ITIL PPO Certification

Name the PPO process that comes from service strategy.
Demand management
demand management
the process that seeks to understand, anticipate, and influence customer demand for services and support the provision of capacity to meet those demands
Name the PPO processes that come from service design.
1. Availability Management
2. Capacity Management
3. Information Security Management
4. IT Service Continuity Management
Availability Management
the process that ensures that enough cost-justifiable capacity is present now and in the future to meet business requirements; operates at three levels: business, service, and component
Information security management
the process that ensures that security requirements from the business are understood and realized, and that effective security policies are implemented, managed, and improved as needed
IT Service Continuity Management
the process that ensures that IT continuity planning is aligned with the business continuity planning; ensures that cost-effective plans are in place, communicated, and understood so that extreme conditions can be managed while controlling risk
Purpose of Service Design
design IT services, practices, processes, and policies to realize the service provider’s strategy; ensure that services are cost-effectively designed in order to realize the business strategy
objective of service design
design services so that minimal improvement is required over time; design services in line with business requirements so that minimal improvement is required over the life of the service
value of service design
-reduced total cost of ownership
-improved quality of service
-improved consistency of service
-ease of implementation of new or changed services
-improved service alignment and performance
-improved IT governance
-improved effectiveness of service management processes
-improved information and decision-making
-improved alignment with customer values and strategies
Service design begins with
a set of new or changed business requirements and ends with the development of a service solution
5 major aspects of service design
1. S (service solution) - service solutions for new or changed service
2. T (tools) - the management information systems and tools, especially the service portfolio
3. A (architectures) - the technology architectures and management architecture
4. M (metrics) - the measurement methods and metrics
5. P (processes) - the processes required
Service Design Package
document(s) defining all aspects and areas of an IT service and its requirements through each stage of its lifecycle; produced for each new IT service, major change, or IT service retirement
ITIL suggests a design approach that considers the following areas:
-the scalability to future requirements
-outcomes supported
-utility requirements
-warranty requirements
-technologies, components, and inter-relationships
-supporting services (internal and external)
-performance requirements and measurements
-required security levels
-sustainability
Within the technology area, ITIL identifies four domains that need to be addressed and considered as they support and underpin the delivery of all services
1. (i) infrastructure
2. (d) data/information
3. (e) environmental
4. (a) applications
ITIL suggests a formal approach to the business requirements gathering stage, including the following key elements:
-appointment of project manager
-identification of all stakeholders
-requirements analysis, agreement, and documentation
-budgets and business benefits
-conflict resolution
-sign-off processes
-engagement and communication plan
Why do service providers need to conduct service design activities? (business value of service design)
1. align IT service provision with business goals and objectives
2. prioritize all IT activities based on business impact and urgency
3. increase business productivity and profitability through increased efficiency and effectiveness
4. support corporate governance
5. create competitive advantage
Service providers demonstrate business value by:
-agreeing services, SLAs and targets across the whole enterprise, ensuring critical business processes receive most attention
-measuring IT quality in business/user terms, reporting what is relevant to users (for example, customer satisfaction, business value)
-mapping business processes to IT services and IT infrastructure, to ensure that dependencies between the relationships are well understood, and to reduce the possibility of disruptions caused by loss on business services and processes
-mapping business processes to business and service measurements, to ensure focus on IT service measurements related to business performance measurements and desired business outcomes
-mapping infrastructure resources to services in order to take full advantage of critical IT components that are linked to critical business processes
-providing end-to-end performance monitoring and measurement of IT services supporting business processes, regularly reported against SLA targets
ISG (IT steering group)
a formal group that is responsible for ensuring that business and IT service provider strategies and plans are closely aligned; includes senior representatives from the business and the IT service provider
ISG should consider the following items
-business and IT plans
-demand planning
-project authorization and prioritization
-review of projects
-potential outsourcing
-business/IT strategy review
-business continuity and IT service continuity
-policies and standards
purpose of design coordination process
-ensure goals and objectives of the service design stage are met
-provide and maintain a single point of coordination and control for all design processes and activities
objectives of design coordination process
-ensure the consistent design of appropriate services, service management information systems, architectures, technology, processes, information, and metrics to meet current and evolving business outcomes and requirements
-coordinate all design activities across projects, changes, suppliers, and support teams, and manage schedules, resources, and conflicts where required
-plan and coordinate the resources and capabilities required to design new or changed services
-produce SDPs based on service charters and change requests
-ensure that appropriate service designs and/or SDPs are produced and that they are handed over to service transition as agreed
-manage the quality criteria, requirements, and handover points between the service design stage and service strategy and service transition
-ensure that all service models and service solution designs conform to strategic, architectural, governance, and other corporate requirements
-improve the effectiveness and efficiency of service design activities and processes
-ensure that all parties adopt a common framework of standard, reusable design practices in the form of activities, processes and supporting systems, whenever appropriate
-monitor and improve the performance of the service design lifecycle stage
scope of design coordination process
coordinate all design-related activities for new or changed services moving into production environments, as well as any design-related activities for services that are being retired
scope of design coordination includes the following responsibilities
-assisting and supporting each project or other change through all the service design activities and processes
-maintaining policies, guidelines, standards, budgets, models, resources, and capabilities for service design activities and processes
-coordinating, prioritizing, and scheduling of all service design resources to satisfy conflicting demands from all projects and changes
-planning and forecasting the resources needed for the future demand for service design activities
-reviewing, measuring, and improving the performance of all service design activities and processes
-ensuring that all requirements are appropriately addressed in service designs, particularly utility and warranty requirements
-ensuring the production of service designs and/or SDPs and their handover to service transition
the scope of design coordination does not include the following tasks
-responsibility for any activities or processes outside of the design stage of the service lifecycle
-responsibility for designing the detailed service solutions themselves or the production of the individual parts of the SDPs
The PPO lifecycle in context to service strategy
demand management process; provides the signal in the form of a service charter for design activities to begin
The PPO lifecycle in context to service design
warranty processes that include availability management, capacity management, information security management, and IT service continuity management; capacity management has a strong relationship with demand management from the service strategy stage of the service lifecycle
The PPO lifecycle in context to service transition
design processes produce a service design package, which is used by service transition to move a service through various lifecycle stages; warranty aspects of transition processes are important to consider as well as the impact of change on the warranty aspects of services
The PPO lifecycle in context to service operation
many of the design processes covered in PPO are frequently invoked; capacity and availability management are often involved in operational aspects of monitoring and understanding trends in availability and capacity for services and components; operational staff are often involved in various aspects of continual planning
The PPO lifecycle in context to continual service improvement
the processes covered in this course are subject to improvement; metrics and measurements used by continual service improvement must be built into new and changed services by the design processes
business value of the design coordination process
-design activities at acceptable risk and cost levels
-higher customer and user satisfaction
-ensure consistent architecture, allowing integration between services and systems
-improved focus and achievement of business value through well designed services
-greater agility and higher quality in the design of services
demand management purpose
-identify, understand, and influence demand for services
-ensure that adequate capacity exists to meet demand
demand management objectives
-understand PBAs
-identify user profiles
-ensure that services are designed to meet PBAs
-ensure resource availability
-anticipate cases where demand exceeds capacity
scope of demand management
-identify the variable aspects of business
-manage variance in demand
business value of demand management
-understand and prepare for the variable aspects of business
-influence and shape demand
-ensure that available capacity meets demand
Policies, principles, and basic concepts of demand management
-supply and demand
-gearing service assets
-demand management throughout the lifecycle
Demand management supply and demand
-supply must be matched to demand
-understand demand and impact to service assets
-incentives can be used to influence demand
-supports capacity management where PBAs inform capacity planning and it optimizes performance and cost
Demand management gearing service assets
demand is dynamic; identify signals of increasing/decreasing demand; manage assets to meet demand through: identifying services supported; quantify PBAs; specify appropriate architecture; plan capacity and availability; manage performance
demand management through the lifecycle
-service strategy: identify services and outcomes; forecast demand and estimate activity levels
-service design: confirm requirements; ensure capacity and availability designed to requirements
-service transition: test and validate ability to meet and manage demand
-service operation: monitor demand; perform tuning or corrective actions as required
-continual service improvement: identify trends in PBAs; initiate changes and improvements as necessary
process activities, methods, and techniques of demand management
-identify sources of demand forecasting
-PBAs
-UPs
-activity-based demand management
-develop differentiated offerings
-management of operational demand
Demand management activity: identify sources of demand forecasting
-understand business activity
-determine how activity impacts service demand
-potential sources of information that include: business plans; marketing plans and forecasts; production plans (in manufacturing environments); sales forecasts; new product launch plans
demand management activity: patterns of business activity
PBA profile contains the following information:
-classification: some method of flagging the type of PBA, whether it is automated or user generated, as well as what types of business outcomes the PBA supports
-attributes that include: frequency; volume; location; duration
-requirements: relevant to any performance, security, availability, privacy, latency or tolerance concerns
-service asset requirements: utilization information about service assets related to the PBA, such as what assets are utilized, when they are utilized, and the extent of the utilization
demand management activity: user profiles
-based on organizational roles and responsibilities; automated processes and applications can also have UPs
-associated or mapped to one or more PBAs
-under change management control
user profile (UP)
a pattern of user demand for IT services; each includes one or more patterns of business activity
Triggers of demand management
-request for a new service
-request for a change to an existing service
-strategy driving the creation of a new service
-requirement to define a service model
-requirement to define PBAs and UPs
-utilization rates affecting performance or causing a breach to an SLA
-any exception to forecast PBAs
inputs of demand management
-initiative to create a new service
-initiative to change an existing service
-validation of service models
-validation of PBA
-customer portfolio, service portfolio, and customer agreement portfolio
-charging models
-chargeable items
-service improvement plans
outputs of demand management
-user profiles
-PBAs in the service and customer portfolios
-policies for management of demand
-policies for how to deal with situations where service utilization is different than customer expectations
-documentation of differentiated offerings that can be used to formulate service packages
process interfaces with demand management service strategy
-strategy management
-service portfolio management
-financial management for IT services
-BRM
process interfaces with demand management service design
-service level management
-capacity management
-availability management
-IT service continuity management
process interfaces with demand management service transition
-change management
-service asset and configuration management (SACM)
-service validation and testing
process interfaces with demand management service operation
-event management
information management in demand management
-service portfolio
-customer portfolio
-project portfolio
-meeting minutes between BRM and customers
-service level agreements
-configuration management system
CSF: the service provider has identified and analyzed the PBAs and is able to use these to understand the levels of demand that will be placed on a service
KPI: patterns of business activity are defined for each relevant service
KPI: patterns of business activity have been translated into workload information by capacity management
CSF: the service provider has defined and analyzed UPs and is able to use these to understand the typical profiles of demand for services from different types of users
KPI: documented UPs exist and each contains a demand profile for the services used by that type of user
CSF: a process exists whereby services are designed to meet the PBAs and business outcomes
KPI: demand management activities are routinely included as part of defining the service portfolio
CSF: an interface with capacity management ensures that adequate resources are available at the appropriate levels of capacity to meet the demand for services
KPI: capacity plans include details of PBAs and corresponding workloads
KPI: utilization monitors show balanced workloads with minimal over-utilization and a maximum amount of unused capacity to prevent technical groups from over-investing in capacity to avoid being blamed for over-utilization
CSF: there is a means to manage situations where demand for a service exceeds the capacity to deliver it.
KPI: techniques to manage demand have been documented in capacity plans and, where appropriate, in SLAs
KPI: differential charging has resulted in more even demand on the service over time
challenges related to the demand management process
-the availability of information about business activities
-difficult for customers to break down activities in terms that make sense to the service provider
-lack of a formal service portfolio management process or a formal service portfolio
risks related to the demand management process
-lack of, or inaccurate, configuration information
-failure of SLM to define, negotiate, and agree to commitments for minimum and maximum service utilization levels
Responsibilities of Demand Management Process Owner
-generic process owner role for demand management
-ensures that demand management is integrated with other processes
responsibilities of demand management process manager
-carries out generic process manager role for demand management
-identifies and analyzes PBAs to understand the levels of demand for services from different types of users
-helps design services to meet the PBAs and business outcomes
-ensures that adequate resources are available at the appropriate levels of capacity to meet the demand for services
-anticipates and prevents or manages situations where demand for a service exceeds the capacity to deliver it
-gears the utilization of resources that deliver services to meet the fluctuating levels of demand for those services
capacity management process
-extends across the lifecycle
-aligns capacity with demand
-influenced by: PBA, lines of service, service level packages
-capacity needs must be considered during the design stage
-capacity continues throughout all lifecycle stages
purpose of capacity management
provide a focal point for all capacity- and performance-related issues for services and components
objectives of capacity management
-produce and maintain capacity plans describing current and future capacity needs
-guide the business and IT on capacity-related issues
-manage the performance of services and components
-ensure that service performance meets or exceeds all agreed targets
-assist incident management and problem management
-assess the impact of changes on service and component capacity
-ensure that cost-justifiable capacity management measures are in place
scope of capacity management
-focal point for all IT performance and capacity issues
-encompasses all areas of technology
-handles some aspects of human resources including scheduling and staffing levels
business value of capacity management
-effective resource planning and control in order to meet required levels of service
-ensure that required capacity is delivered cost-effectively
-improved performance and availability of services and components
-improved customer satisfaction
-efficient and effective design and transition of new or changed services
-more accurate capacity-related budgeting
-environmental consciousness
-directly contributes to the business through the following activities: monitoring PBA and service level plans; production of regular and ad hoc reports on services and component capacity and performance; tuning and optimization of services and components; producing capacity forecasts based on the agreed needs of the business; influencing customer behavior; regularly producing a capacity plan; resolving capacity-related incidents and problems; analyzing capacity-related trends and making improvements
policies of capacity management
ensures that capacity and performance of IT services and components matches agreed existing and future demands of the business in a cost-effective and timely manner; balancing act between balancing supply against demand and balancing against resources
capacity management processes and planning must be involved in all stages of the service lifecycle
-strategy: service portfolio contains resources and capabilities
-design: requirements-driven capacity plans to ensure services meet their expected performance targets
-transition: verifying utilization and performance
-operation: monitoring and maintaining forecasts
-continual improvement: ongoing tuning and optimization
capacity management must understand
-current business operations and their requirements
-patterns of business activity
-future business plans and requirements
-agreed and planned service targets
-all areas of IT and its capacity performance
planning and managing complexity
-managing the capacity of a large IT environment is a difficult task
-capacity management simplifies this task by:
-determining which components need to be upgraded
-determining when an upgrade is required
-managing the cost of an upgrade
-evaluating the capacity-related risk of change
-evaluating whether or not a proposed SLR is achievable
-helping solve capacity-related problems
-ensuring that adequate capacity exists in any continuity environments
business capacity management
-assist with agreeing service level requirements
-design, procure, or amend service configuration
-verify service level agreements
-support service level agreement notification
-control and implementation
design related activities of capacity management
-exploitation of new technology
-designing resilience
ongoing iterative activities of capacity management
-monitoring: threshold management; response time monitoring
-analysis
-tuning
-implementation
modeling and trending activities of capacity management
-baselining
-trend analysis
-analytical modeling
-simulation modeling
service capacity management
focus of this sub-process is the management, control, and prediction of the end-to-end performance and capacity of the live, operational IT services usage and workloads; ensures that the performance of all services, as detailed in service targets within SLAs and SLRs, is monitored and measured, analyzed, and reported; in order to meet agreed performance levels of services, it may be necessary to instigate proactive and reactive actions

-identify and understand the IT services, their use of resources, working patterns, peaks, and troughs
-ensure that the services meet agreed targets as defined in SLA
-identify any service breaches or near misses through monitoring and comparing actual targets against agreed targets
-must be proactive and predictive

component capacity management
focus of this sub-process is the management, control and prediction of the performance, utilization and capacity of individual IT technology components underpinning IT services; ensures that all components within the IT infrastructure that have finite resource are monitored and measured, analyzed, and reported

-identify and understand the performance, capacity, and utilization of individual components
-ensure optimal use of IT components
-monitor hardware and software components and collect information
-forecast issues where possible
-monitor changes to services to estimate hardware and software upgrades
-balance services across existing components

demand management in capacity management
activities specifically focused on understanding the variable aspects of business and planning for an appropriate response to those variable aspects
proactive activities
-pre-empting performance issues
-producing trends of the current component utilization and estimating the future requirements
-modeling and trending the predicted changes in IT services
-ensuring that upgrades are budgeted, planned, and implemented before SLAs and service targets are breached or performance issues occur
-actively seeking to improve service performance wherever it is cost-justifiable
-producing and maintaining a capacity plan
-tuning (optimizing) the performance of services and components
reactive activities
-monitoring, measuring, reporting, and reviewing the current performance of both services and components
-responding to all capacity-related “threshold” events and instigating corrective action
-reacting to and assisting with specific performance issues
triggers of capacity management
-service breaches
-capacity or performance events and alerts, including threshold events
-exception reports
-periodic revision of current capacity and performance
-review of forecasts, reports and plans
-new and changed services requiring additional capacity
-periodic trending and modeling
-review and revision of business and IT plans and strategies
-review and revision of designs and strategies
-review and revision of SLAs, OLAs, contracts, or any other agreements
inputs of capacity management
-business information
-service IT information
-component performance and capacity information
-service performance issues
-service information
-financial information
-change information
-performance information
-CMS
-workload information
outputs of capacity management
-CMIS
-capacity plan
-service performance information and reports
-workload analysis and reports
-ad hoc capacity and performance reports
-forecasts and predictive reports
-thresholds, alerts, and events
capacity management interface service strategy
demand management
-capacity plans responses to PBAs
-understanding and evaluating PBAs for their effect upon the capacity-related aspects of services and components
capacity management interface service design
SERVICE LEVEL MANAGEMENT
-service information with details of the services from the service portfolio and the service catalog and service level targets within SLAs and SLRs and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
-reporting and reviewing of service performance and the development of new SLRs or changes to existing SLAs
IT SERVICE CONTINUITY MANAGEMENT
-capacity management assists with business impact assessment
AVAILABILITY MANAGEMENT
-works with capacity to support required resources for availability commitments
capacity management interface service operation
incident and problem management
-service performance issues relating to poor performance
capacity management process uses…
the CMIS to store capacity-related information
CMIS is used to perform several activities that include
-review current capacity and performance
-improve current service and component capacity
-assess, agree, and document new requirements for capacity
-plan new capacity
capacity CSF: accurate business forecasts
KPI: Production of workload forecasts on time
KPI: Percentage accuracy of forecasts of business trends
KPI: Timely incorporation of business plans into the capacity plan
KPI: reduction in the number of variances from the business plans and capacity plans
capacity CSF: Knowledge of current and future technologies
KPI: increased ability to monitor performance and throughput of all services and components
KPI: timely justification and implementation of new technology in line with business requirements (time, cost, and functionality)
KPI: Reduction in the use of old technology, causing breached SLAs due to problems with support or performance
capacity CSF: Ability to demonstrate cost effectiveness
KPI: reduction in last-minute buying to address urgent performance issues
KPI: reduction in the over-capacity of IT
KPI: accurate forecasts of planned expenditure
KPI: reduction in the business disruption caused by a lack of adequate IT capacity
KPI: relative reduction in the cost of production of the capacity plan
capacity CSF: Ability to plan and implement the appropriate IT capacity to match business need
KPI: percentage reduction in the number of incidents due to poor performance
KPI: percentage reduction in lost business due to inadequate capacity
KPI: all new services implemented to match SLRs
KPI: increased percentage of recommendations made by capacity management are acted on
KPI: reduction in the number of SLA breaches due to either poor service performance or poor component performance
challenges of capacity management
-getting information from the business
-making sense of component capacity management
-different tools and different information formats
-information overload
risks of capacity management
-lack of commitment to the capacity management process
-lack of appropriate information on future plans and strategies
-lack of resources, budget, or senior management commitment
-service capacity management and component capacity management are performed in isolation
-processes become too bureaucratic or manually intensive
-processes focus too much on the technology and not enough on the services and the business
-reports and information are too technical and do not give appropriate information
capacity management process owner
-accountable for the capacity management process
-works with other processes to ensure capacity management is integrated with the overall service lifecycle
capacity management process manager
p. 3-49; responsible for the process
coordinates activities between capacity management and other service management processes
availability management purpose
-to be the focal point for management of availability-related issues
-ensure that availability targets are set, measured, and achieved
availability management objectives
-produce and maintain availability plans reflecting the current and future needs of the business
-ensure that service availability achievements meet or exceed agreed targets
-assist with diagnosis and resolution of availability-related incidents and problems
-assess the impact of changes on the availability plan and availability of services
-advise and guide other areas of the business and IT
-implement cost-justifiable measures to improve the availability of services
scope of availability management
-covers the design, implementation, measurement, management, and improvement of IT service and component availability
-ensures that services and components are designed and delivered in line with business needs
-includes the availability of business processes
-availability drivers of future business plans and requirements
-service availability targets agreed in SLAs
-performance and availability of the IT infrastructure, data, applications, and the environment
-business impacts and priorities for services
business value of availability management
-ensures that availability matches the evolving needs of the business
-ensures customer satisfaction with reliability and availability
-provides high-quality stable services in support of business needs
-evaluates new or changed service requirements
-supports business needs to follow environmentally sound strategies
guiding principles for availability management
-service availability is at the core of customer satisfaction and business success
-business, customer, and user satisfaction and recognition can be achieved even when services fail, provided that the reaction to failure is handled well
-understanding how services support the business drives improving availability
-availability is only as good as its weakest link
-the more proactive the process, the better service availability will be
-it is less expensive to design availability into services than to add it at a later date
service availability involves
-all aspects of service availability and unavailability
-impact of component availability
-potential impact of component availability
-impact of the availability of collection of components
component availability involves
component availability and unavailability
aspects of availability
-availability
-reliability
-maintainability
-serviceability
availability equation
((agreed service time (AST) - downtime) / AST) * 100%
reliability equation
(MTBSI in hours)= (available time in hours)/(number of breaks)
reliability equation 2
MTBF in hours = ((available time in hours-total downtime in hours)/(number of breaks))
maintainability
MTRS in hours=((total downtime in hours)/(number of service breaks))
vital business functions
-parts of the business process that are critical to success
-influence availability design and cost-effectiveness
-the more vital the function, the higher level of resilience required
-availability requirements determined by the business, not IT
-special VBFs: High Availability, fault tolerance, continuous operation, continuous availability
reactive availability management techniques
-monitor, measure, analyze, and report service and component availability
-unavailability analysis
-expanded incident management lifecycle
-service failure analysis
proactive availability management techniques
-requirement definition
-designing for availability
-service availability design
-CFIA(component failure impact analysis)
-SPOF (single point of failure)
-FTA (fault tree analysis)
-simulation, modeling, and load testing
-risk analysis and management
-availability testing schedule
-planned and preventative maintenance
-production of projected service outage
-reviewing all new and changed services
-continual review and improvement
triggers of availability management
-new or changed business needs or new or changed services
-new or changed targets within agreements such as SLRs, SLAs, OLAs, or contracts
-service or component breaches, availability events and alerts, including threshold events, exception errors
-periodic activities of availability management such as reviewing, revising, or reporting
-review of availability management forecasts, reports and plans
-review and revision of business and IT plans and strategies
-review and revision of designs and strategies
-recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
-request from SLM for assistance with availability targets and explanation of achievements
inputs of availability management
-business information
-business impact information
-previous risk analysis
-service information
-financial information
-change and release information
-configuration management
-service targets
-component information
-technology information
-past performance
-unavailability and failure information
outputs of availability management
-AMIS
-the availability plan for the proactive improvement of IT services and technology
-availability and recovery design criteria and proposed service targets for new or changed services
-service availability, reliability, and maintainability reports of achievements against targets, including input for all service reports
-component availability, reliability, and maintainability reports of achievements against targets
-revised risk analysis reviews and reports and an updated risk register
-monitoring, management, and reporting requirements for IT services and components to ensure that deviations in availability, reliability, and maintainability are detected, actioned, recorded, and reported
-an availability management test schedule for testing all availability, resilience, and recovery mechanisms
-the planned and preventative maintenance schedules
-the PSO in conjunction with change and release management
-details of the proactive availability techniques and measures that will be deployed to provide additional resilience to prevent or minimize the impact of component failures on the IT service availability
-improvement actions for inclusion within the SIP
process interfaces with availability management service design
SLM
Capacity management
ISM information security management
ITSCM
process interfaces with availability management service transition
change management
process interfaces with availability management service operation
incident and problem management
access management
information management in availability management
AMIS: contains information used and produced by availability management
availability plans that describe:
-current and future availability needs of the business
-how availability shortfalls are being addressed
-details of new availability requirements
-schedules and reviews of SFA assessments
-information about the availability benefits of future technology
availability CSF: manage availability and reliability of IT service
KPI: percentage reduction in the unavailability of services and components
KPI: percentage increase in the reliability of services and components
KPI: effective review and follow-up of all SLA, OLA and UC breaches relating to availability and reliability
KPI: percentage improvement in overall end-to-end availability of service
KPI: Percentage reduction in the number and impact of service breaks
KPI: improvement in the MTBF
KPI: improvement in the MTBSI
KPI: reduction in the MTRS
availability CSF: satisfy business needs for access to IT services
KPI: percentage reduction in the unavailability of services
KPI: percentage reduction of the cost of business overtime due to unavailable IT
KPI: percentage reduction in critical time failures
KPI: percentage improvements in business and users satisfied with service
availability CSF: Availability of IT infrastructure and applications as documented in SLAs, provided at optimum costs
KPI: percentage reduction in the cost of unavailability
KPI: percentage improvement in the service delivery costs
KPI: timely completion of regular risk assessment and system review
….P 4-69
challenges of availability management
-meeting and managing the expectations of the business
-integration of all availability-related information
-convincing the business of the need for proactive availability management
risk of availability management
-a lack of commitment from the business to the availability management process
-a lack of commitment from the business and a lack of appropriate information on future plans and strategies
-a lack of senior management commitment or a lack of resources and/or budget to the availability management process
-labor-intensive reporting processes
-the processes focus too much on the technology and not enough on the services and the needs of the business
-the AMIS is maintained in isolation and is not shared or consistent with other process areas, especially ITSCM, information security management and capacity management
availability management process owner
-carry out the generic process owner role for the availability management process
-working with management of all functions to ensure acceptance of the availability management process as the single point of coordination for all availability-related issues, regardless of the specific technology involved
-working with other process owners to ensure there is an integrated approach to the design and implementation of availability management, service level management, capacity management, IT service continuity management, and information security management
availability management process manager
-manages the interface between availability management and other processes
-ensures that services meet agreed levels of availability
-assists in the investigation and diagnosis of availability-related incidents and problems
ITSCM purpose
-align with and support the overall business continuity management process
-ensure that minimum agreed business continuity-related service levels can be provided
-understand and reduce risk to IT services to levels acceptable to the business
-plan and prepare for the recovery of IT Services
ITSCM objectives
-manage and maintain a set of IT service continuity plans and IT recovery
-ensure that continuity and recovery mechanisms are in place to meet the agreed business continuity targets defined in SLAs
-conduct complete and regular BIA
-conduct regular risk analysis and management, in conjunction with business availability management process, and security management process
-provide advice and guidance on continuity- and recovery- related issues to business and IT
-assist the change management process to assess the impact of all changes on IT service continuity plans and IT recovery plans
-assist in proactive measures for improving availability of services
-negotiate and agree the necessary contracts with suppliers, in conjunction with the supplier management process for provision of the planned recovery capability
scope of ITSCM
-focus on significant business events: disasters, significant interruptions beyond normal daily operation, identified through a BIA, business impact and loss through financial loss, damage to reputation, regulatory breaches
-agreement with the business of scope of ITSCM
-ITSCM policies
-conducting BIA to quantify the impact a loss of IT services would have on the business
-risk identification, assessment, and management
-production of an ITSCM strategy and integration with overall BCM strategy
-production, management, and maintenance of ITSCM plans
-testing and validation of continuity plans
business value of ITSCM
-supports the BCM (business continuity management) and BCP (business continuity plan)
-used to raise awareness of continuity and recovery requirements
-often used to justify and implement a BCM and BCP
-should be driven by business risk
-identified by business continuity planning
-ensures recovery arrangements for IT services are aligned to business impacts, risks, and needs
production of business continuity strategy is based on:
-involvement of ITSCM in initiation and requirements stages to support the BCM activities
-understanding the relationship between the business processes and the impacts of loss of IT services on these activities
-becomes the basis for producing an ITSCM strategy
the business continuity strategy should
-focus on business processes and associated issues such as business process continuity, staff continuity and building continuity
effective implementation of ITSCM is through
-identification of critical business processes
-analysis and coordination of the required technology and supporting IT services
-the situation may be even more complex in outsourcing situations
4 stages within ITSCM lifecycle
1. initiation
2. requirements and strategy
3. implementation
4. ongoing operation
Stage 1 of ITSCM
initiation-this stage deals with policy setting, specifying terms of reference, and scope of the project
Stage 2 of ITSCM
requirements and strategy- this stage includes requirements analysis and developing strategy for risk reduction based on BIA
Stage 3 of ITSCM
ITSCM implementation- once the strategy has been approved, the IT service continuity plans need to be produced in line with the business continuity plans; the ITSCM plans need to be developed to enable the necessary information for critical systems, services, and facilities to either continue to be provided or to be reinstated within an acceptable period to the business
Stage 4 of ITSCM
Ongoing operation-this stage focuses on education, awareness, training of service continuity-specific items, testing of ITSCM plans, ongoing operation, and any changes coordinated through change management process
initiating – policy setting
specifying management intent and clarifying roles and responsibilities relevant to continuity activities
initiating – defining scope and all terms of reference
defining the scope of all staff in the organization, as well as conducting risk assessment and business impact analysis
initiating – initiating a project
allocating resources: acquiring the necessary resources in terms of time and money
defining the project organization and control structure: following accepted best practice for complex project management, such as PMBOK (Project Management Body of Knowledge) or PRINCE2 (PRojects IN Controlled Environments)
Agreeing to project and quality plans: providing an understanding of the overall project deliverables and serving as means to control variance; quality plans ensure that acceptable levels of quality are present in project deliverables
M_o_R
management of risk- a standard management framework used to assess and manage risks within an organization
M_o_R principles
essential for the development of good risk management practice and are derived from corporate governance principles
M_o_R approach
an organization’s approach to M_o_R principles, which needs to be agreed and defined within the following living documents:
-risk management policy
-process guide
-plans
-risk registers
-issue logs
M_o_R processes
the following main steps describe the inputs, outputs, and activities that ensure that risks are controlled:
-identify: the threats and opportunities within an activity that could impact the ability to reach its objective
-assess: the understanding of the net effect of the identified threats and opportunities associated with an activity when aggregated together
-plan: a specific management response that will reduce the threats and maximize the opportunities
-implement: the planned risk management actions, monitor their effectiveness, and take corrective action where responses do not match expectations
Invocation of ITSCM
processes should be:
-fit for purpose; interface correctly with other relevant invocation processes
decisions:
-often made by a “crisis management” team
-must consider: extent of damage; scope of invocation; likely length of the disruption; potential business impact; retrieval of required documentation, workstation images, etc.; mobilization of personnel; alerting suppliers and vendors
-guidance and plans must be available to key staff, both within and outside the office
the objectives of invocation are to:
-build up the business to normal levels at the recovery site
-conduct short-term operation from recovery site
-leave the recovery site in the shortest possible time
triggers of ITSCM
-new or changed business needs, or new or changed services
-new or changed targets within agreements, such as SLRs, SLAs, OLAs, or underpinning contracts
-the occurrence of a major incident that requires assessment for potential invocation of either business or IT continuity plans
-periodic activities such as the BIA or risk analysis activities, maintenance of continuity plans or other reviewing, revising, or reporting activities
-assessment of changes and attendance at CAB (change advisory board) meetings
-review and revision of business and IT plans and strategies
-review and revision of designs and strategies
-recognition or notification of a change of risk or impact of a business process or VBF (vital business function), an IT service, or component
-initiation of tests of continuity and recovery plans
inputs of ITSCM
-business information
-IT information
-a business continuity strategy and set of business continuity plans
-service information from the SLM process
-financial information
-change information
-CMS
-business continuity management and availability management testing schedules
-IT service continuity plans and test reports
outputs of ITSCM
-a revised ITSM policy and strategy
-a set of ITSM plans, including all crisis management plans, emergency response plans and disaster recovery plans, together with a set of supporting plans and contracts with recovery service providers
-BIA exercises and reports, in conjunction with BCM and the business
-Risk analysis and management reviews and reports, in conjunction with the business, availability management, and security management
-An ITSCM testing schedule
-ITSCM test scenarios
-ITSCM test reports and reviews
-forecasts and predictive reports are used by all areas to analyze, predict and forecast particular business and IT scenarios and their potential solutions
purpose of Information Security Management (ISM)
-provide a focal point for all aspects of IT security
-manage IT security activities
-align IT security with business security
-provide strategic direction for security activities
-ensure that information security is effectively managed in all service management activities; objectives are achieved; risks are managed
objectives of ISM
-availability and usability- information available and usable when required
-confidentiality- information disclosed to those who have a right to know
-integrity- information is complete, accurate, protected
-authenticity- trusted business transactions and information exchanges between enterprises and partners
scope of ISM
-should be the focal point for all IT security issues
-establish and maintain ISMS to guide the development and management of an information security program
-must ensure that an information security policy is produced, maintained, and enforced
-needs to understand total IT and business security environment; policies and plans; existing and future requirements; obligations and responsibilities; business and IT risks
ISM process should include:
-Information security policy
-current and future needs
-policy and plans
-security controls
-contracts
-management of security breaches
-improvements
-integration
ISM provides value to the business by
-maintaining and enforcing an information security policy that fulfills:
*needs of the business security policy
*requirements of corporate governance
ISM manages all aspects of IT and information security
-through appropriate security controls it provides assurance that
*IT services underpinning business processes are in line with business and corporate risk management processes and guidelines
information security must be aligned with
-business security
-business needs
-business objectives
all IT service providers must ensure that
-all processes within the IT organization include security considerations
-comprehensive information security policy or policies exist
-necessary security controls are in place to monitor and enforce the policies
to develop a cost-effective information security program an organization requires
-security framework
-policy
-ISMS
ISM framework generally consists of the following components
-information security policy
-security management information system
-security strategy
-organization structure
-security controls
-security risks
-monitoring processes
-communications strategy
-training and awareness strategy and plan
five elements of ISMS
1. control- establish management framework, organization structure, and responsibilities
2. plan- devise and recommend the appropriate security measures
3. implement- appropriate procedures, tools, and controls in place
4. evaluate- supervise and check compliance and auditing
5. maintain- improve security agreements and implement security measures and controls
information security governance should provide 6 basic outcomes
1. strategic alignment
2. value delivery
3. risk management
4. performance management
5. resource management
6. business process assurance
Outcome 1: strategic alignment
-security requirements should be driven by enterprise requirements
-security solutions need to fit enterprise processes
-investment in information security should be aligned with the enterprise strategy and agreed-on risk profile
Outcome 2: value delivery
-a standard set of security practices, for example, baseline security requirements that follow best practices
-properly prioritized and distributed effort to areas with greatest impact and business benefit
-institutionalized and commoditized solutions
-complete solutions, covering organization and processes as well as technology
-a culture of continual improvement
Outcome 3: risk management
-agreed-on risk profile
-understanding of risk exposure
-awareness of risk management priorities
-risk mitigation
-risk acceptance/deference
Outcome 4: performance management
-defined, agreed, and meaningful set of metrics
-measurement process that will help identify shortcomings and provide feedback on progress made resolving issues
-independent assurance
Outcome 5: resource management
-knowledge is captured and available
-documented security processes and practices
-developed security architecture to efficiently utilize infrastructure resources
key activities within the ISM process
-production, review, and revision of an overall information security policy and a set of supporting specific policies
-communication, implementation, and enforcement of security policies
-assessment and classification of all information assets and documentation
-implementation, review, revision, and improvement of a set of security controls and risk assessment and responses
-monitoring and management of all security breaches and major security incidents
-analysis, reporting, and reduction of the volumes and impact of security breaches and incidents
-scheduling and completion of security reviews, audits, and penetration tests
ISM activities
-produce, review, and revise security policies
-assess and classify information assets
-establish security controls
-establish security incident procedures
-conduct audits and testing
-produce security strategy
Security controls
threats- Prevention/Reduction & Evaluation/Reporting
incident- Detection/Repression & Evaluation/Reporting
damage- correction/Recovery & Evaluation/Reporting
control
security measures
-preventive- prevent a security incident from happening
-reductive-minimize any possible damage from occurring in advance
-detective- detect when a security incident occurs
-repressive- counteract any continuation or repetition of the security incident
-corrective-repair the damage as far as possible
triggers of ISM
-changed business needs or services
-changed targets: SLRs, SLAs, OLAs, or contracts
-service or component breaches
-availability events and alerts
-periodic activities
-review and revision of ISM policies, reports, and plans
-review and revision of business and IT plans and strategies
-change of risk or impact of a business process or VBF
-request from SLM
-new or changed corporate governance guidelines
inputs of ISM
-business information
-service information
-change information
-configuration management
-technology information
-risk analysis process and reports
-corporate governance and security policies
-IT information
-details of all security events and breaches
outputs of ISM
-an overall information security management policy
-SMIS
-revised security risk assessment processes and reports
-a set of security controls
-security audits and audit reports
-security test schedules and plans
-a set of classified information assets
-reviews and reports of security breaches and major incidents
-policies, processes, and procedures
CSF and KPIs of ISM
p. 6-38
challenges of ISM
-ensure adequate business support from the business, business security, and senior management
-establish appropriate information security policy with effective supporting processes and controls
-ensure ongoing alignment and integration of information security management with business security management, including policies and plans
risks of ISM
-increased availability and robust requirements
-growing potential for misuse and abuse of information and information systems
-external dangers from hackers and compromise of information and information systems
-a lack of business and senior management commitment
-processes focused on technology and overlooking services and business needs
-risk assessments performed in isolation
-bureaucratic or outdated information security management policies and processes, or policies that add no business value
responsibilities of ISM process owner
-carrying out generic process owner role for the information security management process
-working with the business to ensure proper coordination and communication between organizational (business) security management and information security management
-working with managers of all functions to ensure acceptance of the information security management process as the single point of coordination for all information security related issues, regardless of the specific technology involved
-working with other process owners to ensure there is an integrated approach to the design and implementation of information security management, availability management, IT service continuity management, and organizational security management
responsibilities of ISM process manager
p.6-44 & 6-45
generic requirements for technology to assist service design
-the underpinning nature of tools and technology
-effective service design technology
-validates inputs and outputs
-tool selection and design decisions
evaluation criteria for technology and tooling for process implementation
-out of the box
-configuration required
-customization required