that
come into the service catalog from the service pipeline, and either charter or
reject them. Chartered services move to the design and development phases.
Developed services are then built, tested, released, and deployed. At this
point, services become operational, and you engage resources to support them.The service
catalog is used to develop requestable services that customers can purchase and
consume. A mature service catalog is a very powerful tool for decision making.
By analyzing the demand and fulfillment capabilities a service provides, a
service portfolio management approach can
assist you in
making decisions to expand a service or the marketplace to serve to meet future
demands.
§ Retired
Services – It is necessary to review the service portfolio periodically to determine
whether any services should be retired. Services targeted for retirement may
include those that are no longer needed by the business, those that have been
superseded by other services, and those that are no longer
cost-effective.Retire these services and identify them as “retired” in the
service portfolio.
Finally, Service Portfolio provides input for refreshing services in the Service Catologue.
Implementing and Leveraging the
Service Portfolio
Solutions can
facilitate the implementation and management of the service portfolio. For
example, some include an automatic discovery capability that initially
populates the CMDB and keeps it updated with changes. This ensures that your
service catalog is always providing up-to-date information about available
services. Solutions can be used to implement a business service catalog as well
a technical service catalog and can provide tools to manage them. Gaining
Control of Development Projects.Project portfolio management solutions leverage
information in the service portfolio to permit more effective planning and management
of service development projects. They can help you in a number of
importantareas, including the following:
v Project portfolio
business value and risk analysis
v Project portfolio
prioritization
v Project management with
customizable processes and workflow
v Project financials
management
v Program management
These
solutions give you increased visibility into development projects across the
enterprise. With this visibility, you can determine the most valuable projects
to pursue, and you can execute those projects as efficiently as possible.
In addition, you can make more accurate budget forecasts and build
collaborative relationships with IT clients. As a result, you will achieve the
optimum balance between market needs and your agility and ability to respond,
and ultimately, can determine the Return on Investment (ROI) or Return on Value
(ROV) of your projects.Automating Service Request Management. A major problem
faced by many IT departments is that users do not know what services are available
to them, let alone the details of those services, such as how to order them and
what they cost. Typically, users contact the service desk to obtain this
information, adding to an already high service desk workload.
Once users determine the services they want, they also
havea difficult time procuring them, often because they need to deal with
several different sources to complete a single business service. For example, a
manager onboarding a new employee may have to deal with several departments to
provision the employee with a furnished office, including computer equipment.
After requesting services, the manager has to track delivery status across the
multiple departments involved.Automated service request management systems can
leverage the service catalog to provide automated service request management
and fulfillment. The user consults an online service catalog to determine what
services are available. The catalog contains all the information the user needs
to know to order a service, such as service description,terms and conditions of
use, performance and availability, warranties, price, and request procedure. A
well-designed system displays only those services that the user is authorized
to request, based on his or herrole.The user
selects the service and enters the required information into the online service
request form. The service request management system automatically triggers the
required actions to process and fulfill the request. The system tracks the
progress of each task and notifies the user when fulfillment has been
successfully completed. In addition, the user can determine the status of a
request at any time by consulting the system.It’scommon knowledge that
20 percent of all the services provide 80 percent of all the value and
work effort. By automating these high-intensity services, you can create a very
strong ROI. Automated service request management makes it easy for users
to request a service. In addition, it incorporates best practices to help IT
process requests in a timely manner, reducing service desk workload and
enforcing company policies and standards. Extending Beyond IT Services Once you
have put in place a strong IT service portfolio management capability, you can
extend it beyond the management of IT services. This gives you the ability to
apply service portfolio management principles and processes to other services
that the enterprise provides and consumes, both internally and externally.
4.
ITIL FINANCIAL MANAGEMENT
It is
important to spend money wisely. Financial Management is a strategic tool that
is relevant to all three service provider types. Increasingly, internal service
providers are asked to operate with the same levels of financial visibility and
accountability as their external counterparts. In the case of external service
providers, the innovative provision of technology is the core revenue
generating capability of their company.
Financial
Management allows an organisation to understand the worth of their IT services
in financial terms. It will also aid the understanding of the value of the
assets provisioning those services and allows us to set realistic budgets. The
key thing is to be able to attribute a value to the services being offered.
This will cause a change in perception of IT and its value to the business.
As part of
Financial Management we should be asking questions such as:
Which
services cost us most to deliver and why?
What services
are we offering, what is the demand for these services and how much does it
cost us to provide them?
How efficient
is the way we deliver service compared with the alternatives?
Where are our
greatest service inefficiencies?
Which areas
represent the highest priority opportunities for us to focus on in terms of
Continual Service Improvement?
And after
applying ITIL based financial management, both the client and the service
provider aims to have the following capabilities:
* Enhanced
decision making
* Speed of change
* Service portfolio management
* Financial compliance and control
* Operational control
* Value capture and creation
* Speed of change
* Service portfolio management
* Financial compliance and control
* Operational control
* Value capture and creation
The Business Case
For each and
every service offered there should be adequate business justification. A good
business case will consider both qualitative and quantitative dimensions. In
the case of the latter financial analysis is often key. A business case may
take many forms but broadly speaking all will include objectives and impact and
will take the following form:
An introduction
This serves
to present the objectives addressed by the service. What is the proposal about
and what do we hope to achieve?
Methods and assumptions
It is
important to state any assumptions so that these may be compared later against
reality. If there is a variance then this may identify why the expected outcome
did not materialise. It is also important to document methods. These may help
to identify scope, time periods and costs which will help with the evaluation.
The likely beneficiary will also need to be identified.
The business impact.
This is where
the beneficial outcomes, both financial and non-Âfinancial are identified.
Clearly a commercial service provider will mostly be concerned with
profitability of service whereas the not for profit organisation may propose a
business case which focuses on altruism. Nevertheless both providers will need
to show a degree of financial and organisational performance.
Risks and contingencies
The
identification of possible alternate outcomes which might be experienced and
the identification of ways of reducing the likelihood or accommodation of the
outcome if it occurs.
SERVICE DESİGN
Provides a blueprint for the services. It not only includes designing of
new service but also devises changes and improvements to existing ones.It also
let the service provider know how the design capabilities for service
management can be developed and acquired.
It is necessary for services to be adaptable to changing business
requirements on dynamic basis. For this a balance must be maintained between
following three factors:
·
Functionality with the required quality.
·
Resources i.e. staff, technologies, and available finances.
·
Timetable
Service Design focuses on the following aspects:
·
IT Services designed to meet business objectives.
·
Services designed to be both fit for purpose and fit for use.
·
Cost of ownership planed to achieve return on investment.
·
Balanced functionality, cost and performance.
·
IT services more stable and more predictable.
·
Potential risk mitigated, so the IT service is protected from security
threats.
·
Design technology architectures, management architectures, and system
management tools.
·
Design of the measurement systems, methods, and metrics for services,
processes, architectures and underlying components.
·
Design of the service solution including all agreed functional
requirements, resources and capabilities.
1. SUPPLIER MANAGEMENT
Supplier
Management ensures that external services and configuration items, which are
necessary for the service delivery, are available as requested and as agreed at
the service level.
Supplier
Management is responsible for consolidating requirements for external services
and supplies, scanning the market for providers, negotiating with a chosen
supplier, and for the contracting and monitoring of external services and
service providers. Management of supplier relationships and supplier performance
are additional tasks. Supplier Management is also responsible for establishing
and updating the basic supplier framework, which is a Supplier Strategy and
Supplier Policies.
Supplier
Management is triggered from the Service Portfolio Management whenever a new
supplier is necessary.
Supplier
Management in
ITIL
V3: part of Service Design
COBIT:
part of Acquire and Implement
ISO/IEC
20000: Supplier Management
In ITIL V3, Supplier Management is part of the Service Design process to allow for a better integration into the Service Lifecycle - Supplier
Management was covered within "ICT Infrastructure Management" in the
previous ITIL version.
ITIL Supplier Management
Following the introduction of Design Coordination
in ITIL 2011 the information flows have been adapted slightly. The process overview of ITIL Supplier Management (.JPG) is
showing the most important interfaces (see Figure 1).
All suppliers and contracts are managed through
the Supplier and Contract Management Information System (SCMIS), which in
ITIL V3 was known as the Supplier & Contract Database (SCD).
2. SERVİCE CATALOG MANAGEMENT
Service Catalogue Management was added as a new
process in ITIL V3.
In the previous ITIL version, the Service Level
Management process mentioned the concept of a Service Catalogue.
ITIL V3 takes this concept further, introducing a
dedicated process to ensure that the Service Catalogue is up-to-date and
contains reliable information.
A clear distinction exists between Business Services
in the Service Catalogue (services visible to the customer, defined
by SLAs) and Supporting Services (services visible only inside the IT
organization, defined by OLAs orUCs).
In ITIL 2011 the process
interfaces have been adapted slightly following the introduction of the Design Coordination process. The process overview of Service Catalogue Management (.JPG) is
showing the most important interfaces (see Figure 1).
Each service in the catalogue contains the following elements:
·
A identification label for the service
·
Description of services
·
Related service request types
·
Any supporting or underpinning services
·
Service categorization or type that allows it to be grouped with other
similar services
·
Interfaces and dependencies between all services, and supporting
components and configuration items (CIs) within the service catalogue and the
CMS
·
Clear ownership of and accountability for the service
·
Associated costs
·
How to request the service and how its delivery is fulfilled
·
Escalation points and key contracts
·
Service level agreement (SLA) data
3. INFORMATION SECURITY
MANAGEMENT
Description/Summary
Information Security Management
deals with the implementation and monitoring of a predefined security level for
the IT environment. In particular, it addresses areas such confidentiality,
integrity and availability. Risk analysis, as the starting point, helps to
define the customer requirements on a security level. An internal, minimal
security requirement is named IT basic protection. Additional security
requirements of the customer are to be defined on an individual basis.
Objectives
To introduce and maintain a
required level of security, as defined by law, contracts or other agreements.
Information Security Management
contributes to an integrated Service Management approach by achieving the
following activities:
·
Identifying and defining the
internal and external security requirements
·
Planning of security
procedures
·
Creating a security chapter
in the SLA and Service Description
·
Managing the implementation
of security actions
·
Evaluating the security
procedures and security measures
·
Security Reporting
·
Security Improvement
·
Roles &Functions
Security Management specific roles
Static Process Roles
Security Process Owner
Initiator of the process, accountable for
defining the process strategic goals and allocating all required process
resources. See Continual Process
Improvement Management for a detailed description of these
activities.
Security Process Manager (Security Manager)
IT Security Management Process is
controlled by the Security Manager. The Security Manager can delegate tasks to
specialized staff. Should it be necessary to use external staff, an approval of
the budget by the responsible person is required.
IT Security Management Team
Team in Security Management
perform mandatory tasks for the Security Manager.
Dynamic Process Roles
Security Auditor
Security Auditor is providing the
verification of security policies, processes and tools. Auditor should be
altering an external and internal resource to provide independent and reliable
audit.
Service Specific Roles
Roles depending on the affected
service are found in the Service Description. The Service Description,
including the service specific roles, is delivered from the Service Portfolio Management.
·
Service Expert/Service
Specialist:
·
Service Owner:
·
Service User:
Customer Specific Roles
Roles depending on the affected
customer(s) are found in the Service Level Agreement. The Service Level
Agreement for the customer specific roles is maintained by the Service Level
Agreement Management.
Customer(s)
Customers of the affected service
with a valid SLA
Information artifacts
Security Policy
The process depends on general
security rules. Moreover, this process is responsible for the permanent
improvement and adjustment of general security policies and rules.
Security Design Record
·
Security Design ID
·
Security Design Requester
·
Security Design Description
·
Security Design Agent
·
Security Design Owner
·
Service: The Service which
has to be (re)designed
·
Service Integrity
·
Service Confidentiality
Security Transition Record
·
Security Transaction ID
·
Security Transition
Requester
·
Security Transition
Description
·
Security Transition Agent
·
Security Transition Owner
·
Service: Services affected
by the Change
·
Configuration Items: CI
affected by the Change
Security Verification record
·
Security Verification ID
·
Security Verification
Requester
·
Security Verification
Description
·
Security Verification Agent
·
Security Verification Owner
·
Security Verification
Auditor
·
Service: Services affected
by the Security Audit
·
Configuration Items: CI
affected by the Security Audit
·
Customer: Customer affected
by the Security Audit
·
User: User affected by the
Security Audit
·
Expert/Specialists:
Expert/Specialists affected by the Security Audit
Key Concepts
Availability
Information and the service must
be accessible to authorised users.
Integrity
Information must not be modified
by unauthorized users. Following levels of integrity are possible:
·
0: it can not be proven if
integrity was violated
·
1: it can be proven if
integrity was violated
·
2: it can be proved if
integrity was violated and the violation can be reversed
Confidentiality
Information must not be accessible
by unauthorized users. Following levels of confidentiality are possible:
·
public: information is
available for all
·
confidential: information is
available for authorised personnel only and assigned external partners
·
confidential - for intern
use only: information is available for authorised personnel only
·
top secret: information is
available for senior management only
The Confidentiality Levels can be
expanded or adjusted.
Authentication
Verification of identity of a user
or information.
Authorization
Methods and tools used to decide
if user or information is allowed to have access other devices or sources of
information.
Severity Breach Levels
Severity levels here indicate the
importance of an optimization proposal or security incident. The following
levels can be defined as:
Critical
The level "critical"
needs to be implemented, including changes, as soon as possible.
High
The level "high" needs
to be implemented, including changes, within next 2 days.
Low
The level "low" needs to
be implemented, including changes, within next 7 days.
Process
Critical Success Factors
Critical Success Factors (CSF) define a limited amount of factors
which influence the success of a process. For Security Management,
the following factors can be defined as CSF:
·
Right dimension of security,
by avoiding too strict or too lax security
·
Management support for
security issues
·
Security awareness in the
company
·
Definition of
responsibilities between security implementation and security control
activities and roles
Security Manager must review the CSFs and must define and implement measures to
fulfill the process success.
Security Policy
High Level Process Flow Chart
This chart illustrates the
Security Policy Creation and Control
Performance
Indicators (KPI)
·
Number of changes to Security policy
·
Number of awareness programs
Process
Trigger
Event
Trigger
·
The process is is not time triggered
Time Trigger
·
Security Policy is activated periodically
Process
Specific Rules
·
Each Change to the Security Policy has to be documented
·
Each Change to the Security Policy has to be published
Process
Activities
Security
Policy Definition
Security Policy Definition is
dealing with definition of
·
Basic security rules collected in a Security Policy
Basic Security rules define the
Security vision, organization and are business strategy aligned. Main
orientation rule is the balance between high security standard for internal IT
services, services provided and external supplied services and required
services and good commercial “value for money” proposition.
Activity Specific Rules
·
Security Manager is set to the person who is responsible for security process
·
Security Process Owner Manager is set to the person who is accountable
for security process
·
The Security Policy is created or updated
·
add new Rules
·
modify existing rules
·
delete unnecessary rules
·
The Security Policy is signed by the Senior Management and published
Security
Policy Controlling
Security Policy Implementation and
Monitoring is responsible for the implementation, communication, monitoring and
update of security rules and policies.
Activity Specific Rules
·
Communicate Security Policy
·
Check for new Security Threats
·
trigger Security Policy update when necessary
·
Assure that staff understands and the rules by auditing and teaching
staff
Security
Design Assistance
Sub process Design in
Security Management is responsible for the initial planing or planning of
optimizations of the security process. If a change proposal on security process
is classified the change needs to be planned as well. This is performed by an
expert out of the responsible expert group in coordination with a member of the
IT security staff. This sub process is triggered by Service Design. After the
activity is finished, the status needs to be changed to planned.
The Process owner is the Security
Manager. The Process agent is an expert assigned by "Security
Staff".
High Level
Process Flow Chart
This chart illustrates the Security
Management Design process and its activities
Performance
Indicators (KPI)
·
Number of new Security Design Assistance Requests
·
Number of "approved - successful" and "approved -
unsuccessful" Security Design Assistance Requests
·
Ratio of "approved - successful" and "approved -
unsuccessful" Security Design Assistance Requests
Process Trigger
Event
Trigger
·
The process is initiated by the Change Management.
Time Trigger
·
Security Design Assistance is not time triggered
Process
Specific Rules
·
Each Security Design assistance Request must be recorded
·
The Security Design Agent has to document the request and result of the
design request
·
The Security Design Owner has to control the Agent
·
The Security Design Agent has to coordinate his work with other Design
Agents
·
The Security Design Requester has to be informed
Process
Activities
Design of
Security Part in Service Design Package
Within this activity, the security
section of the service design package is designed. This includes information on
accessibility, security actions and measures, relevant passwords and policies
etc.
Activity Specific Rules
·
set the Security Design Owner to a member of the IT security Management
Staff
·
set the Security Design Agent to a member of the Service Expert or
Specialist Group
·
Design Security according to the Security Requirements and the Security
Policy
·
coordinate Security Design package with the activity "Service
Design" and other relevant Service Designer
·
document in the Service Design package and fill out the Security Design
Record
·
go to control activity "designed^"
Approval of
Security Design Package
With this activity, the Security
Manager approves the Security Design Package.
·
Security Design Package is finally neglected
·
Approval of the Security Design Package is temporarily refused and
returned to the security expert for the improvement or optimization
·
Security Design Package is accepted.
Activity Specific Rules
·
set the Security Design Agent to Security Manager
·
Approval the Security Design Package and the documentation in the
Security Design Record
·
If approval is posit iv go to control activity "approved -
successful"
·
else
·
go to control activity "new" for a redesign of the Security
Design Package
·
or "approved - unsuccessful" for final abortion
Security
Transition Assistance
This activity, in cooperation
with Change Management, supports the implementation and testing of
security improvements by designing, testing, implementing and then testing the
implementation again. These actions are headed by Change Management.
If a security improvement proposal
is authorized and approved by Change Management, all action's
functional descriptions and implementation procedures, which are described in
the improvement proposal need to be detailed, tested and approved in
cooperation with theChange Management. Afterwords the implementation
should be assisted to provide help in case emergency or implementation issues.
A final PIR, conducted together
with Change Management also includes testing.
High Level
Process Flow Chart
This chart illustrates the
Security Transition Assistance process and its
Performance
Indicators (KPI)
·
Number of Security Transition Assistance Request
·
throughput time (min/average/max) for a Transition Assistance Request
until "assisted - closed"
Process
Trigger
Event
Trigger
·
Process is triggered by different activities in the Change Management.
Time Trigger
·
Security Transition Assistance is not time triggered
Process
Specific Rules
·
Each Security Transition Assistance Request must be recorded
·
The Security Transition Agent has to document the request and result of
the design request
·
The Security Transition Owner has to control the Agent
·
The Security Transition Agent has to coordinate his work with other
Transition Agents
·
The Security Transition Requester from the Change Management has to be
updated
Process
Activities
Creation
Risk Analysis and Feasibility Study
If a Security Transition Assistance
is requested by Change Management the following 2 documents need to be defined:
·
Feasibility Study
·
Risk Analysis
Following aspects need to be
addressed within a Feasibility Study:
·
Feasibility of proposal
·
Risk of implementation
·
Risk of neglecting proposal
·
Costs
A Feasibility Study is based on
high level planning and should not address detailed planning because of the
possibility that the proposed change will not be accepted. Detailed planning of
the Change is part of the activity "Build - Implement - Test - Assistance
" after the Change has been authorized.
A Feasibility Study is provided by
an expert or specialist of the address service. Eventually additional
requirements provided by other processes, such as Financial,
Availability orCapacity Management will also need to be
reviewed.
After the responsible expert
finishes their contribution to the planning of the security actions, the status
needs to be set on planned design package
Activity Specific Rules
·
set the "Security Transition Owner" to a member of the IT
Security Management Staff
·
set the "Security Transition Agent" to a member of the Service
Expert or Specialist Group
·
Create a Security Feasibility Study & Risk Analysis according to the
Change Requirements and the Security Policy
·
coordinate Creation of the Security Feasibility Study & Risk
Analysis package with others
·
document in the Security Feasibility Study & Risk Analysis Document
as well as in the Security Transition Record
·
go to control activity "created^"
Build - Test
- Implement - Assistance
If a security change is approved
for implementation, Change Management will request assistance
from Security Management, who in turn may request assistence from
the sub-process Build, Test, Implement and Assistance.
This activity provides the
following information:
·
A detailed definition of implementation instructions
·
A detailed definition of test procedures and documents
·
Support during implementation
·
Approval of the implementation
Within the change plan the order
and time line of actions need to be described. Testing documentation must
address the test design and ensure the effectiveness of the test.
The Test has to be executed before
the live Change takes place and is split up into two main test areas:
·
1. Test of the implementation - "Does the provided document
describe the right implementation actions in the right implementation
order?"
·
2. Test the functionality of the new service in the test-system -
"Does the system perform the functions defined in Change?". This test
is performed according to the defined testing documentation. The result has to
be documented an the Change Management has to be informed.
Implementation activities are
fulfilled and lead by Change Management. Security
Management only assists and supports with regards to the security
aspects and functions.
Activity Specific Rules
·
support creation of the implementation plan including fallback plan
·
support creation of the test plan
·
support test of the implementation plan including fallback plan
·
support implementation
·
document activities and Test results
·
coordinate work with Change Management
·
go to control activity "assisted"
Evaluation
and Closure Assistance
In coordination with the Post
Implementation Review of the Change, Security Managment helps to test the
implementation from the security point of view. In cases of a failed tests,
the Change Management has to decide if the fallback plan has
to be executed or the implementation can be accepted despite any issues in
testing.
Activity Specific Rules
·
support Post Implementation Review and tests
·
consult Change Managment about Fallback Execution
·
support fallback implementation if nessecary
·
document Activities and Security Test results & Fallback
Implementation
·
go to control activity "assisted - closed"
Security
Verification
This activity is performed by
the Security Manager. The target of the activity is to verify, if
implemented, that security optimization fulfills the planned results -
Verification uses the "Four-Eye Principle".
If actions do not provide the
results planned, the status can be set to re-designed. Planning
activity needs to be started again. If it is decided that a security
improvement action is not approved, then the status should be set to cancelled.
If the Security Management approved that decision, the status
is being set to OK. In the perspective of Security
Management, these actions are approved and can be implemented once
the Change Management has authorized the actions.
High Level
Process Flow Chart
This chart illustrates the Security
Management Verification process and its activities
Performance
Indicators (KPI)
·
Number of security incidents per audit by breach level
·
Number of external security audits
·
Number of internal security audits
·
Top Ten services with the most security incidents
Process
Trigger
Event
Trigger
·
Any request for a Security Audit
·
from any Process Manager or Process Owner
·
from any Service Owner
·
from Senior Management
·
from Customer and Customer Owner (Account Manager)
Time Trigger
·
Security Audits are often time triggered and processed on regular base.
Regular Security Audits are defined in
·
Security Policy
·
the Process Description
·
the Service Description
·
Servie Level Agreements (SLA)
·
Operational Level Agreements (OLA)
·
Underpinning Contracts
Process
Specific Rules
Process
Activities
Planning of
Verification Activities
This activity plans the audit
activities. Issues to be addressed by the planning:
·
Which services need to be audited regrading security issues?
This depends on the number of
security incidents and the severity of security incidents per service as well
as the importance of a service.
·
What is the scope of the audit?
What is the extend of the audit:
full audit or just the check of few indicators?
·
Auditing method?
Audit to be fulfilled by checks,
real life tests or just an questionnaire?
·
How often is the audit needed?
This depends on the number of
security incidents and the severity of security incidents per service as well
as the importance of a service and how exposed a service is to external and
internal threads.
·
Who is performing the audits?
Auditors need to be alternated
often to assure that the auditor is independent, not influenced by options or
customer relationship and by the will to keep the auditing contract.
Result of this activity is a audit
plan, that need to be communicated.
Activity Specific Rules
·
set Security Verification Agent to member of IT Security Management
Staff
·
set Security Verification Owner to Security Manager
·
set Security Verification Requester
·
create Security Verification Description
·
select Security Verification Auditor according to the Security Policy
·
document Service affected by the Security Audit
·
document Configuration Items affected by the Security Audit
·
document Customer affected by the Security Audit
·
document User affected by the Security Audit
·
document Expert/Specialists affected by the Security Audit
·
create audit plan
·
go to control activity "planed"
Performing
Verification Activities
Based on an audit plan, the audit
is performed by the Security Verification Auditor
Activity Specific Rules
·
set Security Verification Agent to Security Verification Auditor
·
set Security Verification Owner to Security Manager
·
documet result in Security Verification Record
·
go to control activity "performed"
Review of
Verification Results
Results of the audit need to be
checked. If Security incidents occur these need to be classified in severity
breach levels and handled by the Process Manager. In case of minor changes the
Change Management is addressed, in case of major changes, the process is
started with a redesign of new design of e Security Package.
Activity Specific Rules
·
set Security Verification Agent to Security Verification Auditor
·
evaluation & classification of each Security Incident
·
trigger Incident, Problem or Change Management where necessary
·
document result in Security Verification Record
·
go to control activity "reviewed"
4. CAPACITY MANAGEMENT
ITIL capacity management is
responsible for ensuring that adequate capacity is available at all times to
meet the agreed needs of the business in a cost-effective manner. The capacity
management process works closely with service level management to ensure that
the business’ requirements for capacity and performance can be met. Capacity
management also serves as a focal point for any capacity issues in IT Service
Management. Capacity management supports the service desk and incident and
problem management in the resolution of incidents and problems related to
capacity.
Successful capacity management
requires a thorough understanding of how business demand influences demand for
services, and how service demand influences demand on components. This is
reflected by the three subprocesses of capacity management: business capacity
management, service capacity management, and component capacity management. It
is required that capacity management develop a capacity plan, which addresses
both current capacity and performance issues, as well as future requirements.
The capacity plan should be used throughout IT Service Management for planning
and budgeting purposes.
Capacity management is responsible
for defining the metrics to be captured during service operation to measure
performance and use of capacity. This includes monitoring tools, which can
provide input to the event management process. Capacity management may be
called upon to perform tactical demand management, which involves using
techniques such as differential charging to change users’ behavior so that
demand does not exceed supply. Other activities of Capacity management include
sizing (working with developers to understand capacity requirements of new
services) and modeling (building statistical representations of systems).
Capacity Management Definitions
Before implementing capacity
management, it’s important everyone is on the same page. One way for an
organization to accomplish this is to learn and own the definition. Capacity
management introduces new ideas and terms that should be discussed before they
are implemented, including component, capacity plan, capacity
report, capacity management information system, and performance.
A component is the underlying structure behind a service. For example, it is the database behind the application or the server underneath the website. It is a component that must be purchased, built, maintained, and monitored. Improving performance often involves a replacement, upgrade, or load balancing of the individual component.
The capacity plan contains different scenarios for predicted business demand and offers costed options for delivering the service-level targets as specified. This plan allows service designers to make the best choices about how to provide quality service at an affordable price point.
The capacity report is a document that provides other IT management with data regarding service and resource usage and performance. This is used to help other managers make service-level decisions or decisions regarding individual components.
The capacity management information system (CMIS) is the virtual repository used to store capacity data. Dashboards are one way to store and report on capacity data.
Performance is how quickly a system responds to requests. For example, how quickly an application processes data and returns a new screen is one indicator of its performance.
A component is the underlying structure behind a service. For example, it is the database behind the application or the server underneath the website. It is a component that must be purchased, built, maintained, and monitored. Improving performance often involves a replacement, upgrade, or load balancing of the individual component.
The capacity plan contains different scenarios for predicted business demand and offers costed options for delivering the service-level targets as specified. This plan allows service designers to make the best choices about how to provide quality service at an affordable price point.
The capacity report is a document that provides other IT management with data regarding service and resource usage and performance. This is used to help other managers make service-level decisions or decisions regarding individual components.
The capacity management information system (CMIS) is the virtual repository used to store capacity data. Dashboards are one way to store and report on capacity data.
Performance is how quickly a system responds to requests. For example, how quickly an application processes data and returns a new screen is one indicator of its performance.
The Purpose of Capacity Management
The purpose of capacity management
is to determine how much capacity should be provided based on
the information from demand management regarding what should
be provided. In particular, capacity management is concerned with speed and
efficiency. If IT capacity forecasts are accurate and the amount of IT capacity
in place meets business needs, the capacity management process is a success.
Capacity Management Activities
This process involves constant
measurement, modeling, management, and reporting. More specifically, these
activities include:
·
Designing a service so that
it meets service-level agreement (SLA) objectives once implemented
·
Managing resource performance
so that services meet SLA objectives
·
Assisting with the diagnosis
of performance-related incidents and problems
·
Creating and maintaining a
capacity plan that aligns with the organization’s budget cycle, paying
particular attention to costs against resources and supply versus demand
·
Continually reviewing
current service capacity and service performance
·
Gathering and assessing data
regarding service usage, and documenting new requirements as necessary
·
Guiding the implementation
of changes related to capacity
In practice, implementing this from scratch would involve the same steps as for other projects. For example, implementation might follow these broad steps:
1. Gather the data
Work with business to determine
the service-level need. Determine what this means relative to service
availability and service capacity. Identify the individual components
necessary. Work with demand management resources to predict demand based on
user roles. Work with the financial management team to determine the costs.
2. Design a service and reach
agreement
Once you've identified the services and the level of performance needed,
the cost, and the expected demand, you'll be able to work with ITIL service
level management to build an SLA that everyone can agree to. You will also have
designed a service at this point.
3. Build the service
The next step is to build the
service. This involves purchasing the components and building the IT
infrastructure, processes, and documentation necessary to support the new
service/s. Capacity management should continue to monitor the business needs
and any new data to ensure that the service being built will have the necessary
capacity for quality performance. Financial management will be involved at this
stage to facilitate purchasing of components and other resources.
4. Operation
Once you have built the service,
and everyone agrees it will meet demand, capacity, and availability
requirements, it's go-live time. This is when service operation takes over.
Capacity management then supports service operation to deliver services that
meet targets.
Monitoring and managing services and their individual components are
most easily done via monitoring dashboards that provide
data on multiple components in one location. Gathering the data manually from
each service or component adds to the total time it takes to produce
service-capacity reports.
Capacity Management Processes
This process is built on several sub-processes, including business
capacity management, service capacity management, component capacity
management, and capacity management reporting. These processes share
common activities, such as modeling, workload management, analysis, and
optimization.
Business capacity management is the sub-process that turns the needs of the business into IT service
requirements. It is involved in service strategy and service design, reviewing
the data to ensure that there will be not be any changes in demand before the
IT service is implemented. This sub-process works with demand management to
ensure that the service is meeting business needs. Other sub-processes make
sure that the service meets service-level targets; this sub-process ensures
that the service-level targets meet the business needs. A thorough
understanding of the business and the service-level agreements is necessary to
effectively perform the activities in this sub-process.
Service capacity management is the sub-process that focuses on the operation of the service. Unlike component capacity management, this process focuses solely on the service itself. It ensures that the end-to-end service provided meets agreed-upon service-level targets. For example, this process would monitor, control, and predict a ticketing system to ensure it was up and running efficiently.
Component capacity management focuses on the technology that provides the performance and capacity to the IT service. Components are things like hard disks, phones, and databases. This sub-process requires knowledge of how each component individually contributes to service performance. It manages, controls, and predicts performance usage and capacity of individual components rather than the service as a whole (as seen in service capacity management). The goal of this sub-process is to reduce the total amount of service downtime by monitoring current performance and predicting future performance. Component capacities are designed around service capacities and not the other way around.
Capacity management reporting is the final sub-process. It gathers and then provides other stages with the data related to service capacity, service usage, and service performance. The output of this sub-process is the service capacity report.
Service capacity management is the sub-process that focuses on the operation of the service. Unlike component capacity management, this process focuses solely on the service itself. It ensures that the end-to-end service provided meets agreed-upon service-level targets. For example, this process would monitor, control, and predict a ticketing system to ensure it was up and running efficiently.
Component capacity management focuses on the technology that provides the performance and capacity to the IT service. Components are things like hard disks, phones, and databases. This sub-process requires knowledge of how each component individually contributes to service performance. It manages, controls, and predicts performance usage and capacity of individual components rather than the service as a whole (as seen in service capacity management). The goal of this sub-process is to reduce the total amount of service downtime by monitoring current performance and predicting future performance. Component capacities are designed around service capacities and not the other way around.
Capacity management reporting is the final sub-process. It gathers and then provides other stages with the data related to service capacity, service usage, and service performance. The output of this sub-process is the service capacity report.
Capacity Management and Other ITIL
Processes
Capacity management must interface with other processes within ITIL, including
demand management, availability management, service-level management, and
financial management. When the business has a service need, it comes from
demand management. It's then relayed to the business continuity management
team, which then translates it into an SLA and capacity terms. Service-level
management helps with this. Once the service is deployed, service capacity
management and component capacity management come in to keep everything at peak
performance. Availability management works hand-in-hand with capacity
management to keep services running and prevent downtime. Financial management
comes into play when individual components must be estimated, purchased,
maintained, and replaced. Not working closely with financial management can result
in either untimely drops in uptime or organizational budget losses.
5. AVAILABILITY MANAGEMENT
Is one of five components in the ITIL Service Delivery
area. It is responsible for ensuring application systems are up and available
for use according to the conditions of the Service Level Agreements (SLAs).
The Availability Management team reviews business
process availability requirements and ensures the most cost effective
contingency plans are put in place and tested on a regular basis to ensure
business needs are met. For example, Internet applications supporting online
ordering systems may have 30-minute or less recovery requirements, so they may
be provisioned with infrastructure components providing several levels of
redundancy. Less critical, non-customer-facing applications used by a few users
in small offices with a 5-day recovery period may be provisioned on less
expensive infrastructure with limited redundancy capabilities.
Availability Management is also the lead in Component
Failure Impact Analysis and Service Outage Analysis initiatives, determining
cause, analyzing trends and taking any appropriate actions to ensure service
availability meets SLAs.
Availability Management activities include:
·
Ensuring service availability
meets SLAs
·
Determining the cause of
availability failures
·
Reviewing business requirements
for availability of business systems
·
Cataloging business requirements
·
Ensuring proper contingency plans
are in place and tested
·
Establishing high-availability,
redundant systems to support mission-critical applications
Benefits to
implementing Availability Management processes include:
·
Services are available for use
during expected timeframes as specified in SLAs.
·
Services are provisioned on
specific infrastructure depending upon their availability needs. This avoids
unnecessary costs due to provisioning services with longer recovery times on
more expensive high-availability platforms.
·
Potential service availability
issues are identified and corrected before they negatively impact services.
Availability Management processes are tightly
integrated with Service Level Management, Capacity
Management, IT Service Continuity Management, and Incident
Management.
TeamQuest Predictor allows you to run multiple
scenarios to show business units the impact of various availability management
decisions, helping to determine the optimal performance levels needed to meet
business unit goals while ensuring that these metrics can be tracked and
reported on an ongoing basis.
TeamQuest Analyzer allows you to monitor
availability metrics of a large number of systems through color indicators. It
also provides detailed diagnostic capabilities to quickly determine the
probable cause of an outage, and more importantly, how to keep the problem from
recurring. TeamQuest Analyzer also captures historical data for trend
reporting, allowing IT to proactively predict potential issues and address them
before they become problems.
TeamQuest Surveyor automatically publishes
reports containing availability metrics taken from not only the TeamQuest CMIS,
but other performance databases as well. You can customize availability reports
for different audiences by organizing and annotating them, choosing appropriate
charts and graphs, adding a corporate logo, and arranging it all with appropriate
explanations and labeling.
TeamQuest tools support Availability Management by:
·
Gathering historical and real-time
data on service performance
·
Providing the performance data
required to make informed decisions regarding IT's ability to meet SLAs
·
Allowing you to experiment with
multiple scenarios to determine resources needed to meet business unit goals
·
Determining the cause of outages
·
Preventing availability problems
from recurring
·
Proactively identifying potential
availability issues so they can be resolved before they impact users
·
Tracking and reporting
availability metrics on an ongoing basis
6. SERVICE LEVEL MANAGEMENT
Is the process by which the quality of the IT services
offered is defined, negotiated and supervised. Is responsible for finding a realistic
compromise between the customers' needs and expectations and the costs of
associated services, such that these are acceptable to both the customer and to
the IT organisation.
Service
Level Management must:
·
Document all the IT services
offered.
·
Present the services in a way that
is comprehensible to the customer.
·
Focus on the customer and the
customer's business and not the technology.
·
Work closely with the customer to
propose realistic IT services that match the customer's needs.
·
Establish the necessary agreements
with customers and suppliers in order to offer the services required.
·
Define the key IT service
performance indicators.
·
Monitor the quality of the agreed
services with the overall goal of improving them at a cost acceptable to the
customer.
·
Prepare reports on the quality of
service and service improvement plans (SIP).
The main
benefits of good Service Level Management are:
·
The IT services are designed with
the real goal in mind: meeting the customer's needs.
·
Communication with customers is
enhanced and misunderstanding about the characteristics and quality of the
services offered are avoided.
·
Clear and measurable objectives
are set.
·
The respective responsibilities of
the customer and the service providers are clearly established.
·
Customers know and accept the
quality levels offered and clear protocols of action are put in place which can
be used to tackle any deterioration in service.
·
The constant monitoring of the
service allows the weakest links in the chain to be identified so they can be
improved.
·
IT management knows and
understands the services offered, facilitating agreements with suppliers and
subcontractors.
·
The Service Desk personnel
has the necessary documentation (SLAs, OLAs,etc.) to enable
fluid dealings with customers and suppliers.
·
The SLAs help IT
management to calculate costs and justify prices to customers.
In the
long term this results in improved service and the resulting satisfaction of
customers and users.
The main
difficulties when implementing Service Level Management may be
summarised as:
·
A lack of good communications with
customers and users, which means the SLAsagreed do not meet their
real needs.
·
The service level agreements are
based more on the customer's wishes and expectations than on services that the
IT infrastructure can offer with an adequate level of quality.
·
IT services are not properly
aligned with the customer's business processes.
·
The SLAs are
excessively long and technical, thus failing to fulfil their primary objective.
·
Insufficient resources are
dedicated to service level management as the management views it an extra cost
and not an integral part of the service offered.
·
Communication problems: not all
the users know about the characteristics of the service and the levels of quality
agreed.
·
Compliance with SLAs is
not monitored adequately or consistently, making it difficult to improve the
quality of service.
·
There is no genuine commitment in
the organisation to the quality of the IT service offered.
