a4f5b0f7b4230beff140e36b764e8e0f.ppt
- Number of slides: 41
Demystifying ITIL
Greg Charles, Ph.D., Area Principal Consultant, CA
June 2006, Pacific Northwest Digital Government Summit
Today’s Objective
- To provide a basic understanding (theory and concepts) of ITIL’s Service Management Framework (Service Support and Service Delivery components)
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
Ever-Increasing Complexity
Approaches Currently In Use
- Business As Usual - “Firefighting”
- Legislation - “Forced”
- Best Practice Focused
The Legislation Minefield
- Privacy & Security
  - Personal Information Protection Electronic Document Act (PIPEDA)
  - US Patriot Act Homeland Security (Critical Infrastructure)
  - Personal Health Information Protection Act (PHIPA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - SEC Rules 17a-3 & 17a-4 re: Securities Transaction Retention
  - Gramm-Leach Bliley Act (GLBA) privacy of financial information
  - Children’s Online Privacy Protection Act
  - Clinger-Cohen Act (US Gov.)
  - Federal Information Security Mgmt. Act (FISMA)
  - Freedom of Information & Protection of Privacy (FOIPOP) BC Gov
  - FDA Regulated IT Systems
  - Freedom Of Information Act
  - Americans with Disabilities Act, Sec. 508 (website accessibility)
- Finance
  - Sarbanes Oxley (US)
  - FFIEC US Banking Standards
  - Basel II (World Bank)
  - Turnbull Report (UK)
  - Canadian Bill 198 (MI 52-109 & 52-111)
- Washington State Laws relating to IT
  - Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110, 120, 130; RCW 9A.48.070, 080, 090; RCW 9A.105.041 and many more
- Other International IT Models
  - Corporate Governance for ICT DR 04198 (Australia)
  - Intragob Quality Effort (Mexico)
  - Medical Information System Development (Medis-DC) (Japan)
  - Authority for IT in the Public Administration (AIPA) (Italy)
  - Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)
  - European Privacy Directive (Safe Harbor Framework)
Best Practices
Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
- Define
- Improve
- Measure
- Control And Stabilize
What Is ITIL?
- ITIL is a seven book series that guides business users through the planning, delivery and management of quality IT services
Information Technology Infrastructure Library
The ITIL Books
[Diagram: the seven books positioned between The Business and The Technology]
- Planning To Implement Service Management
- Service Management: Service Support, Service Delivery
- The Business Perspective
- ICT Infrastructure Management
- Security Management
- Application Management
ITIL Simplified
- Business, Customers & Users
- Service Desk
- Service Support: Incident Management, Problem Management, Change Management, Release Management, Configuration Management
- Service Delivery: Service Level Management, Availability Management, Capacity Management, Financial Management, Service Continuity
ITIL Service Support Model
[Diagram: the Service Support processes, their reports, and the shared CMDB]
- The Business, Customers or Users: Difficulties, Queries, Enquiries; Communications, Updates, Work-arounds
- Monitoring Tools: Incidents
- Service Desk and Incident Management: Customer Survey reports, Service reports, Incident statistics, Audit reports
- Problem Management: Problem statistics, Problem reports, Problem reviews, Diagnostic aids, Audit reports
- Change Management: Change schedule, CAB minutes, Change statistics, Change reviews, Audit reports
- Release Management: Release schedule, Release statistics, Release reviews, Secure library, Testing standards, Audit reports
- Configuration Management: CMDB reports, CMDB statistics, Policy standards, Audit reports
- CMDB: Incidents, Problems, Known Errors, Changes, Releases, CIs, Relationships
Service Desk
- To provide a strategic central point of contact for customers and an operational single point of contact for managing incidents to resolution
- In addition, the Service Desk handles Service Requests
Incident Management
- To restore normal service operation as quickly as possible and minimize the adverse impact on business operations
Problem Management
- To minimize the adverse impact of incidents and problems on the business that are caused by errors in the IT Infrastructure and to prevent recurrence of incidents related to these errors
Change Management
- To ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to minimize the impact of change-related incidents and improve day-to-day operations
Release Management
• Release Management takes a holistic view of a change to an IT service and should ensure that all aspects of a Release, both technical and non-technical, are considered together
Configuration Management
- To identify, record and report on all IT components that are under the control and scope of Configuration Management
ITIL Service Support
ITIL Service Delivery Model
[Diagram: the Service Delivery processes and their plans and reports]
- Business, Customers and Users: Queries, Enquiries; Communications, Updates, Reports
- Service Level Management: SLAs, SLRs, OLAs, Service reports, Service catalogue, SIP, Exception reports, Audit reports; Requirements, Targets, Achievements
- Availability Management: Availability plan, AMDB, Design criteria, Targets/Thresholds, Reports, Audit reports
- Capacity Management: Capacity plan, CDV, Targets/thresholds, Capacity reports, Schedules, Audit reports
- Financial Management For IT Services: Financial plan, Types and models, Costs and charges, Reports, Budgets and forecasts, Audit reports
- IT Service Continuity Management: IT continuity plans, BIS and risk analysis, Requirements def’n, Control centers, DR contracts, Reports, Audit reports
- Management Tools: Alerts and Exceptions, Changes
Service Level Management
- To maintain and improve IT service quality through a constant cycle of agreeing, monitoring and reporting to meet the customers’ business objectives
Availability Management
- To optimize the capability of the IT infrastructure, services and supporting organization to deliver a cost effective and sustained level of availability enabling the business to meet their objectives
Capacity Management
- To ensure that all the current and future capacity and performance aspects of the business requirements are provided cost effectively
Financial Management
- To provide cost-effective stewardship of the IT assets and resources used in providing IT services
IT Service Continuity Management
- To ensure that the required IT technical and services facilities can be recovered within required and agreed timescales
- IT Service Continuity Planning is a systematic approach to create a plan and/or procedures to prevent, cope with and recover from the loss of critical services for extended periods
Service Delivery
What Is ITIL All About?
- Aligning IT services with business requirements
- A set of best practices, not a methodology
- Providing guidance, not a step-by-step, how-to manual; the implementation of ITIL processes will vary from organization to organization
- Providing optimal service provision at a justifiable cost
- A non-proprietary, vendor-neutral, technology-agnostic set of best practices.
IT Governance Model
[Diagram labels: Audit Models; Sarbanes-Oxley; COSO; US Securities & Exchange Commission; CobiT; Quality System; IT Planning; ISO 20000; Project Mgmt.; BS 15000; IT Security; ITIL; App. Dev. (SDLC); CMMi; Service Mgmt.; Quality Systems & Mgmt. Frameworks; IT OPERATIONS; ASL; ISO 17799; PMI; TSO; IS Strategy; ISO; Six Sigma]
CobiT (Control Objectives for IT)
- CobiT is an open standard control framework for IT Governance with a focus on IT Standards and Audit
- Based on over 40 International standards and is supported by a network of 150 IT Governance Chapters operating in over 100 countries
- CobiT describes standards, controls and maturity guidelines for four domains, and 34 control processes
The CobiT Cube (Business Requirements)
- 4 Domains
- 34 Processes
- 318 Control Objectives
CobiT Domains
- Plan & Organize (PO Process Domain)
- Acquire & Implement (AI Process Domain)
- Deliver & Support (DS Process Domain)
- Monitor (M Process Domain)
Plan & Organize
- Define Strategic IT Plan
- Define Information Architecture
- Determine Technological Direction
- Define IT Organization & Relationships
- Manage IT Investment
- Communicate Aims & Direction
- Manage Human Resource
- Ensure Compliance With External Standards
- Assess Risks
- Manage Projects
- Manage Quality
Acquire & Implement
- Identify Automated Solutions
- Acquire & Maintain Application Software
- Acquire & Maintain Technology Infrastructure
- Develop & Maintain IT Procedures
- Install & Accredit Systems
- Manage Change
Deliver & Support
- Define & Manage Service Levels
- Manage Third-Party Services
- Manage Performance & Capacity
- Ensure Continuous Service
- Ensure System Security
- Identify & Allocate Costs
- Educate & Train Users
- Assist & Advise IT Customers
- Manage Configuration
- Manage Problems & Incidents
- Manage Data
- Manage Facilities
- Manage Operations
Monitor
- Monitor The Process
- Assess Internal Control Adequacy
- Obtain Independent Assurance
- Provide Independent Audit
COSO Components
Control Activities
• Policies that ensure management directives are carried out
• Approval and authorizations, verifications, evaluations, safeguarding assets security and segregation of duties
Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities
Information and Communication
• Relevant information identified, captured and communicated timely
• Access to internal and externally generated information
• Information flow allows for management action
Control Environment
• Sets “tone at the top”
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility
Risk Assessment
• Identify and analyze relevant risks to achieving the entity’s objectives
COSO, CobiT & SOX Components
Putting COSO, CobiT, and ITIL together
- COSO defines the high level policies of a well governed organization
- CobiT defines the control structures for evaluating whether the IT organization conforms to COSO policies.
- ITIL defines the best practices that will satisfy the CobiT controls.
How to Make ITIL a Reality? Key Success Factors
Theory – ITIL/CobiT/COSO
§ Guidelines for Best Practices
§ Provides theory but not the process
§ Education is an important component
Process
§ Convert theory to process that is applicable to the unique needs of the organization
§ Training & Education
§ Tool configuration
Technology – CA and others
§ Provide the technology that enables and automates the process
§ Repeatability, compliance and notifications
§ Implement processes impossible without technology
Making IT Easier
Customer maturity isolates appropriate transition point, blueprint & ROI
Next Steps - Focus on Customer Needs
[Diagram labels: EITM; Best Practices; Business Flows; Solutions]
• Complete • Integrated • Open • Proven
• People • Process • Technology • Partners • High Quality • Comprehensive • Enabling • Evolutionary • Efficient
Typical Survey Section features…
- Respondent Scoring
- Proven Practice “Statements”
Comparison Charts
3 Sets of Scores
- Role Comparison
- Overall Comparison
- Industry Comparison
Your Score
Tools to Aid Success
[Figure labels: Maturity Model; Solution Sheets; ROI Tool; Transitional Maturity Process Model; SAO/SAS Profilers; Blueprints]
Meeting Customer Needs – Best Practices: Six Sigma, etc.
Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
Thank You Questions?