ITIL
FOUNDATION
- January 2004 -
ITIL Course Material
Contents
Introduction .....................................................................................................................................................................................6
IT Service Management...................................................................................................................................................................8
IT Service Management – Background.......................................................................................................................................8
Services and Quality............................................................................................................................................................10
Quality Assurance...............................................................................................................................................................11
ISO-9000.............................................................................................................................................................................13
Organisational Maturity.......................................................................................................................................................14
CMM...................................................................................................................................................................................15
Organisation and Policies..........................................................................................................................................................16
Vision, objectives and policies............................................................................................................................................16
Planning Horizon.................................................................................................................................................................17
Culture.................................................................................................................................................................................18
Human Resource Management............................................................................................................................................19
IT Customer Relationship Management..............................................................................................................................20
Processes..................................................................................................................................................................................21
Processes and departments...................................................................................................................................................22
IT Service Management.......................................................................................................................................................23
Introduction to ITIL.......................................................................................................................................................................24
Background...............................................................................................................................................................................24
Advantages to the Customer/End User:...............................................................................................................................25
Advantages to the IT Organisation:.....................................................................................................................................25
Potential disadvantages:.......................................................................................................................................................26
Organisations............................................................................................................................................................................26
OGC (CCTA)......................................................................................................................................................................26
ITSMF.................................................................................................................................................................................27
EXIN and ISEB...................................................................................................................................................................27
The ITIL Books........................................................................................................................................................................28
ITIL (IT Infrastructure Library)...........................................................................................................................................28
Business Perspective............................................................................................................................................................29
Service Delivery..................................................................................................................................................................31
Service Support...................................................................................................................................................................33
IT Infrastructure Management.............................................................................................................................................35
Applications Management...................................................................................................................................................36
Management and Organisation............................................................................................................................................36
Planning and Implementation..............................................................................................................................................37
Service Desk.................................................................................................................................................................................38
Introduction..............................................................................................................................................................................38
Objective ..................................................................................................................................................................................39
Process Description ..................................................................................................................................................................39
Activities ..................................................................................................................................................................................39
Activities.............................................................................................................................................................................40
Incident control....................................................................................................................................................................40
Roles ........................................................................................................................................................................................41
Relationships ...........................................................................................................................................................................41
Benefits ....................................................................................................................................................................................42
Summary.............................................................................................................................................................................43
Common Problems ..................................................................................................................................................................43
Metrics .....................................................................................................................................................................................45
Service Desk Structure - Best Practice......................................................................................................................................45
Resolution and recovery......................................................................................................................................................53
Incident closure ..................................................................................................................................................................53
Incident ownership, monitoring, tracking and communication............................................................................................53
Roles ........................................................................................................................................................................................53
Relationships ...........................................................................................................................................................................54
Benefits ....................................................................................................................................................................................55
Common Problems ..................................................................................................................................................................56
Metrics .....................................................................................................................................................................................56
Number of Incidents per time period...................................................................................................................................57
Number of Incidents per category........................................................................................................................................57
Number of Incidents per priority level.................................................................................................................................57
Incident resolution performance against service levels........................................................................................................57
Number of closed Incidents per time period........................................................................................................................57
Best practice.............................................................................................................................................................................57
Incident Management tools:.................................................................................................................................................57
Different types of escalation................................................................................................................................................57
Essential Terms.........................................................................................................................................................................58
Problem Management....................................................................................................................................................................59
Introduction..............................................................................................................................................................................59
Objective ..................................................................................................................................................................................59
Process Description ..................................................................................................................................................................60
Activities ..................................................................................................................................................................................62
Problem Control .................................................................................................................................................................62
Error Control.......................................................................................................................................................................63
Proactive Problem Management..........................................................................................................................................64
Completion of Major Problem reviews................................................................................................................................64
Roles ........................................................................................................................................................................................65
Relationships ...........................................................................................................................................................................65
Benefits ....................................................................................................................................................................................66
Common Problems ..................................................................................................................................................................67
Metrics .....................................................................................................................................................................................68
Best practices............................................................................................................................................................................69
Essential Terms.........................................................................................................................................................................70
Introduction..............................................................................................................................................................................70
Objective ..................................................................................................................................................................................71
Process Description ..................................................................................................................................................................72
Activities ..................................................................................................................................................................................73
Recording............................................................................................................................................................................73
Accepting (Rejecting)..........................................................................................................................................................73
Classifying...........................................................................................................................................................................73
Planning..............................................................................................................................................................................73
Coordination........................................................................................................................................................................74
Evaluating............................................................................................................................................................................74
Roles ........................................................................................................................................................................................75
Change Manager..................................................................................................................................................................75
Change Advisory Board (CAB)..........................................................................................................................................75
Change Advisory Board/Emergency Committee (CAB/EC) ..............................................................................................75
Relationships ...........................................................................................................................................................................75
Benefits ....................................................................................................................................................................................76
Common Problems ..................................................................................................................................................................77
Metrics .....................................................................................................................................................................................77
Best practices............................................................................................................................................................................78
Essential Terms.........................................................................................................................................................................78
Configuration Management.............................................................................................................................................................79
Introduction..............................................................................................................................................................................79
Objective ..................................................................................................................................................................................79
Process Description ..................................................................................................................................................................80
Activities ..................................................................................................................................................................................81
Planning:.............................................................................................................................................................................82
Identification:......................................................................................................................................................................82
Status accounting.................................................................................................................................................................83
Verification and audit..........................................................................................................................................................84
Roles ........................................................................................................................................................................................84
Relationships ...........................................................................................................................................................................85
Benefits ....................................................................................................................................................................................85
Common Problems ..................................................................................................................................................................86
Metrics .....................................................................................................................................................................................87
Key performance indicators.................................................................................................................................................87
Best practices............................................................................................................................................................................88
The CMDB..........................................................................................................................................................................88
Interesting Websites............................................................................................................................................................89
Essential Terms ........................................................................................................................................................................89
Release Management......................................................................................................................................................................90
Introduction..............................................................................................................................................................................90
Objective ..................................................................................................................................................................................91
Process Description ..................................................................................................................................................................92
Activities ..................................................................................................................................................................................92
Roles ........................................................................................................................................................................................96
Relationships ...........................................................................................................................................................................96
Benefits ....................................................................................................................................................................................97
Common Problems ..................................................................................................................................................................98
Metrics .....................................................................................................................................................................................99
Best practices............................................................................................................................................................................99
Interesting web sites..........................................................................................................................................................101
Essential Terms.......................................................................................................................................................................101
Introduction..................................................................................................................................................................................102
Objective ................................................................................................................................................................................103
Process Description.................................................................................................................................................................104
Activities ................................................................................................................................................................................106
Roles.......................................................................................................................................................................................108
Benefits ..................................................................................................................................................................................110
Common Problems ................................................................................................................................................................111
Metrics ...................................................................................................................................................................................113
Best practices..........................................................................................................................................................................113
Essentials (terminology) ........................................................................................................................................................114
Financial Management.................................................................................................................................................................115
Introduction............................................................................................................................................................................115
Objective ................................................................................................................................................................................116
Process Description.................................................................................................................................................................118
Activities ................................................................................................................................................................................119
Roles ......................................................................................................................................................................................123
Relationships .........................................................................................................................................................................124
Benefits ..................................................................................................................................................................................124
Common Problems.................................................................................................................................................................125
Metrics ...................................................................................................................................................................................126
Best practices..........................................................................................................................................................................127
Essentials (terminology) ........................................................................................................................................................127
Availability Management.............................................................................................................................................................128
Introduction............................................................................................................................................................................128
Objective ................................................................................................................................................................................129
Process Description ................................................................................................................................................................130
Activities.................................................................................................................................................................................132
Roles ......................................................................................................................................................................................134
Relationships
Benefits
Common Problems
Metrics
Best practices
Capacity Management
Introduction
Objective
Activities
Roles
Relationships
Benefits
Common Problems
Metrics
Best practices
Essentials (terminology)
IT Service Continuity Mgt
Introduction
Objective
Process Description
Activities
Roles
Relationships
Common Problems
Metrics
Best practices
Essentials (terminology)
Security Management
Introduction
Objective
Process Description
Activities
Roles
Relationships
Benefits
Common Problems
Metrics
Best practices
Essentials (terminology)
Conclusion
Further reading
Introduction
In recent decades IT developments have changed the way that most businesses
operate. The changes are most evident in the various business processes of any
organisation. An example of a business process is "the sales process" (e.g. Marketing
generates leads and sends them through to Sales, Sales develops relationships and prepares
proposals, Administration prints and sends the material to the client and ensures that there
is an action against the salesperson to follow up the proposal, etc.). All of these
business processes rely a great deal on computer based tools and the underlying
technology.
Since the introduction of the PC, LAN, client/server technology and the Internet,
organisations can bring their products and services to markets faster than ever before.
These developments are responsible for the transition from the industrial to the information
age. In the information age, everything has become faster and more dynamic.
In the 1980s, the quality of the IT services provided to the British government led to
the CCTA (Central Computer and Telecommunications Agency, as it was then called; now
the Office of Government Commerce, OGC) being instructed to develop an approach for
efficient and financially effective use of IT resources by ministries and other British public
sector organisations. The aim was to develop a framework/methodology/approach that was
vendor/supplier independent. This resulted in the Information Technology Infrastructure
Library™ (ITIL). ITIL v1 grew from a collection of best practices observed in the IT service
industry.
covered by the ITIL publications makes it useful to refer to them regularly and to use them
to set new improvement objectives for the IT organisation. The organisation can grow and
mature with them.
Special note: The most widely known of the "other frameworks" that have been
based on ITIL is the Microsoft Operations Framework. Microsoft do not try
to conceal that their proprietary framework has its basis in ITIL. They in fact
praise ITIL as an excellent starting point for organisations with Microsoft
Environments. What Microsoft have done however, is extend ITIL and create
a series of other processes and specific concepts.
ITIL is often referred to as Best Practice, although the relatively new term of "good
practice" is starting to be widely used.
Note: The term "best practice" will often spark heated debate among some
IT professionals. If you are not certain then the term "good practice" may be
a safer option to use. The ITIL material claims that it is Best Practice.
The broader adoption of ITIL has been hampered by the lack of a basic, but effective
introductory textbook. This course is the electronic version of this missing text. The course
is beneficial for anyone involved in IT Service Management.
This edition of this Course is based upon The Art of Service's Course material,
developed as an introduction to IT Service Management. That work was based on
management summaries and descriptions in official ITIL publications. Given the desire for a
broad consensus in the ITIL field, new developments, additional material and contributions
from ITIL professionals are welcome. They will be discussed by the editors and where
appropriate incorporated into new editions.
Given the rapid changes in this field, the ITIL books do not always describe the latest
developments. This is because ITIL is primarily a collection of best practices taken from a
variety of people in a wide cross section of industry. When writing this Course we aimed to
incorporate current developments in the field, without substantially diverting from the ITIL
publications.
Therefore the course can be used both to prepare for the official ITIL Service
Management Foundation exam and as a general introduction to the broader area of IT
Service Management.
This course does not address the planning and implementation of ITIL processes. In
chapter 2 ‘IT Service Management’ it does however address, in a more general way,
relevant matters in IT Service Management, in terms of quality, processes and policies.
Before you begin: Thank you for making the choice to study with us. This
course is prepared and supported by experienced and fully qualified IT
Service Managers. You can ask for help and explanations at any time. We
have set tests throughout the material to ensure that you are getting the
best value for the money you pay.
We know that you will enjoy the journey you are about to begin. We hope to
hear from you in the future. We like to get the stories about how this
learning exercise helped you to make significant improvements in your own
IT Service Management challenges.
IT Service Management
The objective tree is used to help all members of the organisation understand
the benefits of ITSM. Starting at the top of the tree, the most important consideration for
any business is that the Organisation's Objectives are met (e.g. increased market share,
lower costs and higher customer satisfaction).
Failure to meet the overall objectives means that the organisation ceases to function
(no matter how well the IT department is run). In order for the organisation's objectives to
be met, there must be a series of business departments working together in Business
Processes. An example of a business process is the "enrollment process" in a University.
The "enrollment process" involves Admissions (to capture basic student details), Security
(to issue id-card), Library (to provide required book lists), etc.
Each of these business processes needs a variety of services (IT Service Provision in
our Objective Tree) in order to work. In our University example the Admissions department
has a Student system, Security has its Security system and the Library has a Library
system (hopefully all share a common repository of student information, but they all exist
for a different reason).
The next branch of the Objective Tree is Service Management. It is at this layer that
IT professionals must consider how they need to manage all the infrastructure (including
hardware, software, tools, etc.) in order to make the required Services available to the
Business Processes, so that the Organisation Objectives can be met.
• The section on the provision of services and quality addresses the relationship
between the quality experienced by the customer's organisational end users, and
quality management by the provider of the IT services.
• The section on organisation and policies addresses concepts such as vision,
objectives, and policies and discusses issues such as planning, corporate culture
and Human Resource Management. This section also discusses the coordination
between the business processes of a company and the IT activities.
• The section on process management looks at the control of IT service processes.
Providers of IT services can no longer afford to focus on technology. They now have
to consider the quality of the services they provide and focus on the relationship with their
customers.
However, services are provided through interaction with the customer. Services
cannot be assessed in advance, but only when they are provided. The quality of a service
depends to some extent on the way in which the service provider and the customer interact.
In contrast to the manufacturing process, customer and provider can still make changes
when the services are being delivered. How the customer perceives the service and what
the provider thinks they supply, both depend largely on their personal experiences and
expectations.
Whether or not the service fulfils the expectations depends primarily on how
effectively the deliverables were agreed on in the first place, even more so than on how well
the supplier provides the service.
A continuing dialogue with the customer is essential to refine the services and to
ensure that both the customer and the supplier know what is expected of the service. In a
restaurant, the waiter will first explain the menu, and ask if everything is all right when
serving a new course.
The waiter actively coordinates supply and demand throughout the meal. This
experience with customers is then used to improve future customer contact.
The quality of a service refers to the extent to which the service fulfils the
requirements and expectations of the customer. To be able to provide quality, the supplier
should continuously assess how the service is perceived and what the customer expects in
the future.
What one customer considers normal, another customer may well consider a
special requirement.
Eventually a customer will get used to something considered special at the start. The
results of the assessment can be used to determine if the service should be modified, if the
customer should be provided with more information, or if the price should be changed.
Quality is the totality of characteristics of a product or service that bear on its ability
to satisfy stated and implied needs (ISO-8402).
Reasonable costs may be considered as a derived requirement. Once it has been agreed
on what is to be expected of the service, the next step is to agree on what it may cost. At
this stage the service provider has to be aware of the costs they incur, and the current
market rates for comparable services.
A customer will be dissatisfied with a service provider who occasionally exceeds the
expectations but disappoints at other times. Providing a constant quality is one of the
most important, but also one of the most difficult aspects of the service industry.
For example, a restaurant will have to purchase fresh ingredients, the chefs will have
to work together to provide consistent results, and hopefully there are no major differences
in style among the waiting staff. A restaurant will only be awarded three Michelin Stars
when it manages to provide the same high quality over an extended period. This does not
often happen: there are changes among the waiting staff, a successful approach may not
last, and chefs leave to open their own restaurants. Providing a constant high quality also
means that the component activities have to be coordinated: the more efficiently the
kitchen operates, the more quickly the guests can be served.
Therefore, when providing a service, the overall quality is the result of the quality of
a number of component processes that together form the overall service. These component
processes form a chain; a series of linked activities. Effective coordination of the
component processes requires not only high quality at each stage, but also consistent
quality.
Quality Assurance
Supplying products or services requires activities. The quality of the product or
service depends largely on the way in which these activities are organised. Deming’s quality
life cycle provides a simple and effective model to address quality. The model assumes that
to provide appropriate quality, the following steps must be undertaken repeatedly:
To be able to make use of this life-cycle approach, the activities of supplying products and
services must be divided into processes, each with their own plans and opportunities for
conducting checks. It must be clear who is responsible in the organisation and what
authority they have to change plans and procedures, not only for each of the activities,
but also for each of the processes.
Quality assurance is a policy matter within the organisation. It is the whole of the
measures and procedures that the organisation uses to ensure that the services provided
continue to fulfil the expectations of the customer and the relevant agreements. Quality
assurance ensures that improvements resulting from quality management are maintained.
The ISO 9000 series of standards is often used to develop, define, assess and improve
quality systems.
ISO-9000
Some organisations require their suppliers to hold an ISO 9001 or ISO 9002
certificate. Such a certificate proves that the supplier has an adequate quality system whose
effectiveness is regularly assessed by an independent auditor.
ISO is the International Standards Organisation. A quality system that complies with
the ISO standard testifies that the supplier has taken measures to be able to provide the
quality required by their customers;
• the management regularly assesses the operation of the quality system, and uses
the results of internal audits to implement improvement measures where necessary;
• the suppliers’ procedures are documented and communicated to those affected by
them;
• customer complaints are recorded, dealt with in a reasonable time, and used to
improve the service where possible;
• the supplier controls the production processes and can improve them.
An ISO certificate does not provide an absolute guarantee about the quality of the
service provided; however, it does indicate that the supplier takes quality assurance
seriously and is prepared to discuss it.
The new ISO 9000 series of standards, ISO-9000-2000, puts even greater emphasis
than the previous standard on the ability of an organisation to learn from experience and to
implement continuous quality improvement.
Organisational Maturity
Experience with improving the quality of IT services has shown that it is rarely
sufficient to simply define current practices. The causes of a mismatch between the service
provided and the customer’s requirements are often related to the way in which the IT
organisation is managed. A permanent quality improvement focus demands a certain
degree of maturity of the organisation.
The European Foundation for Quality Management (EFQM) model can be useful in
determining the maturity of an organisation. It identifies the major areas to be considered
when managing an organisation.
In 1988 fourteen large European companies, with the support of the European
Commission, set up the European Foundation for Quality Management.
The objective of the EFQM is to promote Total Quality Management, aimed at
excelling in customer satisfaction, employee satisfaction and appreciation by society, and
performance results.
The EFQM ‘Model of Business Excellence’, generally known simply as the EFQM
model, is widely accepted as the major strategic framework for managing an organisation
aimed at the balanced, continuing improvement of all aspects relevant to the business.
Over 600 European businesses and research organisations have now joined the
EFQM. For further information: http://www.efqm.org.
CMM
Maturity models based on the CMM levels of maturity have also been developed for
IT Service Management.
Specifically, this affects the communication between the customer and the supplier.
It is advisable to bring both organisations to the same level of development, and to operate
at that level, or to adjust the communication in line with the lower level.
This section will discuss several important aspects of the organisation and policies
that are relevant to process management.
The policy of the organisation is the combination of all decisions and measures
taken to define and realise the objectives. In its policies, the organisation will prioritise
objectives and decide how the objectives will be reached. Of course, priorities may change
over time, depending on the circumstances. The clearer the organisation’s policies are to all
stakeholders, the less needs to be defined about how personnel are supposed to do their
work. Instead of detailed procedures, personnel can independently use the policies as their
guideline. Clearly formulated policies contribute to a flexible organisation, as all levels in the
organisation can respond more quickly to changing circumstances.
Implementing policies in the form of specific activities requires planning. Plans are
usually divided into stages to provide milestones where progress can be monitored. For
example, the policies can be used to draw up an annual plan, which is then used to develop
the budgets. An organisational annual plan can be further developed into greater detail as
departmental plans, quarterly plans or project plans. Each of these plans contains a number
of elements: an activity schedule, the required resources, and agreements about the quality
and quantity of the products or services to be delivered.
When translating the mission of the organisation into objectives, policies, planning
and tasks, there is the risk that after some time, the mission, objectives or policies are
forgotten. It is therefore important that at every stage we measure if the organisation is
still moving in the right direction, and remedial action is taken where necessary.
We have to measure if the organisation or processes fulfil the objectives, and there
are various methods available for this. One of the most common methods in business is the
Balanced Score Card, or BSC. In this method, the objectives of the organisation or
process are used to define Critical Success Factors (CSF). CSFs are defined for a number
of areas of interest or perspectives: customers/market, business processes,
personnel/innovation and finance. The parameters used to measure if the CSFs meet the
standards are known as Key Performance Indicators (KPI). Where necessary, these can
be subdivided into Performance Indicators (PI).
Key performance indicators, or KPIs, are parameters for measuring progress relative
to key objectives or Critical Success Factors (CSF) in the organisation.
If the IT department supports the interests of the business, the objectives of the IT
department will be derived from the business objectives. The IT department, for example,
might have the following objective: ‘To contribute to the competitive strength of the
business’. The specific objectives of the IT department will then be developed on the basis
of this general objective.
Depending on the nature of the business, objectives will be defined for the IT
department with respect to safety, accessibility, response speed, technical sophistication
and so on.
Planning Horizon
Technical infrastructure has the longest planning horizon and in its support
role it has fewer clear links with the substantive business activities. It takes time to develop
a technical infrastructure and the fact that information systems and the business depend on
the technical infrastructure, limits the speed at which changes can be implemented.
Furthermore, developing a technical infrastructure demands significant investment and the
period over which it can be depreciated has to be considered.
The planning horizon is shorter for applications as they are designed for specific
business purposes. Application life cycle planning is primarily based on the business
functions to be provided by the system, after which the underlying technology is considered.
Business plans, based on the organisation’s strategy, normally cover one calendar or
financial year. Budgets, planning and progress reports all fall within this period. In some
markets, the planning cycle time has become even shorter as the cycle time for product
development has also decreased.
• Time - this is the easiest factor to determine. It is defined by a starting date and ending
date, and is often divided into stages.
• Quantity - the objectives have to be made measurable to monitor progress. Terms such
as ‘improved’ and ‘quicker’ are insufficient for planning purposes.
• Quality - the quality of the deliverables (results) should be appropriate for the objective.
• Costs and revenues - the deliverables must be in proportion to the expected costs,
efforts and revenues.
Differences between the planning horizons occur not only between areas, but also
between the various levels of activities and processes (strategic, tactical and operational).
Culture
Organisations that want to change (for example to improve the quality of their
services) will eventually be confronted with the current organisational culture. The
organisational culture, or corporate culture, refers to the way in which people deal with each
other in the organisation; the way in which decisions are made and implemented; and the
attitude of employees to their work, customers, suppliers, superiors and colleagues.
Culture, which depends on the standards and values of the people in the
organisation, cannot be changed, but it can be influenced. Influencing the culture of an
organisation requires leadership in the form of clear and consistent policies and a
supportive personnel policy.
The corporate culture can have a major influence on the provision of IT services. This
is due to the fact that businesses value innovation in different ways. In a stable
organisation, where the culture places little value on innovation, it will be difficult to adjust
the IT services in line with changes in the organisation. If the IT department is unstable,
then a culture that values change can pose a serious threat to the quality of its services. In
that case, a free for all can develop where many uncontrolled changes lead to a large
number of faults.
Personnel policy plays an important and strategic role in fulfilling the long-term
objectives of an organisation (see also the EFQM model). It can also be used as an
instrument to change the corporate culture. The objective of modern personnel
management is to optimise the performance of all personnel in the organisation. A variety
of instruments such as recruitment and selection, training and career development,
motivation and reward are used.
• Giving employees in the organisation the opportunity to develop and use their skills will
benefit the organisation.
• The hard approach sees human resources as means of production, which have to be
organised as effectively and efficiently as possible. As the corporate strategy is determined
by economic, technical and market factors, the same applies to personnel policy. This
approach places different values on employees. Some core employees are strategically
more important than peripheral employees who are easily replaceable. For example, a
company might choose to permanently employ only core personnel, and for the rest use a
pool of flexible personnel.
• The soft approach emphasises that making the best possible use of human potential and
opportunities will benefit the business. Modern employees are highly educated, ambitious
and prepared to invest a lot in their work. For this reason, their potential must be identified
early and developed continuously (career development, training policy). When selecting its
strategy and policy, the business must base its choices on the talent and potential of its
employees.
• The integrated approach looks at the shared interests of personnel and management in
an organisation. To reach the objectives of the organisation there will have to be good
inflow, movement and outflow of personnel. Changes in the market and the organisation
(e.g. developments in technology) lead to constant changes in the need for skills.
The quality of service provided by an organisation benefits if the best use is made of the
potential of its employees. This facilitates continuous improvement. Instruments for quality
management in personnel policy include:
• Policy Deployment - communicating to each employee how and to what extent their
task contributes to realising the objectives of the organisation. An important condition for
the success of policy deployment is that it also extends to all layers of management.
• Empowerment - giving employees the opportunity to organise and implement their task
in consultation with the organisation. The degree of empowerment determines the extent to
which employees can be held responsible for the quality of the work they provide.
This could be used as a basis for assessing and rewarding employees. The reward
may be material (salary) or immaterial, for example appreciation, new opportunities for
development and career opportunities.
The quality of IT services largely depends on good relationships with the customers
of the IT organisation. These relationships provide the basis for making and updating
agreements. IT Customer Relationship Management addresses maintaining a relationship
with customers and coordinating with customer organisations, at the strategic, tactical and
operational levels.
example, by organising surveys among customers and users, providing information, and
so forth.
The user is the person behind the PC, the employee who uses IT services for their
routine activities.
The customer is the person who is authorised to conclude an agreement with the IT
organisation about the provision of IT services (for example a Service Level Agreement,
SLA) and who is responsible for ensuring that the IT services are paid for.
Given the dynamic nature of both the customer organisation and the IT organisation,
the rate of change in both organisations should also be coordinated.
The agreements with the customer about the services to be provided are then
developed into service level proposals through Service Level Management. For example, if
the customer wants to introduce an intranet, then the availability, user support,
implementation of change requests and cost all have to be agreed. These agreements are
laid down in a Service Level Agreement (SLA).
In most cases, users can contact a Service Desk for operational requests and
questions, and to report problems.
Processes
When arranging activities into processes, we do not use the existing allocation of
tasks, or any existing departmental (functional) divisions. This is a conscious choice. By
opting for a process structure, we can often show that certain activities in the
organisation are uncoordinated, duplicated, neglected, or unnecessary.
Instead, we look at the objective of each process and its relationships with other
processes. A process is a series of activities carried out to convert an input into an output.
We can label the input and output of each of the processes with quality characteristics
and standards (that is, what is expected to go into and what is expected to come out of
the particular process). These characteristics and standards provide information about the
results expected of the process. We end up with linked chains of processes, which show
what goes into the organisation and what the result is. In addition, we can describe
monitoring points in the chains to assess the quality of the products and services provided
by the organisation.
The standards for the output of each process have to be defined so that the complete
chain of processes meets the corporate objective/s, if each process complies with its
process standard. If the result of a process meets the defined standard, then the process
can be said to be effective. If the activities in the process are also carried out with the
minimum required effort and cost, then the process can be called efficient. The aim of
process management is to use planning and control to ensure that all processes are
effective and efficient.
We can study each process separately to optimise its performance. The process
owner is responsible for the process results. The process manager is responsible for the
realisation and structure of the process, and reports to the process owner. The process
operatives are responsible for defined activities, and report to the process manager.
The logical combination of activities results in clear points where the quality of
processes can be monitored. In a restaurant for example, we can separate responsibility for
purchasing and cooking; chefs may not have the authority to purchase anything as
experience may show that they tend to spend too much on fresh ingredients that do not add
value.
The management of the organisation can exercise control on the basis of the quality of the
process as demonstrated by data from the results of each process. In most cases, the
relevant performance indicators and standards will already be agreed. The day-to-day
control of the process can then be left to the process manager. The process owner will
assess the results based on a report of performance indicators and whether they meet the
agreed standard.
A procedure is a description of logically related activities, and who they are carried
out by. A procedure may include stages from different processes. A procedure defines who
does what, and varies depending on the organisation.
A set of work instructions defines how one or more activities in a procedure should
be carried out.
Most businesses are organised in a hierarchy. They have departments, which are
responsible for a group of employees. There are various ways of structuring departments,
for example by customer, product, region or discipline. IT services generally depend on
several departments, customers or disciplines. In a hierarchical organisation, an IT
service that provides users with access to an accounting program on a central computer will
generally involve several departments.
In this example, the computer centre has to make the program and database accessible,
the data and telecommunications department has to make the computer centre accessible,
and the PC support department has to provide users with an interface to access the
application.
Processes that span several departments can monitor the quality of a service by monitoring
certain aspects of quality, such as availability, capacity, cost and stability. A service
organisation will then try to match these quality aspects with the customer’s demands. The
structure of such processes can ensure that good data is available about the provision of
services, so that the planning and control can be improved.
IT Service Management
Introduction to ITIL
This chapter describes the structure and objectives of the IT Infrastructure Library
(ITIL) and the organisations that contribute to maintaining ITIL as the best practice
standard for IT Service Management.
Background
ITIL was developed because a growing number of organisations are
becoming increasingly dependent on IT to help fulfil their corporate objectives. This
increasing dependence has resulted in a growing need for IT services of a quality
corresponding to the objectives of the organisation, and which meet the requirements and
expectations of the customer. Over the years, the emphasis has shifted from the
development of IT applications to the management of IT services. An IT application
(sometimes referred to as an information system) only contributes to realising corporate
objectives if the system is available to users and, in the event of a fault or necessary
modifications, it is supported by maintenance and operations.
In the overall life cycle of IT products, the operations phase expenditure amounts to
about 70 to 80% of the overall time and cost; the rest is spent on product development (or
procurement). Effective and efficient IT Service Management is essential to the success of
IT applications.
This applies to any type of organisation, large or small, public or private, with
centralised or decentralised IT services, with internal or outsourced IT services. In all cases,
the service has to be reliable, consistent, of a high quality, and at an acceptable cost.
ITIL offers a common framework for all the activities of the IT department, as part of
the provision of services, based on the IT infrastructure. These activities are divided into
processes, which provide an effective framework for further enhancement of IT Service
Management. Each of these processes covers one or more tasks of the IT department, such
as service development, infrastructure management, and supplying and supporting the
services.
This process approach makes it possible to describe the IT Service Management best
practices independently from the actual organisational structure of the department.
Many of these best practices are clearly identifiable and are indeed used, to some
extent, in most IT organisations. ITIL presents these best practices coherently. The ITIL
books describe how these processes (which have sometimes already been identified) can be
optimised, and how the coordination between them can be improved. The books also
explain how the processes can be formalised within an organisation. They provide a frame
of reference within the organisation for the relevant terminology, and help to define the
objectives and to determine the required effort.
The list below identifies some advantages and disadvantages of ITIL. It does not
claim to be a definitive list. Any attempt to supplement it often leads to an interesting
discussion about the advantages and disadvantages of ITIL and about the way in which
organisations actually use ITIL.
• The IT organisation develops a clearer structure, becomes more efficient, and more
focused on the corporate objectives.
• Following the ITIL best practices encourages a cultural change towards providing service,
and supports the introduction of a quality management system based on the ISO-9000
series.
• ITIL provides a uniform frame of reference for internal communication, standardisation
and identification of procedures.
Potential disadvantages:
• The introduction can take a long time and significant effort, and requires a change of
culture in the organisation. An over-ambitious introduction can lead to frustration because
objectives are never met.
• Improvement in the provision of services and cost reductions are not visible.
• If there is insufficient investment in support tools, the processes will not be done justice
and the service will not be improved. Additional resources and personnel may be needed if
the organisation is already overloaded by routine IT Service Management activities.
Organisations
OGC (CCTA)
ITIL was originally a CCTA product. CCTA was the Central Computer and
Telecommunications Agency of the British government. On the 1st April 2001, the CCTA was
amalgamated with the OGC (Office of Government Commerce), which is now the new
"owner" of ITIL. The objective of the OGC is to help its customers in the British public sector
update their procurement activities and improve their services by making the best possible
use of IT and other instruments. ‘OGC aims to modernise procurement in government, and
deliver substantial value for money improvements.’ The OGC promotes the use of ‘best
practices’ in many areas (e.g. project management, procurement and IT Service
Management). The OGC publishes several series (libraries) of books written by British and
international experts from a range of companies and organisations.
Library consists of a number of clear and thorough ‘Codes of Practice’ to promote and
provide efficient and effective IT services.
ITSMF
The itSMF promotes the exchange of information and experiences that enable IT
organisations to improve the services they provide. It organises symposiums, congresses,
special subject evenings, and other events about current IT Service Management subjects.
Working parties also contribute to the development of the subject. The association
publishes a newsletter and operates a web site with information about its activities
(http://www.itsmf.com).
The certification system is based on the requirements for effectively fulfilling the
relevant role within an IT organisation. To date, certificates have been awarded to over
30,000 IT professionals in over 30 countries.
The Foundation Certificate is intended for all personnel who have to be aware of the
major tasks in the IT organisation, and the connections between them. After obtaining the
Foundation Certificate, the Practitioner and Manager exams can be taken. Practitioners are
trained to undertake specific ITIL processes or tasks in such processes, such as Incident
Management, Change Management and/or Service Level Management. Managers are
trained to be able to control these processes, to advise about the structure and optimisation
of the processes, and to implement them.
By now, ITIL represents much more than a series of useful books on IT Service
Management.
The ITIL community also allows for organisations involved to provide feedback so
that the reality of current best practice is quickly reflected and incorporated into the ITIL
theory.
Furthermore, extensions and alternatives have been developed, some of which may
be considered as IT Service Management methods in their own right. These alternatives
often address the needs of certain groups or organisations whose specific problems are not
adequately covered by ITIL.
The unique aspect of ITIL is that it offers a generic framework based on the practical
experience of a global infrastructure of professional users.
Each of the ITIL books addresses part of the overall ITIL framework. For the ITIL
purist we acknowledge that ITIL is a library of many books. This course is centred on the
Service Delivery and Service Support books. We use ITIL as the description of these two
books throughout the course.
ITIL defines the objectives and activities, and input and output of each of the
processes found in an IT organisation. However, ITIL does not give a specific description of
how these activities should be implemented, as this will be different in every organisation.
The emphasis is on an approach that has been proven in practice, but (depending on the
circumstances) may be implemented in a number of ways. ITIL is not a method; instead, it
offers a framework for planning the most common processes, roles and activities, indicating
the links between them and what lines of communication are necessary.
Part of the ITIL philosophy is based on quality systems, such as the ISO-9000 series,
and Total Quality frameworks, such as that of the EFQM. ITIL supports such quality systems
with a clear description of the processes and best practices in IT Service Management. This
can significantly reduce the time required to obtain ISO certification.
Originally, ITIL consisted of a large number of sets of books, each of which described
a specific area of the maintenance and operation of IT infrastructure. Ten books describing
Service Support and Service Delivery were considered as the core of ITIL. There were
approximately 40 other books on complementary subjects related to IT Service
Management, from cabling to managing customer relationships. However, the original series
of books in the Infrastructure Library mostly approached IT Service Management from the
IT perspective.
The Business Perspective Set was introduced to bridge the divide between the
business and the IT organisation. Even so, certain aspects of ITIL still had a slightly dated
approach.
The "core" ITIL books have now been revised and published as two books, one on
Service Support, and one on Service Delivery. This has eliminated significant overlap and
occasional inconsistencies in the earlier series and has improved cohesion. They also
support the vision of IT Service Management more thoroughly.
The ITIL puzzle shows the main elements addressed by the ITIL books. Each of these
elements interfaces with the others, and overlaps them to some extent.
• Service Delivery
• Service Support
• Applications Management
In this chapter, we will introduce the ITIL series of publications using the main
elements of the ITIL puzzle. By the end of 2002 the original set of books, each on a specific
aspect of IT Service Management, should have been replaced by six new ITIL books, as
have the books on Service Support and Service Delivery. However, many of the best
practices to be described in the new books are also included in the current ITIL series. For
more information, see www.itil.co.uk
Business Perspective
The ITIL books in the Business Perspective Set describe many issues related to
understanding and appreciating IT services as an integrated aspect of managing a business.
The Business Perspective Set, and the Business Perspective book, which will
eventually replace the set, address:
• Surviving changes
Other ITIL books address some of these topics, in addition to those in the Business
Perspective Set.
Relationships with suppliers can be characterised by the nature and content of the contacts.
These may be to discuss the long-term prospects of existing relationships, to promote
communication, or to investigate the range offered by various suppliers.
The major tasks of the Managing Supplier Relationships process include selecting suppliers,
assessing the performance of suppliers, and determining the way in which the IT
organisation handles supplier contracts.
Service Delivery
As indicated above, Service Support and Service Delivery are considered to be at the
heart of the ITIL framework for IT Service Management. The ITIL book on Service Delivery
describes the services the customer needs, and what is needed to provide these services.
• Capacity Management
• Availability Management
There is continual reference to how these areas also integrate the essential element
of Client Relationship Management.
The objective of Service Level Management is to make clear agreements with the
customer about the IT services required, and to implement these agreements.
Consequently, Service Level Management needs information about the customer needs,
facilities provided by the IT organisation, and the financial resources available.
By analysing the information needs of the customer (Information Pull) rather than what is
technically feasible (Technology Push), the IT organisation can improve customer
satisfaction.
How the service can be monitored and discussed.
Capacity Management
Availability Management
This process addresses the preparation and planning of disaster recovery measures for IT
services. Other common names are Contingency Planning and Disaster Recovery Planning.
The starting emphasis for IT Service Continuity Management is the requirement to
safeguard the continuity of the customer organisation in the event of a disaster (this means
that the IT organisation must be aware of the "Business Continuity Plan"). IT Service
Continuity Management is the process of planning and coordinating the technical, financial
and management resources needed to ensure continuity of service after a "disaster", as
agreed with the customer.
Security Management
Service Support
The ITIL book on Service Support describes how a customer can get access to the
appropriate services to support their business.
• Service Desk
• Incident Management
• Problem Management
• Configuration Management
• Change Management
• Release Management
Service Desk
The Service Desk is the initial point of contact with the IT organisation for users. Previously,
the ITIL books referred to it as the Help Desk. The major task of the Help Desk was
recording, resolving and monitoring problems. A Service Desk can have a broader role (for
example receiving Requests for Change) and it can carry out activities belonging to several
processes.
The new book on Service Support now distinguishes between the Service Desk (i.e. as a
function or organisational unit), and processes such as Incident Management,
Configuration Management and Change Management.
Incident Management
The distinction between "incidents" and "problems" is possibly one of the best-known
discussion points in the ITIL field. There are clear differences and by understanding both
processes the reasons become very clear.
Although the difference may be confusing, there is a major advantage in that a distinction is
made between the rapid return of the service (the goal of incident management) and
identifying and remedying the cause of an incident (the goal of problem management).
Incident Management aims to resolve the incident and restore service quickly.
Incidents are recorded, and the quality of the incident records determines the effectiveness
of a number of other processes.
Problem Management
Once the cause of a series of recurring incidents has been identified (Known Errors), a
business decision is taken whether to make permanent improvements to the infrastructure
to prevent new incidents. This improvement is made by submitting a Request for Change.
By creating the Incident Management process in the Service Support book, Problem
Management is neatly split off and is not a part of solving incidents.
Note that your end users may still refer to what they experience as a "problem". It may not be
appropriate to educate your users that what they are experiencing is in fact an "incident". This is
a classic example of when the framework needs to be interpreted sensibly.
Configuration Management
Change Management
Release Management
The actual implementation of changes is often carried out through Release Management
activities. Both hardware and software (central processing, data communications and
clients) changes are often planned on the basis of releases. The main objective of Release
Management is to control the distribution of hardware and software, including integration,
testing and storage.
Release Management ensures that only tested and correct versions of authorised software
and hardware are provided. Release Management is closely related to Configuration
Management and Change Management activities.
IT Infrastructure Management
• Operations Management
• Systems Management
The ITIL module for Network Services Management also addresses the long-term
communications needs of the organisation. In essence, it describes how the ITIL best
practices can be applied in a network environment.
Operations Management
Computer Installation and Acceptance primarily concerns guidelines for planning the
acceptance, installation and eventual removal of large computer hardware in the IT
infrastructure. These guidelines are a development/extension of the activities in the
Change Management and Release Management processes.
Systems Management
To date, the ITIL Books have not covered Systems Management. In future a new
book on IT Infrastructure Management will cover it.
Environmental Management
Applications Management
The ITIL book on Applications Management will address the relationship between
management and the software lifecycle. This includes issues such as Software Lifecycle
Support and testing IT services. A major issue in Applications Management is effectively
responding to changes in the business. Clearly defining the requirements and implementing
a solution that meets the needs of the customer organisation is paramount.
Software Lifecycle Support aims to define the approach for supporting the entire
software lifecycle, in consultation with those responsible for software development.
The way in which software is designed, built, tested, introduced, operated,
maintained, and eventually decommissioned, is extremely important in IT services.
In every stage of the software lifecycle, there have to be agreements between those
developing and those operating the IT infrastructure. The selection of Software
Lifecycle models can have a significant impact on the IT services.
The objective of testing an IT Service for Operational Use is to ensure that the
proper operation of new or modified IT services is tested before they enter
operations. A system test, installation test and acceptance test are undertaken to
determine if the developed application works, is correctly installed, interfaces with
the rest of the IT infrastructure, and offers the "users" the functions agreed with the
"customer".
The ITIL series also includes some books on subjects at the strategic level, the
Managers Set.
(based on the ISO-9000 series of standards) in an IT organisation, and the
evaluation of an existing quality management system. The relationship between the
ISO standards and ITIL modules is also identified.
Quality Management activities include defining and implementing the quality policy
and managing the quality system, including audits.
IT Services Organisation
Planning and Control for IT Services aims to provide a coherent system of planning,
reporting and control for the IT organisation, to ensure that the organisation fulfils
the objectives and requirements based on the business strategy and the strategy of
the IT organisation. This includes coordinating the planning and reporting of the
various IT Service Management processes (for example in the form of annual plans
and quarterly reports).
There is now much experience throughout the world with planning and implementing
programmes to optimise IT Service Management. A recent ITIL book is devoted to this
subject.
Lack of commitment will create resistance from the very people needed to align
these processes with the business needs. And alignment is at the very heart of benefits
gained in a process driven approach for IT Service Management.
Analysing the needs of the organisation and implementing the required solution could
require the creation of a temporary organisation. This could be considered as one project,
or as a series of projects in an improvement programme. One advantage is that it will
provide the organisation with clear decision points where it can decide to terminate,
continue, or modify the project. In this context, the ITIL books recommend the adoption of
PRINCE2 (Projects IN Controlled Environments) as a Project Management methodology.
Each project is based on an analysis of the current situation, the desired situation,
and the path in between. In most cases, the alternatives will be compared on the basis of:
You should be aware that ITIL is no magic formula. Do not expect miracles. You
should be particularly wary of so-called ITIL implementation projects that have a hidden
agenda, such as a reorganisation or merger. ITIL describes the best practice for improving
IT Service Management; it is not an organisational handbook. ITIL primarily provides a
frame of reference for process structures in the IT organisation and, to a much lesser
extent, a guideline for the structure of that organisation. If a project aims to improve the IT
organisation along these lines, then it is wise to seek out experts in this field (a good
starting point is outside consultants who are certified IT Service Managers, according to the
certification requirements laid down by Exin or the ISEB).
A baseline measurement or health check can provide a good start for process
improvements. Such an assessment of the IT Service Management processes can help
identify the strengths and weaknesses of the organisation, and define clear objectives for an
improvement project.
After some time the measurement can be repeated to show the progress of the
project or programme.
Service Desk
Introduction
You have just started a complicated job, which requires all your concentration. The
phone rings... Someone is having computer difficulties! The printer is not working. You solve
the issue and just when you are back into the job …
Someone walks into your office asking when his or her expected upgrade will be done.
Wouldn’t it be great if you could complete this job without interruption?
It is the role of the Service Desk to act as the single contact point between the
customer and the IT Service Provider.
They will handle all incoming calls and only direct them through to the second or
third level support when necessary. For the customer, the advantage is that they don’t have
to ring around before finding the right person to solve their problem; for IT personnel, it
means that they only have to deal with issues that are related to their skills or area of
responsibility.
Objective
The Service Desk offers "first line" support to users. Users need help if they are not
sure how to behave in a specific situation when using IT services or when they need
assistance to solve a particular issue involving IT.
In addition, the Service Desk is the central point of contact where incidents or
inaccuracies in IT systems can be reported. The Service Desk is the face of the IT
department to the clients. Furthermore, the Service Desk is an important source of
management information.
• To facilitate the restoration of normal operational service with minimal business impact on the
Customer within agreed service levels and business priorities
Process Description
The Service Desk is not regarded as a process within ITIL but as a function.
As IT has become a greater part of business over the years, the role of the Service Desk has
become crucial. Businesses rely on their IT service to stay on top of the market and be
competitive. The service provided by the Service Desk tends to be broader than just the IT
part of business, hence the change in name from Helpdesk (which was more IT related) to
Service Desk.
It plays a vital role in IT Service Management: from a customer point of view, the Service
Desk is the IT Service Provider, and it therefore plays a critical part in how customers
perceive the IT organisation as a whole.
Among the activities performed by the Service Desk are Incident recording and Incident
Control. This used to be part of the Helpdesk Process but is now included in the process
called Incident Management (covered in a later module).
Activities
The Service Desk has a number of primary responsibilities. These are:
• To provide a single point of contact for the customers;
• To facilitate the restoration of normal operational service (with minimal business
impact on the Customer) to the agreed service levels and according to the business
priorities.
Activities
The objective is to produce reports from which management can make decisions
and measure performance based on agreed service levels and deliverables.
Incident control
The Service Desk is responsible for recording all incidents and then controlling them. The
Service Desk can record incidents in different ways:
• Phone
• E-mail
• Internet
• Fax
• Personal visit
By making use of different ways of recording incidents, and even automating the solution,
the workload of the Service Desk will be reduced and, by association, so will the costs.
Think about how much time it costs to reset a password for a user and how often that is
required. If sending an email started a set of actions that included creating the
incident, resetting the password, informing the customer and closing the incident, a great
deal of time could be saved.
Roles
The new Service Desk tends to be more than just the place to lodge calls related to IT.
It has a role to provide and improve the service to the business in general. The change in
role is that the Service Desk is more customer-focused, whereas the traditional Help Desk
tended to be more technical in nature.
As there are different types of Service Desk models the skills required by the Service Desk
staff also must be carefully analysed.
Interpersonal skills are one of the more important ones. Technical skills become more
important when the Service Desk becomes more skilled and aims to solve most of the
incidents without rerouting them to higher levels of support.
Relationships
Being the single point of contact for IT Service, the Service Desk has a link with all
processes within ITIL. With some processes the link is clearer than with others.
The Service Desk is, in fact, an operational aspect of the important process of Incident
Management, e.g. incident control. The Service Desk registers and "controls" Incidents.
This allows the Service Desk staff to quickly solve incidents by searching on a
Configuration Item, category and/or error code and applying a previously used solution.
Note: A Configuration Item (or C.I.) is discussed in the Configuration Management process
section. A C.I. is an item that we want to store information about.
In some cases the Service Desk makes some minor changes and so has a link with Change
Management and Release Management.
The link between the Service Desk and Service Level Management is illustrated by
the Service Desk monitoring Incident levels and reporting whether the IT
service is restored within the limits defined in Service Level Agreements (SLAs). The Service
Desk will report to Service Level Management if IT Service is not restored within time
frames and escalation procedures are properly defined and adhered to.
Benefits
The benefits from a properly implemented Service Desk flow across Users, Customers, IT
Staff and the business as a whole.
Note: The difference between a Customer and a User should be explained. A Customer is the person who may often
be the representative of the business for the service provided and/or the person who funds the service. The user is
the ultimate end user of the service provided.
• Single point for all queries
• Better informed
• Quicker turnaround of requests, queries and incidents
Summary
An effective Service Desk will deliver overall cost reduction and increases in staff
morale, service reliability and identification of business opportunities. All this leads to
increases in Customer satisfaction ratings, with the associated improvement in perception
this brings.
Common Problems
There is no denying that along with any move towards improvement there will
be problems and barriers to success. Recognising this in advance goes a long way to solving
the problem when (not "if") it comes up.
• Users do not call the Service Desk, but try to go around it to the person they know,
the one who helped them so well the last time.
The Service Desk needs to be easily accessible: an easy-to-remember
phone number, an established out-of-office process, an
established after-hours process, low waiting times and different
ways of communicating/interfacing. Processes for dealing with
different levels of staff within the organisation (e.g. creating a
group of "Critical Users") will also ensure that Service Desk
staff realistically deal with those in highly critical roles as a top
priority.
Users who wish to circumvent the proper procedure will be annoyed and cause
disruption. However, this short term problem should be ridden out, rather than
"giving in". In time, all users will become accustomed to change and eventually
start to accept and see the benefits (refer to SD Benefits).
• Not aware what the needs of the business and/or users are.
• Not all parties involved are informed about the Service provided and the Service
Levels agreed upon, resulting in unrealistic expectations.
This is not to say that staff will use this information against users who require
service, it simply means that users approach the Service Desk with realistic
expectations. Naturally, everyone's problem is critical when it happens - when a
user is irate or stressed it is not appropriate to point out that the agreed service
levels allow for a 48 hour response. This highlights the people skills that Service
Desk staff need to have.
Metrics
Metrics are essential in monitoring any IT Service provided. The Service Desk as a
service for users is no different in this regard.
Day to day reports can provide information on Calls and Incidents. For instance:
• How many and what kinds of incidents (classifications) the Service Desk solves at
first point of call.
• How long calls last, how many there are and how long the waiting time is before a
call is answered. This information can be extracted from appropriate tools or from
PABX records.
If standards are set before the Service Desk starts operating one can monitor the
progress of the Service Desk. The crucial factor is in defining what it is that should be
measured. It is realistic to start with a very simple set of metrics and possibly this is a
better approach as it means that there is no time lost in creating a long series of reports
that add no value to a customer.
The easiest way to begin to define what metrics are required is to look to the Service Level Agreements
(SLA's) that should define the response times, etc. for the Service Desk from the Customer perspective.
However, even if all Service Levels are met the most important measurement for any
Service organisation is the perception of the Customers of the service provided. Therefore
Customer satisfaction should be measured regularly.
The "hybrid" model is also a genuine Service Desk structure that uses a combination of
two or more Service Desk structures.
Very "visible" to the organisation. The Service Desk is most probably in the same
building or locality as the users of the IT Services. The advantage of this concept is the fact
that Service Desk staff are very well versed with the local situation and local conditions.
However, be aware that if the organisation is spread out over various locations
with their own local Service Desks (i.e. multiple "local" desks), a high standard of process
adherence should be apparent. All Service Desk staff should follow the same processes and
procedures to prevent differences between the different Service Desk operations.
A centralised Service Desk is a physical point in one location. All users from the different
sites contact this one Service Desk.
This model leads to a reduction in operational costs, easier management of the IT Service
and better use of Resources.
The issue to consider is the need for a physical engineer at the various locations to
solve local incidents. Time differences also have to be taken into consideration when
setting up Service Level Agreements.
Hybrid models combine two or more of these particular structures into a customised
solution for a particular organisation. This is a genuine structure as the ITIL Framework
provides guidelines only for structure and is not a prescriptive solution book.
Interesting websites:
• http://openview.hp.com/products/servicedesk/
• http://www.interpromusa.com/hdicerti.htm
• http://www.interpromusa.com/The Integrated Service Desk.pdf
• http://www.itilworld.com/n-america/service-support_helpdesk.htm
• http://www.itil-service-support-management.com/Pages/Service support/Service Desk/Service_Desk_scope.htm
• http://www.itil.co.uk/online_ordering/serv_supp_graphs/serv_desk.htm
Essential Terms
Escalation:
When the time limit for resolving an incident has passed, the incident escalates into a
problem (depending on the priority and impact of the incident) and a different level of
support (Problem Management) comes into force and this:
Routing:
An incident is passed to second line support because no specialist knowledge for the
solution is available at the Service Desk.
Incident:
An incident is every operational event that is not part of the standard operation of an IT
service. An incident influences the service delivery, although it can be small and in some
cases even transparent (not noticeable) for the user.
Problem:
A problem is the as yet unknown cause of the occurrence of one or more incidents.
Known error:
This is the situation where a successful diagnosis of a problem has shown what the cause is
and which CI is at fault. A possible solution may also be found as to how the problem can be
avoided.
Some organisations may use “expert” users to solve some first line support queries,
depending on the structure of the organisation. This can solve some short term people
resource issues.
Call:
Each time the user contacts the Service Desk.
Incident Management
Introduction
The Incident Management process contains activities that are aimed at restoring an
IT service following a disruption. The Service Desk is usually the owner of this process;
however, all support groups across an IT organisation will play their part.
Requests for Change are handled in a similar way to Incidents so they can also fall
under Incident Management. A business may decide however to describe the handling of
RFC’s in a special procedure in order to keep the Incidents and RFC’s separated.
Note: An RFC is a Request for Change and will be dealt with in the Change Management
process area. An RFC is the "trigger" that begins the Change Management process.
Objective
The objective of Incident Management is to restore normal operations as quickly as
possible with the least possible impact on either the business or the user, and at a cost-
effective price.
The definition of how quickly is quickly should not be subject to interpretation. The
timeframes for Incident resolution should be defined in the Service Level Agreements
(SLAs) that exist between the IT Department and the customer.
The speed of resolution will affect the cost. It is this cost-to-speed ratio that is often
forgotten when a user faces problems. Issues that are low priority during negotiations are
"somehow" escalated to the status of requiring high levels of attention when the issue
occurs.
Often support staff will simply respond to user pressure in such situations and
immediately the expectation is adjusted and anything less than immediate response to this
otherwise low priority issue is considered as poor service (the IT Support dilemma!).
Process Description
As with every process there is an Input and an Output.
The main inputs to this process are Incidents. As shown below, Incidents can come
from many sources, such as users, management information or infrastructure monitoring tools.
The input for Incident Management mostly comes from users, but can have other
sources as well, such as management information or detection systems.
The outputs of the process are RFC’s, resolved and closed Incidents, management
information and communication to the customer.
This concept is illustrated in the following diagram. The centre diamond shows the
activities of Incident Management.
Activities
The activities included in Incident Management are:
As shown, Incidents come from many sources. The Service Desk (more commonly
known as a Help Desk) is the primary point for recording incidents, although other IT staff
can play this role as well. The Service Desk is the single point of contact between service
providers and users, or their representatives, on a day-to-day basis and typically the owner
of the Incident Management process.
Incident priorities and escalation procedures need to be agreed as part of the Service
Level Management process and documented in SLAs.
Incidents should be classified according to three criteria (Priority, Impact & Urgency).
Priority
One of the important aspects of managing an Incident is to define its priority. How
important is it and what is the impact on the business? The responsibility for this definition
lies with the Service Level Management process. The priority with which Incidents need to
be resolved, and therefore the amount of effort put into the resolution of and recovery from
Incidents, will depend upon:
Impact
'Impact' is a measure of the business criticality of an Incident or Problem. Often this
equates to the extent to which an Incident can lead to degradation of agreed service levels.
Impact is often measured by the number of people or systems affected. Criteria for
assigning impact should be set up in consultation with the business managers and
formalised in SLAs.
Urgency
'Urgency' is about the necessary speed in solving an Incident of a certain impact. A high-
impact Incident does not, by default, have to be solved immediately. For example a User
having operational difficulties with his workstation (impact 'high') can have the fault
registered with urgency 'low' if he is leaving the office for a fortnight's holiday directly after
reporting the Incident.
Urgency is seen as to what degree the service is affected (stopped, partially affected,
functionally changed). If a user calls with an Incident and they can’t work (service stopped)
then it is of greater urgency than a user calling to request a functionality change.
Once the Incident is logged, the activity of investigation and diagnosis will take place.
If the Service Desk can’t solve an Incident it will be assigned to other support levels.
They will then investigate the Incident using the available skill sets and tools, such as a
knowledge base of Known Errors, and diagnose the problem. It is important that all parties
that work on the Incident keep a record of their actions by updating the Incident record.
Incident closure
For the Incident Management process to be effective it is necessary that Incident
closure be done properly. This step includes:
To ensure the solution provided meets the user's needs, the user is the only person who
can give the authority to close an Incident. The Incident record in the Service Desk tool
should be ‘closed’ so that accurate reporting can be carried out.
In some cases the Incident record is closed but a Problem record is still open (Refer
to Problem Management for more information about a Problem record).
Whilst an Incident may be passed across different IT groups during investigation and
diagnosis, the Service Desk remains the owner of the Incident (in terms of tracking through
to closure). It will monitor the progress of the Incident in light of service levels and
maintain/manage communication with the user. If the Incident is not progressing
appropriately then the Service Desk may trigger either a functional or hierarchical
escalation. These different types of escalation are covered in the Best Practices section.
Roles
The role of Incident Manager in most organisations is assigned to the Service Desk
Manager.
Support roles:
First line support will be done by the Service Desk and includes recording, classifying,
matching, routing, resolving and closing incidents.
Second and third level support are responsible for investigation, diagnosis, and
recovery from incidents.
Relationships
Incident Management has a close relationship with other ITIL processes. Some of
these inter-process relationships are described here.
Configuration management:
The CMDB provides information about CI’s and the parent/child relationships
between them. This helps to determine the cause, solution and routing of an incident by
tracing a fault back through the C.I. relationships. For example, if a user cannot access the
Internet, looking back through the parent/child relationships of that user's PC could reveal
that a Hub that the user connects to (parent of the child PC) is a potential C.I. that should
be investigated.
Problem Management
Incidents with unknown causes are routed to Problem Management where they are
processed.
Known Errors, Work-arounds and Quick Fixes are given to Incident Management by
Problem Management.
Change Management
This process can be the cause of Incidents if a Change is not implemented correctly.
Therefore it is very important that Incident Management knows all planned changes so they
can relate Incidents to a change and notify the Change Management process so that roll-
back plans can be implemented if necessary.
On the other hand some Incidents will be solved by a Change, as will be the case when
faulty equipment is replaced.
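The Configuration Management and Change Management relationships described above can be combined in one lookup: trace an incident's C.I. up through its CMDB parents, list the recent changes made anywhere on that path, and find the C.I.s shared by several incidents. This is an added example, not part of the original course material; the CMDB contents, change records, RFC numbers and the 72-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed CMDB extract: child C.I. -> parent C.I. (None marks the top of the tree).
# Assumption: each C.I. has exactly one parent, as in the PC/Hub example above.
CMDB_PARENT = {
    "pc-101": "hub-a",
    "pc-102": "hub-a",
    "pc-201": "hub-b",
    "hub-a": "router-x",
    "hub-b": "router-x",
    "router-x": None,
}

# Constructed list of implemented changes that Incident Management has been told about.
CHANGES = [
    {"rfc": "RFC-0001", "ci": "hub-a", "implemented": datetime(2004, 1, 12, 22, 0)},
    {"rfc": "RFC-0002", "ci": "router-x", "implemented": datetime(2004, 1, 2, 22, 0)},
    {"rfc": "RFC-0003", "ci": "pc-201", "implemented": datetime(2004, 1, 12, 23, 0)},
]


def ancestry(ci, cmdb=CMDB_PARENT):
    """Return the C.I. followed by its parents, nearest first, up to the root."""
    chain, seen = [], set()
    while ci is not None:
        if ci not in cmdb:
            raise KeyError(f"C.I. {ci!r} is not recorded in the CMDB")
        if ci in seen:
            # A loop in the relationships means the CMDB data itself is wrong.
            raise ValueError(f"parent/child loop detected at {ci!r}")
        seen.add(ci)
        chain.append(ci)
        ci = cmdb[ci]
    return chain


def candidate_changes(ci, reported_at, window=timedelta(hours=72), changes=CHANGES):
    """RFCs implemented on the C.I. or any parent shortly before the incident.

    Results are ordered by closeness to the affected C.I., then by how recent
    the change was. Changes implemented after the report are ignored.
    """
    chain = ancestry(ci)
    hits = []
    for change in changes:
        age = reported_at - change["implemented"]
        if change["ci"] in chain and timedelta(0) <= age <= window:
            hits.append((chain.index(change["ci"]), age, change["rfc"]))
    return [rfc for _, _, rfc in sorted(hits)]


def shared_cis(incident_cis):
    """C.I.s that sit on the parent path of every affected C.I., nearest first.

    When several users report incidents, the shared parents are the first
    places to look for a common cause.
    """
    if not incident_cis:
        return []
    chains = [ancestry(ci) for ci in incident_cis]
    common = set(chains[0]).intersection(*chains[1:])
    return [ci for ci in chains[0] if ci in common]


if __name__ == "__main__":
    reported = datetime(2004, 1, 13, 9, 0)  # constructed incident time
    print("Path to check:", ancestry("pc-101"))
    print("Recent changes on that path:", candidate_changes("pc-101", reported))
    print("Shared by pc-101 and pc-201:", shared_cis(["pc-101", "pc-201"]))
```

An incident on a C.I. that is missing from the CMDB raises an error rather than returning an empty path, since an unrecorded C.I. is itself something Configuration Management needs to know about.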
Incident Management provides information to and gets information from all the Service Delivery
processes. Service Level Management, for example, is responsible for establishing service
levels that relate to work done within the Incident Management process. The Service Desk
will then report against these service levels.
Benefits
A well implemented Incident Management process will have easily visible benefits.
Unlike some other ITIL processes where benefits may be hard for end users to identify, the
benefits of good incident management will be felt by them directly.
For customers
For IT Organisation
• Prioritisation - the high impact, high urgency incidents are the ones that jump to the
front of the queue, resulting in the least possible impact on the business activities.
• Quicker resolution of Incidents, leading to productivity gains.
• Management information is provided.
impact/high priority task and that there are other incidents demanding attention ahead of
them.
This is where the communication skill of IT Staff must be at its highest (and most
tactful). Carefully selecting the words used to convey this message can be learnt: for
instance, acknowledging the frustration they are facing and providing a very brief overview
of the things ahead of them in the queue. This way the person can (hopefully) understand
that there are more pressing issues ahead of theirs. Avoid dismissing their call with
"unimportant", "I'm busy with other people" or "You'll have to wait".
Common Problems
We know there are many benefits of a good incident management process. Likewise,
there can be some real "show stoppers". The following major obstacles, if not dealt with,
will mean the process is inefficient and ultimately unsuccessful.
Note: The CMDB is the Configuration Management Data Base. The CMDB is
covered in the Configuration Management process chapter. The CMDB holds
information about C.I.'s (Configuration Items).
• A knowledge database. This database will hold Known errors, work arounds and
resolutions. This will help Incidents to be resolved much faster and with less effort.
• An Incident Management tool to record and monitor Incidents easily. (Preferably this
tool is part of a complete Service Management tool that integrates the tools from all
processes).
The challenge in the implementation of these tools and databases is not to let the work
of setting up the system stand in the way of making progress.
Any ITIL process can be started in a very simple form. The biggest challenge facing
IT professionals is that it takes "discipline" to use the tools and procedures. The sooner
the discipline of logging information, searching for solutions rather than re-working
solutions can begin, the better.
If people start to use the tools and start to see benefits in doing so, then the
proper "habits" are formed. It is then a relatively easy task to modify behaviours to use a
different tool or introduce new features/functionality as tool development or tool selection
progresses.
Metrics
Many metrics can be obtained from this process; some of the more notable and useful are:
• Number of Incidents per time period
• Number of Incidents per category
• Number of Incidents per priority level
• Incident resolution performance against service levels
• Number of closed Incidents per time period
Best practice
Incident Management tools:
There are many Service Management tools on the market that now align and provide functionality to support ITIL
processes. These tools have many features, which assist in automating the process such as:
Hierarchical escalation usually occurs more proactively (e.g. when the service desk
identifies early that there is the likelihood of a breach and escalates manually rather than
waiting for the time lapse).
The following diagram shows the activities throughout the Incident Management
process and the status that each activity can be set at. Throughout the activities the
continual issue surrounding ownership, monitoring and tracking must also be considered.
Interesting Websites
• http://www.helpdeskinst.com/publications/practices.asp
• http://www.itil-service-support-management.com/Pages/Service support/Incident management/Incident_mgmt.htm
• http://www1.worldcom.com/au/resources/whitepapers/pdf/WorldCom_White_Paper_On_eCRM.pdf
• http://www.itil.co.uk/online_ordering/serv_supp_graphs/incident_mngt.htm
• http://tools2manage-it.com/serv_mgt.php
Essential Terms
Incident
"Any event that deviates from the (expected) standard operation of a system."
An incident is often simply a user requesting help for something that is not working. For
example “I can’t see my network drive”, “I can’t access the Internet”, “I can’t send email”.
It is any situation where something does not work and the specific details are not known.
Work around
It is possible for Problem Management to identify a “work-around” during the investigation of
problems. These should be made known to Incident Management so that they can be
passed to the user until the permanent fix is implemented.
Problem Management
Introduction
Problems have a tendency to always happen!! No matter how well things are
running, even with the most reliable IT, the service delivery will be troubled by disruptions
that cannot always be avoided.
We have learnt that an incident is a deviation from standard operation. This means
that users can face many incidents and a lot of the time they will face the same incident
many times.
A user calls with an "incident" - the Service Desk captures the call and gives great
Incident Management support: "re-boot your PC and see if that fixes it". It does. The user
is happy. The next day the same user calls with the same incident, with the same great
incident support. "Re-boot your PC". On the third day the user does not call again, they just
re-boot their PC and start to live with the issue. Then they start to tell other users - just
re-boot your PC, that'll fix it. All of a sudden we have a plague of PC re-booting users!!!
In the meantime users print their documents over and over again as they think
they’ve done something wrong. The next day users still call with the same problem, the
document still not printing … The Service Desk releases the queue when applicable, the
document is printed and the Incident is closed.
If Problem Management were in place a problem would have been identified and
recorded. The "Known Error" related to this problem would be found in the configuration of
the Printer. The solution, to reconfigure the printer so the queue is automatically released,
would be found and implemented. The stream of Incidents regarding this printer would
cease.
The releasing of the queue by the Service Desk would be used as a workaround to
restore the IT service in the event of the printer facing a similar issue in the future.
Objective
The objective of Problem Management is to minimise the total impact of problems on the
organisation. Problem Management plays an important role in the detection and repair of
problems to prevent their reoccurrence.
The following slide says this in a different way but also introduces the crucial element of
proactive problem management.
Process Description
The process focuses on finding patterns between incidents, problems and known errors.
These three areas are key things to understand in this "root cause analysis". The basic principle is
starting with many possibilities and narrowing down to a final root cause.
Note: "Root Cause analysis" is often used interchangeably with Problem Management.
The ITIL Framework doesn't prescribe what a process area should be called and Root
Cause Analysis is fine. However, Root Cause Analysis is typically a reactionary exercise.
ITIL's Problem Management caters for reactive work, but more importantly recognises
the value of proactive problem management. We use Root cause analysis
interchangeably with Problem Management.
Incidents:
Problem:
A problem is the “unknown underlying cause of one or more incidents”. This is the second
stage of "root cause analysis"/problem management. From the general incidents, more
investigation will uncover an underlying cause of these incidents. A “network problem” is a
good example of a problem definition in this case. Users don't call saying I have a "network
problem", they call and say "I can't save to my H: drive" or "I can't print or surf the web". IT
staff then piece all these incidents together and identify that we are facing a "network problem".
Root cause analysis has taken us closer to finding the root cause but not completely. A problem
is then a more specific definition.
Known Error:
A Known Error is the final step in the root cause analysis process. A Known Error can be
defined as, “when the root cause of the problem is known”. In our network problem example it
is where the faulty equipment or system has been identified.
This is the end of the root cause analysis process. Following the above example the Known error
would be “Router x is faulty”.
From the above we see the initial general issues being faced through to the final definition of the
root cause. The following diagram illustrates this flow.
The outputs of the process are:
• RFC’s (Request for Change) to start the change process to solve the Known Errors.
• Management Information
• Work arounds
• Known Errors
• Update Problem records and solved problems records if the known error is solved.
The following picture summarises this. The center diamond highlights the Problem Management
activities which we will look at in the next module.
Activities
The ITIL Problem Management has four primary activities as follows:
• Problem Control
• Error Control
• Proactive Problem management
• Completion of Major Problem Reviews
Problem Control
o It is also wise to note that the time, effort and cost that
goes into fixing problems must be weighed up against the
benefits of doing so. If costs outweigh benefits a simple
Problem record can be created that links all affected C.I.'s,
RFC's and Incidents.
• Classification of Problems
o This activity centres on understanding what the impact
on agreed service levels is of the problem. Classification of
problems is similar to Incident classification (impact, urgency,
priority).
Error Control
Error Control is the process in which the Known Errors are researched and corrected. The
request for change comes from this sub-activity and is submitted to Change Management and
then following approval the change is actioned.
Proactive Problem Management focuses on the analysis of data gathered from other
processes and the goal is to define “Problems”. These problems are then passed to
Problem and Error Control procedures, as if they had happened.
• Trend analysis
• Using data to highlight potentially weak components.
• Targeting preventative action
• Trend analysis can lead to identifying general problem areas.
The aim of proactive Problem Management is to redirect efforts away from always being
reactive, to proactively preventing incidents occurring in the first place.
3. What lessons do we take away from solving this problem?
Roles
Problem Manager role
• Identification of Problems
• Investigation of Problems leading to the Known Errors
• Monitoring the Process of eliminating Known Errors
• Raise RFC’s when necessary
• Identify trends
• Communicate Work arounds and quick fixes to Incident Management
Relationships
The Problem Management process has a close connection with the following ITIL processes:
Incident Management:
A very close and obvious link as we have learnt. Problem management aims to solve the
root cause for the Incidents that are recorded by Incident Management. It is important that
Incident Control provides accurate information so that Problem Control can solve the Known
Errors more easily.
Problem management will supply Incident Management with workarounds and quick fixes
where possible.
Change Management:
If Problem Management finds the solution to a Known Error they have to submit an RFC for
the Change. Change Management is responsible for the implementation of the Change.
When it is implemented they, together with Problem Management, review the Problem to
verify that it is solved by the Change. This is called a Post Implementation Review after
which Problem Management can close the problem record.
Configuration Management:
Other processes:
Benefits
Problem Management improves the IT service quality by resolving the root cause of
incident(s). This leads to fewer Incidents - benefiting users, customers, the
organisation and the IT department:
Advantages are:
• Higher resolution rate for Incidents at the Service Desk first time around
• Fewer Incidents
Common Problems
1. Incident Management and Problem Management don’t have well defined interfaces
with each other.
2. Known Errors are not communicated to Service Desk/Incident Management
3. No Commitment from Management
4. Unrealistic expectations of the Problem Management process.
The following slide raises these and other points of attention that have to be considered.
Metrics
Within Problem Management there is a lot that can be measured. What is relevant depends
on the scope of Problem Management.
Best practices
Considerations for Problem Management, a high-pressure area for IT.
Compared with the variety, complexity, volume and difficulty of problems facing Support
teams today, those of the "early days" (a decade ago) seem child's play. Why?
Increases in user demand have led to vast numbers of PCs; distributed Client/Server
networks; multi-site, multi-platform systems; cheap but complex software packages; all in
addition to the traditional mainframe systems, and all needing the same high levels of
technical support, and all to be delivered with a sensitive 'customer care' attitude.
This increasing workload is threatening the whole stability of IT. If we don't find a
lateral solution for managing it, demand will simply continue to grow at its present rate. The
result? Support functions will soon dwarf the rest of IT in terms of number of personnel,
running costs, and quality of expertise. And ignoring the problem, in the vain hope that it
will go away, is even worse.
Note: the following web links provide some additional research material. The Kepner-
Tregoe link is an interesting one. KT Analysis is a long serving tool that can be very
useful in carrying out the Problem Management process activities.
Interesting Websites
• http://www.itilworld.com/n-america/service-support_probmanage.htm
• http://www.kepner-tregoe.com
• http://www.itil-service-support-management.com/Pages/Service support/Problem management/Problem_mgmt.htm
• http://www.itil.co.uk/online_ordering/serv_supp_graphs/problem_mngt.htm
Essential Terms
Work Around:
A "quick-fix" solution to an incident, which will produce an acceptable outcome for a limited
period.
Activities aimed at removal of errors while the errors are in a state of inactivity.
Change Management
Introduction
As organisations become more dependent on IT services and technology changes
rapidly succeed one another, the need for proper management and control of change grows
with it. Many problems in the quality of IT Service Support emerge from changes in existing
IT systems. The ITIL Change Management process is designed to act as a planning and
control process. Proper planning and control ensures the implementation of change can take
place without interrupting the operational IT service delivery.
It is Monday July 1st. End of financial year. For many organisations it is the time of
the year to close out and get final figures for the previous 12 months. Lots of reports being
run, lots of heavier than normal requests on systems, lots of printing, etc.
Imagine then a Service Desk where the phones start ringing at the start of the day.
“My report is not showing any figures.” “I can’t find any details of last year.” “All figures for
last year are lost.”
Mild panic quickly escalates to all-out concern as no-one really knows what has
happened. They all individually try and solve the incident of each user by investigating the
software etc. Nothing seems to be wrong with the system functionality; it's just that the
reports are all blank!
By now the IT Director is looking for some answers from his staff. He has to report to
the business manager on what has happened and why he should keep his job!
Then one of the Service Desk staff strolls in. He's had a late start as he worked back
last night. He notices the panic and asks what is wrong. When he hears the story he turns
red and tells them about the change they made the night before. You can hear a pin drop!
He thinks he may have caused the problem. They look into it and it seems it is the
problem so the staffer is asked to roll-back the change. Only trouble is no-one seems to
have kept a copy of the configuration prior to the change. So, the only way to solve this
issue is to correct the problem in the change. At the end of the day the problem is fixed
and the figures for last year are back. Things start to go back to normal at the Service
Desk …
But the IT Director still feels the wrath of the business people, along with the known
business cost of the lost hours of productivity, and still considers finding another role!
This is a situation that you want to avoid and with a good Change Management
process it is possible!
• The Service Desk would have known about a change being done the night before so
they could have made the connection between problem and change a lot earlier.
• The change wouldn’t be scheduled prior to such an important day in this organisation
because of the risks involved.
• The Change would have been tested properly so the whole issue might have been
avoided.
• A proper roll-back would be in place resulting in a quicker solution of the problem.
Objective
For an effective and efficient IT service delivery it is necessary to have the capability
to implement many changes correctly. Changes in reality often lead to (implementation)
problems.
"Assuring that standardised methods and procedures are in use for the efficient
and timely implementation of all changes, in order to minimise the impact of
change related problems on the quality of the IT service delivery".
The goal also builds an internal understanding of the "how and why" for the process
(how = standardised methods and procedures, why = to minimise impact).
Remember....
Process Description
The common trigger for Change Management is a Request for Change (RFC). RFC's
come from within the IT organisation as well as from the Customers.
Another trigger for change can be the Forward Schedule of Changes (FSC). This
schedule is drawn up in advance in agreement with the customer. The FSC documents
known change events or agreed windows of change, that can be used for unforeseen (non-
urgent) changes.
Another input for the process is CMDB information about the affected Configuration
Items (C.I.’s) and the relationships that exist between the affected CI's. This vital
information contributes to the assessment that the Change Management process has to
make about the impact (potential or otherwise) of a proposed change.
The output of the process includes reports regarding the changes, triggers for
Configuration Management to change the CMDB, triggers for Release Management to
release, develop or implement new software or hardware and Change Advisory Board (CAB)
agenda and planned actions.
The Scope of Change Management is determined along with defining the scope of
Configuration Management.
If the Configuration Management process is to track details of hard disks and floppy
drives, then replacing a hard disk counts as a change (albeit a "minor change").
Determining the scope is a dynamic activity, as the scope can change and therefore
the need for information needed from the CMDB can change as well. Reviewing the scope
on a regular basis is important.
It is not necessary that all changes are controlled by the Change Management
process. For example, minor changes such as resetting a password can be done by the
Service Desk (following set procedures) and don’t need to be controlled by Change
Management. To do so would lead to increased workload, frustration and "by-passing" the
process.
Activities
The Change Management process includes the following activities:
• Recording
• Accepting
• Classifying
• Planning
• Co-ordination of activities
• Implementing
• Evaluating
Recording
Although this activity is not carried out by Change Management itself, it is the responsibility
of Change Management to make sure all Changes are recorded correctly.
Accepting (Rejecting)
At this stage RFC’s will be reviewed and accepted or rejected. Any rejection should always
be communicated and explained. A reason for the rejection of an RFC might be that it is
incomplete or illogical. Accepted RFC's will then be classified.
Classifying
In this stage the RFC will be categorised and prioritised. The category depends on
the impact the change has and the resources needed to do the change.
The priority is derived from the urgency and the impact of the change, along with
knowledge that the Change Management process may have from other process areas that
the change requestor is not aware of.
Planning
The change will be planned and put on the Forward Schedule of Change (FSC), if
appropriate. The Change Advisory Board (CAB) meets to review the FSC. The FSC will
consist of:
Coordination
If approved the change must be built, tested and implemented. Change Management
doesn't do this work, but it co-ordinates the activities to ensure progress is made. Change
Management will also verify that a back out plan has also been developed and submitted for
approval.
Evaluating
Each change (except minor standard changes) should be evaluated to see if the
changes had the desired effect. The effort put into a post change evaluation will be
dependent on the size of the change and the impact it had on the organisation (good or
bad, what lessons can be learnt).
Roles
Change Manager
This board should be made up of representatives from all areas within IT and
representatives from business units. The CAB can have an element of flexibility, so if there
are no changes on the Agenda that affect a specific business, perhaps they don’t have to be
present at the CAB Meeting.
A sub-set of the CAB that can meet at short notice to consider Emergency changes.
Relationships
The Change Management process depends on the accuracy of the configuration data to
ensure the full impact of making changes is known. There is a very close relationship
between Configuration Management, Release Management and Change Management.
Advising the Service Desk of changes is crucial. Changes are nearly always first
"discovered" in the Incident Management process, via the Service Desk.
Also the Problem Management process can submit RFC’s to solve Known Errors and
sometimes this can cause a snow-ball effect, if the Configuration Management process is
unable to explain what the affected components will be as a result of the change (including
hardware, software, SLA's).
Note: SLA's (Service Level Agreements) are discussed in the Service Level
Management process. It is possible to store information about an SLA in the
Configuration Management Database (CMDB). By doing this relationships can be
created between hardware or software components and the SLA. So when a change
is proposed to a component the linked SLA can be investigated to determine if the
change will breach the SLA.
The other processes are also linked to Change Management in the sense that they either
request changes (Availability Management) or they will be consulted to determine the
impact of changes (IT Service Continuity Management, Service Level Management and
Capacity Management).
Benefits
Change Management is one of the ITIL processes that is often not well liked. IT Staff
have a tendency to think that "it's only a small change, no-one will be affected".
It is in these situations that most damage is often done. Discipline is required to adhere to
the process. As an IT support person if you are told to implement the change without
following the process, ask for the directive in writing; that way there can be no
misunderstanding when problems come up.
Remember that low impact, low risk changes can be covered by creating a change request
that is open-ended and approved. For example, hard disk archiving. Provided the change is
documented, the affected parties listed and the RFC is closed, reviewed and re-opened on a
periodic basis then there is no need to create a separate RFC every time the change is
required.
• Less impact of changes on the quality of the IT service delivery and the Service Level
Agreements (SLA's).
• Through structured planning, the cost of a change can be estimated more accurately
• Fewer changes need to be reversed, but if the need arises it is a simpler process
• Collection of management information is possible on changes.
• Increase in productivity of the user because of a reduction of service interruptions.
• Increase in productivity of IT staff (less time lost on fixing changes).
Common Problems
Along with the benefits of any process, we have to acknowledge the inherent problems
as well. Change Management is a highly visible process, both within the IT Department and
the business users and business customers.
Note: The distinction between Customer and User is straightforward. The customer is
the one paying for the service. The User is the ultimate end-user of the service.
Tool Selection
You need an appropriate tool to support the Change Management process. Ideally, a single
tool will be able to accommodate the activities of a number of ITIL processes. With Change
Management, it would be almost essential that the same tool be used as the Configuration
Management Data Base.
If the changes that are controlled by Change Management are too wide (eg it includes
password resets) the workload will become too high and people will try to bypass the process.
Commitment
Metrics
The beauty of all ITIL processes is that they can be measured. Measurement allows baseline
setting and targets to be set for improvement.
Change Management is no different in this regard and the following indicators are common
for measuring this process.
Best practices
The following list of sites provides some excellent background reading on Change Management.
Interesting websites
• http://www.itil-service-support-management.com/Pages/Service%20support/Change%20management/Change_mgmt.htm
• http://www.itilworld.com/n-america/service-support_changeman.htm
• http://www.infra.com.au/TuDelft.htm
• http://www.itil.co.uk/online_ordering/serv_supp_graphs/sschange.htm
• http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/ecommerce/maintain/operate/rmdotcom.asp
• http://www.atlsysguild.com/
• http://www.guild.demon.co.uk/SpecTemplate8.pdf
• http://www.guild.demon.co.uk/SpecTemplate8.rtf..zip
• http://www.atlsysguild.com/GuildSite/Robs/Template.html
Essential Terms
Change
CAB
Representative group of stakeholders, who assess the change requests. The Change
Advisory Board advises the change manager on whether the change should be accepted or
rejected.
All requests for modification of the managed infrastructure that are not Service Requests.
Service Request
Fully defined and approved changes, which are individually recorded, but not individually
assessed by Change Management. These changes are made routinely.
Forward Schedule of Change (FSC)
A change schedule, which contains all the planned changes for a certain period of time.
Configuration Management
Introduction
Through the storage and management of data regarding the IT infrastructure the
Configuration Management process gives the IT organisation greater control over all the IT
assets. The more dependent on their IT systems organisations become, the more important
Configuration Management becomes.
It is, therefore, necessary to keep a register of all Configuration Items (C.I.'s) (IT Assets)
within the IT infrastructure. Configuration Management aims to provide a "logical model" of
the IT infrastructure by identifying, controlling, maintaining and verifying the versions of all
C.I.'s.
Objective
• provide IT Management with greater control over the C.I.s (IT Assets) of the
organisation.
• provide accurate information to other ITIL processes.
Process Description
The Configuration Management Process could almost be considered as a pivotal process for
all other (especially the Service Support) processes. Configuration Management is considered
central and supportive to the other ITIL processes by providing information about the IT
Infrastructure.
Reminder Note:
o Service Desk is a function and Security Management has an active part in all
processes.
A major input into the Process is from Change Management either requesting information
about items that will be affected or advising the status of changed items.
The process starts with the design, populating and implementing of the CMDB
(Configuration Management Data Base).
The Outputs of the Process are reports to IT management and also the constant availability
of Information that can be supplied from the CMDB to other processes.
Activities
The activities of the Configuration Management process are:
• Planning
• Identification
• Control
• Status accounting
• Verification and Audit
Planning:
This includes setting up the process "boundaries" like the goal, scope, objectives, policies,
procedures and interaction expected with other processes.
It is the task of the Configuration Manager to determine what can be achieved, at what cost
- balanced against the business requirements. This combination affects the level of detail
and how many C.I.'s will be specified.
Scope:
The scope of the process must be decided. This essentially answers the question: What will
and will not be included within the process? For example some IT organisations will
manage the PABX and phone systems, in this case these infrastructure items would be
within the scope of the process.
CI Level:
The CI Level refers to the amount of detail that will be captured for each CI. For example, is
a PC considered enough detail, or is it necessary to capture the hard disk, network card and
memory details? The decision about the level of detail required should depend upon how
the information will be used. A lot of detail requires extra work to keep updated, while too
little detail defeats the purpose of the process and does not contribute towards good
decision making.
Identification:
The identification activity involves the gathering of all C.I. information within the scope of the
process. C.I. information is gathered either manually and/or by the use of automated tools. At
the time of gathering this data each CI should be labeled for reference and control purposes.
Note: The labeling of IT Infrastructure can be incorporated into the Security Management
process. Labeling techniques include visible labels, that include common contact
numbers (eg. Service Desk), reference numbers and even hidden labeling (security paint
that shows up under "black lights" and microchip identifiers that are not visible to the
human eye).
The information gathered will be governed by the scope, C.I. level and attributes decided upon.
Note: The attributes of a C.I. are the "things" about that C.I. that we want to record
(eg. the attributes of a Personal Computer can be hard disk size, processor type,
processor speed, Operating system version).
Values are the quantifiable measurement of attributes (eg. the value of a hard disk
size can be 3Gig or 8Gig, the value of a processor speed can be 1 GigaHertz or 10
GigaHertz)
Before gathering any information, control procedures and the Change Management
process should be in place so that, after information is gathered and populated into
the CMDB, changes to the infrastructure don’t make it redundant.
Control
Before the CMDB is populated control procedures should be in place. It is vital that changes
to the CMDB and the CI’s within are only made with the proper authorisation. Procedures
need to be set up so that all changes are always documented, for example with authorised
RFC’s. We can start to see the very strong relationship that Change and Configuration
Management share.
Status accounting
Status accounting is the activity that records the current and historical states of a C.I. so
every change to a C.I. is traceable. Status levels can be defined as part of the planning
process (eg. On order, In use, Out of order, Under repair, Retired).
By conducting regular audits an organisation can verify that all C.I.’s are recorded correctly.
The first audit should be held right after the CMDB has been implemented to make sure
it is a correct representation of the actual IT infrastructure.
Other times for audits can be after disasters, major changes and following a pre-defined
timetable.
The degree of audit will again need to take into consideration the value that will be derived
from the audit and the size (and therefore cost) of doing the audit. Partial audits and spot audit
checks are all feasible strategies to "get a feeling" about the level of C.I. accuracy.
Roles
The Configuration Manager will assist in determining the scope and level of detail
required in the process, implement procedures for interaction with other processes and take
responsibility for the planning and population of the CMDB.
The Configuration Librarian is the person who controls access to master copies of
software and documentation. Like any librarian the focus is on physical items. These items
will be held in the "definitive software library" (DSL).
Note: In small organisations the role of the Configuration Manager and the Change
manager can be combined.
Relationships
As indicated, the IT infrastructure forms the foundation of the IT organisation. All processes
within ITIL therefore have links with Configuration Management or retrieve information from
the Configuration Management Database.
Change Management and Release Management however, have the closest relationship to
Configuration Management and could even be considered as an integral part of it. The flow
chart shows the relationships between the 3 processes and how the flows between the
processes occur at every stage.
Benefits
Some of the benefits that come from implementing Configuration Management include:
• ability to provide Information to the other processes about C.I.’s and the
relationships that exist between them.
• control of the IT Infrastructure. Knowing where a C.I. is and who’s responsible for it.
• optimal support on security issues
The following slide restates some of these benefits and introduces some new ones.
Common Problems
Problems that can prevent an effective implementation of Configuration Management are:
• Level of detail for the CI’s is not right. If the level is too deep, too much information
is recorded, which will take too much time, money and effort to maintain. However, if
the level is not detailed enough, parts of a C.I. can be changed without
anyone knowing. This can result in increased incidents and problems due to the
difficulty in tracing the faulty component.
• Control. There needs to be a process in place that secures the validity of the CMDB.
For example users who can purchase software themselves via the Internet may
create incidents that are difficult to solve due to unknown configuration changes (the
typical "I didn't change anything !!")
Metrics
The measurement of the Configuration Management process has many potential KPI's that
can be analysed. To measure the effectiveness of Configuration management, realistic
targets should be set. The targets can be changed over time to ensure improvement of the
process.
• RFC’s that were not completed successfully because of poor impact assessment,
incorrect data in the CMDB, or poor version control
• Software licences that have been wasted or not put into use
• The number of calls per month that are solved whilst the User is on the phone using
information from the CMDB.
• Reduction in Incidents and problems over time and the change in impact they have
on the business
• Improvement in the time needed to resolve Incident and Problems that can’t be fixed
immediately
• The number of changes to the CMDB per month because of identified errors in the
CMDB.
Best practices
The CMDB
Most organisations already use some sort of CMDB, whether in a spreadsheet or paper based. In
most cases the CMDB is based on database technologies, which makes gathering
information more user friendly. Information that can be gathered from a CMDB includes:
• Relies on....
o SLA "Provision of Banking Services" relies on Server 2
o SLA "Provision of Banking Services" relies on Printer 9
• Is part of....
o Hard disk 12 is part of Server 2
• Affects....
o SLA "Provision of Banking Services" affects Customer 11
o SLA "Provision of Banking Services" affects Customer 12
• Is linked to...
o Banking system is linked to Admin system
• Had ......
o Printer 9 had RFC 0013 applied
o Printer 9 had RFC 0035 applied
An additional bonus is the use of the CMDB to cover the legal aspects associated with the
maintenance of licences and contracts.
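The relationship types listed above, together with the earlier note on linking SLA's to components in the CMDB, can be turned into an impact lookup for a proposed change. The following is an added example, not part of the course material; the record layout, the CI type labels, the function names and the rule that "is linked to" carries impact in both directions are assumptions.

```python
from collections import defaultdict, deque

SLA = 'SLA "Provision of Banking Services"'

# Constructed register of C.I.'s using the names from the text.
# The type labels are assumptions made for this example.
CI_TYPES = {
    SLA: "sla",
    "Server 2": "hardware",
    "Printer 9": "hardware",
    "Hard disk 12": "hardware",
    "Customer 11": "customer",
    "Customer 12": "customer",
    "Banking system": "system",
    "Admin system": "system",
}

# Each record reads "<source> <relation> <target>", as in the list above.
RELATIONS = [
    (SLA, "relies on", "Server 2"),
    (SLA, "relies on", "Printer 9"),
    ("Hard disk 12", "is part of", "Server 2"),
    (SLA, "affects", "Customer 11"),
    (SLA, "affects", "Customer 12"),
    ("Banking system", "is linked to", "Admin system"),
    ("Printer 9", "had RFC applied", "RFC 0013"),
    ("Printer 9", "had RFC applied", "RFC 0035"),
]


def build_impact_edges(relations):
    """Turn CMDB relations into 'a change here reaches there' edges."""
    edges = defaultdict(set)
    for source, relation, target in relations:
        if relation == "is part of":
            edges[source].add(target)   # component -> the C.I. it is part of
        elif relation == "relies on":
            edges[target].add(source)   # C.I. -> whatever relies on it
        elif relation == "affects":
            edges[source].add(target)   # SLA -> customer
        elif relation == "is linked to":
            edges[source].add(target)   # assumption: links work both ways
            edges[target].add(source)
        # "had RFC applied" is change history, not an impact path
    return edges


def impact_of_change(ci, relations=RELATIONS, ci_types=CI_TYPES):
    """Return everything a change to `ci` can reach, grouped by C.I. type."""
    if ci not in ci_types:
        # An unrecorded C.I. means the impact cannot be assessed at all.
        raise LookupError(f"{ci!r} is not recorded in the CMDB")
    edges = build_impact_edges(relations)
    seen = {ci}
    queue = deque([ci])
    while queue:
        current = queue.popleft()
        for neighbour in edges.get(current, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    grouped = defaultdict(list)
    for item in sorted(seen - {ci}):
        grouped[ci_types.get(item, "unregistered")].append(item)
    return dict(grouped)


def rfc_history(ci, relations=RELATIONS):
    """List the RFC's recorded against a C.I."""
    return sorted(t for s, r, t in relations
                  if s == ci and r == "had RFC applied")


if __name__ == "__main__":
    for name in ("Hard disk 12", "Printer 9", "Banking system"):
        print(name, "->", impact_of_change(name), "| RFCs:", rfc_history(name))
```

A change to Hard disk 12 reaches Server 2, the SLA and both customers, while a C.I. missing from the register raises an error instead of reporting "no impact".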
The Definitive Software Library (DSL) is a storage place where all software versions are kept
secure. New releases will be built on copies of the software from the DSL, not from the
software that is being used in the production environment. The DSL plays an important
part in the Release management process and is discussed in more detail in that chapter.
Interesting Websites
• http://www.itilworld.com/n-america/service-support_configman.htm
• http://www.itil-service-support-management.com/Pages/Service support/Configuration management/Configuration_mgmt.htm
• http://www.itil.co.uk/online_ordering/serv_supp_graphs/ssconfiguration.htm
Essential Terms
IT infrastructure:
All parts of importance to the provision of IT services. These include: hardware, software,
network and components, documentation, manuals, procedures, air-conditioning, cooling,
organisation etc etc. Staff, however, is not a C.I. (according to ITIL, many organisations
choose to include staff into their CMDB as soon as the organisation is mature enough to
handle this).
Attribute:
Values:
A value is the quantifiable part of an attribute. (examples of values are "red", "10", "E9",
"critical")
Links/Relations:
Configuration Control:
Ensures C.I.’s are only changed with the appropriate documentation and that C.I.’s are
tracked from procurement to disposal.
Asset Management:
The difference between Asset Management and Configuration Management is that Asset
Management has a list of assets and Configuration Management has a database with
relationships between C.I.s.
Configuration baseline
A Configuration baseline is the configuration of a product or system established at a specific
point in time, which captures both the structure and details of a configuration. It serves as
reference for further activities.
Release Management
Introduction
With the increasing complexity of systems and a greater need for IT organisations to provide a
stable environment, the release of new software and hardware into the business must be closely
controlled. Quite often however a poor release strategy leads to the very thing that others in the
IT organisation are working hard to avoid; downtime and loss of infrastructure stability.
The "Catch 22" however is that there is an ever-increasing pressure to “have the release sooner”,
as it will deliver immediate “benefits” to the organisation. External forces often drive the
demand to get the latest hardware or software into production as businesses strive to be
first to market or to help them gain a competitive edge.
This process within ITIL aims to provide a structured approach to the management of
releases into the infrastructure from release planning through to actual installation. The
relationships with Change Management and Configuration Management are key for this
process as all three are very closely related.
These secured libraries provide the physical storage location of all software Configuration
Items (CI's) (DSL) and spare parts for hardware (DHS).
Software comes in various forms such as source codes, loads, libraries and executables.
The different versions of the same software held in the DSL have been through
authorisation and quality controls and are used for the construction and implementation of
releases.
Spare hardware held will be dependent on a risk assessment (looking at the assets of the
organisation and then the threats and vulnerabilities), as well as third party involvement
regarding support contracts (Underpinning Contracts). Changes to the production hardware
environment must flow through to the DHS, so that any held spares can be compatible with
latest production hardware.
Objective
Release Management is the process that "protects" the live or production environment.
Protection comes in the form of formal procedures and extensive testing regarding proposed
changes to software or hardware within the production environment.
Note: The use of the term "Production Environment" conjures up images of a factory
or manufacturing facility. However, it is a generic term applied to all areas of
infrastructure in use that contribute towards the realisation of organisational
objectives.
Note: It is the use of this term Production Environment that probably provides an
answer to a question that gets raised a lot regarding the ITIL framework. Can the
(ITIL) framework be used in other business areas, other than IT?
The answer is most definitely yes. The framework is not a prescriptive set of
processes that lack flexibility. They are a set of generic guidelines that, with the right
perspective, can be applied just as easily to manufacturing & engineering disciplines.
• Provision for physical and secure storage of approved hardware and software items
in the Definitive Hardware Store (DHS) and Definitive Software Library (DSL)
• Ensuring that only authorised and quality controlled software & hardware versions
are used in the test and production environments.
Note: Even the test environment can be subject to the Release Management
process. Many businesses have a very high reliance on their test centres and
cannot afford uncontrolled actions, simply because the environment is not the
front line of the business.
Process Description
The main components controlled under a good Release Management process include:
Release Management manages all software and hardware from purchase or development
until testing and the eventual migration into production.
The process starts with the planning of a new release, be it for hardware or software and
ends with a well documented, securely stored, implemented new release with the lowest
possible impact on the organisation's day-to-day activities.
The following diagram illustrates some of the basic before and after situations surrounding
the Release Management process.
Activities
The following diagram shows the activities of Release Management and their relationships
with the Configuration Management Database (CMDB):
The Release Policy will document how the organisation will approach the release of new
hardware and software into the infrastructure. Specified in this policy will be items such
as:
• The scope of the Release Management process ie. What level of control and what
parts of the infrastructure will be under the control of the process
Preparation for any release requires a structured planning approach to increase the chance
of success. The use of a formal project management methodology like PRINCE2 will assist
in this to define items such as:
• A release schedule
• Resource requirements
• Project Approach
• Back up plan
• Quality plan
• Acceptance plan
PRINCE2 is published by the same body that publishes ITIL (the Office of
Government Commerce (OGC) in the UK). And like ITIL it is a widely accepted
framework for best practice.
This activity within Release Management can be considered as the technical stage of the
process. All the actions associated with designing, configuration and building are completed
by relevant staff, in a "controlled" manner.
At the end of this stage a Back-Out Plan should also have been created. Back-Out plans can
be aimed at restoring all services to their state before any change OR to restore as close to
the pre-change state as is feasible given the nature of the change.
The suitability and content of the Back-Out plan will be assessed during the Change
Management process.
The output of this activity should be a release complete with instructions on its installation,
a test plan and a backout plan.
Testing and Signing-Off of New Releases
Lack of adequate testing is the most common cause of failure of all (changes) releases.
Testing should not only be done on the release's expected end result but also on the
implementation activities and the back out procedure.
Representatives of the Business should test for expected functionality. This is referred to as
"User Acceptance Testing" (UAT). IT staff perform technical tests including the test of the
installation (ideally the test staff will not be the build staff).
Release acceptance should be performed in a controlled test environment that can be reset
to known configurations of both software and hardware. These configurations should be
described in the Release definitions and stored in the CMDB, along with any other related
CI’s.
The overall release plan that was originally created must now be enhanced with detailed
information on the rollout of the release. This will include:
• In case of multiple sites: action plans for the separate sites taking local differences
into consideration.
• Acquiring hardware and software. The rollout plan should include the procedures to
be followed for their secure storage prior to rollout and the mechanisms to trace
their deployment during the implementation.
• Scheduling meetings for managing staff and groups involved in the Release.
It is important to communicate with all parties involved in order to increase the acceptance
and success of the release. This might involve several meetings/training sessions with user
groups, IT staff and Managers.
The timing of any training and/or communication must be planned in accordance with the
expected actual release date.
The Service Desk is a key area that must be informed about the release, any known issues
(or workarounds) that have been established during testing and generally how the new
release should be supported.
The release plan should be made public in case of a large release so users know what to
expect and when.
Release, Distribution and the Installation
Release Management will be responsible for the process of purchase, storage, transport,
delivery, and hand-over of hardware and/or software.
Distribution and installation are seen as different activities. Often a release will be
distributed and (in the case of software) not "go live" until a log-on script is changed and
the release activated.
Following the distribution of the release, installation will take place, making it available to the
user community.
Release Management must work closely with the other processes (mainly Change
Management and Configuration Management) to maximise the success of the release.
The CMDB should be updated with the new Release details and all old C.I.s should be
decommissioned and appropriately marked in the CMDB (retired, decommissioned, etc.)
Roles
The main role within the Release Management process is that of the Release Manager.
This person is responsible for defining and maintaining the definition of the release policy
and controlling the activities within the process. The Release Manager will have a good
technical background and a good knowledge regarding latest utilities and support tools.
Release Management staff will need to receive technical training for development,
software maintenance and hardware build skills.
Relationships
Release Management is very closely linked with Change Management and Configuration
Management. Change Management controls all the changes and determines when a new
release will be implemented and what changes will be in any release. In most major
organisations the Release Management process will have a
representative in the Change Advisory Board (CAB).
Note: The CAB is the authorising body for changes to proceed. Can you remember
the term given to the group of people who approve Emergency Changes?
Benefits
• The software (source, loads and executables) of the organisation is held in a secure
location (the Definitive Software Library (DSL)).
• Ability to implement many concurrent changes in the software being used in the
production environment without adversely affecting the quality of the IT
environment.
• With end users more informed of new releases and involved in testing the new
releases the risk of resistance will be reduced significantly.
Common Problems
In order for Release Management to be successful the following issues need to be taken into
consideration as they may cause problems:
• Lack of Commitment: End Users might be reluctant at first to be told by this process
how to act in case of a new release. The advantage of this process needs to be
communicated before the process is implemented.
• Urgent fixes. Procedures need to be in place to make sure that they are dealt with
correctly and don’t compromise the accuracy of the CMDB, DSL or DHS.
Metrics
In order to assess the effectiveness of the Release Management process a number of key
performance indicators (KPIs) should be monitored.
• Outcome of audits of the DSL and the DHS. Security - all software can be accounted
for etc.
• Accurate and timely recording of all build, distribution and implementation activities
within the CMDB
Best practices
Different Types of Releases
Delta release
Includes only those CI’s within the release unit that have actually changed or are new since
the last full or package release. For example: In a word processing package the help file
has a bug and requires an update. Only the help file module is updated whilst the rest of
the program remains the same. The same analogy could be used with the word processing
package as a part of the whole office automation suite.
Full release
In a full release all components of the release are updated. For example: An update is
made to the whole office automation suite including the word processing package,
spreadsheet, database etc.
Package release
The Package release includes all previous delta and full releases. These releases are
generally implemented less frequently and therefore allow for longer periods of stability for
the live environment. An example of a Package Release might be an SOE (Standard
Operating Environment) for a desktop PC that includes the hardware, office automation and
business applications.
• Development. Only here can new software be developed. Newer versions will be
based on a copy of the software in the DSL. Each new version will cause an
increased version number.
Essential Terms
Definitive Software Library:
A library, which stores in their definitive, accepted form, all the versions of software
configuration items that have been accepted from the developer or supplier. This logical
library can be physically present in several locations.
A physical secure storage of definitive hardware spares. These are spare components and
assemblies that are maintained at the same level as the comparative systems within the live
environment.
Release:
A software CI introduced into the test environment and subsequently into the production
environment. In most cases documentation and accompanying hardware also are part of
the release.
Release Unit:
Type of Releases:
Full Release: all components of a release unit are built, tested, distributed and implemented together.
Delta Release: or partial release, only those CI's in the Release Unit that have actually changed since the
last delta or full release.
Package Release: combination of full releases and delta releases (helps to reduce the risk of incompatible
releases, by changing many systems concurrently).
The Managing Director (MD) announces to the Chief Information Officer (CIO) that the
company is thinking about outsourcing the IT Organisation. Over the last two years there
have been numerous and major complaints about the current IT services by the business.
The customers say it doesn’t do what it should, it is not working properly etc.
The CIO is puzzled to say the least. He had no idea that they were doing so badly. They
actually thought they were doing well. The services were up and running for most of the
time. They resolved incidents quickly and didn’t get many complaints from the users that
they were aware of.
His staff have been putting in an enormous amount of effort to upgrade the server that the
payroll system has been running on.
1. The IT Organisation thinks it is delivering services of a high standard but they have
no figures to back that up. The loosely defined "up and running most of the time"
didn't take into account the outages during critical times.
2. The effort on upgrading the server is commendable, but of no benefit as the
business recently decided to outsource the company payroll activities.
3. There probably is no official procedure in place to ask for the Customers' opinion or
to explain how to make a complaint, so how could they have known about the perception
of the customer regarding their services?
Implementing the Service Level Management process will solve the main problems in this
situation. The most widely known element of Service Level Management is the Service Level
Agreement (SLA). SLAs allow the IT organisation and the customer to come to
agreement about which services are being provided, the availability required of them and
their costs. These levels would be measurable so both sides can verify if the levels are being
met.
Service Level Management is the process that forms the link between the IT organisation
and the customers. Implementing Service Level Management can only be completely
successful when the other ITIL processes are implemented as well.
The main aim of SLM is to ensure the quality of the IT services provided, at a cost
acceptable to the business.
Note: There are some who feel that Service Level Management is the single most important
process within ITIL. This is a difficult argument to defend. By their very nature the processes
within ITIL are of equal standing. It is true that SLM has more of a 'customer focus' than
most other processes, but without those other processes, there is nothing to see the
customer about!
Objective
The Service Level Management process manages the quality of IT service delivery according
to a written agreement between the users and IT department called the Service Level
Agreement (SLA).
The goal for SLM is to maintain and improve on service quality through a constant cycle of
agreeing, monitoring, reporting and improving the current levels of service. It is
strategically focused on the business and maintaining the alignment between the business
and IT.
Process Description
This is a document that contains customer requirements regarding which IT services they
want and the availability/performance they need for those services. This is the starting
point of setting up the Service Level Agreements.
Service Specifications
The IT organisation draws up the Service Specifications based on the SLR. This is the
translation of the customer requirements into "how" the IT organisation is going to provide
these services. What are the technical needs? It also will show relationships between the
SLAs, the third parties and the IT organisation itself.
The SLA is a document that defines agreed service levels between the customer and
provider, i.e. between IT and the business. SLAs should be written in language that the
business understands (clear, concise and free of jargon). SLAs should not include detailed
procedure diagrams for other processes or content such as technical information that the
business will not understand.
When an external supplier or third party is involved in the delivery of IT Services then a
contract has to be drawn up to ensure that they provide their service within a certain
agreed time, cost, level, etc. The IT organisation passes through the business requirements
to external suppliers.
This document will be reflective of the service levels defined in SLAs. For example, if the
SLA states a fix of a printer in 5 days then the UC with the third party should support this
i.e. Fix printer and return to organisation in 3 days.
Some IT services depend on other services being provided from within the IT organisation.
For example a service to provide a program that runs via the network depends on the
availability of the network. Agreements about the availability of the network will be drawn
up in an Operational Level Agreement or SPA. As with the UPC these internal "contracts"
will support the SLAs in the same manner except the focus is towards the internal IT
organisation.
This plan will contain information about performance indicators for the IT organisation to
measure the Services. It will contain performance indicators for each of the processes that
are implemented in the organisation. It is important to also include the performance
indicators in the UCs and OLAs as they contribute to the IT service as a whole.
Service Catalogue
This is a document that contains all the Services that are provided, a description of the
service, service levels, cost of the service, the customer and the person/department
responsible for the maintenance of the service. The content of a Service Catalogue will vary
depending on the requirements of the IT organisation.
Note: Be sure to understand the principal difference between an Underpinning Contract and
an Operational Level Agreement.
Activities
• Negotiating with clients over the possibilities and price of automation and drafting
• Identifying
• Defining
• Negotiating
• Monitoring
• Reporting
• Reviewing
Identifying
Within this activity the IT organisation will need to define the services it provides within a
Service Catalogue. The Service Catalogue is like a menu of services that will clarify for IT
what is on offer and the components of these services.
In this stage the relationship between the IT organisation and the customer is built or
maintained. The aim is to find out the customer requirements with regard to IT services. As
part of this activity the SLR document is written documenting the customer requirements.
This document should be signed off by both parties to ensure that a clear understanding is
achieved by IT and the business regarding requirements.
Defining
The results of this activity the first time around will be the delivering of the SLR, the service
specs and the SQP.
On an ongoing basis this activity will include taking the SLRs as well as the content of the
Service Catalogue and defining a draft SLA that aligns both into acceptable service levels.
During the creation of this document consideration of the UCs and OLAs is critical as these
documents support the SLA.
Later on the needs of the customer and the specs need to be verified on a regular basis as
they might change. The needs of the customer might change due to a change in the
business procedures and the specs may need changing as a result of the changed
requirements or the introduction of advanced technology.
Negotiating
Once the draft SLA is formulated negotiation is carried out to gain agreement, acceptance
and a signature for the following documents.
• Underpinning Contracts
It is critical that the above documents are negotiated and signed off.
Monitoring
If service levels cannot be measured and monitored their value is substantially reduced.
Why set service levels if you do not know if they are being met?
In order to be able to measure the service levels they need to be clear and have to be
objective.
It is not enough to define how much time a service can be unavailable, one also needs to
define when a service is said to be available again. Is it when the IT organisation restored
the service or when the users are aware of it?
In order to monitor the performance, availability and support service levels other processes
such as Capacity, Availability and Incident Management should be in place. These
processes will manage and report on service levels reporting back to the Service Level
Management process.
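The measurement question raised above, worked as an added example that is not part of the course material: availability for one week is computed twice from the same constructed outage log, once counting the service as available again when IT restores it and once when the users are told. The Mon-Fri 08:00-18:00 service window, the 97% target, the field names and the formula (agreed service time minus downtime, divided by agreed service time) are assumptions.

```python
from datetime import datetime, timedelta

# Assumed agreed service hours (not from the course text): Mon-Fri, 08:00-18:00.
SERVICE_START_HOUR = 8
SERVICE_END_HOUR = 18
SLA_TARGET_PCT = 97.0  # assumed availability target

# Constructed outage log for one service. Each record carries both candidate
# "available again" timestamps discussed in the text.
OUTAGES = [
    {"failed": datetime(2004, 1, 6, 9, 0),
     "it_restored": datetime(2004, 1, 6, 9, 30),
     "users_informed": datetime(2004, 1, 6, 10, 15)},
    {"failed": datetime(2004, 1, 8, 17, 30),
     "it_restored": datetime(2004, 1, 8, 18, 20),
     "users_informed": datetime(2004, 1, 9, 8, 30)},
    {"failed": datetime(2004, 1, 10, 2, 0),   # Saturday: outside service hours
     "it_restored": datetime(2004, 1, 10, 6, 0),
     "users_informed": datetime(2004, 1, 10, 6, 0)},
]
PERIOD = (datetime(2004, 1, 5), datetime(2004, 1, 12))  # Monday to Monday


def service_minutes(start, end):
    """Minutes of [start, end) that fall inside the agreed service hours."""
    total = 0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            lo = max(start, day + timedelta(hours=SERVICE_START_HOUR))
            hi = min(end, day + timedelta(hours=SERVICE_END_HOUR))
            if hi > lo:
                total += int((hi - lo).total_seconds() // 60)
        day += timedelta(days=1)
    return total


def availability_pct(outages, period, end_field):
    """Availability over the period, with `end_field` defining 'available again'.

    Assumes the outages of one service do not overlap each other.
    """
    p_start, p_end = period
    agreed = service_minutes(p_start, p_end)
    if agreed == 0:
        raise ValueError("reporting period contains no agreed service time")
    down = 0
    for outage in outages:
        if outage[end_field] < outage["failed"]:
            raise ValueError("outage ends before it starts")
        # Only downtime inside the reporting period and service hours counts.
        down += service_minutes(max(outage["failed"], p_start),
                                min(outage[end_field], p_end))
    return 100.0 * (agreed - down) / agreed


def sla_report(outages, period, target=SLA_TARGET_PCT):
    """Compare both definitions of 'available again' against the target."""
    report = {}
    for label, field in (("restored by IT", "it_restored"),
                         ("users informed", "users_informed")):
        pct = availability_pct(outages, period, field)
        report[label] = {"availability_pct": round(pct, 2),
                         "met": pct >= target}
    return report


if __name__ == "__main__":
    for label, row in sla_report(OUTAGES, PERIOD).items():
        status = "met" if row["met"] else "BREACHED"
        print(f"{label:15s} {row['availability_pct']:6.2f}%  target {status}")
```

The same log meets the target under one definition and breaches it under the other, which is why the SLA has to state which timestamp ends an outage.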
Reporting
The reports should show the figures about the service levels that are required and the
actually measured service levels.
• Down time of the network and any other occasion where the service levels have not
been met.
Reviewing
Reviewing the Service with the Customers on a regular basis will help discover
opportunities to improve the IT service that is provided. With the help of a Service
Improvement Plan (SIP) this can be achieved.
Once the Service Level Agreements are documented, it is not the end of the process; it is the
start!
It is also important to regularly review how the process itself operates and update where
necessary.
Roles
Service Level Manager Role
The Service Level Manager is responsible for the implementing of the process and
maintaining or improving the Service Levels by initiating improvement actions. The role
requires a position that allows the person to negotiate the service levels with the customers
on behalf of the IT organisation.
The Service Level Manager oversees the steps that result in the following official documents:
• Service Specs
• Service Level Agreement
• Underpinning contract
Relationships
Service Level Management is at once the basis for, and the result of, the implementation of
Service Management processes. Service Level Management is related to every other module
within Service Management.
You can’t implement Service Level Management to a full maturity without the other nine
processes and the Service Desk function, due to the holistic approach required for Service
Management.
The Service Support processes - Incident and Problem and the Service Desk - aim to restore
the services as soon as possible when there is a breach within the Service Levels. They
provide SLM with valuable information about the customer’s perception of the Service Levels.
The Service Delivery processes are more focussed on keeping the services running within
the parameters defined in the SLAs. They get information from SLM about the required
levels and give information about the actual levels and advice about the impact of new or
changed services.
Note: Remember the Service Support Processes are:
o Incident Management
o Problem Management
o Change Management
o Release Management
o Configuration Management
Benefits
Introducing Service Level Management will have the following benefits for the Business and
the IT organisation:
• The IT service will be of a higher quality and will cause less interruption. Hence the
productivity of the IT customers will improve as well.
• The IT organisation will provide services that meet the expectations of the
customers.
• Cost reduction.
• The services provided by the third parties are more manageable with the underpinning
contracts in place and therefore any possibility of negative influence on the IT
service provided is reduced.
• Monitoring the service makes it possible to identify weak spots that can be improved.
Common Problems
The following issues need to be addressed in order to ensure a successful Service Level
Management process:
• The service levels set out in the SLAs must be achievable for the IT Organisation in
the first place.
• UCs and/or OLAs must be set up properly, otherwise external suppliers or internal
parties may inadvertently create a breach of the agreed Service Levels.
• The services need to be measurable and objective for IT Customers and the IT
organisation.
• There needs to be a commitment to negotiate the Service Levels required and to
draw up Service Level Agreements. This must be backed with a commitment to
conduct regular reviews and not simply let the agreements get outdated.
Note: A useful acronym when thinking about Service Level Agreements (or any contract) is
SMART
• Simple
• Measurable
• Achievable
• Realistic
• Time driven
Metrics
The following question will help determine if the Service Level Management process is
effective and efficient:
• Do the services within the SLAs have the necessary UCs and/or OLAs?
Best practices
Interesting websites:
Assessment
http://www.itil.co.uk/online_ordering/serv_del_graphs/servlevel_mngt.htm
White papers
Books
http://www3.gartner.com/1_researchanalysis/focus/entmgmt013002.html
More theory
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/opsguide/cfgmgtog.asp
Essentials (terminology)
Service Level Management:
The process of negotiating, defining, drafting, securing and revising a demanded and cost
justified level of service delivery to the user.
Business demands and requirements for service levels. Examples are: downtime, availability
% and opening hours of the helpdesk. Together with the service catalogue they can be
input for the SLA negotiations.
Service Catalogue
Overview of all current services as delivered by IT. May have a price list attached.
Actions, phases and due dates for the improvement of the services
A document that contains all the information for the managers, including the Performance
Indicators for the other ITIL processes.
Financial Management
Introduction
Over recent years modern businesses have become more and more dependent on IT to
operate their business processes efficiently. As a consequence the number of end users
drastically increased and so did the total amount of money spent on IT (the IT budgets).
All too often customers of IT organisations and senior managers perceive that there is
too much money spent on IT. This has, therefore, led to a demand for increasingly higher
quality and cost-effectiveness of the provided services.
The IT organisation on the other hand is often under the impression that they are doing ‘a
good job’, but find it very difficult to clearly explain in business language what the real costs
and benefits are of the provided IT Services.
Organisations (the Customers and senior managers) are reluctant to spend money on
improving IT services if they don’t have a clear picture of the costs involved and the
benefits it has for the business. Financial Management for IT Services can make the costs
clear, set up a charging method and give customers an idea about the quality / price
relation. In other words, Financial Management for IT Services promotes the running of IT
Services as a business operation.
The slide below shows some common thoughts and remarks often heard in organisations
throughout the world.
Objective
The objective of the Financial Management for IT Services process for an in-house IT
organisation should be:
In a commercial environment, there may be additional statements that reflect the profit-
making and marketing aims of the organisation, but for any IT Services organisation the
objectives should include:
• ‘to be able to account fully for the spend on IT Services and to attribute these costs
to the services delivered to the organisation’s Customers.’
The main focus of this process, therefore, is on understanding the costs involved in
delivering IT Services (by attributing the costs to each specific IT Service and Customer).
This awareness of costs improves the quality of all decisions made in regards to IT
expenditure. Charging (notional or by sending real bills) the costs to the Customers is
optional.
Process Description
Budgeting (mandatory)
Budgeting is the process of predicting and controlling the spending of money within the
organisation and consists of a periodic negotiation cycle to set budgets (usually annual) and
the day-to-day monitoring of current budgets.
Budgeting ensures that the correct finance is available for the provision of IT Services and
that during the budget period they are not over-spent. All organisations have a periodic
(e.g. annual) round of negotiations between the business departments and the IT
organisation covering expenditure plans and agreed investment programs which ultimately
sets the budgets for IT.
IT Accounting (mandatory)
IT Accounting is the set of processes that enable the IT organisation to account fully for the
way its money is spent (particularly the ability to identify costs by Customer, by service and
by activity). It is in this regard more important to understand the costs than to know to
the cent how much something costs.
Charging (optional)
• A planning cycle (annual) where cost projections and workload forecasting form a
basis for cost calculations and price setting.
• An operational cycle (monthly or quarterly) where costs are monitored and checked
against budgets, bills are issued and revenue collected.
All these processes are discussed in more detail in the following chapter.
Activities
Each of the three sub-processes of Financial Management for IT Services consists of a set of
activities, which will be discussed in this chapter.
Budgeting
In most cases this will be the period of a financial (fiscal) year which can be
subdivided into smaller periods.
Determine all the categories available and estimate the costs for the next
budget period. Take into consideration that demand might increase over time.
Some costs might need to be estimated.
IT Accounting
IT Accounting aims to provide the information about what the money was spent on. All
Configuration Items necessary to deliver an IT Service to the Customer bear a certain cost.
These costs together add up to the total costs necessary for IT Service delivery. In order to
understand costs we need to discuss costs in a general way.
Direct costs are costs that can be assigned to specific services. For example the cost of a
printer that is used by one department only can be seen as a direct cost. Indirect costs are
costs that can’t be related to a certain service, for example the electricity used by the IT
department. They are also called shared costs.
Capital costs are costs involved with the purchasing of items that will be used over a few
years and need to be depreciated. (The depreciation amount is part of the total costs).
Operational costs are those resulting from the day-to-day running of the IT Services
organisation (e.g. staff costs, electricity, hardware maintenance) and relate to repeating
payments whose effects can be measured within a short timeframe (usually less than 12
months).
Fixed costs are costs that stay the same regardless of usage. The rent of a building is an
example of fixed costs. Variable costs change with the use of the service. If you take a
telephone service as an example the line rental costs are fixed, as they will be the same each
month regardless of how many calls you make. The costs for the calls are variable costs as
they depend on the number of calls made.
Cost types
Cost types need to be determined (they are also used in the budgeting activity). The main
cost types are Hardware, Software, People, Accommodation, Transfer and External Service
costs.
Depreciation methods
Capital costs are depreciated over the useful life of the fixed asset (e.g. desktops in three
years, the mainframe in ten years). There are three methods of depreciation:
• Straight-line method
An equal amount is written off the value of the asset each year.
• Depreciation by usage
The Depreciation is written-off to the extent of usage during a period.
In most cases there already will be an accounting model in place for the rest of the
business. It is important to define a Cost Model that complies with the overall business
accounting model.
Charging
In a Profit Centre the objective is to recover, through Charging, an amount greater than the
costs incurred. For an in-house IT organisation the aim could be to recover the costs back in
a fair and simple way. But it could also be just to influence the behaviour of the Customers
and end users. That is, via Charging the IT organisation can influence the demand and
actual usage of IT Services, and the way the services are provided.
Before Charging can take place a few decisions need to be made regarding the Charging
policy, Cost Units and Pricing.
Communication of information
Only the actual costs will be calculated, reported and charged to the customer (plus specific
amounts, if this is agreed with the customer).
Pricing flexibility
Establish and charge the prices each year. This method gives the option to influence
excessive use.
Notional charging
All costs are invoiced, but the customer doesn’t have to pay the physical dollars. This
method is used to gain experience and eliminate mistakes.
In order to be able to charge the costs to the IT customers, Cost Units or chargeable items
need to be set up. These have to be clear, so they can be checked and are understood by
the Customer. Examples would be the PC they use or the number of print jobs they request.
Pricing moves the budget responsibility from the IT department to the user organisation. A
good pricing system gives the client the sense that they get value for their money.
A pricing method (or a combination) needs to be chosen:
Cost price
Cost price plus (to cover expenses made for R&D and overhead)
Market prices, the price that is charged for the service on an outside market
Going rate. The rate that is also used in similar organisations or other departments within
the business.
Roles
The IT Finance Manager can be a person from the IT organisation or the Finance
department. An alternative would be that the tasks, associated with this role, are shared
between both. The main responsibilities are:
• To work, at an appropriate level, with representatives of the organisation
management and the Finance Department, to develop the policies of Budgeting, IT
Accounting and Charging.
If the IT Finance Manager is from the IT organisation, maintaining a close relationship with
the Finance Department becomes one of the responsibilities.
Relationships
Financial Management for IT Services provides (depending on which pricing system has
been chosen within the organisation), important information to Service Level Management
about the introduced costing, pricing and charging strategies.
As well as this the Financial Management process analyses which level of service delivery is
technically cost realistic for the business.
Financial Management for IT services can, together with Capacity Management and
Availability Management, develop pricing strategies. These strategies can realise an optimal
spread of the workload within an organisation, which will result in optimal use of resources.
It can also use asset and cost information from Configuration Management to analyse
different scenarios of equipment (different costs for different configurations).
Benefits
The benefits of implementing the Financial Management for IT Services process include:
• Higher satisfaction of Customers as they know what they are paying for.
For budgeting:
• The ability to verify if the actual costs compare to the estimated costs.
• The guarantee that the money resources are available to run the IT organisation
within the agreed Service Levels.
For IT Accounting:
• IT and Business managers make better decisions, which ensures that the IT Services
organisation runs in a cost-effective manner.
• Ability to accurately account for all the expenses made by the IT organisation.
For Charging:
• Influence the demand for the provided IT Services; hence influence the behaviour of
the Customer.
Common Problems
In order for the process to work effectively and efficiently the following issues should be
addressed as they are typical areas that can cause problems in this process area:
• Cost Models that are used for IT Accounting are too detailed, creating too much
administrative overhead.
• Financial Management for IT Services is not in alignment with the way the overall
organisation manages its finances.
Note: The area of Financial Management for IT Services is often glossed over. Typically, customers agree to charges at a point in
time, but when the actual charges are levied the challenges begin. To offset this, it is wise to check quite often that your
customer has had their expectations set, so that levied charges do not come as a shock.
Metrics
Key performance indicators to report on the process are:
Note: Accountancy is a respected profession around the world. It is very unlikely that this
process can be properly implemented without some specific expertise in accounting.
Best practices
Interesting websites:
Assessment
http://www.itil.co.uk/online_ordering/serv_del_graphs/financial_mngt.htm
White paper
More theory
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/opsguide/cfgmgtog.asp
Essentials (terminology)
Financial Management for IT services:
The implementation of Financial Management for IT services is the foundation for an
independent IT organisation, which is not only aware of costs, but is also oriented on future
investments.
Budgeting:
The process of predicting and controlling the spending of money within the organisation and
consists of a periodic negotiation cycle to set budgets and the day-to-day monitoring of the
current budgets.
IT Accounting:
The set of processes that enables the IT organisation to account fully for the way its money
is spent.
Cost Model:
A framework in which all known costs can be recorded and allocated to specific Customers,
activities, or other category. Most Cost Models are based on calculating the cost for each
Customer, but other models can be developed to show the cost for each service or the cost
for each location. The calculation of Costs-by-Customers is the usual start-point if a
Charging system is to be introduced.
Depreciation:
The measure of the wearing out, consumption or other reduction in the useful economic life
of a fixed asset, whether from use, passage of time, or obsolescence through technological
or market changes.
Charging:
The set of processes required to bill customers for the service supplied to them. This
requires sound IT accounting.
Pricing:
Pricing is just one element of the marketing quartet – ‘product, pricing, promotion, place’.
Deciding upon the appropriate charge/price is, therefore, not merely a question of cost
recovery but also of its impact upon the demand for the product.
Billing:
Passing on charging information to managers to make them aware of the cost of the
resources used by their business. This can be done with a real transfer of money (Full
Charging) or without (No Charging or Notional Charging).
TCO
Total Cost of Ownership, a method of calculating the cost of a product or service as
promoted by Gartner.
ROI
Return on investment (= average increase in profit / investment)
ROCE
Return on capital employed (= net profit before tax and interest / total assets less current
liabilities)
Availability Management
Introduction
Organisations are increasingly dependent on IT services. When they are unavailable, in
most cases the business stops as well. There is also an increasing demand for 7 days per
week 24 hrs a day availability of IT services.
It is therefore vital for the IT organisation to manage and control the availability of the IT
Services. This is done by defining the requirements from the business regarding the
availability of the IT services and then matching them with the possibilities of the IT
organisation.
Objective
To ensure the highest availability possible of the IT services as required by the business to
reach its goals.
Process Description
• Information from the other processes, Incidents, Problems, SLAs and achieved
service levels
• Procedures to ensure availability and recovery are dealt with for every new or
improved IT service.
Key terminology and actions that form the basis of this process are:
Availability:
The availability and flexibility of components of the infrastructure. This is expressed in the
following formula:
Reliability:
The reliability of components of the infrastructure. In this case the Mean Time Between
Failures (MTBF) can be used as a measuring tool.
“…freedom from operational failure” (ITIL Service Delivery Book, OGC, 2001)
“The ability of an IT component to continue to operate even though one or more of its sub
components has failed”
Maintainability:
The capability to maintain or restore a service or component of the infrastructure at a
certain level, so that the required functionality can be delivered. Some services or indeed
components of the infrastructure are easier to maintain and/or restore to service in the
event of a failure. For example, an application has been developed that requires daily
housekeeping to ensure its operation, and only a highly qualified Database Administrator can
do this. This application is not easy to maintain. The maintainability of C.I.'s within the
infrastructure is an important consideration as the speed of recovery and the ease of
maintenance will impact the uptime and hence availability of services.
Operational Level agreements (OLA's) within the Service Level Management process tie in
here.
Serviceability:
Serviceability refers to the agreements that are held with third parties providing services to
the IT organisation. These contracts will define how these external parties will perform to
ensure the availability of the services they interface with. For example, how will they
ensure resilience, how will they maintain the infrastructure they are responsible for.
Security:
This is divided into confidentiality, integrity and availability (CIA). It can be desirable (for
security reasons, which might endanger the availability) not to make certain components of
the infrastructure available, logically or physically.
Security is of great concern to most organisations these days and it is important to ensure
that IT services are made available to the organisation in a secure way. That means that
services and information are available to the right people. It is also important to ensure that
services are not so secure that this impedes the ability of the organisation to use these
services.
Activities
The activities within the process can be divided into three main activities, which will be
discussed in detail in the remainder of this chapter:
• Planning
• Improving
Planning
It is important not only to find out the requirements but also to find out if and how the IT
organisation can meet these requirements. The Service Level Management process
maintains contact with the business and will be able to provide the availability expectations
to the Availability Management process. The business may have unrealistic expectations with
respect to availability without understanding what this means in real terms.
For example, they may want 99.9% availability yet not realise that, for their organisation's
infrastructure, this will cost five times more than providing 98% availability. It is the
responsibility of Service Level Management and the Availability Management process to
manage expectations.
Design
When considering the design of the infrastructure the IT organisation can either design for
“availability” or “recovery”.
When the business cannot afford for particular services to have downtime for any length of
time, designing the infrastructure for availability should be the approach. In this instance
the IT organisation will need to build resilience into the infrastructure and ensure that
preventative maintenance can be performed to maintain services in operation. In many
cases building “extra availability” into the infrastructure is an expensive task that must be
justified by business need.
When the business can tolerate some downtime of services or the cost justification cannot
be made for building in additional resilience into the infrastructure then designing for
recovery is the appropriate approach. In this approach the infrastructure will be designed
such that in the event of a service failure recovery will be as fast as possible. Spare parts, for
example, will assist in the speedy recovery of infrastructure components that fail.
Other Considerations
• Security issues
Define the security areas and the impact they might have on the availability of services.
Make sure it is clear who has access to what and where.
• Maintenance management
This is a maintenance window that is agreed upon and known to the customers in which the
IT organisation can do the maintenance and repairs. This way the impact on the IT service
of the maintenance and repairs will be reduced.
Improving
The Availability Plan will look into the future (for example 12 months) and document what
measures will be put in place to ensure that the infrastructure and IT services will be
available to meet business requirements.
Input from monitoring and other processes, such as Service Level Management, will provide
the basis for decisions on what “availability” measures will be put in place. All plans must
be cost justifiable and aligned with business needs.
This involves reporting about the availability of each service, the down times and recovery
times. These reports will often go to the Service Level Management process to use in
reporting comparisons (planned versus actual) on service levels back to the customer.
It is also important to measure and report on the perception of the customers on the
availability of the IT service.
You can use many ways to identify (un-) availability and potential problems. The following
are a few mentioned by the OGC:
CFIA
Component Failure Impact Assessment can be used to predict and evaluate the impact on
IT Service arising from component failures within the IT infrastructure.
FTA
Fault Tree Analysis is a technique that can be used to determine the chain of events that
causes a disruption to IT services.
CRAMM
CCTA Risk Analysis and Management Methodology can be used to identify new risks and
provide appropriate countermeasures associated with any change to the business
availability requirements and revised IT infrastructure design.
SOA
Systems Outage Analysis is a technique designed to provide a structured approach to identifying
the underlying causes of service interruption to the user.
Roles
The Availability Manager
The Availability Manager has a guiding role and has a general, yet sound knowledge of the
IT infrastructure. They will assemble and analyse data from processes like Problem
Management, Change Management, Service Desk and Capacity Management to assist in
management and planning with regard to availability.
Using the results of this data they steer other Service Management processes in order to
guarantee the agreed availability, thus helping to prevent problems. For example they may
attend Change Advisory Board meetings within Change Management.
The Availability Manager communicates their findings to the Service Level Manager and,
through that, makes an important contribution to the establishment of the SLAs. They
implement the policies of Security Management in relation to the security of data.
Relationships
The introduction of Availability Management without the other processes in place is likely to
fail, as without the support of the other processes it can’t deliver the agreed availability.
Incident Management and Problem Management provide a key input to ensure the
appropriate corrective actions are being progressed.
The measurement and reporting of IT availability ensure that the level of availability
delivered meets the Service Level Agreement (SLA). Availability Management supports the
Service Level Management process in providing measurements and reporting to support
service reviews.
Benefits
Optimal use of the capability of the IT Infrastructure and delivery of the availability of the IT
services in accordance with the agreed requirements of the customers.
Common Problems
As with every process there are some issues that need to be addressed as they can make or
break the success of the process.
• Unclear requirements from the business regarding the availability expected of the IT
service
The business and the IT organisation must share a common understanding on the definition
of availability and the definition of downtime.
Metrics
By reporting on the following items the effectiveness and efficiency of the process can be
measured:
• Time it takes to recover from an incident
Note: Check the AV Essentials section for defined availability terms (e.g. MTBF, MTTR, etc.)
Best practices
Interesting websites:
Assessment
http://www.itil.co.uk/online_ordering/serv_del_graphs/avail_mngt.htm
Essentials (terminology)
Down time:
The total period during which an IT service is not operational within the agreed service times.
Mean Time To Repair (MTTR):
The average period between commencement of an incident and its solution.
Fault, Failure:
The moment at which a functional unit no longer provides the required function.
High Availability
A characteristic of the IT Service that masks the effects of IT component failure to the user.
Continuous Operation
A characteristic of the IT operation that masks the effects of planned downtime to the user.
Continuous Availability
A characteristic of the IT Service that minimises or masks the effects of all failures and
planned downtime to the user.
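The down time and MTTR definitions above can be applied to incident records as follows. This is an added example, not part of the course material: the incident records are constructed, the agreed service times (Monday to Friday, 08:00-18:00) are an assumption, and availability is assumed to be (agreed service time minus down time) divided by agreed service time.

```python
from datetime import datetime, time, timedelta

# Assumed agreed service times for this example: Monday-Friday, 08:00-18:00.
SERVICE_DAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): Monday == 0
SERVICE_START, SERVICE_END = time(8, 0), time(18, 0)

# Constructed incident records: (commencement of incident, solution).
INCIDENTS = [
    (datetime(2004, 1, 5, 17, 0), datetime(2004, 1, 6, 9, 30)),      # runs overnight
    (datetime(2004, 1, 10, 10, 0), datetime(2004, 1, 10, 14, 0)),    # Saturday
    (datetime(2004, 1, 14, 11, 0), datetime(2004, 1, 14, 11, 45)),
    (datetime(2004, 1, 14, 11, 30), datetime(2004, 1, 14, 12, 15)),  # overlaps previous
]
PERIOD = (datetime(2004, 1, 5), datetime(2004, 1, 19))  # two-week reporting period


def service_windows(period_start, period_end):
    """Yield (start, end) of every agreed service window inside the period."""
    day = period_start.date()
    while day <= period_end.date():
        if day.weekday() in SERVICE_DAYS:
            start = max(datetime.combine(day, SERVICE_START), period_start)
            end = min(datetime.combine(day, SERVICE_END), period_end)
            if start < end:
                yield start, end
        day += timedelta(days=1)


def merge_intervals(intervals):
    """Merge overlapping outages so simultaneous incidents are not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def agreed_service_time(period_start, period_end):
    """Total agreed service time in the reporting period."""
    windows = service_windows(period_start, period_end)
    return sum((end - start for start, end in windows), timedelta())


def downtime(incidents, period_start, period_end):
    """Down time: time not operational *within the agreed service times*."""
    outages = merge_intervals(incidents)
    total = timedelta()
    for w_start, w_end in service_windows(period_start, period_end):
        for o_start, o_end in outages:
            overlap = min(w_end, o_end) - max(w_start, o_start)
            if overlap > timedelta():
                total += overlap
    return total


def mean_time_to_repair(incidents):
    """MTTR: average period between commencement of an incident and its solution."""
    if not incidents:
        return timedelta()
    elapsed = sum((end - start for start, end in incidents), timedelta())
    return elapsed / len(incidents)


def availability_percent(incidents, period_start, period_end):
    """Assumed formula: (agreed service time - down time) / agreed service time * 100."""
    ast = agreed_service_time(period_start, period_end)
    if ast == timedelta():
        raise ValueError("no agreed service time in the reporting period")
    return 100 * (ast - downtime(incidents, period_start, period_end)) / ast


if __name__ == "__main__":
    print("Agreed service time:", agreed_service_time(*PERIOD))
    print("Down time:          ", downtime(INCIDENTS, *PERIOD))
    print("MTTR:               ", mean_time_to_repair(INCIDENTS))
    print("Availability (%):   ", availability_percent(INCIDENTS, *PERIOD))
```

The Saturday incident lengthens MTTR but adds no down time, because it falls outside the agreed service times; this is why the business and the IT organisation need a shared definition of downtime before reporting against an SLA.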
Capacity Management
Introduction
The Capacity Management process is designed to ensure that the capacity of the IT
infrastructure is aligned to business needs.
The main purpose of Capacity Management is to understand and maintain the required level
of service delivery (via the appropriate capacity) - at an acceptable cost.
By gathering business and technical capacity data, this process plans for and delivers
the cost-justified capacity requirements of the business. The Capacity Plan is the core
document that describes how this will take place over the coming period.
Objective
The main objective of Capacity Management is to understand the business’s capacity
requirements and deliver against them both in the present and the future.
Process Description
The Capacity Management process breaks down into three sub-processes listed below:
This sub process has the focus on the long term. It is responsible for ensuring that the
future business requirements are taken into consideration then planned and implemented as
necessary.
Is responsible for ensuring that the performance of all current IT services falls within the
parameters detailed as targets within SLA’s.
Is responsible for the management of the individual components within the infrastructure.
Resource capacity management has more of a technical focus.
Activities
Each of the sub-processes mentioned before involves, to a higher or lesser degree, the
following activities:
• Iterative Activities
• Storage of Capacity Management Data
• Demand management
• Application Sizing
• Modeling
• Capacity Plan
• Reporting
Iterative Activities
Demand management:
Demand Management is responsible for the management of workload in the infrastructure
to better utilise the current capacity rather than increasing capacity. User behaviour is
influenced to shift workload, for example to another time of the day to relieve capacity
shortages.
Application Sizing:
Application Sizing relates to the assessment of the capacity requirements of applications
during their planning and development. The capacity requirements of a new application will
be understood and the infrastructure can be tuned as necessary to meet the new
requirements.
Modeling:
By simulation or with the assistance of mathematical models, modeling allows for the prediction
of future capacity requirements. The results from this can be used as an input into the
Capacity Plan.
Capacity Plan
This plan is drafted on the basis of data from the CDB (Capacity Database),
financial data, business data, technical data, etc. The plan is future oriented and covers a
period of at least 12 months.
Reporting
Reporting entails the reporting of capacity performance over any given period. Reporting
could, for example, be (but is not limited to) against the capacity metrics in SLAs.
Roles
To do this, the manager must be involved in evaluating all changes, to establish the effect
on capacity and performance. This should happen both when changes are proposed and
after they are implemented. They pay particular attention to the cumulative effect of
changes over a period of time. The cumulative effects of single changes can often cause
degraded response times, file storage problems, and excess demand for processing
capacity.
Other roles within Capacity Management are the roles of the network manager, application
manager and system manager. They are responsible for translating the business requirements into
the required capacity to be able to meet these requirements and to optimise the performance.
Relationships
Capacity Management is part of Service Delivery and is directly related to the business
requirements. It is not simply about the performance of the system’s components,
individually or collectively.
These processes will provide Capacity Management with information about incidents and
problems related to Capacity. Capacity Management will support the processes in solving
the incidents and/or problems and also provide them with information about the capacity
performance.
Capacity Management activities will raise Requests for Change (RFCs) in order to ensure
that the appropriate capacity is available. These are subject to the Change Management
process, and implementation may affect several Configuration Items (C.I.'s), including
hardware, software and documentation, and will require effective Release Management.
Availability Management
The link between Capacity Management and Availability Management is strong, as the
availability that is needed requires a certain amount of capacity within the configuration
items. Without enough capacity, you will never have enough availability. Furthermore, the
values measured by Capacity Management are of importance to Availability Management in
relation to availability and reliability.
Both Capacity Management and Availability Management need to provide the service level
manager with input for effective SLA negotiations. Capacity Management informs Service
Level Management about the result levels that can be provided to the client.
Financial Management
The drafted capacity plan delivers important input for Financial Management, which on this
basis can draft a very accurate investment plan. Capacity Management gets information in
return about the available budget.
Capacity Management provides ITSCM with the information about the minimum required
Capacity needed for recovery. It is important to consider the impact (for needed capacity)
of changes to the IT services on the ITSCM procedures.
Benefits
• Cost savings
Common Problems
Common problems that can be encountered while the process is already implemented
include:
• Capacity information from suppliers is not available or is too general and can be
misleading for infrastructure components.
• The detail of monitoring can be too deep, causing the process to be too expensive.
• Information is difficult to obtain. It is not always easy to predict what future capacity
is required before you build an application.
Note: This final point is important. All too often end users and customers are interviewed at
length about their expected capacity requirements, only to demand more as soon as the
new application goes live. It is up to the IT professionals to have built in the ability for the
application to scale to match any new requirements.
Metrics
• Are the requirements being met?
• Is capacity not a cause for the breach of Service Levels, Incidents or Problems?
Best practices
With cheap hardware prices, capacity planning may seem unimportant; you can always
upgrade later. A simple guess of the capacity requirements should be sufficient, right? Why
give this subject any more thought?
There are two main issues that make capacity planning critical.
The first is the rate of technical change. We now measure progress in "Internet years" --
equivalent to about 90 days of a calendar year.
The second is with Internet/Intranet at the helm. Today’s systems are primarily being
developed within a 3-tier architecture. This rapid change, coupled with the increase in
complexity of 3-tier architecture, is causing system designers to pay closer attention to
capacity. Five years ago, a designer could roll out a new system with a rough estimate of
capacity and performance. The system could then be tuned or more capacity added before
all of the users had been converted to the new system. The process was reasonable
because the systems were typically not mission-critical.
Today, there’s no time for this approach. Once systems are in place they become an
integral part of the overall design. Downing the system for upgrades becomes increasingly
expensive in both time and resources. In addition, the added complexity of the environment
typically requires more care, due to the interdependency between various application
components.
Capacity planning is driven purely by financial considerations. Proper capacity planning can
significantly reduce the overall cost of ownership of a system. Although formal capacity
planning takes time, internal and external staff resources, software and hardware tools, the
potential losses incurred without capacity planning are staggering. Lost productivity of end
users in critical business functions, overpaying for network equipment or services and the
costs of upgrading systems already in production more than justify the cost of capacity
planning.
Interesting websites:
http://www.capacityplanning.com/
Assessment
http://www.itil.co.uk/online_ordering/serv_del_graphs/capacity_mngt.htm
White Papers
http://www.iccmforum.com/iccm.asp?r=Capacity&s=CPUResource
Tools
http://regions.cmg.org/regions/cmgarmw/shortarm.html
http://www.iccmforum.com/iccm.asp?r=Tutorial&s=Benchmarks&t=Standard
http://www.iccmforum.com/iccm.asp?r=Tutorial&s=Benchmarks&t=ZiffDavis
Essentials (terminology)
Capacity Plan
A plan that is drafted on the basis of data from the CDB, financial data, business data, technical data, etc. The plan is
future oriented and looks forward for a period of at least two years.
Performance Management
This is the monitoring of results, signaling of trends, analysis of information and tuning (e.g. by spread of
workloads).
Workload Management
The identification and registration of use of resources of each workload and the detection of peaks and patterns.
Resource Management
There are still quite a few managers that see IT Service Continuity Management (ITSCM) as
a luxury for which they do not have to allocate any resources. However, statistics show that
disasters regularly occur. Causes of such disasters are events like fire, lightning, flood,
burglary, vandalism, power failure or even terrorist attacks. Thinking about - and actually
establishing - a Business Continuity Plan could have saved affected companies a lot of
trouble or even their business itself.
As businesses are becoming increasingly dependent on IT, the impact of the unavailability
of IT Services has drastically increased. Every time the availability or performance of a
service is reduced, the users cannot continue with their normal work. This trend towards
dependency on IT will continue and will increasingly influence users, managers and
decision-makers. That is why it is important, that the impact of a total or partial loss of the
IT Services is estimated and Continuity Plans established to ensure that the business will
always be able to continue.
Objective
The objective of the ITSCM process is to support the overall Business Continuity
Management (BCM) process by ensuring that the required IT technical and services facilities
can be recovered within required and agreed business time-scales.
Process Description
ITSCM is concerned with managing an organisation’s ability to continue to provide a pre-
determined and agreed level of IT services to support the minimum business requirements,
following an interruption to the business. This includes:
• Reducing the vulnerability and risk to the business by effective risk analysis and risk management.
• Producing IT recovery plans that are integrated with and fully support the organisation’s overall Business
Continuity Management (BCM) Plan.
ITSCM should be closely aligned with and driven by the overall BCM process, as a sub-set of
this process. BCM manages risks to ensure that the organisation can continue to operate at
a specified minimum level in case of a disaster. ITSCM is focused on the IT Services and
ensures that the minimum of IT Services can be provided in case of disaster. One won’t
work without the other.
If the BCM process has a solid plan to evacuate part of the business process and continue
to work in a separate building, but there is no IT infrastructure ready, the plan is of no use.
The same applies if you do have plans which enable the IT organisation to provide the IT
Service elsewhere but the business process can’t be continued because there is no
contingency plan in place for that.
The process can be divided into 4 stages, which will be described in the next chapter in detail:
• Initiation
• Implementation
• Operational Management
Activities
Each of the stages has its own activities, which will be described in more detail throughout this
chapter.
Initiation
• Initiate BCM
The initiation process covers the whole of the organisation. The policies around BCM and
ITSCM are defined, the scope of the process and the terms of reference determined,
resources allocated and a project plan established.
The impact of a disaster on the business will be investigated. Questions that can be asked
are: Can the business still operate in case of a disaster? For how long can it survive? Does it
rely on the IT services to be able to operate?
How much the organisation stands to lose as a result of a disaster or other service
disruption and the speed of escalation of these losses will be assessed by:
o Identifying the potential damage or loss that may be caused to the
organisation as a result of a disruption to critical business processes.
• Risk Assessment
This activity analyses the likelihood that a disaster or other serious service disruption will
actually occur. This is an assessment of the level of threat and the extent to which an
organisation is vulnerable to that threat. Risk Assessment consists of two parts:
In the case of a Recovery Plan, decisions have to be made on how to recover. The options are:
o No contingency.
This choice can be made if a risk analysis suggests that the failure of (a part
of) the IT service delivery does not irretrievably affect business. It may be
sensible however, to confirm in writing, that in case of a calamity no concrete
contingency plan is available.
o Administrative procedures.
If the infrastructure is no longer available, a switch is made to administrative
procedures. The disadvantage is that when the availability of the IT
infrastructure is restored, a catch-up activity must be performed.
o Fortification strategy.
In this approach, one chooses a security method where, in fact, nothing can
happen. The costs of such are high and if, despite this, something does go
wrong, no alternatives are available.
o Reciprocal agreements.
In the case of a calamity, organisations make (parts of the) infrastructure
available to each other. The disadvantages are reciprocal dependency and
the confidentiality of data.
Implementation
Several plans need to be set up in order to be able to implement the ITSCM process. These
plans address issues like emergency procedures, damage assessment, what to do with
data, recovery plans etc.
The risk reduction measures need to be implemented. In most cases this will be done with
help of the Availability process. Also stand-by procedures will have to be put in place, for
example setting up an agreement with a third party to supply goods in case of a disaster
without having to go through the proper channels.
The Recovery Plan (or Continuity plan) has to be set up. The plan should cover at least the
following subjects:
o Recovery initiation
Testing is a critical part of the overall ITSCM process and is the only way of ensuring that
the selected strategy, stand-by arrangements, logistics, business recovery plans and
procedures will work in practice.
Operational Management
These are essential issues that need to be taken care of in order for the ITSCM process to
be successful. This ensures that all staff are aware of the implications of Business Continuity
and of IT Service Continuity and consider these as part of their normal working routine and
budget.
It is necessary to review and audit the plans on a regular basis to make sure they are still
up to date.
• Testing
By testing on a regular basis not only can the effectiveness of the plan be tested but also
people will know what happens, where the plan is and what is in it.
• Change Management
Following tests and reviews and in response to day-to-day Changes, there is a need for the
ITSCM plans to be updated. ITSCM must be included as part of the Change Management
process to ensure that any Changes to the IT infrastructure are reflected in the contingency
arrangements provided by IT or third parties.
• Assurance
The quality of the process is verified to assure that the business requirements can be met
and that the operational management processes are working satisfactorily.
Roles
A distinction can be made in roles and responsibilities in and outside crisis times. Different
levels within this process can be defined, starting with the board followed by senior
management, management, team leaders and their team members. It is vital to document
the responsibilities of each and every role.
• Develop and manage the ITSCM Plan to ensure that, at all times, the recovery
objectives of the business can be achieved.
• Ensure that all IT Service areas are prepared and able to respond to an invocation of
the Continuity Plans.
• Communicate and maintain awareness of ITSCM objectives within the business areas
supported and the IT Service areas.
Relationships
ITSCM has a close relationship with all the other ITIL processes and the business in general.
The relationship with some of the processes is described in more detail.
Service Level Management provides the ITSCM process with information about the required
service levels.
Availability Management
Availability Management has more of a supportive role and helps the ITSCM process to prevent
and reduce the risk of disasters by delivering / implementing risk reduction measures.
Configuration Management
Configuration Management provides information about Configuration Items that are needed
in order to be able to restore the IT service after a disaster.
Change Management
Change Management needs to make sure that the ITSCM is aware of the impact of the
Changes on the Continuity and Recovery Plans, so the plans are updated if necessary.
Capacity Management
Capacity Management makes sure the appropriate infrastructure can support the business
requirements.
Service Desk in combination with Incident Management provides the ITSCM process with
historical data (statistics).
Benefits
ITSCM supports the BCM process and delivers the required IT Infrastructure and Services to
enable the business to continue to operate following a service disruption. The main benefits
of implementing the ITSCM process are:
Common Problems
A few of the problems one can encounter while implementing the ITSCM process are:
• The ITSCM is not based on the BCM.
• Lack of awareness and support of the users and the IT personnel causing the process
to fail in case of a disaster.
Metrics
During/after a disaster one can report on:
Best practices
Interesting websites:
http://www.globalcontinuity.com/
http://www.microsoft.com/technet/itsolutions/idc/oag/oagc20.asp
http://www.iccmforum.com/iccm.asp?r=Tutorial&s=Benchmarks&t=ZiffDavis
http://www.disasterrecoveryworld.com/
Whitepages
Assessment
http://www.itil.co.uk/online_ordering/serv_del_graphs/itserv_cont.htm
Essentials (terminology)
IT Disaster
The unavailability for a longer period of time of IT Service provision which makes it
necessary to switch to an alternative system and for which the actions to be taken are not
part of a daily routine.
Gradual Recovery (Cold Stand-by)
This is applicable to organisations that do not need immediate restoration of business
processes and can function for a period of up to 72 hours, or longer, without a
re-establishment of full IT facilities.
Stand-by arrangements
Arrangements to have assets available which have been identified as replacements, should
primary assets be unavailable following a business disruption. Typically, these include
accommodation, IT systems and networks, telecommunication and sometimes people.
Vulnerability
A weakness of the system and its assets, which could be exploited by threats.
Security Management
Introduction
Everyone has heard about the impact a virus can have on a business.
Names such as the Kournikova virus, Nimda and the Trojan Horse ring bells about the
vulnerability of our business and the reliance of businesses on IT services.
A national event would take place, which would attract a lot of attention. The event was
the live chat session with Prince Willem Alexander and his fiancée Maxima on the Internet.
The main telecom provider in the Netherlands provided it and they bragged about how they
could ensure the availability and the high performance of the event.
A group of activists thought this was the time to show the country how vulnerable even the
big companies are by hacking into the systems, causing the servers to go down and so
interrupting the live chat session for a period of time.
In this case no harm was done, but if they had had bad intentions they could easily have caused
a lot of damage.
In both cases there is a risk of information being damaged or misused due to a breach in
security or lack thereof.
The security of Information is a key management concern in the modern, electronic
business world. In order for companies to maintain their competitive edge, business
decisions must be based on accurate, complete and accessible information.
The degree to which these aspects are preserved must be based on the business
requirements for security. This can be properly understood through accurate risk and impact
analysis. Security management is concerned with addressing activities that are required to
maintain risks at a manageable level.
Objective
• To ensure that it complies with the external requirements of legislation regarding
privacy, insurance policies, and the SLA’s.
• To create a secure environment regardless of the external requirements
Process Description
The process of Security Management is a flexible one and needs to be reviewed continuously to ensure that it is still
up to date. It should therefore plan, do, check and act in a continuous cycle.
The activities of Security Management are undertaken either by the process itself or by
other processes under the control of Security Management.
Activities
The following activities are part of the security management process:
o Control
o Plan
o Implement
o Evaluate
o Maintenance
o Reporting
Control
In this process the basics for the Security Process are laid out. This includes, among other things, describing the roles and
responsibilities, describing the sub processes, the Security plan and its implementation, and selecting the
tools.
Plan
This sub process plans the security sections of the SLAs with Service Level Management. It also includes
addressing the security sections in the Underpinning Contracts (UPCs) and the operational level agreements.
Implement
Implementation of all the security measures is the aim of this sub process.
Evaluate
It is necessary to evaluate the implementation of the security measures to see if they are
effective. Regular audits also need to be done to ensure that the process is working
efficiently and effectively.
Maintenance
The maintenance of the security aspects of the SLAs and the maintenance of the security
plan are the responsibilities of this sub process.
Reporting
• Security incidents
• Results of audits
• Performance of security tests
• Identification of incident trends
Roles
In most cases there will be only the Security Manager; however, in very large organisations
there may be more persons involved in the process.
The Security Manager is responsible for implementing and maintaining the process. The
Security Manager has close ties with the Business Information Security Officer.
Relationships
The Security Management process has links with all the ITIL processes. Each process
carries out one or more of the activities of Security Management. Although the
responsibilities for these actions remain within the separate processes, Security
Management provides the input for the activities.
Service Level Management provides information about the required service levels and
receives input about the achieved levels.
Configuration Management: The CMDB contains the information about the C.I.s. Every
C.I. should be classified indicating the required availability, integrity and confidentiality,
which will determine the level of security that is required.
Change Management implements the changes that ensure or enhance security. On
the other hand, it needs to address the security issues for every change. In most cases the
Security Manager will be part of the CAB.
Benefits
Common Problems
• Commitment. Extra rules and regulations are most likely to generate resistance
rather than appealing to end users.
• Attitude. Most security issues are caused by human errors. Quite often this is due to
complacency.
• Verification. It needs to be possible to check whether the security measures are working and whether
they are there for the right reasons.
• Changes. Over time the security aspect of changes might not get as much attention
as is needed.
• Awareness. As with every other process it is important to communicate with the
organisation to gain the cooperation of the business.
Metrics
The metrics of this process are similar to the ones of Service Level Management but focus on the security aspect.
Best practices
http://www.securitymanagement.com/
http://www.ismanet.com/
Or
Should they contract such services to an outsourcing specialist who is using the latest
available technology, tools and expertise to offer the most efficient service?
The decision to outsource Security Management needs to be weighed carefully as this highly
debatable decision has both pros and cons.
Essentials (terminology)
Confidentiality
Integrity
Availability
Ensuring that authorised users have access to information and associated assets when
required.
Privacy
Verifiability
Being able to verify that the information is used correctly and that the security measures
are effective.
Conclusion
In recent years, IT Service Management has developed into a field in its own right.
Organisations are now so dependent on the automation of large parts of their business
processes that the quality of IT services and the synchronisation of these services with the
needs of the organisation are now essential to their survival.
This introduction to IT Service Management aims to provide a thorough introduction to the
field. It not only provides a convenient introduction to the books in the IT Infrastructure
Library (ITIL), but also serves as the first step to prepare for the Foundation Certificate
exam in IT Service Management.
This course aims to provide an effective introduction to the dynamic area of IT Service
Management, and will be useful even for those not preparing for the exam. However, it does
not pretend to have the answers to all the questions that arise in a field so multifaceted as
IT Service Management. Instead, it aims to encourage discussions and to compare the best
practices with the learner's own experience.
We expect that this course will fulfill a clear need, and it deserves not just to be read and
studied, but also to be used wisely in practice.
Further reading
There are a wide variety of topics available as additional reading in this area. Searching
using any internet search engine for topics like "ITIL" and "IT Service Management" will
return good results.
OGC/CCTA http://www.ogc.gov.uk
EXIN http://www.exin-exams.com
ITSMF http://www.itsmf.com
ITIL http://www.itil.co.uk