IT Governance Standards: COBIT, ISO17799/27001, ITIL and PMBOK – Part 3

Send to Kindle

The content of this blog is essentially material I compiled for training sessions that I ran last year. It was originally PowerPoint, but I hope that this blog version is useful. Some of the legislative stuff is probably now out of date, and it was for an Australian audience – moral of the story is to do your own research.

For part 1 of this presentation, view this post and part 2 this post.

IT Infrastructure Library (ITIL)

  • To facilitate Quality Management of IT Services
  • To improve efficiency, increase effectiveness and reduce risk
  • To provide codes of practice in support of Total Quality
  • ISO9000-compliant

The Information Technology Infrastructure Library (ITIL) is a framework of best practice approaches intended to facilitate the delivery of high quality information technology (IT) services. ITIL outlines an extensive set of management procedures that are intended to support businesses in achieving both quality and value for money in IT operations. These procedures are supplier independent and have been developed to provide guidance across the breadth of IT infrastructure, development, and operations.

The IT Infrastructure Library (ITIL) is so named as it originated as a collection of books each covering a specific ‘practice’ within IT management. After the initial published works, the number of publications quickly grew (within ITIL v1) to over 30 books. In order to make ITIL more accessible (and affordable) to those wishing to explore it, one of the aims of the ITIL v2 project was to consolidate the works into a number logical ‘sets’ that aimed to group related sets of process guidelines for different aspects of the management of Information Technology systems, applications and services together.

Specifically, the goals of ITIL are to:

  • To facilitate Quality Management of IT Services
  • To improve efficiency, increase effectiveness and reduce risk
  • To provide codes of practice in support of Total Quality

As a side note, ITIL is ISO9000-compliant

How does ITIL Work

  • Provides guidance on strategic, tactical and operational management of IT infrastructure
  • Provides a systematic, process-based approach, supported by procedures
  • Suggests implementation strategies
  • Acts as a training aid
  • Vendor Independent
  • Complies with requirements for ISO9001 quality standards

Vendor Frameworks based on ITIL

ITIL is not vendor specific but many vendors base their own IT service quality on ITIL.

"The Microsoft Operations Framework (MOF) provides operational guidance that enables organizations to achieve mission-critical system reliability, availability, supportability, and manageability of Microsoft products and technologies. With MOF guidance, you’ll be able to assess your current IT service management maturity, prioritize your processes of greatest concern, and apply proven principles and best practices to optimize your management of the Windows Server platform."

ITIL Overview

  • ITIL is published as a series of books, each covering a major IT discipline
  • Service Support
  • Service Delivery
  • ICT Infrastructure Management
  • Application Management
  • Security
  • Each of these books break these disciplines down into sub areas. They define concept, goals, scope and relationship to other ITIL disciplines
  • Planning and implementation of each discipline
  • These are supported by three books which support the practical implementation of ITIL.
  • The Business Perspective
  • Planning to Implement Service Management
  • ITIL® Small-scale Implementation

The current version (Version 2) of ITIL is published in a series of books, each of which covers one major discipline in IT:

  • Service Support
  • Service Delivery
  • ICT Infrastructure Management
  • Application Management
  • Security

These are supported by three books which support the practical implementation of ITIL.

  • The Business Perspective
  • Planning to Implement Service Management
  • ITIL® Small-scale Implementation

As a quick example we will examine the "Service Delivery" Book

ITIL Example: Service Delivery

  • Service Delivery consists of 5 disciplines
    • Service Level Management
    • Capacity Management
    • IT Service Continuity Management
    • Financial Management for IT Services
    • Availability Management

Service Delivery consists of 5 disciplines

Service Level Management ensures that agreed services are delivered when and where they are supposed to be delivered.

There are a number of business processes that form part of Service Level Management. These are:

  • Reviewing existing services
  • Negotiating with the Customers
  • Reviewing the underpinning contacts of 3rd party service providers
  • Producing and monitoring the Service Level Agreement (SLA)
  • Implementation of Service Improvement policy and processes
  • Establishing priorities
  • Planning for service growth
  • Involvement in the Accounting process to cost services and recover these costs

Capacity Management is the discipline that ensures IT infrastructure is provided at the right time in the right volume at the right price, and ensuring that IT is used in the most efficient manner.

These are inputs into the following Capacity Management processes:

  • Performance monitoring
  • Workload monitoring
  • Application sizing
  • Resource forecasting
  • Demand forecasting
  • Modeling

From these processes come the results of capacity management, these being the capacity plan itself, forecasts, tuning data and Service Level Management guidelines.

ITIL Example: Service Delivery Continued

  • Service Delivery consists of 5 disciplines
    • Service Level Management
    • Capacity Management
    • IT Service Continuity Management
    • Financial Management for IT Services
    • Availability Management

Continuity Management / Disaster Recovery / Business Continuity. Continuity management is the process by which plans are put in place and managed to ensure that IT Services can recover and continue should a serious incident occur. It is not just about reactive measures, but also about proactive measures – reducing the risk of a disaster in the first instance.

Continuity management is so important that many organizations will not do business with IT service providers if contingency planning is not practiced within the service provider’s organization.

Continuity management involves the following basic steps:

  • Prioritizing the businesses to be recovered by conducting a Business Impact Analysis (BIA)
  • Performing a Risk Assessment (aka Risk Analysis) for each of the IT Services to identify the assets, threats, vulnerabilities and countermeasures for each service.
  • Evaluating the options for recovery
  • Producing the Contingency Plan
  • Testing, reviewing, and revising the plan on a regular basis

Availability Management is the practice of identifying levels of IT Service availability for use in Service Level Reviews with Customers. All areas of a service must be measurable and defined within the Service Level Agreement (SLA). To measure service availability the following areas are usually included in the SLA:

  • Agreement statistics – such as what is included within the agreed service.
  • Availability – agreed service times, response times, etc.
  • Help Desk Calls – number of incidents raised, response times, resolution times.
  • Contingency – agreed contingency details, location of documentation, contingency site, 3rd party involvement, etc.
  • Capacity – performance timings for online transactions, report production, numbers of users, etc.
  • Costing Details – charges for the service, and any penalties should service levels not be met.

IT Financial Management is the discipline of ensuring IT infrastructure is obtained at the most effective price (which does not necessarily mean cheapest), and calculating the cost of providing IT services so that an organization can understand the costs of its IT services. These costs may then be recovered from the Customer of the service.Costs are divided into costing units:

  • Equipment
  • Software
  • Organization (staff, overtime)
  • Accommodation
  • Transfer (costs of 3rd party service providers)

The costs are divided into Direct and Indirect costs, and can be Capital or Ongoing.

Drilldown: Service Level Management

  • 4.1: Why, goal, scope and concept
  • 4.2: Defined process to implement – benefits, costs, problems
  • 4.3: Planning the SLM process
  • 4.4: Implementation of SLM (service catalogue)
  • 4.5: Ongoing monitoring and reporting
  • 4.6/7: KPI and performance targets
  • Annex 4A: Roles and requirements of SLM
  • Annex4B-D: Examples

4.1.1 Why Service Level Management?

Service Level Management (SLM) is essential in any organization so that the level of IT Service needed to support the business can be determined, and monitoring can be initiated to identify whether the required service levels are being achieved – and if not, why not.

Service Level Agreements (SLA), which are managed through the SLM process, provide specific targets against which the performance of the IT organization can be judged.

4.1.2 Goal for SLM

The goal for SLM is to maintain and improve IT Service quality, through a constant cycle of agreeing, monitoring and reporting upon IT Service achievements and instigation of actions to eradicate poor service – in line with business or cost justification. Through these methods, a better relationship between IT and its Customers can be developed.

4.1.3 Scope for SLM

SLA’s should be established for all IT Services being provided. Underpinning Contracts and Operational Level Agreements (OLA’s) should also be in place with those suppliers (external and internal) upon whom the delivery of service is dependent.

4.1.4 Basic concept of SLM

Service Level Management is the name given to the processes of planning, coordinating, drafting, agreeing, monitoring and reporting on SLA’s , and the on-going review of service achievements to ensure that the required and cost-justifiable service quality is maintained and gradually improved. SLA’s provide the basis for managing the relationship between the provider and the Customer.

When the first ITIL SLM book was published in 1989, very few organizations had SLA’s in place. Today most organizations have introduced them – though with varying degrees of success. This version includes some coverage of the common causes of failure, and guidance on how to overcome these difficulties.

What is an SLA?

A written agreement between an IT Service Provider and the IT Customer(s), defining the key service targets and responsibilities of both parties. The emphasis must be on agreement and SLA’s should not be used as away of holding one side or the other to ransom. A true partnership should be developed between the IT provider and the Customer, so that a mutually beneficial agreement is reached, otherwise the SLA could quickly fall into disrepute and a culture of blame prevent any true service quality improvements from taking place.

In the next part of this series, we will examine ISO17799

For the last post of this topic, consult this post.

 Digg  Facebook  StumbleUpon  Technorati  Deli.cio.us  Slashdot  Twitter  Sphinn  Mixx  Google  DZone 

No Tags

Send to Kindle
Bookmark the permalink.

One Response to IT Governance Standards: COBIT, ISO17799/27001, ITIL and PMBOK – Part 3

  1. Pingback: Cobit disciplines | Touchbyanangel

Leave a Reply

Your email address will not be published. Required fields are marked *