
DUY TAN UNIVERSITY

INTERNATIONAL SCHOOL
------------------

INFORMATION SYSTEM
Theories & Practices

CMU-IS251

INSTRUCTOR: M.Sc Nguyen Thi Thanh Tam

Da Nang, 2019
Information System Theories & Practices

DUY TAN UNIVERSITY


INTERNATIONAL SCHOOL
------------------

Name of Course : INFORMATION SYSTEM Theories & Practices


Course No : CMU-IS-251
Number of Credits : 3
Student Level : Second year students in Information System

2 | Nguyen Thi Thanh Tam - DTU



ABSTRACT
This is the INFORMATION SYSTEM THEORIES AND PRACTICES course, designed for second or third year students in the Information System Management major.
This course:
• Can be taken at the same time as the software project management course. This course does not require any programming.
• Provides in-depth knowledge and skills in the field of Information Systems as they are practiced in the software industry.
• Introduces information system management theories, but focuses more on the actual practices to give students broader views and approaches that are currently being applied in most information technology organizations.
• Discovers the roles, responsibilities and authorities of information system management such as Chief Information Officer, Middle Level Management (Directors, Senior Management) and Line Management (project manager).
• Explores the concepts of “Services Management” and practices that are being used in most information technology organizations.

As a result of having successfully completed this course, students will be able to:
• Understand and appreciate the information system management principles.
• Understand the components of information system management and the structure by which these components work together to create a well-defined information systems management organization.
• Describe the roles, responsibilities and authorities of information system management structures.
• Describe how information technology is used to solve business problems and help business achieve its goals and objectives.
• Apply the practices of information system management in the highly competitive software industry.
• Organize and structure a service delivery to enhance the competitiveness of the business.
• Provide guidance to future information system managers as students are entering the industry and ready to assume more responsibilities.
• Understand risks and issues of the information system management process.
• Plan and set the stage for IT service delivery.
• Manage information systems according to their service functions.


INTRODUCTION

Today Information Technology is everywhere and controls many things, from large
manufacturing companies to small business, from government systems to private enterprise
systems. Information Technology (IT) is the study of how computers process information and
create value in the highly competitive market. IT professionals work in different kinds of
industries, designing hardware, software, communications networks, building internet
applications, and more. Because of the broad range of opportunities available to information
technology professionals, knowledge in Information Technology can help nearly anyone find a
good job in an industry they choose.
However, while the Software Engineering, Computer Science and Information Technology fields
have a technical focus, there is another field that combines aspects of technology and business
and focuses more on management than on technical work: Information Systems
Management (ISM). A degree in Information Systems Management (ISM) can prepare you for
an exciting career in a variety of industries. As information technology plays an increasingly
important role in business, many companies are looking for skilled workers with experience in
managing information technology systems (hardware and software).
According to several U.S government studies, students that have ISM degrees can excel at a
variety of jobs immediately after graduation. People with strong communication skills can work
as company representatives to support customers. People with strong management skills can
manage data centers, networks, or company infrastructures.
Highly talented people can start as a manager of an IT department, then advance to
management of an entire computer network, and eventually Chief Information Officer (CIO) of
a company. The world of information technology is always changing, so learning how to keep
up with the pace of technology is one of the most important things students learn when enrolled
in this kind of program. The fast pace at which technology changes means that many different
types of people are required to specialize in a variety of different areas, providing plenty of
opportunity for everyone. Because it is easier to keep up with one aspect of technology than
with all of them, it is important for ISM students to specialize in particular fields such as
network management, database management, security management, application management or
ecommerce management.
A degree in Information System Management (ISM) can give you the edge toward a
management position over others because no matter what industry you work in, you can be sure
that your company uses information technology in a number of ways. Examples may be
improving customer order-processing to manufacturing or providing services to global
customers. Government is also a large employer hiring many ISM graduates as many
government functions have been converted to computer automation. Knowledge of information
technology can help almost anyone advance in his or her career and secure a good job. But is
Information Systems Management (ISM) a good choice for you?
First, students who pursue degrees in Information System Management (ISM) do NOT have
to be highly technical but must be problem solvers. While computers help the business to an
amazing degree, they can also impact many things if they are NOT working properly. To
manage technical people who work on computers, ISM students must have
fundamental knowledge of how computers work. You also must be able to identify, locate, and
solve problems in a timely fashion, so the abilities to analyze and make decisions are
important skills for ISM students. As the manager of information technology, ISM people often
work in a place where many people do NOT know much about computer systems. This means
that they must be able to explain computers and how they can support the business, which
requires good communication skills. On the contrary, technical people tend to spend a lot of
time doing technical work but they do not know much about the business. They also need to be
managed in a way that they feel comfortable. ISM people should be able to explain the business
aspect such as budget, finance, time, costs and return on investment to these technical people.
Overall, communication, the ability to train, to educate, and to manage are essential skills of
ISM students.
A major in information technology management (ISM) is suitable for people who have broad
knowledge of both business and technology with good communication skills, writing skills,
logical thinking, and leadership skills. Most ISM jobs require a Bachelor Degree for entry level
and usually an advanced degree for middle level management (Master of Science in Information
systems Management or Master of Business Administration with a focus on technology).
Typical programs consist of several information technology and business courses including:
Introduction to Programming Languages, Introduction to Information System Management,
Computing Network Security, Database Administration, Advanced Information Systems,
Project Management, and Business Finance.


Lecture 1: Overview of Information Systems


Learning goals:
The goal of this lecture is to:
1) Introduce information system management concepts and principles.
2) Explain different types of Information Systems.
3) Discuss the business environment of the 21st century.
4) Explain the integration of business and information technology.
5) Explain the values of information technology strategy.
Benefits
This lecture provides an overview of information system management theories and
applications. It also covers several types of information systems but focuses on the Decision
Support System (DSS) as it is widely used in business today. The students will learn about the
value and strategy of information technology as it is fully integrated with the business to create
value. By understanding the issues and how information technology can support and provide
strategic value, students will have a sufficient foundation for understanding subsequent lectures.
Today, with the advancement of computing technology, information technology no longer
plays a supporting role but has become a strategic element in almost all businesses. Many
companies realize that they cannot succeed without information technology, especially in the
highly competitive globalized environment. However, the collection, analysis, production, and
distribution of information within an organization for management decisions depend on
the structure of the Information Technology (IT) management. It is essential to recognize
that IT management is critical; organizations must therefore organize the IT structure
accordingly and invest appropriate resources in the support, delivery and management of IT
systems. Because IT is still a young discipline compared with other fields such as accounting,
finance, marketing, etc., many aspects of IT management are often overlooked or only
superficially addressed within many organizations. Therefore, issues facing Business Managers
and IT Managers are:
1) Information Technology and business strategic planning.
2) Integrating and aligning IT and business goals.
3) Implementing information technology solutions.
4) Measuring IT organization effectiveness and efficiency.
5) Achieving Return on Investment (ROI).
6) Demonstrating the business value of IT.
7) Developing business and IT partnerships and relationships.
8) Delivering IT services.
9) Using IT to gain competitive advantage.


1.1. Definition of Information Systems

1.1.1. Definition

An information system is more than the software application and the hardware technology it
runs on. Information systems also include people who design, adjust, change and manage all
existing work processes to implement the business solution.

An Information System (IS) is the system of people, data and all activities that process the data
and information in an organization. It is a set of interrelated components that collect, process, store,
and distribute information to support decision making and control in an organization: a set of
components that interact with each other to accomplish a purpose.

An Information System can be a manual or an automated process. If it is an automated
process using a computer-based system, then it is called Information Technology (IT).
Information technology (IT), sometimes referred to as Information and Communication
Technology (ICT), is the study, design, development, implementation, support and management
of computer-based information systems, including software applications and computer
hardware. Today most people use the term Information System for the “System” or “Computer”
and Information Technology for the “organization” or “people” in that field.

Examples:

A business is a system. Its components such as marketing, manufacturing, sales, research,
accounting, shipping and personnel all work together to create business value or profit that
benefits the owners and employees.

1.1.2. Component of Typical Information Systems

A typical Information System consists of:

• Computer Hardware: CPUs, disks, terminals, servers, etc.
• Computer Software: System programs such as operating systems, database systems, telecommunication control programs and application programs that carry out the function that users want, etc.
• Data: Information that the system keeps over a period of time.
• Procedures: Rules, policies and instructions for operating the system.
• People: Those who operate the system, those who provide input to the system or use the output, etc.
1.1.3. System Characteristics: To achieve a purpose, a system must interact with its environment (receive input and produce output).

1.2. Some types of Information Systems

1.2.1. On-Line System:

• On-line systems accept input directly from the area where it is created, and the output is returned directly to where it is required.
• A common characteristic of on-line systems is that data is entered into the system and received from the system remotely. That is, users interact with the system from terminals that could be located far away from other terminals and from the system itself.
• Another characteristic of on-line systems is that they store data in files or a database, so that data can be retrieved and/or modified quickly.

1.2.2. Real-Time System:

• A real-time system is an on-line system that controls the environment by receiving data, processing data, and returning the results quickly to affect the environment at that time.
• It is characterized by the following features:
  ◦ Processing activities that are taking place simultaneously.
  ◦ Assignment of different priorities to different tasks, as some need to be serviced immediately, while others can be delayed.
  ◦ Interruption of one task before it is finished in order to begin servicing higher-priority tasks.
  ◦ Extensive communication between tasks, especially since many tasks are working on different aspects of an overall process like controlling a manufacturing process.
  ◦ Simultaneous access to common data, both in memory and on secondary storage, thus requiring elaborate procedures to ensure that common data does not become corrupted.

• Process control systems: The systems that are used to monitor and control oil refineries, chemical manufacturing processes, milling and machining operations.
• High-speed data acquisition systems: The systems that receive high-speed telemetry data from orbiting satellites, or computers that capture massive amounts of data from laboratory experiments.
• Missile guidance systems: The systems that track the trajectory of a missile and make continuous adjustments to the orientation and thrust of the missile engines.
• Telephone switching systems: The systems that monitor voice and data transmissions over thousands of telephone calls, detecting phone numbers being dialed, on-hook and off-hook conditions, and all of the other many conditions of the typical telephone network.
• Patient monitoring systems: The systems that monitor patient “vital signs” (e.g., temperature and pulse) and either adjust medication or sound an alarm if those vital signs stray outside some predetermined condition.
Decision-Support Systems (DSS):

1.2.3. DSS Categories

• Communication-driven DSS supports multiple users working on a shared task such as Net-meeting.
• Data-driven DSS focuses on access to and manipulation of internal company data and, sometimes, external data.
• Document-driven DSS emphasizes, manages, retrieves, and manipulates unstructured information in a variety of electronic formats.
• Knowledge-driven DSS provides specialized problem-solving expertise stored as facts, rules, procedures.
• Model-driven DSS emphasizes access to and manipulation of a statistical, financial, optimization, or simulation model. Model-driven DSS use data and parameters provided by users to assist decision makers in analyzing a situation; they are not necessarily data-intensive.
1.2.4. Knowledge-Based Systems:

• Knowledge-Based Systems or “expert systems” imitate human performance in a wide variety of “intelligent” tasks.
• The goal of the field of artificial intelligence is to produce those kinds of programs.
• For some systems, that goal is close to being attained; for others we can begin to build programs that significantly assist people in their performance of a task.

1.3. Information Systems Management


Information Systems Management is the management discipline covering the application of
people, technologies, and processes, collectively called information systems, to solve business
problems. Information systems can increase the value to the business by automating business
processes and making them more effective and efficient; increase productivity and facilitate
business growth; encourage the sharing of information within the company, so management can
make decisions on a timely basis; and link Information Technology activities to business and
make them highly visible in the business world.

The key asset of companies today is their information, represented in people, experience,
process know-how, and innovations (patents, copyrights, trade secrets). To strive for competitive
advantage, companies must put into best use a strong information technology infrastructure or
information system. Information Systems Management is the discipline of managing people,
processes, and technologies to provide business value to the company. The potential goals of
information systems are to support and transform the business for competitive advantage.

Information Systems Managers analyze data collected in operational activities of an
organization to help make business decisions.

Bridge the gap between business and technology


1.4. Role and Impact of Information Systems Management to business

Information Systems Can …

• Increase the value to the business by automating business processes and making them more effective and efficient.
• Increase productivity and facilitate business growth.
• Encourage the sharing of information within the company, so management can make decisions on a timely basis.
• Link Information Technology activities to business and make it highly visible in the business world.
• The key asset of companies today is their information, represented in people, experience, process know-how, and innovations (patents, copyrights, trade secrets).
• To strive for competitive advantage, companies must put into best use a strong information technology infrastructure or information system.
• Information Systems Management is the discipline of managing people, processes, and technologies to provide business value to the company.
• The potential goals of information systems are to support and transform the business for competitive advantage.
As we are entering the 21st century, Information Technology (IT) has changed the way
companies do business, the nature of competition and the requirements to build, sell, automate,
provide IT services and compete in the marketplace. Many businesses have invested in that
change and IT budgets have grown rapidly, often ahead of business growth rates as global
companies transformed the business and moved online with the Internet.
Business environment of the 21st century:
- Market Economy at Global Scale
- Business Cycle: At the Speed of the Internet
- Business Operation at 24/7
- Privatization & Consolidation
- Growth & Acquisitions
- Globalization Trends
The global business environment is intensely competitive. Every business is under extreme
pressure to survive by reacting to the following:
• Changing demographics (globalization, distribution of people, buy, sell and compete globally)
• Corporate volatility (mergers, acquisitions, divestitures, alliances, etc.)
• Cost control (contain and reduce expenses)
• Quality
• Knowledge & Skills (new technology, new skills, etc.)
• Regulations (more constraints, rules, etc.)
To survive and be successful, businesses must: Be the best within selected markets.
Maintain low cost structure. Adopt a differentiated approach to business. Achieve customer
satisfaction. Defend and grow market share. Have quick response to market needs. Continuously
improve business processes.
Therefore, businesses must apply technology to:
Increase Speed: Faster than a person, reduce bureaucracy, redundancy.
Storage & Retrieval: Store and retrieve information faster and reduce costs.
Communication: Move data and information from one place in a process to another
instantly and in a variety of forms.
Control: Control business processes, increase throughput, eliminate errors.
Monitor: Check and track activities.
Support decision making: Collect data and information to be used at decision point.
* Business Expects IT To …
1. Secure and distribute data throughout the business to help management in making
decisions.
2. Embed the business logic into IT applications, rules and calculations that operate on that
data (finance, accounting systems).
3. Integrate several in-house systems of the organization into an extended enterprise
system that positions the business into a global value network (i.e., ERP, SCM).
4. Establish customer facing channels that streamline the engagement with strategic
segments (i.e., CRM).
1.5. Strategic Information Technology

Information Technology must be used to promote efficiency and speed by enabling process
automation and information sharing across the organization, and remove unnecessary
communication and duplication of data.


Due to intense global competitive pressure, every business is demanding that information
technology resources be transformed into a key strategic organization that focuses on:
• Distinct mission and goal-oriented
• Business planning, solution creating
• Customer and market focused
• Strategic and process oriented
Competitive Strategy Using IT
1.5.1. Reduce Cost Strategy:

• Reduce inventory (Just in Time)
• Reduce manpower costs
• Reduce manufacturing costs (process control)
Just in time: Inventory strategy that reduces in-process inventory by eliminating excessive
storage or costly warehousing by having needed parts arrive at the manufacturer only when
needed.
Automation: The use of control systems such as computers to control industrial machinery
and processes, replacing human operators.
Total Quality Management (TQM): A management approach that focuses on quality,
reducing defects and rework, ultimately reducing cost and achieving customer satisfaction.
Standardization: The process of establishing a uniform way of performing activities to
ensure quality and reduce costs.

1.5.2. Differentiation Strategy:

• Create a difference (better products/services)
• Niche market
• Faster, better, cheaper

Focus on customer
• Provide best value to customers
• Understand customer preferences
• Track market trends
• Provide products, services, & information anytime, anywhere
• Tailor customer service
Focus on supplier
• Receive best value from suppliers
• Understand supplier business

1.5.3. Innovation Strategy:

Business Process Reengineering (BPR)
• Re-design business processes
• Combine innovation and process improvement
• Accept and mitigate risks
Becoming agile (Faster, better response)
• Four basic elements:
◦ Customers’ perception of product/service as solution to individual problem
◦ Cooperate with customers, suppliers, other companies (including competitors)
◦ Thrive on change and uncertainty
◦ Leverage impact of people and their knowledge
1.5.4. Growth Strategy:

• Expand production capacity
• Expand into global markets
• Diversify
• Integrate into related products and services
Adding new products & services: A growth strategy in which a company seeks to add to its
existing business, with new lines of unrelated products that will appeal to its existing customers.
Create new markets: A growth strategy in which a company creates new market niches and
new customers by inventing new products that no one has, based on radical innovation.


New business model: A growth strategy in which a company creates a new way of doing
business based on cutting edge of technology or business that can deliver better products and
services than anybody.
1.5.5. Alliance Strategy:

• Broaden supporting base with consortium
• Mergers, acquisitions, joint ventures
• Marketing, manufacturing, or distribution agreements
An agreement between two or more businesses stating that they will combine efforts to act in
a certain way in order to achieve a common goal. Strategic alliances usually make sense when
the parties involved have complementary strengths.
Examples:
• Share infrastructure & risk with partners
• Link complementary core competencies
• Reduce concept-to-cash time through sharing
• Increase facilities and market coverage
• Gain access to new markets and share market or customer loyalty
• Migrate from selling products to selling solutions
1.5.6. Other Competitive Strategies

• Locking in customers or suppliers by building business value into relationships
• Creating switching costs (Proprietary applications)
• Virtual companies
• Raising barriers to entry
1.6. Summary

Today, with the advancement of computing technology, information technology no longer
plays a supporting role but has become a strategic element in almost all businesses. Many
companies realize that they cannot succeed without information technology, especially in the
highly competitive globalized environment.

1.7. Homework

1. Give five examples from your own experience of real-time systems, on-line systems,
decision-support systems, and expert systems.
2. Can a decision-support system make decisions? If not, why not?
3. What could be done to change the typical decision-support system so that it could make
decisions? Would this be desirable?


Lecture 2: Information Technology Organization


Learning goals:
The goal of this lecture is to:
1. Explain the role of information technology in business.
2. Describe the information technology (IT) organization structure
3. Discuss the two major groups within IT organization.
4. Explain the theory of “Fit” and how CIO answers to business problems
5. Provide the concept of IT strategy as viewed by IT management.
Benefit
This lecture will help students to understand the new role of information technology (IT) in
business as it is integrated with business strategy to create value and help achieve the goals and
objectives. By understanding the new advantages of information technology, students will be
able to view IT from the strategic perspective of the Chief Information Officer (CIO). Students
will also understand the management structure and the two major organizational groups of IT
(Development and operation or services).
2.1. Role of Information Technology

Innovation and Change are transforming business at a very fast rate. Business must use
Information Technology (IT) to create value quickly in a highly competitive market.
The change in business also changes society as information technology has become
accessible to more and more people with personal computers and internet applications.
Business understands that information technology has a critical role and should be used to
reduce design, manufacturing, research and production time, allowing business to compete
globally.
The role of Information Technology (IT) is changing as it adapts to new business
conditions and the increasing expectations of users.
As more businesses are using IT, there is a need for the management of all IT resources
(hardware, software, people, etc.) in a company.
Information System Management (ISM) is the IT management role that has broadened its
responsibilities to more than just technology. It will support the company with strategy and
provide solutions to all business issues.
2.2. Typical Organization Structure


2.3. Role and Responsibilities of Information System Management

• Executive managers: Long-range strategic decisions about products and services.
• Middle managers: Carry out the programs and plans of senior management.
• Operational managers: Monitor & manage organization’s daily activities.
Typical Organization Chart

2.4. Role and Responsibilities of CIO

 The CIO has come to be viewed as a key contributor in formulating strategic goals.

 A CIO proposes the information technology needed by a company to achieve its goals

and then works within a budget to implement the plan.

20 | Nguyen Thi Thanh Tam - DTU


Information System Theories & Practices

 The CIO role is also sometimes used interchangeably with the chief technology officer

(CTO) role

◦ The CIO is generally responsible for processes and practices supporting the flow of

information

◦ The CTO is generally responsible for technology infrastructure.

 The role of CIO is to define the IT strategy and manage the destiny of the IT organization

in an ever-changing

 Chief Information Officer (CIO) or IT executives must ask key questions about IT
performance:
1. "Are we doing the right things?"
2. "Are we doing things the right way?"
3. "Are we getting things done?"
4. "Are the things we are doing providing value to the business?"
 CIO => Strategic direction review:

◦ Business planning;

◦ Response to competitive threats or opportunities;

◦ Alignment of business and IT objectives and plans;

◦ Use of IT to increase current business or develop new business;

◦ Development of new products or markets that challenge the current strategy;

◦ Reengineering core processes for growth;

◦ Reevaluation of strategic targets

◦ The strategic direction review

◦ Reviewing of IT environmental trends ,

◦ Current strategy to identify whether it still “Fit” the business strategy,


◦ assess organization capability to determine the nature and scope of deviations from the anticipated course of action
◦ Strategic direction review takes place annually or continuously
• A successful “fit” of organizational strategy with its business environment is an external fit.
• The concept of “external fit” helps answer the question "Are we doing the right things?"
• To achieve external fit, organizations must design “internal systems” that carry out the strategy: this is the internal fit.
• The concept of “internal fit” helps organizations answer the question: "Are we doing things the right way?"

2.5. Information Technology Groups

Information Technology supports the business by having two groups: Development and
Operation.


2.5.1. Development group: Analyzes business needs, determines capabilities, and develops software solutions. Once the development is completed, the running and maintenance of software becomes the responsibility of the operation group.
Information Technology Development Management consists of three areas:
1. Strategic Direction Review
Review and, if necessary, reorient the strategic direction of the organization.
2. Assess Organization's Capabilities
Analyze and reconfigure the structure and processes of the organization to better
deliver business value over time.
3. Implement IT Solutions
Provide the business with appropriate information system solutions.
2.5.2. Operation group: (Maintenance Service) Focuses on what information technology
can do for the business as it manages the business efficiently and effectively by
balancing cost, time and quality.
1. Monitoring business operations and their supporting processes, systems and
technology.
2. Ensuring business needs are met, as they change and evolve.
3. Adjusting the IT environment accordingly, through maintenance activities.
2.6. Overview of Strategy

2.6.1. Definition
A strategy is a long-term plan of action designed to achieve particular goals and objectives: a set of specific activities that defines the future direction and specifies the management actions that create long-term value when implemented. Strategy differs from a tactic, which is a short-term plan or operation, an immediate action taken with the resources available. A strategic direction review is a process of analyzing the current strategy, whether implicit or explicit, to define targets and actions.

2.6.2. Strategic Direction Review


The purposes of a strategic direction review are:
• To align business and IT objectives and plans.
• To respond to competitive threats or business opportunities.
• To leverage IT to improve current business or develop new business.
• To develop new products or markets that are NOT in the current strategy.
• To re-engineer for growth.
The strategic direction review answers three questions: "Where are we?" (the current reality), "Where are we going?" (the vision) and "What should we do?" (the course of action to reach the target).

2.6.3. Creating Strategy


Executives (CIO) must create IT strategy that predicts future events. Many IT executives are
reluctant to “invalidate” the current strategy on which they have built past success. Industry
studies have shown that many strategies failed when based merely on things of the past.
Effective strategy must consider the impact of new events, new technology and market trends.
The key factor is to develop scenarios based on assumptions about the future to determine where
uncertainties exist in these projections that are critical to the organization's future direction.
2.6.4. Strategic Creation Process


2.6.5. Progressing Strategy


In today's rapid business and technological change, organizations must be open. Too strict an adherence to the “strategic plan” may lead to missed opportunities.

2.6.6. Business Strategy Definition


Integrated set of activities or actions aimed at increasing the organization's viability, long-term well-being and expansion in the market.
Strategy is based on vision about the future, on anticipation and experiencing of the market,
and on a course of action with the commitment of people in the organization.
2.6.7. Business Definition
A business definition covers the business scope and organizational boundaries of a business unit. Business scope is the served markets, which are the “customer group/product function/product form” segments to which the organizational unit sells a product or service. Organizational boundaries define the business unit's chain of activities in the design, production, marketing and distribution of its products and services, as well as the related cost functions and added value.

Business model:

The representation of how the organization chooses to engage in business. The model
includes the customers and markets served, products, services and any factors relevant to how it
differentiates itself in its chosen markets.

Executive Management Must


• Review strategy, course of action and goals.


• Ensure that the organization is following the course of action according to the strategic goal identified in the strategic planning process.
• Review and detect any “misfits” that reflect unanticipated events and poor outcomes in the process.
• Identify potential opportunities or threats. If a significant gap is detected, executives need to review strategic direction and take corrective action.
Strategic Direction Review
• In strategic direction review, IS executives analyze where the organization is going and where it stands, then determine what is needed to provide value to business.
• Executive and IS Management must understand the strengths, weaknesses, opportunities and threats of the IT organization in its environment.
• IS Management must ask the fundamental questions:
◦ Is there a vision?
◦ Is it communicated and shared?
◦ Is it what the organization is doing?
◦ How does the strategy fit in the business environment?
• IS Management must review how it has worked in the past and how it will work in the future (business, economy, society, etc.) to achieve its goals.
Review Business Value
• The criterion for every IT decision is: “Will this decision, investment or action deliver the maximum business value?”
• It is critical that management focus on the realization of targeted business benefits.
• Business Value may be reflected in current business performance, future organizational growth or a combination of these.
• Deciding the appropriate goals and measurable outcomes establishes a framework for aligning decisions at every level of the organization.
2.6.8. Four Types Of Strategy
1. Core competency
A core competency strategy focuses on the key strengths that organizations
possess, such as: intellectual capital, distinctive capabilities or processes.
2. Value driven
A value-driven strategy places its value above market trends. Charitable, faith
based or ideal based organizations fall in this category. They go to market based on “core
beliefs.”
3. Market driven


A market driven strategy's primary goal is increased earnings and maximizing shareholder value. Most private companies follow this strategy.
4. Vision driven
A vision driven strategy focuses on a compelling view of how things ought to be according to a dominant executive with an approach to making their place in the market.

Review Core Competency Strategy


• Analyze internal strengths and weaknesses
• Review market environment to determine new product or market opportunities and “fit”
• Design competitive strategy
• Adapt to business values and market
Review Value Driven Strategy
• Affirm “core beliefs”
• Formulate strategy based on core beliefs
• Identify gap of core competencies
• Assess market environment to ensure “fit”
Review Product-Market Strategy
• Identify market trends
• Determine opportunities
• Formulate potential strategies
• Check core competencies and examine strategies for obtaining them
• Adapt to new values
Vision Driven Review
• Stipulate desired state or outcome
• Formulate strategies based on outcome


• Projection of market trends to determine necessary strategies
• Analyze gap in competencies and design strategies for obtaining them
• Amend new values
The Ultimate Solution
The ultimate solution has three factors:
1. Business needs are understood and met; value is delivered to the business.
2. The right resources are used to deliver the solution.
3. An integrated, cohesive action plan or program solution with the capacity to evolve is
attained to maximize the value of the investment.
2.7. Summary

The new role of information technology (IT) in business is to be integrated with business strategy to create value and help achieve the goals and objectives.

2.8. Homework

1. Why must business strategy and IT strategy be integrated?

Answer: Today business must rely on IT to improve its efficiency to compete in a globalized world. IT is no longer just supporting the business but must play an important role in determining which technology must be implemented to give the business advantages.

2. Why must executives review their IT strategy and direction?

Answer: As the role of IT changes, the IT strategy also must change. It is important for the CIO to review the strategy to determine whether the strategy needs any improvement.

3. Why is an organization viewed as an “open system”?

Answer: An organization must be dynamic because it must change to fit with the changes in the market and technology. A closed system will not allow the organization to change as necessary. A successful organization must fit its environment in order to survive.

4. Each student is to write a short paper (< 2 pages) answering the following questions:
• Why does a company need a CIO? Can a CEO or CFO do the job of a CIO?
• Must a CIO be a technical person or a businessperson? Explain.


Lecture 3: Information Technology Strategy & Direction


Learning goals:
The goals of this lecture are:
1. Review the three key focuses of the CIO.
2. Explain the strategic direction reviews.
3. Understand the SWOT technique.
4. Prepare students to create an IT strategy.
Benefits
Students will understand the two major functions of the information organization: development and support services. They will learn the roles and responsibilities of the Chief Information Officer (CIO) and what the CIO should do in the development area. Students will learn that with the extensive use of information technology, information is the most important resource that any organization has to manage. Developing applications to support the business is one key function, but collecting, analyzing, storing and distributing information within an organization is also a very important function. It is essential that the IT organization focuses on these two functions, and organizations must invest appropriate levels of resources into the support, delivery and management of these critical IT development and support services.
3.1. Role of CIO in Strategy and Direction Review

CIO => Review:

Business Scope: The range of served markets, which are the “customer group/product function/product form” segments to which the organizational unit sells a differentiated product or service.

Business Strategy: Vision about the future, on anticipation and concrete experiencing of the market, and on a course of action with the commitment of organizational members.

Executive: Review current strategy and direction to determine how well it will “fit” the market environment.

CIO => Analyze Trends:

• Identify technology trends in the industry that are important to the organization.


• These trends may be socio-economic, technological changes in the industry, emerging technologies or changes in customer markets.
• To create a picture of a possible future or vision for the organization.

CIO => Strategic Direction Review:

• Monitoring the business
• Reviewing the current strategy
• Organization profile in terms of milestones, achievement and goals defined in past strategy planning.
• Gathers and analyzes information on strategic reality that indicates unanticipated opportunities or threats such as new market emergence, new business agreements, programs and projects completed.
• This activity evaluates the external and internal “fit” of the organizational unit and IT function.
• The fit of the organization with the environmental market trends (the external fit) is assessed and improved.
• The fit of the organization profile with the improved target (the internal fit) is also assessed.

CIO => Organization Profile:

• The executive develops a profile of the organization in terms of how it plans and conducts its business.
• The executive also reviews the current business model, the status, history, and impact of active or recently completed programs.
• The organization profile is important to establishing a successful action plan.
• To provide a clear picture of the organization's overall structure and resources, and how it functions over time.
• To analyze its processes in order to decide on an appropriate implementation approach by reviewing:
◦ Organization Policies and Principles
◦ Organization Structure & Leadership
◦ Organization Processes & Business Processes
◦ Organization Resources, Financial Resources, Human

3.2. Strategy Evaluation

Current Strategy describes the organizational unit's pattern of actions based on assembly or
synthesis of its vision, business definition, performance results, market/product scope, business
network, and core competencies. These actions are as they exist in reality and have evolved to
the present, along with the business drivers of these elements that may be uncovered. In
evaluating the Current Strategy, it is always important to compare the organizational unit's
strategy as articulated by management with the reality of the observed pattern of organizational
behaviors (the real strategy). Some of the most successful corporate strategies have originated
from 'bottom-up' opportunism rather than formal 'top-down' strategic planning processes.

Definitions
• Vision: What the organization wants to be. It provides common direction and an idealized environment without specifying how to get there.
• Mission: Why the organization exists. It specifies the purpose of the organization.
• Strategy: To align all activities that enable the organization to achieve its goals & objectives.

Review Current Strategy:

• Organization Vision
◦ Mission
◦ Goals
• Current Business Definition
◦ Current Business Scope



◦ Current Organization Boundaries
• Performance Results
◦ Current Customers
◦ Current Sales and Revenues
◦ Current Market Share
◦ Current Financial Performance
• Current Product/Market Scope
◦ Customer Segments
◦ Organization Products and Services
• Current Core Competencies

3.3. The SWOT Technique

Executives examine the existing strategy and the organization's performance, as well as the
current strengths and weaknesses to determine its ability to support the current business strategy.
The review technique is often referred to as a SWOT analysis (strengths, weaknesses,
opportunities, threats). The organization is analyzed in terms of its approach, processes, and
abilities to establish and achieve appropriate business goals.
SWOT (Strengths, Weaknesses, Opportunities, Threats) is used to assess the ability of an organization as compared to competitive forces in its industry, and to identify opportunities or threats for increasing or decreasing competitive advantage.

Figure 3-1. The SWOT template


Examine capabilities of the organization in the following areas:


• Management capabilities (Organizational structure, planning, coordination, staffing, supervision, training, etc.)
• Development capabilities (Capacity, quality, technologies, process, etc.)
• Marketing capabilities (Company reputation, market share, quality reputation, service reputation, sales-force effectiveness, etc.)
• Operations (Facilities, technical skill, etc.)
• Financing capabilities (Revenue, cost, funding, etc.)
• Capabilities of alliances and partners.

Strengths

Every organization has some strengths. In some cases this is obvious, such as a large organization that can dominate the market by its size alone; in other cases it is a matter of perspective, such as a smaller organization that has the ability to move fast in response to the market. It is important to note that organizations that are in a bad position also have strengths. Whether these strengths are adequate is an issue for analysis.

Examples

• Right products, quality and reliability.
• Superior product performance vs. competitors.
• Better product life and durability.
• Large manufacturing capacity.
• Highly skilled staff with lots of experience.
• Large customer base.
• Direct delivery capability.
• Product innovation ongoing.
• Can produce from existing sites.
• Management is committed and confident.

Weaknesses

Every organization also has weaknesses. In some cases this is obvious, such as having to follow stricter government regulation on the environment. In other cases it is a matter of perspective; for example, a company has 99% market share but is open to attack from every new player. It is important to note that companies that are extremely competent in what they do also have weaknesses. How badly these weaknesses will affect the company is a matter of analysis.

Examples

• Customers are growing unhappy.


• Some gaps in range for certain business sectors.
• Becoming a smaller player due to competition.
• No direct marketing experience.
• Cannot support end-users abroad.
• Need more sales people.
• Limited budget.
• No new product for several years.
• Development staff needs more training.
• Customer service staff needs training.

Opportunities

All organizations have opportunities that they can gain from. These could range
from diversification to sale of operations. Identifying hidden opportunities is the
mark of skilled managers.

Examples

• Could develop new products.
• Competitors have poor products.
• Profit margins could increase.
• Positive customer response to new ideas.
• Could extend business overseas.
• New applications and products.
• Can surprise competitors.
• Potential market overseas.
• Could seek better supplier deals.
• Could outsource some developments.

Threats

No organization is immune from threats. These could be internal, such as falling productivity and higher cost of operation. Or they could be external, such as lower priced international competition.

Examples

• Environmental effects would favor competitors.
• Existing business distribution at risk.
• Market demand seasonal.
• Difficult to keep key technical staff.
• High employee turnover.
• New business model could distract core business.


• Vulnerable to attack by competitors.

Knowing yourself: The executive conducts interviews and reviews documents that describe the current strategy. By observing the organization's processes and achievements, the executive can establish how well the organization's behavior conforms to the existing strategy.

3.4. Overall Strategy

• Vision description
• Stated values
• Mission
• Goals – Measurable target outcomes
• Target customer value
• Target volume and revenues
• Target market share
• Target financial performance
• Other key performance

3.5. Summary

Information is the most important resource that any organization has to manage. Developing applications to support the business is one key function, but collecting, analyzing, storing and distributing information within an organization is also a very important function. It is essential that the IT organization focuses on these two functions, and organizations must invest appropriate levels of resources into the support, delivery and management of these critical IT development and support services.
3.6. Homework

1. What are the advantages of the SWOT technique?

Answer: A quick review of strengths, weaknesses, opportunities and threats of an organization.


2. Why does the CIO need to have an IT strategy?

Answer: To understand how IT can help support the business. To ensure alignment with business strategy and to determine how well IT “fits” the current environment, what the critical issues and strategic drivers are, and the vision for the future.

3. Each student is to write a short paper (< 2 pages) answering the following question:
Review these four CIO questions: "Are we doing the right things?", "Are we doing things the right way?", "Are we getting things done?" and "Are the things we are doing providing value to the business?" and explain them from your point of view. What does it mean to you?


Lecture 4: Assess Organization’s Capabilities


Learning goals:
The goals of this lecture are:
1. Understand the organization's capabilities.
2. Describe the transformation process for IT organization.
3. Explain the key CIO questions for IT management.
4. Understand IT value and its contribution.
5. Prepare students to participate in an assessment of the IT organization's capabilities.
Benefits
Students will learn that the primary purpose of the IT organization is to define an optimal set of capabilities for the company. The capabilities encompass the company's human, financial, material and intellectual resources, as well as the business processes that define how the resources are deployed to deliver the products and services of the enterprise.
4.1. Role of CIO in the Process of Assessing the Organization’s Capabilities

Today, the roles of IT executives (CIO) are more than strategic planning and direction. They must also support specific business needs as change happens quickly in the “globalized world”. Information Technology systems must “enable” the business to structure and implement processes, services and distributed infrastructure required to do business globally, and deliver solutions of immediate business value.
Today, every business is experiencing fierce global competition for new products and
services. Globalization and the Internet have changed the way organizations do business with
more opportunities and more competitors. To survive, organizations must balance two things:
agility and performance.
Performance is the measure of how effective and efficient business processes are in
achieving the desired result. To accurately analyze performance, organizations and business
processes need to be analyzed to determine capabilities. The focus of this analysis must be on
the inter-relationship of behaviors and structures. Business processes are complex and have
many components interacting over time to produce a result. By studying and understanding
behavior and structure, the changes can be envisioned, which will allow the performance of the
organization to be improved.
• CIO must assess the organization's capabilities.
• The capabilities encompass the company's human, financial, material and intellectual resources, as well as the business processes that define how the resources are deployed to deliver the products and services of the enterprise.
• The CIO can identify strengths, weaknesses, or gaps that must be filled to improve IT capabilities.
4.2. Process to Manage Change


CEO & CIO -> Create a business model that identifies the relationships between current components of the organization as they relate to organizational performance.

=> Identify how changes will influence the performance to meet the business targets set by the organization.

Business Change Model

• "Where are we?" (the current reality)
• "Where are we going?" (the vision)
• "What should we do?" (the course of action to reach the target)

Executives need to:

• Establish an organizational policy for changes.
• Determine current capabilities.
• Plan change activities.
• Provide resources and assign responsibilities.
• Establish standard processes to reflect changes.
• Train people on new skills.
• Monitor and control the change processes.
• Objectively evaluate changes.
• Review change status & collect information.

4.3. The transformation process for IT organization

Future of information system


Integrate all IS and Business Advantage

4.4. Assess Organization Capabilities

4.4.1. Define Integrate all IS and Business Advantage

Capabilities define what an organization is able to do, whether in the form of organizational development, employee competency, process construction or information technology. The definition of capabilities systematically identifies the new capabilities to be brought into the existing processes, people, information and material needed to successfully achieve business outcomes.

New capabilities: In developing new capabilities to improve the IT organization's current capabilities, executives and management need to understand the effect of change upon: the performance of the organization, existing resources, skills and culture, business relationships, current plans and projects, opportunities and threats.


Improvement of capabilities should be treated as an improvement program.

4.4.2. Improvement Program

The purpose of an improvement program is to define an optimal set of capabilities for the
company that includes human, financial and infrastructure, as well as processes that define how
these resources are deployed to deliver the products and services to meet targeted business
goals.

The Definition of Capabilities supports a major change that would be accomplished and
managed as an improvement program by:

• Defining the new capabilities required
• Integrating change solutions into business process

Figure 4-4. Effect of missing element

Key Concepts In Change

• Focusing on high value activities
• Establishing core competencies
• Standardizing & simplifying internal processes
• Training & retraining
• Outsourcing “commodity” activities
• Improving workflow efficiency
• Strengthening customer relationship
• Managing by facts & data
• Integrating Commercial Off The Shelf

4.4.3. Basic Questions about Organization’s Capabilities

• How much are you spending on information technology?
• What percentage of your projects are currently on time and on budget?


• What is the average schedule and budget overrun on your projects?
• Which of your projects are most likely to fail outright?
• What percentage of your project cost arises from avoidable rework?
• How satisfied are customers & users of your products and services?
• How do the skills of your people compare to the industry averages?
• How do the capabilities of your organization compare to similar organizations?
• How much has your productivity improved in the past 12 months?
• What is your plan for improving the skills of your staff and the effectiveness of your organization?

“Managers that cannot answer these questions need to be retrained.”

Executives Should Ask Managers …

Are you committed to improving the organization's capability to produce quality products & services at the best cost, within a reasonable time? If not, why not, and when will you? What does commitment mean to you?

Do you know our organization's quality goals?

• Have you read them?
• Are you familiar with the quality measurements?
• How do you know if these quality goals are being met?
• How do you track your progress against these goals?
• What happens when these goals are not met?

Do you know about our business goals?

• Are they reasonable?
• What is the impact to your group?
• Can your group meet these goals?
• Do you know that we are tracking progress against these goals?
• What happens when these goals are not met?

Are you participating in any skill improvement activities?

• Have you received any additional skills training?
• How important is it to your group?
• Does your group have the skills to do their jobs?
• What happens if your group does not have enough skills?

Do you know how to reduce your project risks?



• Do you have a formal estimating & planning process?
• Do you have historical data on cost and schedule?
• Do you have a commitment process?
• Do you know how to identify project risks?

What can we do together to make better use of our people?

• How can we ensure that our skilled and experienced people are
effectively used?
• What suggestions do you have for making our training program more
effective?
• Do you think we need more training for our people on:
o Project Management?
o Software Engineering?
o Systems Engineering?
o Information Technology?
o Information System Management?
o Information Security?

4.4.4. Competency
Competency is an underlying characteristic of an individual that is causally related to
effective or superior performance, as determined by measurable objective criteria.
Workforce Competency is a cluster of knowledge, skills, and process abilities that an
individual should develop to perform a particular type of work in the organization. A capability
gives an organization a competitive advantage. Executive and IT management must identify the
knowledge, skills, and process abilities required to support the business and create value so that
they may be developed and used as a basis for workforce competency.
To establish competency, IT executives and management need to:
• Conduct skills analysis to identify skill gaps.
• Establish skills forecasting for future workforce.
• Provide training on valuable skills.
• Establish an environment where new skills can be practiced.
• Measure effectiveness of newly acquired skills.
• Establish a “Community of Practice” to share “Best Practices.”
• Develop a “Core Competency” for the organization.
• Be the “Preferred Supplier” of high value skills to the business.


Figure 4-5. Competency planning

Figure 4-6. Competency development

Figure 4-7. Competency Architecture


Figure 4-8. Building Competency

4.4.5. Infrastructure & Environment

Besides investment in knowledge and skills of staff, organizations must also focus on standardizing infrastructures. Executives and management must architect a set of components that defines their structural relationships and their interaction to meet a given business purpose. These components include the business and IT resources, the processes and management of the organization and an infrastructure that supports all of the above. Arranging and optimizing the infrastructure can help the organization provide faster, better and more efficient support to the business.

4.5. Summary

IT executives and management must set up an optimal set of capabilities for the company. The capabilities consist of resources such as human, financial and infrastructure, as well as business processes that define how they are deployed to deliver the products and services to customers. The capabilities support changes in the business that allow the company to meet its targeted goals.

4.6. Homework

1. Why should executives ask managers these questions?
2. Why do managers need to know these questions?
3. Why is communication so important in an IT organization?
4. Why is competency important in an IT organization?
5. Each student is to write a short paper (< 2 pages) answering the following
questions:
• Why does the CIO need to assess the organization's capabilities annually?
• Why does senior management need information about people, finance, process,
structure? (Explain your rationale).

Answers:
1. To determine the effectiveness of the communication process within the company:
whether managers understand and commit to the strategy and direction of the CIO.
2. To understand the capabilities of the IT organization regarding quality, risks,
knowledge and skills.
3. If managers do not understand what the goals and objectives are, they may not
manage their work properly and may not communicate these messages clearly to
their subordinates.
4. To determine whether the IT organization is capable of supporting the business goals and
objectives.


Lecture 5: Implement Information Technology Solutions


Learning goals:
The goal of this lecture is to:
1. Describe how to implement an IT solution.
2. Explain the IT strategy and its importance to information system management.
3. Understand the information technology implementation phases.
4. Understand the roles, responsibilities and authorities of people in a project.
5. Understand the principles of managing by task packages.
Benefits
Students will realize that there is a well-defined process for implementing IT solutions for the
business. Solutions should be broken into small manageable pieces; each should be treated as a
separate project. Each project should undergo a system life cycle, and in the development process
an activity is justified by the deliverables it produces. Deliverables define the information
acquired and refined during the course of a delivery project.
Deliverables propose a structure for the information acquired, suggest the kind of
information to include, and, when applicable, list techniques to use for its development. Students
will learn the concept of managing by deliverables by:

1. Dividing a project into deliverables makes the results of activities visible and
easier to manage;
2. Centering a project on deliverables shifts the focus away from procedures and
towards results;
3. Deliverables serve as a powerful communication tool among project team
members.

Deliverables divide the work of a project into manageable chunks that can be monitored,
making project progress objectively measurable.

5.1. The key issues in implementing IT solutions

5.1.1. The Pressure to Change

In today's competitive economy, every business is under constant pressure. This pressure can
come from the business environment, customers, or competitors. The effects of these pressures
can often happen simultaneously. As a result, an organization's business processes can begin to
break down.
Withstanding pressure: In providing products and services to customers, business processes
must be flexible so they can adapt and respond to external pressures. At the same time, business
processes need to be continually improved so the organization's competitive edge is
maintained. Organizations must leverage information technology to bring more value to the
business. By initiating an improvement program, IT executives and information system
management can provide appropriate solutions to business problems.

5.1.2. Program

Figure 5-1. Program


A program is a collection of all strategic improvement actions or changes that can be put into
operation in the form of one or more programs to achieve a targeted set of business
outcomes. Programs are the basis for business investment decisions.
Incremental approach: It is beneficial to partition a program into small manageable projects
so they can be prioritized and implemented when needed. A project is an information system
solution that brings sufficient value to the business to justify investment in IT
organizations. With projects, new or revised components and functionality of information
systems are delivered.

5.1.3. IT Project management


A project is a solution implementation: a temporary endeavor undertaken to create a unique
product or service. Temporary means that every project has a definite beginning and a definite
end. Unique means that the product or service is different in some distinguishing way from all
similar products or services.
Project management is the application of knowledge, skills, tools and techniques that enables
the initiation, planning, execution, control and closure of a given project. This is done within a
given time frame and budget, with the expected level of quality to satisfy project requirements
and objectives. Details of the IT Project Management process and skills will be covered in the
Information System Management course. IT Management must review the characteristics of the
situation requiring a change. Based on this information, management can decide on the type of
change to be carried out. For example, if an information system no longer meets the business
objectives, the manager must determine:
• To what degree the system is now obsolete (roughly).
• What aspects can be improved or changed in order to keep pace with the targeted business goals.
Based on these findings, management can decide on the solution (either improve the system
or replace it).
Implement IT as a project: Solutions should be implemented as IT projects so managers can
clarify the requirements and context of the project. Project managers must get commitment from
the business organization and obtain confirmation of the comprehension of the project from
senior managers and stakeholders. By following a defined process, project managers can acquire
a broad view of all the aspects of the project (i.e., scope, expectations, operating environment,
contractual terms, budget, financial arrangements, critical success factors, risks, etc.).

From the business perspective, the key issues facing many IT organizations as well as their
IT Managers are:

• IT and business strategic planning
• Integrating and aligning IT and business goals
• Implementing continual improvement
• Measuring IT organization effectiveness and efficiency
• Optimizing costs
• Achieving and demonstrating Return on Investment (ROI)
• Demonstrating the business value of IT
• Developing business and IT partnerships and relationships
• Improving project delivery success
• Outsourcing
• Using IT to gain competitive advantage
• Delivering the required, business IT services
• Managing constant business and IT change

5.2. The system development approach

• The five phases:
◦ Survey
◦ Analysis
◦ Design
◦ Install
◦ Maintenance


5.3. Information System phases

Figure 5-2. Information System phases

Phase 1 – Problem recognition

Identifies the issue that must be solved. It summarizes the definition of the change to the
organization embodied in the Information System, and a project proposal comprising an
initial delivery approach, plan, budget and estimate of resources, to answer the question,
"Does the project make business sense?"

Phase 2 – Information gathering and analysis

• Collects additional data to ensure that all the information needed to start the
development of the solution is available.
• Defines the solution to the degree required to ensure feasibility and cost-effectiveness,
and answers the question, "Is the project feasible?"

Phase 3 – The Requirements specification

• Focuses on the description of critical aspects of the current system and an initial
architecture of the system.
• Documents all requirements for the next phase.

Phase 4 – The System Architecture & Design

• Completes the architecture of the system, plans the design, construction and
implementation of the releases of the system, and confirms feasibility.
• Results of the phase include: the architecture and standards for the entire system; the
prototypes of key components; the selection of off-the-shelf software components (if
needed); the revised plans for detailed design, construction and implementation.

The Architecture of the Solution: The architecture integrates components, alternatives
and principles, and establishes standards that apply to the system as a whole.

Figure 5-3. Overall architecture


Design & Implement Solution: The design of the solution comes from the architecture
that details the new system and its components. Design drives the implementation of
components. The information system solution involves the set of tasks and components
that must be constructed, acquired, assembled and deployed.

Phase 5 – The System Construction & Release

For each Release of the System:

◦ The System construction and release phase designs, builds, tests and integrates
progressively larger pieces of a release.
◦ Results of the phase include:
  • Detailed development and testing plans;
  • Tested and integrated components;
  • User documentation;
  • Training and communication materials;
  • Detailed plans for the implementation of the release.

Phase 6 – The system review and maintenance

• Focuses on the review and acceptance of a release.
• Performs all necessary conversions and installations, transfers responsibility to users,
puts a release into production, and continues to provide support when needed.

5.4. Roles, Responsibilities and Authorities of Stakeholders

The three key viewpoints are:
• The Business viewpoint: Information System must produce solutions that add value to the
business.
• The Resources viewpoint: Information System must deliver the solution on time and within
budget.
• The Quality viewpoint: Information System must deliver a solution with a quality architecture
that can be easily integrated with existing components.
All information system projects must be structured according to well-defined roles and
responsibilities for stakeholders (customers & users, and project teams) that favor a collaborative
work environment, avoid duplication of effort, improve communication among participants and
encourage new ideas from all participants in the execution of their responsibilities.

Roles are the positions in the project structure and the relations between them. A role
corresponds to a set of responsibilities. Responsibilities are the activities undertaken by a
participant in a specific area. They imply a decision-making power and an obligation to assume
the consequences of one's decisions. A clear division of roles and responsibilities is necessary to
ensure that each participant in the project knows exactly what is expected of them and their team
members.

Figure 5-4. Roles and responsibilities

5.5. The principles of managing by task packages

Tracking project status and progress requires effective communication between customers &
users and project team members. When project activities are NOT visible, it is impossible to
monitor the progress of the project. Although money and time are being spent and resources used,
project results only appear at the end, and are often less than what is expected.

To make project activities visible to all participants, each key activity in a project must result
in a “tangible artifact” or “Task Package”. Project activities must be organized into several
manageable “tasks”. These tasks:

• Must be predefined
• Must have a specific purpose
• Must be estimated and assigned
• Must be measured and controlled

A project's success is measured by tangible results. Project activities are organized around
visible results in the form of a “task package”, breaking down the entire work into small,
manageable and controllable tasks. Task packages enable information systems management
to estimate effort and scope at a level of detail that meets the needs of the project. By having
task packages, project management can measure progress objectively.

A Task Package is a “tangible product” created as the result of an information system
activity; it is a thing to be produced during a project. It always has a specific purpose and is
used to communicate, capture design, and manage projects. A Task Package could be a document,
a plan, a specification, software, or a diagram. An activity or a task is like a journey and a
package is the destination.

Figure 5-5. Manage progress

It is important to define the task package first because if you do NOT know where you are
going, how do you know when you get there? Knowing the task package will help define the task
that you must perform during the development & maintenance of the information system.

Distinguish Phase, Activity & Task Package: A phase has a series of activities. Although
these activities are described separately, they can be implemented independently or
concurrently. Each activity creates a Task Package. The same Task Package may be produced or
updated by more than one activity and more than one phase.


Figure 5-6. Distinguish Phase, Activity & Task Package

5.6. Summary

5.7. Homework

1. Why do we want to break down IT solutions into several projects?
2. What are the advantages of managing by deliverables?

Answers:
1. It is possible that the solution may be large and complex. Solving business problems may
require a lot of time and effort. To ensure that the solution can deliver the needed value
quickly and users do not have to wait several months or years, it is better to break down the
solution into many smaller tasks or projects. Each solves one small issue or delivers a small
function to users, and the evolution of the solution ensures that IT responds to users' needs in
an effective and efficient way.
2. Deliverables divide the work of a project into manageable chunks that can be monitored,
making project progress objectively measurable. Dividing a project into deliverables makes the
results of activities visible and easier to manage. By emphasizing deliverables, developers can
shift the focus towards results. Deliverables serve as a powerful communication tool among
project team members.


Lecture 6: Deliver Business Values


Learning goals:
The goal of this lecture is to:
1. Explain the importance of initiating IT changes in the organization.
2. Describe the process of IT change proposal to ensure value delivery.
3. Discuss change elements and the importance of implementing changes.
4. Prepare students to participate in the change process and value management.
Benefits
Students will learn how IT can deliver value to the business by proposing changes to the
organization's infrastructures. Every change must follow a well-defined process to ensure the
delivery of value to the business. Contrary to several process improvement or change theories,
which hold that change must deliver tangible products, in business practice it is important that
the benefits and value outcomes be defined and reviewed before the implementation.
6.1. Change or Improvement

The key role of IT Management is to ensure the delivery of value based on the IT
investments. To deliver value, sometimes it is necessary to change the way organizations
operate. Change or improvement should be based on the strategic direction and the capabilities
of the IT organization. The change activities should be organized as a program that has two key
factors: Change realization and Benefits realization.

• Change realization is the approach for assisting organizations to do new and better things
with their existing people. Change realization assists organizations in developing specific
capabilities needed to effect change for a given situation. The approach is organized not only
to realize the benefits of a specific change, but also to leave the organization stronger to
accommodate future, more frequent and larger changes.

Figure 6-1. Change realization elements

• Benefits realization focuses primarily on ensuring delivery of the benefits sought from a
change investment, rather than just tangible deliverables. Without a focus on the benefits,
change programs can become overly preoccupied with producing tangible products of
questionable value. In order to practice effective benefits realization, processes related to
benefits management and program/project management must be fully integrated. Change or
improvement programs must be selected and directed by the IT management responsible for
realizing the benefits and must continue through the entire information systems life cycle.

Figure 6-2. Benefit Realization

6.2. The process of Information Technology Change

Change Realization follows a five-step process:

6.2.1. Initiate – Develop a shared understanding of purpose and objectives of the change.

6.2.2. Assess – Use diagnostic tools to assess the situation, surface risks, identify gaps
and monitor progress of change.

6.2.3. Plan – Based on the diagnosis and the change process, develop a set of
interventions to close gaps, resolve issues, mitigate risks and build needed
capabilities.

6.2.4. Implement – Deliver planned interventions in a wide number of areas:
◦ change strategy;
◦ readiness and impact assessment;
◦ change program design;
◦ change program management;
◦ communication;
◦ training and education;
◦ leadership coaching;
◦ organization alignment activities;
◦ institutionalization.

6.2.5. Monitor

6.3. Program Concept Definition

6.3.1. Definition

Management must determine if a proposed business change or IT investment merits further
investment.

This is the first step of a change process, by which management shares a common
understanding of the change and reviews the resources committed to the change.

Key factors of this decision are:

• Degree of executive sponsorship

• Alignment to strategic business priorities

• Business value and risks

6.3.2. The Program Concept Definition phases

The Program Concept Definition phase consists of three activities:

• Identify Candidate Opportunities
CIO -> Develop a high-level overview of the proposed opportunity that addresses business
context, business opportunity or need, scope of potential solution, organizational change impact,
and major areas of costs and benefits.

• Define Program Opportunity
CIO -> Value estimate for the program. Includes: the proposed program, scope,
organizational change impacts, costs, benefits and risks.

• Assess Program Value Case
CIO -> Validate the plan to ensure the completeness and reasonableness of the costs and
benefits.

Identify Candidate Opportunities. The CIO should work with the business management to
develop a high-level overview of the proposed program. Topics to be covered include business
context, business opportunity or need, scope of potential solution, organizational change impact,
and major areas of costs and benefits. Program concepts may be initiated as part of strategy or
architecture assignments or may be initiated independently within the organization.
Example: Complexity & Variation

Figure 6-3. Complexity & Variation


Complexity and variation lead to:

• Lost productivity and higher costs
• Inefficient use of company assets
• Missed business opportunities

Solution:


Figure 6-4. Simplify & Standardize


Current Systems:

• Thousands of servers

• Multiple databases

• Multiple operating systems with multiple versions

• Thousands of desktop and laptop PCs with multiple configurations

Program Solution:

Server optimization:

• Shared server environment

• Standard configuration

• White space reduction & utilization

Desktop:


• Synchronized workstation

• Standard configuration

• Standard desktop

Problem: Security

Current Situation

• Business systems have their own controls

• Very costly to guarantee data protection

• Appropriate data access must be ensured

• Applications with their own security architectures

• Multiple logons

Proposed Solution: Provide a single secured connection for all customers, suppliers,
and employees.

6.4. Summary


6.5. Homework

1. What happens if a change does not bring benefits?
A waste of resources (time, money).
2. What happens if IT is not providing any value?
Replace the CIO and senior management.
3. Each student is to write a short paper (< 2 pages) to discuss the difference between
Change realization and Benefits realization, and why an organization would need both.


Lecture 7: Information Technology Services Management


Learning goals:
The goal of this lecture is to:
1. Introduce the concept of Information Service Management.
2. Describe the information technology services.
3. Describe Service Level Management.
4. Understand the Service Level Agreement (SLA) concept.
Benefits
Students will learn that the primary objective of Service Management is to ensure that the IT
services are aligned to the business needs and actively support them.
Students will know that it is important for IT to act as an agent for change to facilitate
business transformation.
7.1. The concept of Information Service Management

The new approach for operational groups is called IT Service Management, which views the
IT facilities offered as “Services.” An IT service can be defined as a set of related functions
provided by Information Systems supporting the business area. The typical service can be made
up of software, hardware, communication facilities, documentation and special skills that are
dedicated to delivering and supporting the business with quality in a reliable and efficient way.
If IT strategy is to be seamlessly aligned to the organization's strategy, IT must manage the
ongoing delivery and enhancement of its services. Service Level Management ensures that ongoing
requirements, communications, and expectations between business and IT are proactively
managed. Service Level Management is also responsible for ensuring that internal IT
expectations are being met. The service catalog sets the standards against which expectations,
improvements, and performance metrics are measured. Service Level Agreements (SLAs) and
Operating Level Agreements (OLAs) ensure that agreements are in place to support the offerings
within the IT organization.
IT service management is aimed at providing IT services that facilitate the achievement of
business objectives and goals in a timely and cost effective manner.
IT operation management considers the Users (Customers) of IT services as critical and
ensures that they have access to the appropriate services to support the business functions.
Users get involved by: asking for service or changes; needing communication and updates; having
difficulties and queries; real process delivery. The service desk functions as the single contact
point for users' requests.
7.2. IT Service Management Goals

• IT Service Management is aimed at providing IT services that facilitate the achievement of
business objectives and goals in a timely and cost effective manner.

7.3. Overview of Service Management

7.4. Service Level Management

In most organizations, the quality of service is unknown. Few people can specify exactly
what quality service is. This results in people judging the service on subjective criteria. The
issues of quality and expectations are related, therefore a good service can be defined as service
that consistently achieves customer satisfaction. How do you know that your customer is
satisfied with your service? Customer satisfaction survey or Customer input & involvement.
Service Level Management forms the basis for all service level agreements. Having a strong
Service Level Management ensures the quality of services for IT organizations.


Service Level Management is concerned with managing the expectations that customers
have of the IT department. It involves: identifying customers' requirements in the context of
overall business objectives, determining how these can be met within the required budget, and
communicating and reviewing the actual and perceived levels of IT service. Service Managers
work with all IT teams to ensure that levels of service can be delivered by: setting measurable
performance targets, monitoring performance, and taking action where targets are not met. Service
Managers must work to ensure that all IT team members are aware of what is expected of them.
Each member must know how to perform their job well, and know the consequences of not
doing their job well.
Service Level Management consists of:

• IT Service Catalog: Lists all IT services to customers in clear, familiar terms.
Provides a centralized place through which users can request IT service.
• Operating Level Agreements (OLAs): Documents agreed-upon expectations of IT
services between IT teams.
• Service Level Agreements (SLAs): Documents the agreed-upon expectations of
business and IT service management representatives.
• Underpinning Contract (UC): Ensures there is a contract between suppliers, third
parties, and the organization. Communicates and documents the agreed-upon
expectations between the suppliers, third parties, and the organization.

7.5. The benefits of Service Level Management (SLM)

• The IT services are designed with the real goal: meeting the customer's needs.
• Communication with customers is enhanced and misunderstandings about the characteristics
and quality of the services offered are avoided.
• Clear and measurable objectives are set.
• The respective responsibilities of the customer and the service providers are clearly
established.
• Customers know and accept the quality levels offered and clear protocols of action are put in
place which can be used to tackle any deterioration in service.
• The constant monitoring of the service allows the weakest links in the chain to be identified
so they can be improved.

7.6. IT Service Process

The Service Level Manager is responsible for understanding and documenting the customer
request for services and translating the request into a set of requirements with measurements for
the internal IT teams that provide the service. The key of IT service is to quantify the service
correctly according to business objectives by: understanding the customers' needs, defining and
reviewing the service requests with the customer, documenting how the service is to be
delivered to meet the needs, and specifying measurements to consistently be able to meet the
requests and achieve customer satisfaction.
IT Service Management must document all services in a catalog to provide an overview of
the services available to customers of IT, to be used as a marketing tool to show customers what
services are available. The catalog will help IT to manage the expectations of the business more
effectively. The design of the document should be consistent with its marketing purpose. It
should contain information that is interesting to customers, expressed in non-technical language,
with the layout in a professional and interesting style. It is possible to have the catalog as a
website that lists all services.


Example
A Service Manager is an individual responsible for communicating with customers,
managing requirements, escalating issues, and ensuring that business needs are met. A good
service manager must understand the customer's needs and define performance metrics (i.e.,
reliability metrics, financial reporting, business value reporting, or new enhancements
introduced). Service managers also request periodic reviews with customers to address any
issues such as… which service failures require attention from the organization. Ensure that
infrastructure services such as networking, operating systems, databases, and communication
and collaboration tools are designed and managed to support the business SLAs. Never commit
to service levels that cannot be supported by current infrastructure capabilities. Ensure that the
SLAs are written from a business perspective. Evaluate the SLA measures using the following
criteria:
• Do they support the business objectives?
• Are they specific?
• Can they be measured?
• Are they attainable, even if this requires significant effort on the part of IT?
• Are they realistic in relation to the benefits they will bring to the business?

Service Level Management does not operate in isolation. To be effective, it needs to be
integrated with other service management disciplines such as capacity management, financial
management, configuration management, change management and all services that IT provides
to its customers. As IT becomes strategic, business organizations demand a higher level of
professionalism from IT. Traditionally, the key contact has been with the development group as
they analyze needs and implement solutions, but this model does not work well as more services
in operation groups are needed to maintain, sustain and support the business. The ongoing
balance between costs, benefits and quality should be managed by the operation group, which
requires strong service management.
Service Level Management in itself is not a guarantee of good service. It only works if all
other operation disciplines have been implemented and are working properly. A good service is
not possible unless there is a formal program to determine and maintain a consistent level of
service. The issues of quality and expectation are closely related to providing value to the
business. Service level management is the key concept for operational excellence.

7.7. Service Level Agreement (SLA)

Service Level Agreements (SLAs) are formal agreements between IT organizations and their
customers (customers can be internal or external). The content and structure of the SLAs depend
on a number of factors including: physical, cultural, and business aspects of the organization. If
the company consists of a number of different independent units, these could be seen as separate
customers. It is important to list all services available to customers to let them know what is
available and help IT managers to manage the expectations more effectively. A Service Level
Agreement (SLA) is fundamental to service provisions, from the perspective of both the supplier
and the recipient. It documents and defines the parameters of the relationship between the two
parties. The quality of the service level agreement is, therefore, a critical matter. It is not an
area that can be left to chance and must command careful attention. The SLA itself must be of
sufficient detail and scope for the service covered. Typical SLA sections include: Introduction,
Scope of Work, Performance, Tracking and Reporting, Problem Management, Compensation,
Customer Duties and Responsibilities, Warranties and Remedies, Security, Intellectual Property
Rights and Confidential Information, Legal Compliance and Resolution of Disputes,
Termination and Signatures. Of course, other sections may be applicable.
Content of Typical SLA:

• Introduction
• Scope of Work
• Performance
• Tracking and Reporting
• Problem Management
• Compensation
• Customer Duties and Responsibilities
• Warranties and Remedies
• Security
• Intellectual Property Rights and Confidential Information
• Legal Compliance and Resolution of Disputes
• Termination
• General Information
• Schedules
• Signatures (for approval)

SLA Example:


7.8. The main activities involved in SLM

7.9. Summary

7.10. Homework and Teamwork Assignment

HOMEWORK

Each student will write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.

TEAMWORK

Read this scenario and write a summary of about half a page:


The students should study this case scenario to familiarize themselves with the situation and
understand that almost any type of business can adopt the service management framework (ITIL
framework), not necessarily just software organizations.
These teamwork cases refer to a (fictitious) large food service business called
"Macro-Foods". This business has several locations in many places and provides
food services to a wide range of customers, including:

• Cafeteria in Software Park for several high-tech companies.
• Special events (Wedding, Birthday party, Special events, etc.)
• Restaurant services.

The logistics of its service are complex and the levels of service required must
be very high to meet international standards in terms of quality and delivery
schedules. The owner, Mr. Bill Ate, understands that providing
quality services is equal to business success, so he decides to develop several
service processes to improve its standards of service and allow him to manage
customer relations, production and distribution more efficiently.

To improve the business, Mr. Bill Ate has decided to apply Service Level
Management principles to all of his restaurants and food services. He hires
several people to manage the food process, creating a catalogue of services with
a comprehensive service quality plan and documenting Service Level Agreements
(SLAs) with all of his customers.

Mr. Ate selects one of his most experienced managers to manage customer
relations as Service Level Manager. His function is to negotiate and agree on
service delivery with customers. His responsibilities include:

• Preparing and maintaining an up-to-date catalogue of the services.
• Determining the general structure of the SLAs, OLAs and UCs.
• Negotiating SLAs, OLAs and UCs with customers and suppliers.
• Supervising fulfillment of the service delivery agreements with customers
and suppliers.
• Keeping the top management and IT organization informed about the
performance of the process.
• Defining the service improvement plans, resolving deficiencies in the
quality of the services delivered and/or adapting these services to new
customer needs and the latest technological advances.
• Interacting with other IT processes to ensure that they all receive and
contribute the necessary information for the optimal functioning of the
organization.

"Macro-Foods" documents its service catalogue according to the different types
of customer.

• Private individuals who eat at the “Macro-Food” restaurants.
• Small companies or individuals who order food on “special occasions”.
• Large companies who have cafeterias for their employees in the high tech
Park.

The description of each service includes additional information on the service
level agreement about:

• Delivery times.
• Availability of the service (holidays, night hours, etc.)
• Associated Services.
• Support.
• People responsible for the services on both the customer's and the
supplier's side.
• Deadlines for delivery of the service.
• Duration of the agreement and conditions for its renewal and/or
cancellation.
• Conditions of availability of the service.
• Support and maintenance work associated.
• Response times.
• Recovery times in the event of incidents.
• Contingency plans if applicable.
• Charging and collection methods.
• Criteria for evaluating the quality of the service.

Mr. Bill Ate is facing a problem, so he asks your team to help him solve it by
developing a service process.


Lecture 8: Capacity Management


Learning goals:
The goal of this lecture is to:
1. Explain the concept of Capacity Management.
2. Describe the process of Capacity Management.
3. Explain the issues with IT infrastructure acquisitions and purchases.
4. Prepare students to manage capacity of an IT organization.
Benefits
Students will be able to understand the concept of Capacity Management, where performance
of IT resources is optimized so that necessary capacity is available when it is needed, avoiding a
negative impact on quality of service.
Students will appreciate planning the growth of IT infrastructure according to a plan that
matches real business needs. By mastering this management technique, students can help
reduce the cost of maintenance and administration associated with obsolete hardware and
applications, avoid the problem of incompatibilities in the IT infrastructure, and
avoid unnecessary expenses caused by "last minute" purchases.

8.1. The concept of Capacity Management

The capacity of a system is its maximum performance or output. Knowing the capacity of the
system will allow information system management to identify whether the organization has the
resources required to provide the services. Knowing the capacity is not enough as it only
identifies that there is a certain amount of resources available. Information system management
must find the best way to use those resources to get the desirable results. The traditional view of
IT is mainly focused on the functionality of systems rather than capacity. As the information
system becomes faster and bigger, functionality expands to fill the extra capacity, and suppliers and
vendors continue to develop more powerful and advanced technology. As technology develops
and demand increases, the cost of technology drops and it becomes even easier to supply
capacity. Capacity Management must keep up with advancements in technology and react when
performance levels drop.
Capacity Management supports the cost-effectiveness and maximum performance of IT
services by helping organizations match their IT resources to business demands. It includes
planning for: hardware, networking equipment, peripheral equipment, software, human
resources. It ensures the best use of the appropriate IT infrastructure to cost-effectively meet
business needs by understanding how IT services will be used. It also matches the IT resources to
deliver these services at the agreed levels of service currently and in the future. Key objectives
are: ensure that existing infrastructure is performing optimally according to the agreed levels of
service; understand the way in which the infrastructure is being used currently and in the future;
forecast and plan infrastructure requirements to ensure the agreed upon ongoing delivery of IT
services; and determine that the right cost, justification, and capacity of IT resources are provided
and achieved at the right time, in order to meet the agreed upon service levels for the business.
Capacity management aims to understand the business requirements, current operations and IT
infrastructure to ensure that current and future capacity and performance aspects of the business
are provided cost-effectively.
Information System management must be able to explain clearly the IT capacity to users so
they understand what to expect.
Example:

Capacity statement:

• Our server can store 25 GB of data and is capable of response time of less than 0.01 seconds.
-> Do you think customers understand this purely technical capacity?
-> How does the customer react to this technical statement?
-> Does capacity management do a good job?

• Our server can provide simultaneous access to the finance application for 80 users with
an average response time of 0.01 seconds.
-> This capacity statement is explained in business terms to provide meaningful
information to customers.
-> How do customers react to this? (I could have 80 users use the system and it is fast ….
0.01 of a second is very fast.)

8.2. Capacity Management Goals

• To determine that the right cost, justification, and capacity of IT resources are provided
and achieved at the right time, in order to meet the agreed upon service levels for the
business.
• To understand the business requirements, current operations and IT infrastructure to
ensure that current and future capacity and performance aspects of the business are
provided cost-effectively.
• Information System management must be able to explain clearly the IT capacity to users
so they understand what to expect.

8.3. Capacity Management Benefits

Increased efficiency and cost savings. Economic provision of services. Capacity is matched
to business need. Unnecessary spare capacity is not being purchased or maintained. Planned
buying is cheaper than panic buying. Allows an organization to take advantage of economies of
scale and market conditions. Reduced risk of performance problems and failure.

8.4. The Responsibilities of Capacity Management

The responsibilities of Capacity Management include:

Ensuring current and future IT capacity needs are met.

Monitoring the performance of the IT infrastructure.

Drawing up capacity plans associated with the levels of service agreed.

Managing demand for IT services.

8.5. The Capacity Management process

The Capacity Management process may be subdivided into a series of sub-processes
analyzing the IT capacity needs from different points of view:

Business Capacity Management: focuses on the future needs of users and customers.

Service Capacity Management: analyses the performance of IT services in order to
ensure the agreed levels of service are met.

Resource Capacity Management: studies both the use of IT infrastructure and the trends
to ensure that sufficient resources are available and that they are used efficiently.

8.6. The main activities of Capacity Management


8.6.1. Workload Management


The workload of a device or system is the amount of processing or traffic initiated by a user.
It excludes system overhead or tasks. Workload Management identifies and forecasts how this
throughput is going to change during capacity planning. Workload Management consists of:
Defining workload for standard transactions or transmission of files and documents; Cataloging
workload profile for each workload; Analyzing past use to estimate future use (forecasting).

8.6.2. Resource Management


Resource Management is responsible for allocating the resources used to provide IT services
to the level agreed in the SLAs. It works together with Configuration and Availability
Management to map out and allocate the various resources needed for each service. Resource
Management knows exactly which services are supported by each infrastructure component and
can, therefore, identify where each service is at the most risk. Resource Management includes
hardware, software, networking equipment, peripheral equipment, and human resources.

8.6.3. Demand Management


Demand Management's objectives are to optimize the use of capacity by moving workload
to less utilized times, servers, or places. Activity-based Demand Management analyzes and
tracks the activity patterns of the business process to predict demand for service. At a strategic
level, Demand Management involves analysis of Patterns of Business Activity (PBA) and user
profiles. Each profile can be associated with one or more PBAs. At a tactical level, it involves the use
of differential charging to encourage customers to use IT services at less busy times.

Temporary: Demand Management is used when there has been a partial failure of a
component used to provide services.

Permanent: Demand Management is used when an identified upgrade is too expensive or
impractical.

In both cases, customer demand for IT is managed by assigning resources according to
business priority. Differential pricing is sometimes used to encourage more utilization during
off-peak times. Service packages represent the value that the customer wants and for
which they are willing to pay. Regulation imposed by Demand Management could result in certain
services being unavailable at certain times. Demand Management is the most cost-effective form
of capacity management in a temporary situation.

8.6.4. Application Sizing


The purpose is to predict the service level, resource, and cost implications of any new
application or any major addition to existing applications. Application sizing must be done from
the early phases of a project, where cost and business impact implications are assessed.

8.6.5. Modeling
Modeling enables the Capacity Management team to predict the performance of a specified
system under a given volume and variety of work. Modeling is used to answer “What if”
questions for: specific configurations, specific workloads, combinations of workloads.

Modeling is a tool to define current performance as a baseline, verify the accuracy of the
result and tune the model until the results are within acceptable tolerance, and predict the outcome
of the planned scenarios.

8.6.6. The Capacity Plan


The capacity plan documents the current levels of resource utilization and service
performance, and after consideration of the business strategy and plans, forecasts the future
requirements for resources to support the IT services that underpin the business activities. The
capacity plan predicts when the system is going to reach saturation point and then identifies
what action should be taken to prevent it. Capacity plans should be done annually and be
reviewed quarterly by using scenarios for better accuracy.

Capacity Planning Process:


Capacity Management needs to have a database that contains: Technical data; Business data;
Service data; Financial data; Utilization data. Different platforms require different data and the
capacity database will consist of a number of data sources. This information and database would
be part of the Configuration Management database.
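
The forecasting step of the capacity plan described above, as an added example that is not part of the original course material: a least-squares trend over monthly utilization figures estimates when a resource reaches its saturation threshold and compares that with a purchasing lead time. The sample data, the 80% threshold, the lead time and all function names are assumptions made for illustration.

```python
"""Added example: estimate when a resource reaches its saturation point."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Constructed sample data (assumption): average monthly utilization, in
# percent, of one hypothetical server over the last twelve months.
MONTHLY_UTILIZATION = [41.0, 43.5, 44.0, 47.2, 49.1, 50.3,
                       53.8, 55.0, 57.4, 59.9, 61.5, 64.2]


@dataclass(frozen=True)
class Forecast:
    slope: float                           # change per period (points per month)
    intercept: float                       # fitted value at period 0
    periods_to_threshold: Optional[float]  # None when there is no growth trend


def linear_trend(values: Sequence[float]) -> Tuple[float, float]:
    """Fit a least-squares line through (0, v0), (1, v1), ...

    Returns (slope, intercept).
    """
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def forecast_saturation(values: Sequence[float], threshold: float) -> Forecast:
    """Estimate how many periods remain until the trend crosses the threshold."""
    slope, intercept = linear_trend(values)
    last = len(values) - 1
    fitted_now = intercept + slope * last
    if fitted_now >= threshold:
        remaining: Optional[float] = 0.0   # already saturated
    elif slope <= 0:
        remaining = None                   # flat or falling: no crossing
    else:
        remaining = (threshold - intercept) / slope - last
    return Forecast(slope, intercept, remaining)


def plan_action(forecast: Forecast, lead_time_periods: float) -> str:
    """Turn the forecast into a planning decision.

    Planned buying needs the purchase to start at least one lead time
    before saturation; anything later is a "last minute" purchase.
    """
    remaining = forecast.periods_to_threshold
    if remaining is None:
        return "monitor"
    if remaining <= lead_time_periods:
        return "order-now"
    if remaining <= 2 * lead_time_periods:
        return "schedule-purchase"
    return "monitor"


if __name__ == "__main__":
    fc = forecast_saturation(MONTHLY_UTILIZATION, threshold=80.0)
    print(f"growth: {fc.slope:.2f} points/month")
    print(f"months until 80% utilization: {fc.periods_to_threshold:.1f}")
    print("decision:", plan_action(fc, lead_time_periods=4))
```

Re-running the forecast with each quarter's monitoring data is one way to carry out the quarterly review of the annual plan.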

8.6.7. Performance Management


Performance Management is the daily management of IT systems to ensure that they are
performing optimally and to prevent any performance problems. Performance Management
ensures that systems are able to support the levels of performance required to meet the Service
Level Agreements between business and IT organizations.

Monitoring: To ensure that resources and services perform as required to meet the
Service Level Agreements (SLAs). It includes items regarding capacity (throughput) and
performance (response time).

Analysis: To identify trends of utilization and service levels so that a baseline can be
determined. Regular monitoring and comparison with the baseline can identify exceptions in the
SLAs and predict future resource usage.

Tuning: To identify measures to improve either utilization or performance levels for specific
services.

Implementation: To implement tuning activity by change management to minimize
disruption and reduce negative impact or risk.

Business Capacity Management. This function looks at the future service requirements
needed by the business, based on business planning and Service Level Management. It uses
inputs from: existing SLAs, future service level requirements, the business plan, the capacity
plan, modeling, application sizing.


Service Capacity Management. This function looks at the performance of existing services. It
assesses the current IT services, their use of resources, working patterns, and ensures that the
services can meet their SLA targets. It uses inputs from: SLAs; system and service throughput
and performance; monitoring, measurements, analysis, tuning and demand management.
Resource Capacity Management. This function focuses on the actual components of the IT
infrastructure to ensure optimal utilization and performance. It uses inputs from: current
technology and its utilization, future or alternative technology, resilience of systems and
services.
Relationships With Other Areas: Security Management: Security and Capacity Management
must ensure that overloads do not pose security risks. Business Continuity: IT Service Continuity
provides critical data for the Capacity Plan. Knowledge Management: Capacity Management
processes, procedures and lessons learned should be stored in the Knowledge Management
database. Capacity Management provides critical support for all other domains and disciplines.

8.7. Summary

Capacity Management:

Reduces the cost of maintenance and administration associated with obsolete hardware and
applications, avoids the problem of incompatibilities in the IT infrastructure, and avoids
unnecessary expenses caused by "last minute" purchases.

8.8. Homework and Teamwork Assignment

HOMEWORK

Each student will write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.

TEAMWORK

Scenario: Up until now, “Macro-Food” has been reactive to customers' orders: when
more orders come in, the company increases work; when fewer orders come in, the company
asks people to stay home without pay. Of course, this makes many workers not very
happy. The quality of service also changes because it depends on the people selected for
the jobs, as some are doing better than others. Mr. Bill Ate wants to change this, so he
asks your team to come up with a solution to this problem. As the management
team assigned by Mr. Bill Ate, your team should come up with a solution and present it
to Mr. Ate the following day.
Sample Answer:
With the increasing importance of services, the team recommends that “Macro-Food”
implement the Capacity Management process. The team suggests that Mr. Bill Ate hire a
Capacity Manager with the following responsibilities:

• Monitoring the performance of all restaurants, paying special attention to
customers during lunch and dinner time (11 AM to 1 PM and 5 PM to 10 PM), as
these are particularly important times for providing good service to customers.
• Analyzing the impact of the various orders on the restaurant's capacity and assigning
the right workers to the right jobs.
• Determining which restaurant has more customers at certain times and shifting workers
there to avoid workload issues.
• Evaluating, in conjunction with Service Level Management, the quality of
service expected as well as the distribution of workers as SLAs imply.
• Identifying workers based on skills that can meet the demand rather than treating
everyone the same.
• Producing regular reports on the state of the services offered.
• Analyzing trends and statistics on the workload.

The results of this work should allow:

• The preparation of an annual Capacity Plan which will be reviewed quarterly
against the real data obtained from monitoring of restaurants together with the
business forecasts.
• The Capacity Database (CDB) to be populated so that it contains all the
information relating to capacity.
• Improvements to the service to be proposed.

With the aim of:

• Minimizing the number and impact of future incidents degrading the quality of
service.
• Rationalizing the use of restaurant supports capacity.
• Reducing the cost of the restaurant services.
• Increasing productivity and customer satisfaction.


Lecture 9: Availability Management


Learning goals:
The goal of this lecture is to:
1. Describe the Availability Management concept.
2. Explain the process of Availability Management.
3. Understand the skills of an Availability Manager.
4. Prepare students to participate in Availability Management activities.
Benefits
Students will understand that today we are living in a world increasingly dependent on
information technology. Technology allows us to access information and services at speeds that
would have been unthinkable just a few years ago. As customers and users of technology, we
demand total availability from technology providers.
At the same time, rapid technological development means equipment and services constantly
need to be renewed. As service providers, IT organizations face the challenge of having to
upgrade the infrastructure with no margin for error, as systems have to be available to the
customer practically 24/7.
9.1. The concept of Availability Management

With the advancement of technology, IT services have become a key factor in business
processes. IT provides business solutions and supports all business processes and transactions. For
example: Electronic banking, ATM.
Availability is the proportion of time that the customer is able to access a particular IT
service. The availability of IT systems and services is influenced by: the complexity of the IT
systems; the reliability of IT components and the environment on which the systems rely; levels
of maintenance; the infrastructure on which the IT services are built; the configuration of the
IT infrastructure.
Availability Management is the planning, managing, implementing, and optimizing of IT
services so they can be used where and when business requires them. Availability Management
is applied to all new IT services, existing IT services where Service Level Agreements (SLAs)
have been arranged, IT suppliers (internal and external), and all aspects of the IT infrastructure
which may impact availability. It ensures the delivery of IT services where, when and to whom
they are required, by planning and building a reliable and maintainable infrastructure and key
support according to the requirements. It determines the availability requirements of the business
and matches these to the capability of the IT infrastructure. It is responsible for ensuring that the cost
of high availability does not exceed its value. It looks for the best compromise between the cost of
the availability solution and unavailability.

9.2. Availability Management Goals

To ensure IT services are designed to deliver the agreed levels of availability. To measure
and monitor availability, reliability, and maintainability on an ongoing basis. To optimize the
availability of the IT infrastructure according to business objectives. To work at reducing the
frequency and duration of incidents. To ensure that corrective actions for downtime are identified
and progressed. To create and maintain an availability plan.

9.3. The Responsibilities of Availability Management

Include:

• Determining availability requirements in close collaboration with customers.
• Guaranteeing the level of availability established for the IT services.
• Monitoring the availability of the IT services.
• Proposing improvements in the IT infrastructure and services with a view to increasing
levels of availability.
• Supervising compliance with the OLAs and UCs agreed with internal and external service
providers.

9.4. The main benefits of Availability Management

The main benefits of correct Availability Management are:

Fulfillment of the agreed service levels.

Reduction in the costs associated with a given level of availability.

The customer perceives a better quality of service.

The levels of availability progressively increase.

The number of incidents is reduced.

9.5. Availability Architecture


9.6. Availability Management Process

Determining the requirements from the business for IT services. Planning availability and
recovery design criteria for the IT infrastructure. Determining the vital business functions and
impact arising from IT component failure. Where appropriate, providing additional
resilience. Defining the targets and establishing measures for availability, reliability and
maintainability to be documented and agreed with Service Level Management. Monitoring
and trend analysis of IT components. Reviewing IT service and component availability and
identifying unacceptable levels. Maintaining the availability plan.

9.6.1. Customer Requirements

It is important to quantify the availability requirements so that IT organizations can draw up
SLAs correctly. The required availability must be in line with both the real needs of the business
and the capabilities of the IT organization. Although business customers would agree that a high
level of availability is desirable, they need to be made aware that high availability can result in
costs that may not be justified by their real needs. It is necessary that Availability Management:

• Identify the critical business activities.
• Quantify the reasonable length of interruption permissible for each service depending on
its impact.
• Establish protocols for maintenance and revision of IT services.
• Define the IT service availability intervals (i.e., 24/7, ...).

9.6.2. Availability Planning

Planning availability allows the IT organization to establish levels of availability that match
the needs of the business and the capabilities of the IT organization. The Availability Plan must
include: the current availability status of the IT services, tools for monitoring availability,
analysis methods and techniques to use, relevant and precise definitions of the metrics to use,
availability improvement plans, expectations about future availability.

Determining availability requirements includes estimating business impact, determining the cost of
downtime, and calculating the cost of building higher availability. Design for infrastructure from the
beginning, identify single points of failure, risk analysis, determine measurements for new
services, testing.

Security considerations. A key factor in obtaining high levels of reliability and availability is
robust Security Management. Security-related aspects must be taken into account at all stages of
the process. It is as important to determine when the service will be available as who will use it
and how.

Availability and security are interdependent and any failings in one of them will seriously
affect the other. Planned downtime. Routine systems maintenance. Availability Improvement


The following service availability measures are usually included in the SLA:

• Agreement statistics: What is included within the agreed service.
• Availability: Agreed service times, response times, etc.
• Help Desk Calls: Number of incidents raised, response times, resolution times.
• Contingency: Agreed contingency details, location of documentation, contingency site,
3rd party involvement, etc.
• Capacity: Performance timings for online transactions, report production, number of
users, etc.
• Costing Details: Charges for the service, and any penalties should service levels not be
met.

9.6.3. Maintainability

The ability of IT services to be maintained or restored to a satisfactory and operational
state. Maintenance or restoration of a service can be divided into separate stages: anticipating
failures, detecting failures, diagnosing failures, resolving failures, recovering from failures.

9.6.4. Monitoring

Availability Management must monitor the availability of the IT service and report any
incident from the time of the interruption of service until it is restored (downtime).

• Detection time: This is the time elapsing between when the fault occurs and when the IT
organization becomes aware of it.
• Response time: This is the time that elapses between the detection of the problem and
when the incident is logged and diagnosed.
• Repair/recovery time: The time taken to repair the fault or find a workaround and
restore the system to the same state as before the service was interrupted.


Overview of Incidents

It is important to define measurements of availability in terms the customer can
understand.

• Average downtime: The average duration of a service interruption, including the time
taken to detect, respond and resolve the incident.
• Average uptime: The average length of time the service is available without
interruptions.
• Average time between incidents: The average time between one incident and the next.
This is equal to the sum of the average downtime and average uptime. The average time
between incidents is a measure of the reliability of the system.

Measurements
Availability is measured from the customer's point of view and is recorded in the
SLA. Availability is normally expressed as a percentage:

Cost of Unavailability

User productivity loss = hourly cost of affected users × hours of disruption; and

IT productivity loss = hourly cost of affected IT staff × hours of disruption; and

Lost revenue = lost revenue per hour × hours of disruption; and

Other business losses incurred (overtime, wasted materials, financial penalties or fines, etc.); and

Impact on customer service.

Many business processes and transactions depend on information technology (IT). The cost
of unavailable IT services is high and has a significant impact on the business.
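
The monitoring measures and the cost formulas above, worked through on an incident log (an added example, not part of the original course material). The availability percentage uses the common definition, agreed service time minus downtime divided by agreed service time, which is an assumption here; the incident data, the cost figures, the averaging convention and all names are constructed for illustration.

```python
"""Added example: availability measures and cost of unavailability."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Sequence


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


@dataclass(frozen=True)
class Incident:
    fault: datetime      # when the fault occurred
    detected: datetime   # when the IT organization became aware of it
    diagnosed: datetime  # when the incident was logged and diagnosed
    restored: datetime   # when the service was back in its previous state

    def __post_init__(self) -> None:
        if not self.fault <= self.detected <= self.diagnosed <= self.restored:
            raise ValueError("incident timestamps are out of order")

    @property
    def detection_time(self) -> float:
        return _hours(self.fault, self.detected)

    @property
    def response_time(self) -> float:
        return _hours(self.detected, self.diagnosed)

    @property
    def repair_time(self) -> float:
        return _hours(self.diagnosed, self.restored)

    @property
    def downtime(self) -> float:
        return _hours(self.fault, self.restored)


# Constructed incident log (assumption): a 24/7 service over a 30-day month.
INCIDENTS = [
    Incident(datetime(2019, 3, 4, 9, 0), datetime(2019, 3, 4, 9, 10),
             datetime(2019, 3, 4, 9, 40), datetime(2019, 3, 4, 11, 0)),
    Incident(datetime(2019, 3, 12, 14, 0), datetime(2019, 3, 12, 14, 5),
             datetime(2019, 3, 12, 14, 35), datetime(2019, 3, 12, 15, 0)),
    Incident(datetime(2019, 3, 25, 22, 0), datetime(2019, 3, 25, 22, 30),
             datetime(2019, 3, 25, 23, 0), datetime(2019, 3, 26, 1, 0)),
]
AGREED_SERVICE_HOURS = 30 * 24.0


def summarize(incidents: Sequence[Incident],
              agreed_service_hours: float) -> Dict[str, float]:
    """Compute the customer-facing measures, all in hours except the percentage.

    Convention assumed here: averages are taken per incident over the
    agreed service time, so average time between incidents equals
    average downtime plus average uptime, as the text states.
    """
    total_down = sum(i.downtime for i in incidents)
    if total_down > agreed_service_hours:
        raise ValueError("downtime exceeds the agreed service time")
    n = len(incidents)
    avg_down = total_down / n if n else 0.0
    avg_up = (agreed_service_hours - total_down) / n if n else agreed_service_hours
    return {
        "total_downtime": total_down,
        "average_downtime": avg_down,
        "average_uptime": avg_up,
        "average_time_between_incidents": avg_down + avg_up,
        # Assumed formula: (agreed service time - downtime) / agreed service time.
        "availability_percent":
            100.0 * (agreed_service_hours - total_down) / agreed_service_hours,
    }


def cost_of_unavailability(hours: float, user_cost_per_hour: float,
                           it_cost_per_hour: float, revenue_per_hour: float,
                           other_losses: float = 0.0) -> Dict[str, float]:
    """Apply the three hourly formulas and add the other business losses."""
    if hours < 0:
        raise ValueError("hours of disruption cannot be negative")
    parts = {
        "user_productivity_loss": user_cost_per_hour * hours,
        "it_productivity_loss": it_cost_per_hour * hours,
        "lost_revenue": revenue_per_hour * hours,
        "other_losses": other_losses,
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    measures = summarize(INCIDENTS, AGREED_SERVICE_HOURS)
    for name, value in measures.items():
        print(f"{name}: {value:.2f}")
    # Constructed cost figures (assumption), in one currency unit per hour.
    print(cost_of_unavailability(measures["total_downtime"],
                                 2000.0, 150.0, 5000.0, other_losses=1200.0))
```

The impact on customer service is not priced by any of the formulas and is therefore left out of the total.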

9.7. Some Availability Techniques

CFIA (Component Failure Impact Analysis): This method is used to identify the impact on
IT service availability of the failure of each configuration item involved.
FTA (Failure Tree Analysis): The aim is to study how faults propagate throughout the IT
infrastructure, so as to better understand their impact on service availability.
CRAMM (CCTA Risk Analysis and Management Method): The aim of CRAMM is to
identify the risks and vulnerabilities to which the IT infrastructure is exposed in order to take
countermeasures to reduce them or enable rapid recovery of the service in the event of an
interruption.
SOA (Service Outage Analysis): The aim of this technique is to analyze the causes of the
faults detected and propose solutions to them. It differs from the previous methods in that it
performs its analysis from the point of view of the customer, placing special emphasis on factors
other than purely technical aspects directly linked to the IT infrastructure. Scope and plan the
service outage analysis. Build hypotheses on possible cause and effect. Analyze data. Interview
key personnel. Produce findings and recommendations. Build and validate the solution.

9.8. Summary

Today, many businesses are increasingly dependent on information technology. Technology
allows business to access information and services at speeds that would have been unthinkable
just a few years ago.
The speed of business transactions and processes is accelerating each year. Business
demands total availability from IT providers.
Rapid technological development means equipment and services constantly need to be
renewed and replaced. IT organizations have to upgrade IT systems with no margin for error, as
all systems have to be available to the business 24/7.
Availability Management is responsible for optimizing and monitoring IT services so that
they function reliably and without interruption to comply with the SLAs, and all at a reasonable
cost. Customer satisfaction and the profitability of the IT services depend to a large extent on
its success.

9.9. Homework and Teamwork Assignment

Homework:

Each student is to write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.
Teamwork:

Scenario:
As more and more people work at different times and in different shifts,
Mr. Bill Ate found that many customers come to his restaurants at odd hours
and demand certain kinds of menus that are usually not available at those
times. For example: breakfast at 4 AM or lunch at 2 PM and dinner at 11 PM.
He also found that the number of customers has increased significantly because
of the quality of the food and the low prices, but many people also complain that
they have to wait a long time for food services. Mr. Bill Ate asks your team to
come up with a solution to this problem.

Lecture 10: Service Continuity Management


Learning goals:
The goal of this lecture is to:
1. Explain the need for IT Service Continuity Management (ITSCM).
2. Explain the issues with ITSCM.
3. Describe the ITSCM process and how it could be implemented in an organization.
4. Prepare students to participate in ITSCM activities.
Benefits
Students will learn some basic concepts of IT Service Continuity Management (ITSCM):
how IT could guarantee the rapid recovery of (critical) IT services after a disaster and how to
establish policies and procedures that avoid the harmful consequences of a disaster or instance
of major disruption.
10.1. The basic concepts

IT Service Continuity Management (ITSCM):

• Guaranteeing the rapid recovery of (critical) IT services after a disaster.

• Establishing policies and procedures that avoid, as far as possible, the harmful
consequences of a disaster or instance of major disruption.

10.2. The main benefits of IT Service Continuity Management

The main benefits of proper IT Service Continuity Management may be summarized as:

Proper management of risks.

A reduction in the length of interruption of service due to major disaster.

Improved confidence in the quality of service among customers and users.

Support for the Business Continuity Management process.

10.3. The main activities involved in IT Service Continuity Management

Establishing the policies and scope of ITSCM.

Evaluating the impact on the business of an interruption in IT services.

Analyzing and predicting the risks to which the IT infrastructure is exposed.

Establishing the strategies for IT service continuity.

Adopting proactive risk prevention measures.

Developing contingency plans.

Testing those plans.

Training staff on the procedures necessary for a rapid recovery of service.

Periodically reviewing the plans and adapting them to real business needs.

10.4. The IT Service Continuity Management process

10.4.1. ITSCM process

Step 1: To establish the objectives, scope and the commitment of the IT organization, i.e. the
policy.

◦ General business continuity plans.

◦ Strategic IT services.

◦ The quality standards adopted.

◦ Any history of serious interruptions to IT services.

◦ The business outlook.

◦ The available resources.

IT Service Continuity Management will NOT succeed if the resources, in terms of both
people and equipment (software and hardware), devoted to it are insufficient.

Step 2: To determine the impact that an interruption to IT services may have on the business.

Consequences of the interruption of service on the business:

◦ Loss of profits

◦ Loss of market share

◦ Damage to brand image

Step 3: To assess the risks associated with IT services

ITSCM must:

◦ Have an in-depth knowledge of the IT infrastructure and the configuration items
(CIs) involved in providing each service, particularly critical and strategic IT
services.

◦ Analyze possible threats and estimate their probability.

◦ Detect the most vulnerable points of the IT infrastructure.

10.4.2. Two approaches to IT service continuity

Preventive measures: Avoid interruptions to service

Reactive measures: Restore acceptable levels of service in the shortest time possible.

IT Service Continuity Management is responsible for designing prevention and recovery
activities offering the necessary guarantees at reasonable expense.

10.4.3. Implementation

Executive Board: Overall authority and control within the business and responsibility for:
crisis management, public relations, liaison with other business units, groups, departments,
regulators, government, etc.
Coordinating Team: Understand business processes and priorities, and manage the overall
recovery activities: support business recovery, coordinate any critical activities, manage central
control of service continuity.
Business Recovery Teams: Responsible for implementing the business recovery plans for
their own areas and acting as day-to-day liaison with staff, customers, and suppliers. A business
recovery team follows the direction of the coordinating team's policies, procedures, standards, and
priorities to ensure recovery processes are implemented accordingly. The coordinating team's
planning must give appropriate authority for each team or individual to make decisions and take
action during the contingency. These roles and responsibilities must be clearly identified.
Typical structure

IT Service Continuity Management (ITSCM) must determine the impact an interruption to
IT services may have on the business. The business depends on IT services. If these services are
interrupted it will affect almost all aspects of the business: loss of profits, loss of market share,
damage to brand image, other side effects. ITSCM must determine how long business can wait
before restoring service without an impact on business processes and document commitments
under SLAs. The purpose of the analysis is to identify: which IT services support critical
business processes, the damage or loss for the organization if IT services are not available, the
time before impact can be felt. ITSCM must use impact scenarios, which identify different
combinations of service unavailability, and assess the effect of each on the business. This also
helps to identify: the form that the damage or loss may take, how damage or loss can escalate
after an incident, the minimum staffing, facilities and services necessary for a business to
operate at a minimally acceptable level, the recovery time, the full recovery time for a business
to operate normally.
ITSCM must enumerate and assess the various risk factors according to their probability and
impact. ITSCM staff must: have an in-depth knowledge of the IT infrastructure and the
configuration items involved in providing each service, particularly critical and strategic IT
services; assess possible threats and estimate their probability; assess the vulnerability of IT
infrastructure. The results of this assessment provide sufficient information to put forward
various prevention and recovery measures suited to the real needs of the business.
ITSCM is responsible for designing prevention and recovery activities and offering the
necessary guarantees at a reasonable expense. Preventive measures require a detailed analysis of
risks and vulnerabilities. Some may be general in nature: fires, natural disasters, etc., whereas
others will be strictly IT related: storage system failures, hackers, viruses, etc. Preventing general
risks adequately depends on close collaboration with Business Continuity Management (BCM)
and requires measures involving the organization's "physical" infrastructure. ITSCM needs to
pay special attention to preventing risks and vulnerabilities to the IT systems. The close
collaboration of Security Management is essential in this regard.
There are three options for recovery activities:

• Cold standby: requires an alternative site where the service environments
can be reproduced in no more than 72 hours. This is the appropriate option if the
recovery plans estimate that the organization can maintain its levels of service
during this period without the support of the IT infrastructure.
• Warm standby: requires an alternative site with active systems designed to
allow recovery of critical services within 24 to 72 hours.
• Hot standby: requires an alternative site with continuous replication of the
data and all the systems active ready to substitute the live structure immediately.
This is the most expensive option and should only be used when an interruption to
IT service has immediate commercial repercussions.
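
The choice among the three options can be driven by the impact analysis: take the least expensive option whose worst-case recovery time fits the time the business can wait. The sketch below is an added example, not part of the course text; the cost ranking, the `warm_commitment_hours` parameter and the sample services are assumptions, and the exposure figure reuses the lost-revenue-per-hour formula given earlier.

```python
"""Map business-impact results to the cold / warm / hot standby options."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    worst_case_hours: float  # longest time until the service is back
    cost_rank: int           # assumption: 1 = cheapest, 3 = most expensive


@dataclass(frozen=True)
class Service:
    name: str
    tolerable_outage_hours: float  # time before the business feels the impact
    lost_revenue_per_hour: float


def recovery_options(warm_commitment_hours=72.0):
    """The three options from the text, cheapest first.

    The warm figure defaults to the upper end of the stated 24 to 72 hour
    range; pass the recovery time actually committed for the warm site.
    """
    if not 24.0 <= warm_commitment_hours <= 72.0:
        raise ValueError("warm standby recovers within 24 to 72 hours")
    return [
        RecoveryOption("cold standby", 72.0, 1),
        RecoveryOption("warm standby", warm_commitment_hours, 2),
        RecoveryOption("hot standby", 0.0, 3),
    ]


def select_option(service, options):
    """Cheapest option whose worst-case recovery fits the tolerable outage."""
    if service.tolerable_outage_hours < 0:
        raise ValueError("tolerable outage cannot be negative")
    fitting = [o for o in options
               if o.worst_case_hours <= service.tolerable_outage_hours]
    # Hot standby (0 hours) always fits, so the list is never empty.
    return min(fitting, key=lambda o: o.cost_rank)


def exposure(service, option):
    """Lost revenue = lost revenue per hour x hours of disruption felt."""
    hours_felt = max(0.0, option.worst_case_hours - service.tolerable_outage_hours)
    return service.lost_revenue_per_hour * hours_felt


def continuity_plan(services, options):
    """Per service: chosen option, and exposure if the cheapest were used."""
    cheapest = min(options, key=lambda o: o.cost_rank)
    plan = {}
    for s in services:
        chosen = select_option(s, options)
        plan[s.name] = {
            "option": chosen.name,
            "exposure_with_chosen": exposure(s, chosen),
            "exposure_with_cold": exposure(s, cheapest),
        }
    return plan


# Constructed sample services (not from the course text).
SAMPLE_SERVICES = [
    Service("online ordering", 0.0, 5000.0),
    Service("payroll", 48.0, 200.0),
    Service("internal wiki", 120.0, 10.0),
]

if __name__ == "__main__":
    plan = continuity_plan(SAMPLE_SERVICES, recovery_options(36.0))
    for name, row in plan.items():
        print(name, row)
```

With the default 72-hour warm figure, the payroll service (48 hours tolerable) is pushed to hot standby, which shows why the warm site's committed recovery time has to be stated in the plan.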

10.4.4. ITSCM Plans

IT Service Continuity Management needs to create a series of documents, including: a risk
prevention plan, an emergency management plan, a recovery plan.

Risk Prevention Plan: The main objective of the risk prevention plan is to minimize the
impact of a disaster on the IT infrastructure. Commonly used measures include: distributed data
storage; back-up electricity power supply systems; data back-up policies; duplication of critical
systems; passive security systems.
Emergency Management Plan: Emergency management plans need to take into account
aspects such as:

• Evaluating the impact of the contingency on the IT infrastructure.
• Assigning emergency roles to IT service personnel.
• Informing users and customers of a serious interruption or service degradation.
• Procedures for contact and collaboration with the suppliers concerned.
• Protocols for putting the relevant recovery plan into action.

Recovery Plan: The recovery plan needs to include everything necessary to reorganize the
staff involved, re-establish the hardware and software systems necessary, and recover the data
and restart the IT service. The recovery procedures may depend on the importance of the
contingency and the associated recovery option (cold or hot stand-by), but in general they
involve:

• Assigning personnel and resources.
• Alternative hardware facilities.
• Security plans guaranteeing the integrity of the data.
• Data recovery procedures.
• Cooperation agreements with other organizations.
• Protocols for informing customers.

The recovery plan must follow these phases:

• Alert phase: When an incident is reported, an initial damage assessment must be
completed and a decision is taken on whether to move to the next phase or not.
• Invocation phase: Certain arrangements and actions are invoked to handle the
situation.
• Recovery phase: IT services are restored and business processes are recovered.
• Return to normal phase: Facilities and assets are repaired or replaced and
operations are transferred back to permanent arrangements.

10.5. The IT Service Continuity Management report

ITSCM report includes:

• Analysis of new risks and assessment of their impact.

• Evaluation of the disaster drills carried out.

• Prevention and recovery activities performed.

• Costs associated with the prevention and recovery plans.

• Preparation and training of IT personnel regarding the prevention and recovery
plans and procedures.

10.6. Summary

IT Service Continuity Management manages the risk of IT services failing by reducing and
avoiding identified risks and planning to recover IT services as a contingency, to support the
continued functioning of the business to a specified level within a stated set of circumstances.

ITSCM focuses on all IT services that are needed to keep critical business processes
functioning.

10.7. Homework and Teamwork Assignment

Homework:

Each student is to write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.
Teamwork:

Scenario: Mr. Bill Ate, owner of “Macro-Foods” company, recognizes that even though
his company has Business Continuity Management, his restaurant sector
currently does not have any Service Continuity Management. He understands
the importance that services have for his business so he wants to correct this
problem as soon as possible. As the sole provider of food services to many
companies in the High-tech Park, he has enjoyed a high profit margin. If the food
services are interrupted, thousands of people will be very angry and the company may
lose this profitable business. Mr. Bill Ate decides that his company will guarantee
the continuity of services within 1 hour of any incident (i.e., fire, storm, traffic
jam, electricity issue, etc.).
You are given the task to solve this problem for him.
Sample answer:
“Macro-Foods” should appoint a manager to the role of managing the process, charged with
coordinating all the activities involved with Macro-Foods' Business Continuity Management.
Business Continuity Management has signed an agreement with other catering companies
for emergency supplies to cover the company's most important customers:

• Catering services for high tech parks.
• Special occasions such as weddings and special meetings.

In these cases, coordination requires the development of special modules allowing order
databases to be exported in standard data exchange formats so they can be processed by the
other organization.
Additionally, an emergency management application has been developed to allow supplier
orders to be handled and ensure the integrity of existing foods is maintained, according to its
information and the impact of the business interruption on the food storage.
The following are also established:

• A regular calendar of trials of the recovery plans.
• A calendar of training courses on action protocols in emergency situations.

However, IT Service Continuity Management does not only have to apply reactive measures to
mitigate the impact of a possible interruption to service. Its obligations also include the drafting
of prevention plans to avoid these situations arising. To avoid interruptions to its services the
company:

• Contracts food services with another food provider just in case there is an
interruption such as fire, storm, or electricity power outage in the area.
• Replicates critical food service systems at different locations.
• Supervises the policy of back-ups of the business servers in case of electricity
outages.
• Installs fire protection systems in the company kitchens.

Lecture 11: Financial Management


Learning goals:
The goal of this lecture is to:
1. Describe Financial Management in an IT service organization.
2. Explain the benefits of Financial Management.
3. Describe the process of Financial Management.
4. Prepare students to participate in Financial Management activities.
Benefits
Students will understand IT Financial Management: evaluating and controlling the costs
associated with IT services such that customers are offered a high quality service with an
efficient use of the necessary IT resources. If the IT organization and/or its customers are not
aware of the costs associated with the services they use or deliver, they will not be able to assess
the return on investment or establish consistent technology investment plans.
11.1. Financial Management in an IT service organization

The objective of IT Financial Management is to evaluate and control costs associated with IT
services to ensure that customers are offered quality service with an efficient use of the
necessary IT resources. If the IT organization and its customers are not aware of the costs
associated with the services, they will not be able to assess the return on investment (ROI) or
establish technology investment plans. The main objective of IT Service Financial Management
is to operate IT services to the business efficiently and profitably.
IT Service Financial Management must:

• Evaluate the costs associated with delivering services.
• Provide the IT organization with all the financial information it needs to make
decisions and set prices.
• Advise customers on the value of IT services.
• Evaluate the Return on Investments (ROI) in IT.
• Manage the accounting of the expenses associated with IT services.

Financial Management manages IT infrastructure costs and provides a good financial basis
for business decisions relating to IT by identifying and accounting for the costs of delivering IT
services.
Objectives:

• To account for the cost of operating the IT department and providing IT services.
• To facilitate accurate budgeting and provide information about the cost of IT
services, which will enable the business to make better decisions.
• To build the basis to determine Return on Investment (ROI) of IT and balance
costs, capacity and service level requirements.
• If needed, build a framework for cost recovery.

11.2. The main benefits of Financial Management

• Reducing costs and increasing the profitability of the IT service.

• Adjusting, controlling, matching and justifying the prices of the IT service.

• Increasing customer satisfaction by having contract services that offer good value.

• Plan IT investments according to the proper budgets of IT services.

• IT services are used more efficiently.

• IT organization operates as a strategic business unit with overall performance goals.

11.3. The main activities in Financial Management

Figure 11-1. Financial Management


Budgeting: The process of predicting and controlling how money is spent, including periodic
negotiation cycles to set annual budgets and daily monitoring of current budgets.
Accounting: The set of processes that enable the IT organization to fully account for the way
money is spent. It usually involves ledgers and should be managed by the accountant.
Charging: The set of processes required to bill customers for the services supplied to them.

11.3.1. Budgeting

Budgets are set by forecasting the costs of specific categories of expenditure. Where these
are not known, they are estimated according to Business forecasts, Capacity forecasts and
Service Level Management.

The final budget may include:

• Limits on capital expenditures
• Limits on operational expenditures
• Limits on expenditures outside the organization
• Limits on variance between actual and planned spending
• Guidelines on how budget must be used
• An agreed workload and set of services to be delivered
• Agreements on exceptions

The objectives of having IT budgets are planning IT spending and long-term investments,
ensuring that IT services are adequately financed and establishing clear objectives that allow the
performance of the IT organization to be evaluated. For the budgets to be realistic, it is
necessary to identify all the cost items. Estimating the cost associated with these items is not
easy as external factors are not under the direct control of the IT organization, such as an
increase in the cost of hardware, software, resources, salary and licenses, etc.

11.3.2. IT Accounting

An accounting system is a set of interrelated activities used to budget, track, and charge for
IT services by:

• Tracking actual costs against budget
• Supporting investment strategy
• Providing cost targets for service delivery
• Prioritizing resource usage
• Making daily decisions of cost implications and minimum risks
• Supporting IT charging services

There are three types of accounting organizations:

• Accounting Center: This type of organization simply identifies the cost of providing
service and may do some budgeting. The focus is on measuring performance and conducting
investment assessments.
• Recovery Center: This is where organizations analyze the full expenditure and
investment so they can be recovered from the customers, usually in some form of charging.
The focus is on making customers aware of the true costs of using services.
• Profit Center: This is where the IT department acts as a business in its own right,
although its objectives are set by the organization as a whole. This does not always imply that
the department has to make a profit.

The cost model is a framework in which all known costs are identified and allocated to
specific customers or services. The first step in defining a cost model is to categorize how the
costs are actually incurred. Cost types are categories that make it easier to identify where money
is being spent or where it is going to be spent. Cost types are: hardware, software, people,
accommodations (facilities), services. Within each cost element there are different types of costs
that will behave in different ways: capital and operational, direct and indirect, fixed and variable
and depreciation.

The types of cost:

• Direct costs: Costs that are specifically related to a single product or service, for
example, web servers used for an internet service.
• Indirect costs: Costs that are not specifically related to a single service, such as the IT
organization's connectivity, on which many web services and the general communications
platform depend. These costs are more difficult to determine and are generally spread or
pro-rated across the various services and products.
• Fixed costs: Costs related to fixed assets, independent of the volume of production,
such as cost of equipment.
• Variable costs: Costs that depend on the volume of production, such as the cost of the
personnel providing the service, etc.
• Cost of capital: Derived from the repayment of fixed assets or long-term investments.
• Operating costs: Costs associated with the day-to-day functioning of the IT organization.

A cost unit is the basic unit of service that a customer will use or be charged for. Cost units
are items that can easily be measured or seen by customers and users. A simple calculation
includes:

• Identifying the direct costs of the services.
• Apportioning the indirect costs.
• Adding the two figures together.
• Dividing by the projected number of times the service is to be used (e.g. number of transactions).
• Adding any variable costs.

11.3.3. The Charging System

A set of interrelated policies, activities, and tools that enable IT to recover its costs from
users on an equitable basis. Its aims are to determine the most suitable charging policies for an
organization; recover, fairly and accurately, the agreed costs of providing IT services; and
collaborate with customers to ensure optimal return on IT investment by the business.

The type and configuration of a charging system will be determined by:

• Level of recovery required
• The need to influence user behavior
• Ability to measure usage
• Level of control of the internal market

It is important to identify exactly what the customers will be charged for. The user should
see these items as a unit. Both fixed and variable costs should be identified for each chargeable
item.

• Pricing

Knowing the cost of IT services provided and establishing a pricing policy that allows the
costs incurred to be recovered are essential. Pricing is the process of identifying exactly how
much money the charging process should recover. Since the level of pricing has a direct impact
on the demand for the service, these factors should be taken into account:

• What is the pricing objective?
• What is the true demand for the services?
• Accurate determination of direct & indirect costs.
• What services are available externally if customers have a choice?

Cost plus margin: the total cost of the service is calculated and a profit margin is added.

Market price: services are charged at the market rate for services of a similar kind.

Negotiated price: the price of the services is negotiated directly with the customer.

Variable price: dependent on the IT capacity actually used and/or the objectives met.

Once the price has been set, the rates for services have to be defined according to:

• The chosen policy
• The services asked for
• Scale and availability needs
• The associated costs
• The prices prevailing in the market

• Charging method

Direct charging: Customer is charged directly on receiving a service (e.g. charging for
delivery and installation of a PC).

Resource usage: Customer is charged based on the use of specific IT resources (e.g. disk
space or CPU usage).

Output related: Customer is charged for specific printout or report.

Apportionment: Customer is charged for shared facilities, whose cost is split up between the
users of the facility or resource.

Market related: Customer is charged based on the market rate.

IT organizations should charge when: the budget is controlled by users, there is freedom of
choice, there is commercial flexibility, adequate monitoring capabilities exist, and charging
exists for other resources. Billing is the process of producing an invoice and recovering the
funds from customers.

Benefits of Charging for Services are:

• Better utilization of resources
• Allows comparisons
• Improves cost consciousness
• Demand management
• Recovers IT costs in an equitable manner
• Informs users to influence usage
• Raises revenue – become profit center

11.4. Summary

The IT service Financial Management can evaluate and control the costs associated with IT
services so that customers are offered a high quality service with an efficient use of IT
resources.

If the business is not aware of the costs associated with the services they use, they will not be
able to assess the return on investment or establish technology investment plans.

By having financial management, IT organizations can transform from a cost center to a
profit center just like any business unit and move away from a supporting role to a more
strategic role.

11.5. Homework and Teamwork Assignment

Homework:

Each student is to write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.
Teamwork:

Scenario:
"Macro-Foods" company has been providing food services for customers in
restaurants, high tech companies' cafeterias, special occasion services, etc. Mr.
Bill Ate believes in quality service and has hired many service managers to ensure
that his services meet customers' needs and that the quality of food and services
exceeds the SLAs. However, this type of service management spending has not
been well documented in the finance accounts or budgeted specifically. It is
impossible to know what impact having these services has on the cost
of each of the services provided and how much it contributes to the profit of the
company.
Sample Answer:
Mr. Bill Ate wants to develop a new pricing policy for his service management
process that allows him to pass on its costs to customers, in the same way that it
passes on the cost of food preparation, transport, raw materials, etc.

It is recommended that Mr. Ate appoint a senior manager to look into this
process.

The work plan for the near term includes:

• In collaboration with Configuration Management, drawing up a list of all
the CIs involved in providing direct services to customers.
• Evaluating the costs associated with their use, and sharing them out among
the different services if necessary, on a pro rata basis: depreciation,
maintenance, consumables, etc.
• Evaluating the cost of staff and operating costs.
• Estimating costs associated with IT services that are hidden or difficult to
assign.
• Evaluating indirect costs: installations, administrative costs, etc.
• Establishing strict accounting criteria for the administration of IT costs.
• Establishing a cost + margin pricing policy.

All these activities aim to define precisely the costs associated with the IT
services already being delivered and to propose rates that can be passed on to
customers, either directly or as a part of general items.

However, the objectives of proactive Financial Management go further, and
include the proper planning of future expenses and investments. For this
purpose, in collaboration with Service Level Management, Capacity
Management and Availability Management, the following points have been
studied:

• Customer requirements and market trends.
• The impact on costs and Service Improvement Programs (SIP).
• Forecasts and future IT capacity needs.

The information compiled will be used as the basis for the preparation of the
budgets prepared by Financial Management.

Lecture 12: Configuration & Change Management


Learning goals:
The goal of this lecture is to review:
1. The control of all elements of the IT infrastructure in detail.
2. Manage all elements of IT infrastructure via a database.
3. Provide accurate status on every IT element.
4. Monitor the configuration systems on a periodic basis.
5. Explain the Change Management process.
6. Describe the relationship between Change Management and other IT service functions.
7. Explain the advantages of orderly Change Management.
Benefits
Students will understand IT Financial Management: evaluating and controlling the costs
associated with IT services such that customers are offered a high quality service with an
efficient use of the necessary IT resources. If the IT organization and/or its customers are not
aware of the costs associated with the services they use or deliver, they will not be able to assess
the return on investment or establish consistent technology investment plans.
Students will understand that change always happens and that the goal of Change Management is
to evaluate and plan the change process to ensure that, if a change is made, it is done in the most
efficient way possible, following the established procedures and ensuring the quality and
continuity of the IT service at all times.
12.1. IT Configuration Management

IT Service Configuration Management covers the identification, recording, controlling and
reporting of all IT components by maintaining a database that documents their status, lifecycles
and relationships, as well as any information needed to cost effectively manage the quality of IT
services.
A configuration is anything that needs to be controlled, and could include: hardware,
software, networks, people, documentation, charges, incidents, problems, procedures and
anything else that must be controlled.
A configuration item (CI) is a component of a configuration.

12.2. The main objectives of Configuration Management

The main objectives of Configuration Management are to provide accurate and reliable
information about all the components of the IT infrastructure. Without configuration
management in place, it is impossible to track IT infrastructure costs in order to make best use of
it. Changes do happen and, if they are not managed, they can create confusion and frustration
among users.
12.3. The concept of Configuration Item

12.3.1. Configuration:

A configuration is anything that needs to be controlled, and could include: hardware,
software, networks, people, documentation, charges, incidents, problems, procedures and
anything else that must be controlled.

12.3.2. Configuration Item:

A configuration item (CI) is a component of a configuration.

• For example: a keyboard and a monitor are two configuration items of a PC (a configuration).

12.4. The activities involved in Configuration Management

Controlling all elements of the IT infrastructure configuration in sufficient detail by utilizing
a Configuration Management Database (CMDB). Providing accurate information about the IT
configuration to all management processes. Interacting with other disciplines such as Incident,
Problem, Change and Release Management so that they can resolve incidents effectively by
finding the cause of the problem rapidly, making the changes necessary to solve it, and keeping
the CMDB up-to-date at all times. Periodically monitoring the configuration of the systems and
comparing it with the CMDB to correct any discrepancies.

Planning

IT Configuration Planning includes:

• Analyzing current configurations.
• Assessing the organization context.
• Assessing the policies of related processes.
• Identifying key projects, suppliers, development, and support groups.
• Developing key structures, roles and operation of the Configuration Management process.
• Identifying the location of various libraries and databases used in Configuration Management.

Identification

Logical: Identifying what configuration items need to be recorded and what
information is recorded about them.

• Configuration items must be uniquely identified.
• The identification must be visible.
• Identities (names) must have meaning.

Physical: Marking items to identify which items are under configuration control
(e.g. barcode or sticker).

Relationship is a link or association that exists between one configuration item
(CI) and other configuration items (CIs). A relationship can be primary
(hierarchical) or secondary (used by).

Examples

• Hardware and hardware
• Hardware and software
• Applications, hardware and software
• Hardware, software, operating system
• Networks
• Users, hardware, software, applications
• Request for change, incidents and problems

A baseline is a snapshot of a configuration item (CI) at a specific time in its
lifecycle. It can be seen as a “Standard CI”. Baselines can be used to:

• Identify what a CI looked like before a change.
• Revert to a previous version of a CI.
• Simplify the capture of information about CIs.
• Simplify database design.

A lifecycle refers to the stages that occur during the life of a configuration item
(CI). Each CI has its own lifecycle and CIs of the same type will share the same
life cycle. By defining lifecycles, configuration management allows CIs to be
moved and tracked from stage to stage in a controlled manner. CIs can then be
checked to see whether they are: authorized, complete, cost in line, on time, to
specification.

Software and document libraries should be identified with the following
information:

• Contents, location and medium
• Conditions for entering an item
• How to protect and recover libraries
• Conditions of use and access controls

Naming convention of these items should:

• Be unique
• Be consistent with naming convention
• Allow for copy and version numbers
• Allow for growth

Control Information

Configuration Management (CM) control is concerned with the information kept
in the CMDB: access to it, changes to it and the addition of new items. CM ensures
that only authorized and identifiable CIs are recorded in the CMDB. CM is
responsible for the data in the database and will have strict controls to manage
access.

Status accounting

Status accounting uses the life cycles to track and update the status of CIs. The status
accounting functions of CM are responsible for recording and reporting all
data for all CIs. These reports can be produced to pre-defined criteria or be taken
directly from the CMDB when required.

Examples of reports:

• Number of incidents for a CI during a period
• A history of changes to one CI during a year
• The total amount spent with a supplier in a year
• How many PCs have a specific version of an operating system

Verification

Configuration Management should audit the CMDB, on a periodic basis, to ensure
that it accurately reflects the reality of the IT infrastructure.

The CMDB will be easier to control if:

• The CMDB is active and NOT passive.
• The CMDB is updated automatically, where possible.
• Configuration Management activities are integrated with other procedures.
• Audits/checks are built into the system.
• People are trained in Configuration Management processes.
• The CMDB is maintained with backup and archive features.
• Database administration and Performance Management are working
together to ensure efficiency and effectiveness.
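The periodic audit described above can be automated by comparing what a discovery scan finds with what the CMDB records. The following is an added example, not part of the course material; the CI names, attribute keys and the lifecycle status values "live" and "retired" are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: CMDB records keyed by CI identifier (all values hypothetical).
CMDB_RECORDS = {
    "SRV-LAN-001": {"type": "server", "os": "Windows Server 2016", "status": "live"},
    "SRV-WEB-001": {"type": "server", "os": "Ubuntu 18.04", "status": "live"},
    "PC-SD-014": {"type": "workstation", "os": "Windows 10 1809", "status": "live"},
    "PC-SD-015": {"type": "workstation", "os": "Windows 10 1809", "status": "retired"},
}

# Constructed sample data: what an inventory scan observed on the infrastructure.
DISCOVERED = {
    "SRV-LAN-001": {"type": "server", "os": "Windows Server 2016"},
    "SRV-WEB-001": {"type": "server", "os": "Ubuntu 16.04"},        # differs from the CMDB
    "PC-SD-015": {"type": "workstation", "os": "Windows 10 1809"},  # retired CI still present
    "PC-UNK-777": {"type": "workstation", "os": "Windows 7"},       # never recorded
}

AUDITED_ATTRIBUTES = ("type", "os")  # attributes the scan can observe (assumed)
IN_USE_STATUSES = {"live"}           # lifecycle stages expected on the network (assumed)


@dataclass
class AuditReport:
    unrecorded: list = field(default_factory=list)        # found, but no CMDB record
    missing: list = field(default_factory=list)           # recorded as in use, not found
    status_conflicts: list = field(default_factory=list)  # found, but lifecycle says not in use
    deviations: list = field(default_factory=list)        # (ci, attribute, recorded, observed)
    checked: int = 0

    def accuracy(self):
        """Share of CMDB records that matched reality with no finding."""
        flagged = set(self.missing)
        flagged |= {ci for ci, _ in self.status_conflicts}
        flagged |= {dev[0] for dev in self.deviations}
        return (self.checked - len(flagged)) / self.checked if self.checked else 1.0


def audit_cmdb(cmdb, discovered, attributes=AUDITED_ATTRIBUTES):
    """Compare discovered CIs with CMDB records and collect every discrepancy."""
    report = AuditReport(checked=len(cmdb))
    # CIs present in the infrastructure that nobody registered: candidates for the
    # "unauthorized configurations" report.
    report.unrecorded = sorted(discovered.keys() - cmdb.keys())
    for ci_id in sorted(cmdb):
        record, observed = cmdb[ci_id], discovered.get(ci_id)
        in_use = record.get("status") in IN_USE_STATUSES
        if observed is None:
            if in_use:
                report.missing.append(ci_id)
            continue
        if not in_use:
            report.status_conflicts.append((ci_id, record.get("status")))
        for attr in attributes:
            if attr in observed and observed[attr] != record.get(attr):
                report.deviations.append((ci_id, attr, record.get(attr), observed[attr]))
    return report


if __name__ == "__main__":
    result = audit_cmdb(CMDB_RECORDS, DISCOVERED)
    print("Unrecorded CIs:", result.unrecorded)
    print("Missing CIs:", result.missing)
    print("Lifecycle conflicts:", result.status_conflicts)
    print("Attribute deviations:", result.deviations)
    print("CMDB accuracy: {:.0%}".format(result.accuracy()))
```

Each finding is a discrepancy to correct, either by updating the CMDB through an authorized change or by removing the unrecorded item from the infrastructure.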

12.5. The main task of Configuration Management

The Configuration Management System has the following features:

• It manages the CMDB.
• It prevents unauthorized changes.
• It promotes security controls.
• It validates CI data.
• It establishes relationships with other disciplines.
• It integrates Release Management and others.
• It updates and approves status changes.
• It establishes representations of CIs and their relationships (could be in graphic form).

Configuration Management Database (CMDB)

Configuration Management manages a “centralized database” or CMDB that contains
all relevant information about CIs and their relationships to one another. The CMDB can be
multiple “physical databases” located in different areas, but it must provide a single central
“logical database” with logical access to all configuration data to:

• Avoid duplication of data
• Identify relationships
• Allow access to all data
• Generate management information

12.6. The Change Control Process

• Service Desk

Service Desk (Help Desk) has access to:

  o Equipment held
  o Software accessible
  o Diagnostic aids
  o Problem history
  o Change history
  o Service Level Agreement
  o Training/experience record
  o Personal information

• Problem Management

Configuration Management assists Problem Management to:

  o Automate problem escalation
  o Log problems
  o Identify trends and problem matching
  o List known errors and outstanding problems
  o Identify relationships
  o List recent changes
  o Outline responsibilities
  o Assess impact
  o Compare the cost of a fix to the cost of NOT fixing the problem

• Change Management

The CMDB supports Change Management:

  o Informs about the pre-change status.
  o Identifies affected CIs and others.
  o Cross-references incidents/problems and other changes.
  o Improves resource assessment – reference to past records.
  o Speeds up the change management process.
  o Supports risk assessment.

• Release Management

The CMDB can help Release Management with:

  o Record location of software and hardware
  o Code control
  o Release building
  o Identify who needs new releases
  o Implementation
  o Software and hardware recovery
  o Corruption or loss of data

12.7. Configuration Management Report

The documentation generated should include:

• Scope and level of detail of the CMDB.
• Deviations between the information stored in the CMDB and that obtained from the configuration audits.
• Information on CIs that have been involved in incidents.
• Costs associated with the process.
• Classification systems and naming conventions used.
• Reports on unauthorized and/or unlicensed configurations.
• Quality of the recording and classification process.
• Statistical information and composition of the IT structure.

12.8. Change Management

The purpose of Change Management is to evaluate and plan the change process to ensure
that, if a change is made, it is done in the most efficient way possible, following the established
procedures to ensure the quality and continuity of the IT service at all times.
The reasons for making IT changes are:

• Solving known errors
• Developing new services
• Improving existing services
• Meeting legal requirements

Change Management's objective is that all changes that need to be made to IT infrastructure
and services be evaluated and implemented correctly according to standard procedures.
Change Management's goals are:
• To manage the process whereby changes are requested, assessed, authorized and implemented.
• To ensure that no unauthorized changes are implemented.
• To minimize risk and disruption caused by changes.
• To ensure that changes are properly researched and that all relevant parties have input into the assessment of changes.
• To coordinate the effort involved in building, testing, and implementing changes.

Change Management is a centralized, formal process to manage all changes in:

• Hardware
• Software
• Networking equipment
• Applications
• All documentation, plans and procedures relevant to the running, supporting and maintenance of IT infrastructure

Note: IT Change Management does NOT manage changes to CIs
under the control of development projects. It is under Configuration
Management.

12.9. The benefits of Change Management

• The number of potential incidents and problems associated with each change is reduced.
• If the change has a negative impact on the IT structure, the process of returning to a stable configuration is relatively quick and simple.
• The number of back-outs needed is reduced.
• Changes are better received and the tendency to resist change is reduced.
• The true costs associated with the change are evaluated and it is, therefore, easier to assess the true return on the investment.
• The CMDB is kept properly up-to-date. This is essential if all other IT processes are to be managed correctly.
• Standard change procedures are developed, allowing rapid updates to non-critical systems.

12.10. Change Manager and Change Advisory Board (CAB)

Change Manager: The person responsible for the change process and ultimately responsible
for all the tasks assigned to Change Management.

Change Advisory Board (CAB): Internal group, chaired by the Change Manager,
consisting of the representatives of IT service management areas. It may include:

• External consultants
• Representatives of user groups
• Representatives of hardware and software suppliers
• The Change Advisory Board (CAB) is responsible for assessing the impact of
requested changes and estimating the resource requirements. They advise the Change
Manager on whether changes should be approved and assist in the changes.
• CAB members may vary depending on the change being requested, and should
consist of people who are impacted by the change.
• In case of emergency, the CAB may need to consult with senior managers before
approving urgent changes.

12.11. The Change Management process

12.11.1. Request for Change (RFC)

All changes to IT infrastructure must be made via a Request for Change (RFC). Change
Management manages all changes to IT infrastructure and services to ensure that they are
implemented correctly and standard procedures are followed.
Change Management ensures that changes:

• Are justified.
• Are carried out without impacting IT service quality.
• Are properly recorded, classified and documented.
• Have been carefully tested in a test environment.
• Are recorded in the CMDB.
• Can be undone by running back-out plans if the system functions incorrectly after
implementation.

Sources of Change

Problem Management: Responsible for proposing solutions for known errors in
the IT infrastructure. The RFC must be documented with information about the
known error so that it can be evaluated later.

New Services: The development of new services usually requires changes to the
IT infrastructure. It is important to coordinate the whole process with Capacity,
Availability and Service Level Management to ensure that the changes meet
expectations and do not degrade the quality of other services.

Business Strategy: Management may change strategic direction that affects the
levels of service offered. This kind of change requires modifications to existing
hardware, software and procedures.

Third-Party Software Updates: Suppliers may stop supporting old versions of
software packages or introduce new versions with some enhancements, making
it worthwhile to upgrade.

Legal Requirements: Changes in government legislation may require some
changes in the IT infrastructure.

Other Sources: Employees, customers or suppliers may suggest some
improvements to the services, which may require infrastructure changes.

12.11.2. Change Process

Figure: Change process

Logging

The first step in the change process is to record the Request for Change (RFC)
appropriately with the following data:

• Date received
• Unique identifier of the RFC
• Identifier of the associated known error (where appropriate)
• Description of the proposed change: reason for change, purpose of
change, CIs involved, estimated resources needed, estimated time

The information in the log must be updated throughout the change process for
better tracking with the following data:

• Status: "accepted", "rejected", or "implemented"
• Date of acceptance or rejection of the RFC
• Preliminary management evaluation
• Priority and category
• Back-out plans
• Assigned resources
• Implementation date
• Post-implementation review
• Final evaluation
• Close date

Preliminary Filter Review

After the RFC has been logged, a preliminary filter review needs to be made to
accept or reject the change.

An RFC may be rejected if the change is not justified. The RFC must be returned
to the person or department making the request so they can offer new
justifications or modify it if necessary.

Accepting the change does not mean that it will subsequently be implemented by
the CAB. It is merely an indication that it is sufficiently justified to be given
further consideration.

Classification

After being accepted, the RFC should be classified (by priority and category) depending
on its urgency and impact.

The priority determines the relative importance of the RFC in relation to other
outstanding RFCs.

• Low: Change can be made alongside others, such as when updating
software packages, buying new hardware, etc.

• Normal: Change should be made when it does not get in the way of
another higher priority change.

• High: Change should be made without delay, as it is associated with
known errors that are significantly degrading service quality.

• Urgent: This problem has to be solved as it is causing an interruption or
serious degradation to service. An urgent change triggers the so-called
emergency change process, which we will deal with separately.

The category determines the difficulty and impact of the RFC so the change
board can determine the resources needed. The category is determined based on
the impact on the organization and the effort required to implement the
change. Minor changes may not need the approval of the CAB and may be
implemented directly. Any other changes need to be discussed by the CAB and
sometimes may need the collaboration of specialists to advise on the change.
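The goal that no unauthorized changes are implemented can be checked by reconciling observed changes against the RFC log. The following is an added example, not part of the course material; the record layout, the `cab_approved` field, the finding codes, the category label "major" and all identifiers are constructed assumptions, while the status values and the rule that minor changes may skip the CAB come from the text.

```python
from dataclasses import dataclass
from typing import Optional

AUTHORIZING_STATUSES = {"accepted", "implemented"}  # status values named in the text


@dataclass(frozen=True)
class RFC:
    rfc_id: str
    status: str             # "accepted", "rejected" or "implemented"
    category: str           # "minor" or any other label (labels assumed)
    cis: frozenset          # CIs the RFC says it will touch
    backout_plan: bool      # True when a back-out plan is logged
    cab_approved: bool = False  # assumed field recording the CAB decision


@dataclass(frozen=True)
class ChangeEvent:
    ci: str
    rfc_id: Optional[str]   # RFC quoted by whoever made the change, if any
    description: str


def review_change(event, rfc_log):
    """Return the list of findings for one observed change (empty means authorized)."""
    rfc = rfc_log.get(event.rfc_id) if event.rfc_id else None
    if rfc is None:
        return ["NO_RFC"]
    if rfc.status not in AUTHORIZING_STATUSES:
        return ["RFC_NOT_ACCEPTED"]
    findings = []
    if event.ci not in rfc.cis:
        findings.append("CI_OUT_OF_SCOPE")
    # Acceptance by the preliminary filter is not approval: anything that is
    # not a minor change still needs a CAB decision.
    if rfc.category != "minor" and not rfc.cab_approved:
        findings.append("NO_CAB_APPROVAL")
    if not rfc.backout_plan:
        findings.append("NO_BACKOUT_PLAN")
    return findings


def unauthorized_changes(events, rfc_log):
    """Pair every change that has at least one finding with its findings."""
    flagged = []
    for event in events:
        findings = review_change(event, rfc_log)
        if findings:
            flagged.append((event, findings))
    return flagged


# Constructed sample RFC log and change history.
RFC_LOG = {
    "RFC-0001": RFC("RFC-0001", "implemented", "minor", frozenset({"PC-SD-014"}), True),
    "RFC-0002": RFC("RFC-0002", "accepted", "major", frozenset({"SRV-WEB-001"}), True),
    "RFC-0003": RFC("RFC-0003", "rejected", "major", frozenset({"SRV-LAN-001"}), False),
    "RFC-0004": RFC("RFC-0004", "implemented", "major", frozenset({"SRV-LAN-001"}), True, True),
    "RFC-0005": RFC("RFC-0005", "accepted", "minor", frozenset({"PC-SD-015"}), False),
}
EVENTS = [
    ChangeEvent("PC-SD-014", "RFC-0001", "operating system patch"),
    ChangeEvent("SRV-WEB-001", "RFC-0002", "web server upgrade"),
    ChangeEvent("SRV-LAN-001", "RFC-0003", "network share reconfigured"),
    ChangeEvent("SRV-WEB-001", "RFC-0004", "configuration file edited"),
    ChangeEvent("PC-SD-015", "RFC-0005", "application installed"),
    ChangeEvent("PC-UNK-777", None, "software installed"),
]

if __name__ == "__main__":
    for event, findings in unauthorized_changes(EVENTS, RFC_LOG):
        print(event.ci, event.rfc_id, event.description, findings)
```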

Change Evaluation

The CAB will evaluate all changes in detail before approval by asking:

• What are the expected benefits of the proposed change?
• Do these benefits justify the costs entailed by the change process?
• What are the associated risks?
• Do we have the necessary resources to make the change with certainty of success?
• Can the change be postponed?
• What will the general impact be on the IT infrastructure and quality of service?
• Could the change affect the established IT security levels?

12.11.3. The main activities involved in Change Management

Monitoring and directing the change process.

Recording, evaluating and accepting or rejecting the Request for Changes (RFCs) received.

Convening meetings of the CAB for approval of RFCs.

Coordinating the development and implementation of the change.

Evaluating the results of the change and proceeding to close the change if successful.

12.12. Summary

Configuration Management provides accurate and reliable information about all the
components of the IT infrastructure by:

• Controlling all the elements of the IT infrastructure configuration with a sufficient
level of detail and managing this information using the configuration database
(CMDB).

• Providing accurate information about the IT configuration to all the various
management processes.

• Interacting with Incident, Problem, Change and Release Management so they can
resolve incidents effectively by finding the cause of the problem rapidly, making the
changes necessary to solve it, and keeping the CMDB up-to-date at all times.

• Periodic monitoring of the configuration of the systems in the production
environment and comparing it with that held in the CMDB to correct any
discrepancies.

Change Management is responsible for:

• Monitoring and directing the change process.

• Recording, evaluating, accepting or rejecting the RFCs received.

• Coordinating meetings of the CAB for approval of RFCs.

• Coordinating the development and implementation of the change.

• Evaluating the results of the change and proceeding to close the change, if
successful.

12.13. Homework and Teamwork Assignment

Homework:
Each student is to write a short paper (< 2 pages) describing the difficulties or issues when
implementing this function in an organization.
Sample answer:

The instructor may want to discuss the difficulties in Configuration Management such as:
Incorrect planning: it is essential to plan the necessary activities correctly to avoid
duplications or mistakes.
Inappropriate CMDB structure: keeping an excessively detailed and exhaustive configuration
database up-to-date can be a time-consuming process requiring too many resources.
Inappropriate tools: it is essential to have the right software to speed up the data entry process
and make the best use of the CMDB.
Lack of coordination between Change and Release Management, making it impossible to
maintain the CMDB correctly.
Lack of organization: it is important for there to be a correct assignment of resources and
responsibilities. Where possible, it is preferable for Configuration Management to be undertaken
by independent specialist personnel.
Lack of commitment: the benefits of Configuration Management are not immediate and are
almost always indirect. This can lead to a lack of interest on the part of management and
consequently a lack of motivation among the people involved.

Teamwork:

Scenario:
Mr. Bill Ate understands that configuration management is important, but for his food service
company, it can easily waste a lot of resources if excessive criteria are laid down. Therefore,
he decided to limit the scope of the configuration database to the systems he felt to be critical
such as:

• LAN servers.
• Internet servers.
• Service Centre computing infrastructure.
• SLAs.

He asks your team to design a Configuration Management system that meets his initial simple
goal.
Sample Answer:
To simplify management of “Macro-Foods”, it is recommended that configurations be
organized by the configuration items described by Mr. Ate, with these advantages:
• Medium-to-long term reduction in the associated costs.
• Improving the consistency of the services delivered.
• Simplification of all the processes associated with service support: incidents,
problems, changes, versions, etc.

Opting for a series of standard configurations allows a high level of detail to be achieved
without the effort being excessive. The following items were therefore entered on the database:
• Software configurations:
o Operating systems.
o Installed applications.
o Interdependencies: parent-child relationships, owners, etc.
o Associated documentation.
• Hardware configurations:
o Servers and work stations.
o Sub-components, with their interrelations: parent-child relationships,
interdependencies, etc.
o Associated documentation and controllers.
• Associated SLAs and monitoring reports.

At the same time, management tools were installed to allow all these configurations to be
monitored remotely and periodic automatic audits to be carried out.

Lecture 13: Release Management


Learning goals:
The goal of this lecture is to:
1. Describe the Release Management process.
2. Explain the issues of Release Management.
3. Explain the benefits of Release Management.
4. Prepare students to participate in Release Management activities.
Benefits
Students will understand that software requirements often change and without a change
control process, these changes could impact the development process, creating confusion and
frustration. Changes also must be made without deterioration of the quality of service by:
• New releases meet the proposed objectives.
• The number of incidents caused by incompatibilities with other installed hardware or
software is reduced.
• The related testing processes not only allow the quality of the hardware and software
due to be installed to be tested, but also elicit the opinions of users on the functionality
and usability of the new versions.
• Keeping the DSL properly maintained will prevent the loss of (valuable) copies of the
source files.
• The number of illegal software copies is reduced.
• Control of the software and hardware deployed is centralized.
• Protection against viruses and other problems associated with uncontrolled software
versions is improved.
13.1. The concept of Release Management

13.1.1. Release Management

Release Management is responsible for implementation of all the hardware and software
installed in the production environment.

Release Management works closely with Change Management and Configuration
Management to ensure that all information relating to changes (new versions) is properly
included on the CMDB so that it is fully up-to-date and provides an accurate image of the
configuration of the IT infrastructure.

Release Management also keeps the Definitive Software Library (DSL) up-to-date, where
copies of all the software in production environment are kept, and the Definitive Hardware
Storage (DHS), where spare parts and documentation for the rapid repair of hardware problems
on the live environment are kept.

13.1.2. Overview of Release Management

13.2. The responsibilities of the Manager

Release Management is responsible:

• To plan and manage the release of software and hardware to users in production
environment.

• To design and implement procedures for the distribution and installation of changes to
IT systems.

• To ensure only correctly released, tested, and authorized versions of CIs are in use.

• To ensure the physical storage and protection of master copies of all software.

13.3. The main objectives of Release Management

Establishing a policy for implementing new versions of hardware and software.

Implementing new versions of hardware and software on the live environment after
verifying them in a realistic test environment.

Ensuring that the change process meets the specifications of the relevant RFC.

Ensuring, in cooperation with Change Management and Configuration Management, that
all the changes are correctly entered on the CMDB.

Archiving (identical) copies of the live software, and all their associated documentation,
in the Definitive Software Library (DSL).

Keeping the Definitive Hardware Storage (DHS) up-to-date.

13.4. The benefits of Release Management

Changes are made without deterioration of the quality of service. New releases meet the
proposed objectives. The number of incidents caused by incompatibilities with other installed
hardware or software is reduced. The related testing processes not only allow the quality of the
hardware and software due to be installed to be tested, but also elicit the opinions of users on
the functionality and usability of the new versions. Keeping the DSL properly maintained will
prevent the loss of (valuable) copies of the source files. The number of illegal software copies is
reduced.

Control of the software and hardware deployed is centralized. Protection against viruses
and other problems associated with uncontrolled software versions is improved.

13.5. The concept of Release

13.5.1. Release

• Major releases: Represent a significant release of software and hardware upgrades
which are important modifications to the functionality, technical capabilities, etc.
Ex: version 1.0, 2.0, etc.

• Minor releases: These are the correction of one or more specific errors and are often
modifications that implement documented emergency solutions correctly.
Ex: 1.1, 1.2, 1.3, etc.

• Emergency releases: Modifications to quickly repair a known error in software or
hardware.
Ex: 1.1.1, 1.1.2, etc.

13.5.2. Type of Software Release

Alpha: A conceptual release or prototype.

Beta: A release that still needs to be tested for bugs in an environment similar to
production.

Full: All components of the release unit are built, tested, distributed and implemented.

Delta: A partial release, usually just to fix a problem or only release some functionality
earlier than scheduled or only release the CIs that have changed.

Package: More than one release unit grouped together.

Urgent: Temporary fix.

13.5.3. New Versions

The most common options include:

• Delta release: Only the modified components are tested and installed.

• Full release: All the affected components are distributed, whether they have been
modified or not.

• Package of Releases: Change Management may opt to distribute different packages of
releases in a synchronized way.

13.5.4. Release Management Elements

13.6. The main activities involved in Release Management

Establishing a planning policy for the implementation of new versions.

Developing new versions or buying them from third parties.

Testing new versions in an environment that simulates the live environment as closely as
possible.

Validating the new versions.

Implementing new versions in the live environment.

Carrying out back-out plans to remove the new version if necessary.

Updating the DSL, the DHS and the CMDB.

Informing and training customers and users about the functionality of the newly released
version.

13.5. Summary

Release Management:

• Establishing a planning policy for the implementation of new versions.

• Developing new versions or buying them from third parties.

• Testing new versions in an environment that simulates the live environment as closely
as possible.

• Validating the new versions.

• Implementing new versions in the live environment.

• Carrying out back-out plans to remove the new version if necessary.

• Updating the DSL, the DHS and the CMDB.

• Informing and training customers and users about the functionality of the newly
released version.

13.6. Homework

Lecture 14: Incident Management & Problem Management


Learning goals:
The goal of this lecture is to:
1. Describe Incident Management and Problem Management.
2. Explain the benefits of Incident Management and Problem Management.
3. Prepare students to participate in Incident and Problem Management activities.
Benefits
Students will be able to understand the differences between Incident Management and
Problem Management and be able to manage any incident appropriately.
14.1. The concept of Incident

An incident is any “event” which is NOT part of the normal operation of a service that
causes an interruption to the quality of the IT service.

A major incident exists where the impact on the business is extreme.

Relationships with others:

Incident Management

• The goal of Incident Management is to resolve any incidents causing interruption of
service in the quickest and most effective way possible.

• Incident Management should not be confused with Problem Management, because it is
not concerned with finding and analyzing the cause of a particular incident, but solely
with restoring the service.

• Incident Management is responsible for minimizing impact to business through:
o Workarounds or permanent fixes identified through Problem Management.
o Assigning it to Problem Management to diagnose and resolve.

• Minimize impact to business operation by restoring normal levels of service within
agreed times, thus ensuring the best possible levels of service quality and availability.
o To ensure the best use of resources to support the business during service failures
or disruptions.
o To log and track incidents.
o To maintain a record of relating incidents.
o To devise and apply a consistent approach to incidents.

14.2. The goals of Incident Management

• Detecting any alterations in IT services.
• Logging and classifying these alterations.
• Assigning personnel charged with restoring service, as defined in the relevant SLA.
This activity requires close contact with users, which means that the Service Desk, as the
customer interface, needs to play a central role. Although the concept of an incident is
naturally associated with a malfunctioning of the hardware and software systems, an incident is
defined as: "Any event which does not form part of the standard operation of a service and
which causes, or may cause, an interruption or a reduction in service quality."
Thus, any call to the Service Desk may be classified as an incident. This includes Service
Requests, such as asking for new licenses, changing access to information, etc., provided these
services are considered standard. Any change requiring a modification to the infrastructure is
considered not to be a standard service and requires the initiation of a Request for Change
(RFC), which should be handled in accordance with the principles of Change Management.
14.3. Level of Priority

It is common that multiple incidents happen at the same time, making it necessary to define
levels of priority when resolving them:

• Impact: This determines the importance of the incident depending on how it affects
business processes and the number of users affected.

• Urgency: Depends on the maximum delay the customer will accept for the resolution of
the incident and the level of service agreed in the SLA.

Incident Management should take into consideration the expected resolution time and the
resources necessary. "Simple" incidents will be dealt with as soon as possible. Depending on the
priority, the necessary resources will be assigned to resolve the incident. The incident's priority
may change during its lifecycle.

14.4. The main benefits of Incident Management

• Improved user productivity.

• Fulfillment of the levels of service agreed in the SLA.

• Greater process control and service monitoring.

• Optimization of the resources available.

• A more accurate CMDB, as incidents affecting configuration items are logged.

• And, in particular, improved general customer and user satisfaction.

14.5. Incident Management Process

• The first level of support is provided by the Help Desk during the user's call to report the
incident.
• If the Help Desk cannot resolve the incident, it is referred to a technical support group for
further diagnosis and action.
• If the support group cannot resolve it, they have to contact another specialist to assist
them.
• The transfer from one level of support to another is called Escalation:
  • Functional escalation: The support of a higher-level specialist is needed to resolve the
  problem.
  • Hierarchical escalation: A manager needs to be consulted to make decisions that are
  beyond the competencies assigned to the level.
• Incidents may be reported from various sources, such as users, application managers, the
Help Desk (Service Desk), technical support, among others.
• Incidents should be logged immediately, as there is a risk of new incidents emerging and
causing the processing of the first incident to be postponed indefinitely.
• The Help Desk must be able to evaluate in the first instance whether the service required is
included in the customer's SLA and, if not, forward it to a competent authority.
• It is important for the Help Desk to check that the incident has not already been logged:
it is commonplace for more than one user to report an incident, so it is necessary to check
to avoid unnecessary duplication.
• Assigning a reference: The Help Desk assigns an incident reference number to uniquely
identify it both in internal processes and when communicating with the customer.

• Initial data capture: The Help Desk collects the basic information needed to process the
incident (time, description of the incident, systems affected, etc.) and enters it in the
associated database.
• Incident notification: The Help Desk may determine whether the incident may affect other users
and notifies them so they are aware of how the incident may impact their work.
• The Help Desk examines the incident against the information in a knowledge base (KB)
to determine whether it matches an incident that has already been resolved, in which case the
assigned procedure is applied.
• If the Help Desk is unable to resolve the incident, it will forward it to a higher level for
the assigned experts to investigate. If these experts are unable to resolve the incident, the
predefined escalation protocols will be followed.
• Throughout the lifecycle of the incident, the various agents involved must update the
information stored in the databases so that all the levels involved have complete
information on the incident's status.
• Classification: The purpose of incident classification is to collect all the information that
may be used to resolve it. The classification process has the following steps:
  • Categorization: A category is assigned depending on the type of incident and
  the workgroup responsible for resolving it. The services affected by the incident
  are also identified.
  • Establishing level of priority: The incident is assigned a level of priority,
  based on predefined criteria, depending on its impact and urgency.
  • Allocation of resources: If the Service Desk cannot resolve the incident in the
  first instance, it will designate the technical support personnel responsible for
  resolving it (second level).

14.6. Problem Management

The main functions of Problem Management are:

• To investigate the underlying causes of any real or potential anomalies in the IT service.
• To define possible solutions to anomalies.
• To put forward requests for change (RFCs) needed to re-establish quality of service.
• To carry out post-implementation reviews (PIR) to ensure that the changes have brought
about the desired results without causing side effects.
Problem Management may be:
a) Reactive: Analyzing incidents that have occurred in order to discover their causes and
propose solutions to them.
b) Proactive: Monitoring the quality of the IT infrastructure and analyzing its
configuration in order to prevent incidents even before they happen.
As previously described, Incident Management's sole aim is to restore quality of service as
quickly as possible. It does not seek to determine the origins or causes of degradation to service
quality. When a type of incident becomes recurrent or has a powerful impact on the IT structure,
the role of Problem Management is to determine its causes and look for possible solutions.


14.7. The benefits of Problem Management

The main benefits of correct Problem Management are:

• An improvement to the general quality of the IT services.
• The number of incidents is minimized.
• Incidents are resolved more quickly, and generally, at the first line of IT support, thus
saving resources and unnecessary escalation.
• The documentation produced is of considerable value for Capacity Management,
Availability Management and Service Level Management.
14.8. The activities in Problem Management

Problem Control: this is responsible for logging and classifying problems to determine their
causes and turn them into known errors.
Error control: records known errors and proposes solutions to them by means of RFCs
which are sent to Change Management. It also conducts Post-Implementation Review of these
changes in close collaboration with Change Management.
When the structure of the organization allows, it carries out Proactive Problem Management
to help detect problems even before they manifest themselves by causing degradation to quality
of service.


14.9. Incident Management Reports

Service Level Management: It is essential that customers have timely information about the
level of compliance with SLAs and that corrective measures are taken in the event of
non-compliance.

Monitoring the performance of the Help Desk determines the customer's degree of satisfaction
by supervising the proper functioning of the first line of support and the customer care
delivered.

Optimizing the allocation of resources: Managers need to know if the escalation process
has followed the established protocols faithfully and if duplication has been avoided in the
management process.

14.10. Identifying mistakes: It may happen that the specified protocols are not right for the
organization's structure or the customer's needs, meaning that corrective measures
need to be taken.

Availability of Statistical Information: This may be used to make future projections
about the assignment of resources, additional costs associated with the service, etc.

14.11. Summary

Incident Management minimizes impact on business operations by restoring normal levels of
service within agreed times, and ensuring the best possible levels of quality service to
customers.

Problem Management minimizes the disruption of IT services by organizing resources to
resolve problems according to the business needs, preventing them from recurring and recording
the information that will improve IT services.

14.12. Homework and Teamwork Assignment


Homework:
Each student writes a short paper (< 2 pages) describing the difficulties or issues encountered
when implementing this function in an organization.
Teamwork
Scenarios:
Incident Management: A manager has just received a call from the person in charge of
supplies at one of his high-tech company's cafeterias. The person says that he ordered a
new batch of ice-creams a few days ago over the web, that they have not yet arrived and that the
stock is running low. He is very angry at the food service because it is summer and most of his
people would buy ice cream.
The manager looks in the computer database and confirms that the order was made several
days ago, but he also notices that it was incorrectly stored. He tries to repeat the order on his
computer, but the system continues to malfunction. What should he do?
Problem Management: The manager has informed Problem Management about the
incident, which could not be associated with a known error and which caused a low-impact
interruption to service. What would be the better solution?
Sample Answers:
Incident Management:
The manager should do the following:
• Evaluate its priority: although the impact is low, the incident is urgent as the customer
needs the delivery urgently.
• Log the details of the incident.
• Check the Knowledge Base in the database to investigate whether the incident is the
result of a known error (one that has happened before) and whether there is any possible
work-around.
• Propose a temporary solution to the customer by pointing him to a reserved area of the
website where he can place "urgent" orders by email.
• Contact the systems department to warn that the incident may be repeated throughout the
day.
• Using the application that monitors warehouse stock, check the availability of the
ice-creams ordered.
• Reassure the customer that he will receive the ice-creams before midday via the
company's express service.
Meanwhile, the IT systems department:
• Runs a series of tests and confirms that, in general, the system is functioning correctly.
• Is unable to identify the cause of the incident.
• Contacts the manager and suggests that the problem be forwarded to Problem
Management with a preliminary classification of low priority.


The manager receives the information and decides that:

• Given the low impact of the incident and the fact that the customer has been given a
satisfactory work-around, it does not need to be escalated.
• The work-around for the incident is logged together with the information provided by
the systems department.
• The incident is closed.

Problem Management:
Problem Management decides to analyze the problem following the established
protocol:
• Identifying the problem.
• Classifying the problem.
• Establishing the possible causes.
• Checking the most likely cause.
• Confirming the actual cause.
Identification: In the case with which we are concerned, the problem is easy to define:
• The online orders application produces unpredictable errors when recording certain
orders. There is no apparent relationship between the error and other
hardware/software components.
Classification: The problem may be classified according to the following parameters:
• Identification: Problems recording orders.
• Source: Online orders module.
• Frequency: The problem is not recurrent; this is the first time it has been detected.
• Impact: Slight. The incident was resolved without a serious interruption to service.
Possible causes: The most likely causes include:
• Errors in programming on the client side of the application.
• Errors in the web server recording modules.
• Database configuration errors.
The analysts decide that the most likely origin of the problem is in the application's
recording modules.
Checking the most likely cause: With the help of the information recorded by Incident
Management:
• Problem Management tries to reproduce the problem.
• They find that the error is only reproduced with a particular brand of ice-cream.
• They notice that the brand of ice-cream has an apostrophe in its name and that if this is
removed the order is recorded without problems.
Verification:
• A test environment is set up reproducing the module of interest on the live
environment.
• The necessary programming changes are made.
• They confirm that the order is recorded correctly.
The problem has been converted into a known error. It is now the task of Error Control
to:
• Raise an RFC with the proposed solution.
• Carry out the post-implementation review if Change Management considers it
appropriate to implement the RFC.
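
An apostrophe that breaks order recording is the typical symptom of a recording module that builds its SQL statement by string concatenation. The following added example (not code from the course material) assumes that cause, a hypothetical `orders` table and constructed brand names; it shows the failing version beside the parameterized fix, which also removes the SQL injection exposure the same defect creates, and a check of the kind the verification step calls for.

```python
import sqlite3

# Hypothetical schema for the online orders module (an assumption, not from the course text).
SCHEMA = """
CREATE TABLE orders (
    id      INTEGER PRIMARY KEY,
    product TEXT    NOT NULL,
    qty     INTEGER NOT NULL
)
"""


def open_orders_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database, standing in for the test environment."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def record_order_concat(db: sqlite3.Connection, product: str, qty: int) -> bool:
    """'Before' version: the product name is pasted into the SQL text.

    An apostrophe in the name ends the string literal early, so the statement
    no longer parses and the order is not recorded.
    """
    sql = ("INSERT INTO orders (product, qty) VALUES ('"
           + product + "', " + str(int(qty)) + ")")
    try:
        db.execute(sql)
        db.commit()
        return True
    except sqlite3.Error:
        db.rollback()
        return False


def record_order_param(db: sqlite3.Connection, product: str, qty: int) -> bool:
    """'After' version: the values travel as bound parameters, never as SQL text."""
    db.execute("INSERT INTO orders (product, qty) VALUES (?, ?)", (product, int(qty)))
    db.commit()
    return True


def stored_products(db: sqlite3.Connection) -> list:
    """Return the recorded product names in insertion order."""
    return [row[0] for row in db.execute("SELECT product FROM orders ORDER BY id")]


def verify_fix(brands) -> dict:
    """Record each brand with both versions and report whether it was stored intact."""
    results = {}
    for brand in brands:
        before_db, after_db = open_orders_db(), open_orders_db()
        before_ok = record_order_concat(before_db, brand, 10)
        after_ok = (record_order_param(after_db, brand, 10)
                    and stored_products(after_db) == [brand])
        results[brand] = {"before": before_ok, "after": after_ok}
    return results


if __name__ == "__main__":
    # Constructed sample brand names; the second one contains an apostrophe.
    for brand, outcome in verify_fix(["Vanilla Cone", "Nonna's Gelato"]).items():
        print(brand, outcome)
```

A check like `verify_fix` is worth keeping as a regression test attached to the RFC, so the post-implementation review can rerun it against the changed module.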


Lecture 15: Service Desk


Learning goals:
The goal of this lecture is to:
1. Explain the role of Service Desk.
2. Describe the process of managing Service Desk.
3. Explain the benefit of Service Desk concept.
4. Prepare students to participate in Service Desk Management activities.
Benefits
Students will understand that the main objective of the Service Desk is to serve as a point of
contact between users and IT Services Management. The benefits of having a single centralized
point of contact include:
• Reducing costs by ensuring efficient allocation of resources.
• Better customer care, leading to greater satisfaction and loyalty.
• Opening up new business opportunities.
• Centralizing of processes, improving communication and information management.
• Proactive service support.
15.1. The Roles and Responsibilities of Service Desk

The main objective of the Service Desk is to serve as a point of contact between
customers, users and IT Services Management.

Service Desk is the center of all the IT service support processes by:

• Logging and monitoring incidents.

• Applying temporary solutions to known errors in collaboration with Problem
Management.

• Working with Configuration Management to ensure that the relevant databases are
up-to-date.

• Managing changes asked for by customers through service requests in collaboration
with Change Management and Version Management.


15.2. Point of Contact

The point of contact with the customer may take various forms, depending on the breadth and
depth of the services offered:
• Call Centre: The aim is to manage a high volume of calls and redirect users (except in
trivial cases) to other levels of support and/or sales.
• The Help Desk: Its main objective is to provide a first line of support, resolving
service interruptions as quickly as possible.
• The Service Desk: This is customers' and users' interface with the whole range of IT
services offered by the organization, focusing on business processes. Apart from offering
the services mentioned above, it provides customers, users and the IT organization itself
with additional services such as:
  • Supervising maintenance and service level contracts.
  • Channeling customers' Service Requests.
  • Software license management.
  • Centralizing all the processes associated with IT management.

15.3. The benefits of Service Desk

The main benefits of implementing an effective Service Desk include:

• Reducing costs by ensuring efficient allocation of resources.
• Better customer care, leading to greater satisfaction and loyalty.
• Opening up new business opportunities.
• Centralizing of processes, improving communication and information management.
• Proactive service support.

15.4. The Implementation of Service Desk

Service Desk requires IT managers to answer the following questions:

• What are the needs?

• What should its functions be?

• Who will be in charge of it?

• What professional qualifications will its team have?


• Will some services, such as hardware technical support, need to be outsourced?

• What types of structure should the Service Desk have (distributed, centralized,
virtual) to best meet your needs and those of your customers?

• What technology tools do you need?

• What metrics will be used to determine the performance of the Service Desk?

15.5. Types of Service Desk

To achieve these goals an appropriate physical and logical structure is needed.

15.5.1. Logical structure
The members of the Service Desk team must:
• Be familiar with the protocols for interaction with customers: scripts, checklists, etc.
• Be equipped with software tools they need to log their interactions with users.
• Know when to escalate incidents to higher levels or contribute to discussions on the
compliance with SLAs.
• Have the relevant knowledge bases at their fingertips so as to give a better service to
users.
• Receive training on the company's products and services.

15.5.2. Physical structure
The structure of the Service Desk opted for will vary depending on the service needs
(global, local, 24/7, etc.).
There are three basic formats:
• Centralized
• Distributed
• Virtual
The main characteristics of each format are described below:
Centralized Service Desk
In this case all contact with users is channeled through a single central structure.
The main advantages are:
• Costs are reduced.

• Resources are optimized.
• Management is simplified.
However, this approach may have significant drawbacks when:
• Users are spread across several geographical locations, with different languages, products
and services.
• Maintenance services need to be delivered on site.
Distributed Service Desk
This is the structure traditionally used when the company offers services at different
geographical locations (whether these are cities, countries or continents). The advantages are
clear in these cases. However, geographically distributing the Service Desks in this way can
entail serious difficulties:
• It is generally more expensive.
• Managing and monitoring the service is more complicated.
• It is more difficult for data and knowledge to flow between the different Service Desks.
Virtual Service Desk
Thanks to high speed communications networks, the geographical location of the Service
Desk can nowadays be irrelevant. The main aim of a virtual service desk is to utilize the
advantages of both centralized and distributed service desks. In a virtual Service Desk:
• Knowledge is centralized.
• Unnecessary duplication is avoided, with the consequent cost savings.
• A "local service" can be offered without incurring extra costs.
• The quality of service is uniform and consistent.
15.6. Service Desk Activities

The activities of the Service Desk can include almost all aspects of IT Services Management.
However, its main function is that of managing relationships with customers and users, keeping
them informed about all the processes of interest to them. Some of the key functions a Service
Desk should offer are:

15.6.1. Incident Management
Although managing incidents in full requires the collaboration of other departments and
staff, the Service Desk must be able to provide a first line of support to help resolve
interruptions to service and/or service requests from customers and users. Its specific
tasks include:
• Logging and monitoring each incident.
• Checking that the support service required is included in the associated SLA.
• Tracking the escalation process.
• Identifying problems.
• Closing the incident and obtaining confirmation from the customer.

15.6.2. Information Center
The Service Desk should be the main source of information for customers and users,
informing them about:
• New Services.
• New releases to correct errors.
• Compliance with the SLAs.
This direct contact with customers should also be used to identify new business
opportunities, and to assess customers' needs and their level of satisfaction with the service they
are given. The Service Desk is ideally positioned to provide inside information on all the IT
service management processes. For it to do so, however, it is essential that it log all interactions
between users and customers properly. The Service Desk is also responsible for relations with
external suppliers providing maintenance services. In order to offer a high quality service, it is
essential that there be close links between external maintenance providers and Incident
Management. This should be channeled through the Service Desk.
We have all endured frustrating experiences dealing with large companies that promise high
quality, round-the-clock support, only for it to turn out that their contact center has staff who are
poorly trained, if not rude. It is important to understand that the Service Desk's success is your
company's success and that it depends to a large degree on the people in the team. It is therefore
essential to establish strict selection and training protocols for them. Ideally, the Service Desk
staff should:
• Share the organization's customer care philosophy.
• Deal with customers in a way that is correct and polite, using language the
customer can understand.
• Have an in-depth knowledge of the services and products offered.
• Understand customers' needs and redirect them, if necessary, to the experts in
question.
• Control all the technological tools available to them in order to offer a high quality
service.
• Be able to work as a team.
The training they are given should relate to all these aspects and not be limited to building
their technology skills. It is also essential for the management to be committed to:
• Close monitoring of the services delivered, particularly as regards their
effectiveness and performance.
• Continuous support to the service desk team in its difficult task of dealing directly
with customers.
• Team work.


And finally, remember that you never get a second chance to make a first impression. The
best measure of the success of a Service Desk is customer satisfaction. It is important to try to
set up well defined metrics with which to measure the performance of the Service Desk and the
perception users have of it. Progress reports should include points such as:
• The average time taken to respond to requests sent by e-mail, phone or fax.
• The percentage of incidents closed at the level of the first line of support.
• The percentage of queries responded to in the first instance.
• A statistical analysis of the incident resolution times organized according to their
urgency and impact.
• Compliance with the SLAs.
• The number of calls handled by each member of the Service Desk team.
Another important monitoring task is that of overseeing the level of customer satisfaction.
This can be achieved by means of surveys allowing the customer's perception of the services
provided to be assessed. You could opt to close each incident or query with a series of questions
allowing the customer's opinion about the attention received to be gathered, along with his or
her satisfaction with the solution offered, etc. All this information should be compiled and
analyzed periodically to enable the quality of service to be improved.
15.7. Summary

Service Desk is an important aspect of user and liaison support. It is the main contact
between the IT organization and its customers and users.

Service Desk staff represent the image of the company and organization as they help
customers to resolve problems, record information on IT services and escalate problems to the
right level of support services.

15.8. Homework

Scenario:
Macro-Foods receives so many calls (food orders, complaints about quality of service, incidents in
which food orders were delivered to the wrong places, reports of inefficient service) that these calls
disrupt normal operation, as managers are busy responding to customers and suppliers. How can
the company avoid these issues?
You are tasked to help solve this problem.
Sample Answer:
Macro-Foods should set up a service desk, centralizing all the IT organization's contacts
with customers and suppliers, by:

• Appointing a manager to be in charge of the Service Desk.
• The main functions of the service desk are:
1) Managing the first line of support for Incident Management.
2) Monitoring the quality of service offered with respect to the SLAs.
3) Providing sales-related information about the services offered.
4) Conducting regular surveys on the level of customer satisfaction.
5) Drawing up periodic reports with the information gathered.
• Setting up a website to interact with users by means of:
  • Forms for queries and reporting incidents.
  • Remote querying (by means of the associated web services) of the state of active
  incidents, incident history and compliance with SLAs.
  • Up-to-date FAQs allowing users to run their own queries on the services provided,
  known errors, etc.
• Drawing up a "Customer Care Manual" describing the different protocols for interaction
with users, depending on the situation in question.
• Choosing a software tool to help record and manage all the Service Desk's information
flows.
• Giving specific training to staff responsible for dealing directly with users and customers
on applying the "Customer Care Manual" and on the software tools used.
• Creating a detailed plan for the progressive implementation of the Service Desk.


Lecture 16: Security Management


Learning goals:
The goal of this lecture is to:
1) Describe issues of information security.
2) Review security issues of IT infrastructure.
3) Explain Information Security process & practices.
4) Discuss the evaluation and protection of Information Security.
5) Prepare students to participate in Security Management activities.
16.1. Security Management

With the growth of the Internet, problems associated with information security have worsened
considerably and affect all organizations. Information is an integral part of any business and
managing it correctly rests on three basic factors:
• Confidentiality: the information must only be accessible to its predefined recipients.
• Integrity: the information must be correct and complete.
• Availability: the information must be accessible when it is needed.
Security Management ensures that the information is correct and complete, that it is always
available for business purposes and that it is only used by authorized people.
16.2. Security Management Staff

Security Management staff must have an in-depth knowledge of both the business and the IT
services in order to establish security policy, as well as procedures to ensure that the information
is accessible when needed by people authorized to use it.

Security staff must work with the business and IT organization to determine security
requirements, then document them in the relevant SLAs so that implementation of them can be
ensured.

Security Management should review all risks to which the IT infrastructure is exposed to
ensure that these risks do not represent a danger to IT service continuity.

16.3. Security Management Goals

• Designing a security policy (in collaboration with customers and suppliers) that is aligned
with the needs of the business.
• Ensuring compliance with the agreed security standards.
• Minimizing the security risks threatening continuity of service.
16.4. The benefits of Security Management

The main benefits of proper Security Management are:

• Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.
• The number of incidents is minimized.
• Information is accessible when it is needed and data integrity is preserved.
• Data confidentiality, and the privacy of customers and users, is preserved.
• Regulations on data protection are complied with.
• The perception customers and users have of the quality of service, and their confidence in
it, is improved.
16.5. Information Security Process

Using risk analysis, IT customers identify their security requirements.

The IT organization determines the feasibility of the requirements and compares them to the
organization's minimum information security baseline.

The customer and IT organization negotiate and define a service level agreement (SLA) that
includes definition of the information security requirements in measurable terms and specifies
how they will be verifiably achieved.

Operational level agreements (OLAs), which provide detailed descriptions of how
information security services will be provided, are negotiated and defined within the IT
organization.

The SLA and OLAs are implemented and monitored.

Customers receive regular reports about the effectiveness and status of provided information
security services.

The SLA and OLAs are modified as necessary.


16.5.1. Security SLA

A typical information security SLA includes:

• Permitted methods of access.

• Agreements about auditing and logging.

• Physical security measures.

• Information security training and awareness for users.

• Authorization procedure for user access rights.

• Agreements on reporting and investigating security incidents.

• Expected reports and audits.

16.5.2. Security Policy Includes

• The relationship with the business processes.

• Coordination with IT processes.

• The protocols for accessing information.

• The risk assessment procedures.

• Training programs.

• The level of monitoring of security.


• Security reports to be issued periodically.

• The scope of the Security Plan.

• The structure and people responsible for the Security Management process.

• The processes and procedures employed.

• The internal and external security auditors.

• The resources: software, hardware and staff.

Example:

• All users will be authenticated before accessing the system.

• Passwords will be randomly generated.

• Audit log data will be restricted to read-only.

• Passwords must be at least 6 alpha-numeric characters.

• There must be at least one numeric character in a password.

• Remote access to sensitive data will not be permitted.

• Users will be allowed maximum 3 tries to login.
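
Policy statements like these become verifiable once they are enforced in code. The following is an added example, not part of the course material: it implements the password-format, random-generation and three-try rules with the values stated above, while the `LoginGate` class, the PBKDF2 storage and the 12-character generated length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Values taken from the example policy statements above.
MIN_LENGTH = 6          # "at least 6 alpha-numeric characters"
MAX_LOGIN_TRIES = 3     # "maximum 3 tries to login"
ALPHABET = string.ascii_letters + string.digits


def policy_violations(password: str) -> list:
    """Return the policy rules a password breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (password.isascii() and password.isalnum()):
        problems.append("non-alphanumeric character")
    if not any(c in string.digits for c in password):
        problems.append("no numeric character")
    return problems


def generate_password(length: int = 12) -> str:
    """Randomly generate a compliant password using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):   # retry if no digit was drawn
            return candidate


class LoginGate:
    """Hypothetical authenticator: salted PBKDF2 storage plus a three-try lockout."""

    def __init__(self):
        self._users = {}      # username -> (salt, derived key)
        self._failures = {}   # username -> consecutive failed tries

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

    def register(self, username: str, password: str) -> None:
        problems = policy_violations(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))
        self._failures[username] = 0

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account rejects even the right password."""
        record = self._users.get(username)
        if record is None:
            return "denied"
        if self._failures[username] >= MAX_LOGIN_TRIES:
            return "locked"
        salt, stored = record
        if hmac.compare_digest(stored, self._derive(password, salt)):
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= MAX_LOGIN_TRIES:
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        """Administrative reset of the failure counter."""
        self._failures[username] = 0
```

Each `denied` and `locked` result is an event the audit log should capture, which is where the read-only audit log rule in the same policy applies.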

16.5.3. Security Plan

The aim of the Security Plan is to set the levels of security that must be included as a part of
the SLAs, OLAs and UCs.

This plan should be part of Service Level Management, which is ultimately responsible for
both the quality of the service delivered to customers and the service received by the IT
organization and external suppliers.

The Security Plan has to focus on offering better and more secure service to customers.

Security metrics should be defined to allow the agreed levels of security to be evaluated.

The Security Plan should establish security protocols covering all the phases of the service
and all the levels involved.

16.5.4. Implementation Using PDCA

The Plan phase is about issuing the policy, assessing information security risks and selecting appropriate controls.

The Do phase involves implementing security protocols, procedures and controls, and operating the controls.

The Check phase is to objectively review and evaluate the performance (efficiency and effectiveness) of the Security Management system.

In the Act phase, changes are made where necessary to bring the system back to peak performance.

16.5.5. Implementation Issues

Members of the IT organization have insufficient commitment to, or knowledge of, the security process.

Excessively restrictive security policies could have negative effects on the business.

It is difficult to monitor and guarantee security of the IT service (firewalls, antivirus software, etc.) due to the changing nature of technology.

Staff are not given adequate security training to be able to apply security protocols.

There is limited coordination between different business and IT processes, making it impossible to evaluate the risks properly.

16.5.6. Measurements

Security Management must coordinate the implementation of the security protocols and measures established in the Security Policy and the Security Plan.

Security Management must verify that:

• The staff know and accept the established security measures and their responsibilities regarding security.

• Employees sign confidentiality agreements relevant to their post and responsibility.

• The relevant training is given.

• Security Management is also directly responsible.

16.5.7. Security Evaluation

• It is essential to evaluate the security service for compliance with the security measures, their results and the level of compliance with SLAs.

• It is advisable for these evaluations to be backed up by external audits conducted by people who are independent from Security Management.

• These evaluations/audits should assess the performance of the security process and put improvements into action. These will be set out in RFCs, which will be sent for evaluation by Change Management.

• Independent reports should be produced each time a serious security-related incident occurs.

16.5.8. Security Maintenance

• Security Management is a continuous process and the Security Plan and security-related sections of the SLAs need to be kept up-to-date.

• Changes in the Security Plan and the SLAs may be a result of the evaluation referred to above, or of changes made to IT infrastructure or services.

• It is also important that Security Management is up-to-date regarding new risks and vulnerabilities caused by viruses, spyware, denial of service attacks, etc., and that the necessary hardware and software upgrades are made.


16.5.9. Controlling the Process

Security Management should be able to:

• Reduce the number of security-related incidents.

• Provide efficient access to information by authorized personnel.

• Provide proactive management allowing potential vulnerabilities to be identified before they cause serious damage to the quality of service.

• Prepare reports on the performance of security issues and provide information to all organizations.

16.6. Summary

Security Management enables business and IT services to focus on information security issues. Too often, information security is perceived as "additional activities" or a "hindrance" to business functions.

With Security Management, business owners and IT organizations negotiate information security services; this ensures that the services are aligned with the business' needs.

Security Management can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can help the organization move from "fire fighting" mode to a more structured and planned approach.

With its requirement for continuous review, Security Management can help ensure that IT services can maintain their effectiveness as requirements, environments and threats change.

Security Management establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help IT organizations understand the effectiveness of their security.


Security Management provides a foundation upon which the integration of a number of processes and best practices, such as Change Management, Configuration Management, and Incident Management, can be built securely.

Security Management enables its staff to discuss details of information security in terms people can understand, so that they recognize information security as a key part of having a successful, well-run organization.

Many people do not relate to technical details about encryption or firewall rules, but with proper training they could appreciate security concepts and be able to incorporate security into their processes for handling problems, improving service, and maintaining SLAs.

The security reporting keeps the organization's management well informed about the effectiveness of their security measures so they can make informed decisions about the risks of their organization.

16.7. Homework

Each student is to write a 1-page paper on the topic: “What are the difficulties when
implementing security management in a company?”
Scenario:
A large portion of the “Macro-Food” business is online ordering, especially since many of its
customers are employees of high-tech companies located in the Software Park. These people
order their food using the “Macro-Food” websites, which list the catalogue of menus for lunch,
dinner, snacks and special-occasion events. Many companies pay by credit card or by special
arrangement with their banks, so the business is mostly online: orders, payments and
special-arrangement transactions are conducted as e-business.
The management of "Macro-Foods" understands that an approach to security based solely on
the concept of "defending against cyber attacks" does not meet the needs of the business.
It is important that their customers have up-to-date information about their orders,
outstanding payments, etc., and this requires interaction with the company's finance systems.
Clearly, this raises a number of additional security problems, as channels to the outside have to
be opened up from within the organization's IT core.
Sample Answer:
The management of "Macro-Foods" has decided to create a Web Service allowing access to
their information while preserving its confidentiality and integrity. This requires a review of the
Security Plan and the security sections of the SLAs.


As basic security measures:
• The range of IP addresses able to access the service is limited: the service is only
available from authorized customer IP addresses.
• Encryption protocols are implemented for the files exchanged.
• Authentication is required in order to access the service.
• Interaction with the application is monitored to detect possible outside attacks.
• A log is kept of when, how and by whom the service is used.
• A single input channel is authorized for the local services through the company's web
servers.
A periodic evaluation of the service is proposed in order to detect vulnerabilities and adopt
corrective measures.
The objective is to offer a quality service with high levels of security so as to build customer
loyalty at a time of rapid development when the competition is just a click away.
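
Four of the measures in the sample answer (IP restriction, authentication, monitoring and the usage log) can be combined in one request gate. The following is an added example, not part of the course material: the function names, the customer ID, the API key and the documentation-range networks are all constructed for illustration, and the threshold of three rejections is an assumption.

```python
import hmac
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: documentation-range networks and a made-up key.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.16/28")]
API_KEYS = {"cust-001": "k3y-constructed-for-demo"}
AUDIT_LOG = []  # one record per request: when, who, how, source, decision

def ip_is_authorized(source_ip):
    """IP restriction: only authorized customer addresses may connect."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # a malformed address is treated as unauthorized
    return any(addr in net for net in ALLOWED_NETWORKS)

def authenticate(customer, api_key):
    """Authentication: constant-time comparison against the stored key."""
    expected = API_KEYS.get(customer, "")
    return bool(expected) and hmac.compare_digest(
        api_key.encode(), expected.encode())

def handle_request(source_ip, customer, api_key, action):
    """Apply both checks and log every outcome, allowed or not."""
    if not ip_is_authorized(source_ip):
        decision = "rejected:ip"
    elif not authenticate(customer, api_key):
        decision = "rejected:auth"
    else:
        decision = "allowed"
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": customer,
        "how": action,
        "source": source_ip,
        "decision": decision,
    })
    return decision

def suspicious_sources(threshold=3):
    """Monitoring: sources with at least `threshold` rejected requests."""
    counts = Counter(r["source"] for r in AUDIT_LOG
                     if r["decision"] != "allowed")
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Rejected requests are logged as well as allowed ones, so the monitoring step works from the same log that the periodic evaluation would review.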


