
Page 1: Karol Furdík, Department of Cybernetics and AI, FEI TU Košice

Management of IT Environment (3), LS 2012/2013, slide 1

Management of IT Environment (3) (Riadenie IT prostredia)

Standardization in terms of IT service management

Karol Furdík
Department of Cybernetics and AI, FEI TU Košice

Page 2: Lecture content

- Definitions of basic terms
  - normalization, norm and standard
  - task, properties and characteristics of a technical norm
  - types of standards, factors and stages of standardization, norm life-cycle
- Standardization organizations
- Legislative framework of norms
- Standardization in IT service management
  - standards for quality management
  - standards for modelling and management of business processes
  - standards for IT services and their management
  - standards for IT security management
  - standards for related technologies
- Certification

Page 3: Standardization - definitions

1. Standardization: the creation and application of norms, standards, recommendations and rules in a certain field of study; in our case the implementation and application of IT/ICT in an organization.

2. Standardization: the definition of a framework that ensures a minimal level of quality of technological or management processes, system management, interface provision, etc.

Objectives of implementing the standards created by the process of standardization:
- increase the competitiveness of the organization in which the norms are implemented
- guarantee the prescribed quality of output products/services
- streamline and optimize decision and management processes
- increase the prestige and credit of the organization against competitors that do not have the standard implemented

Page 4: Prerequisites for standard implementation

- A standard should be progressive and reflect the newest knowledge and trends; this is important mostly in the field of IT.
  - Consequence: standardization is an iterative process in which standards pass through several stages, from the proposal through implementation up to the withdrawal of the standard.
- However, the standard should also be sufficiently stable, accepted by a wide range of professionals and with proven application in real life.
- A standard has to be sufficiently clear, understandable, explicit and controllable.
  - Therefore it should include implementation guides and application examples, and it is also appropriate to include a recommended certification procedure.

Page 5: Norm and standard

- Norm: an established binding rule, custom etc., or a set of such rules; e.g. a moral, social, legal, governmental (technical) norm.
  - Technical norm: a prescribed technical solution of a product, equipment, technology etc.
- Standard: a common (good) quality level; a stable, normal rate; a basic level of evaluation.
  - Technical standard: a common pattern governing production so that products of a certain type, quality, composition or size are made; (in some countries) the label for a technical norm.
- Norm is the "stricter" term, containing a binding feature. Standard has a more general, loose meaning in the Slovak environment; a standard does not have to be binding / obligatory to apply. (Remark: in the past STN were obligatory, nowadays they are not.)
- In English the term standard is used for both, so the terms norm and standard may be regarded as synonyms.

Page 6: Standard - definition, purpose, characteristics

Definition according to ISO: a standard is a document, based on an agreement and approved by a respected organization, that provides a common and repeatable set of rules, guides, restrictions or characteristics for processes and their outcomes, such that in a given context an optimal level of arrangement is achieved.

The purpose of (technical) standards is to provide a precise specification in a given field of industry, sales or services, which serves as a reference framework for application in production or business.

A standard should be:
- the result of broad consensus among experts, which makes it eligible for practice
- verified and stable
- progressive, corresponding with the latest knowledge and trends
- predictive, forward-looking

Page 7: Properties of a technical standard (1)

- Represents a certain level of know-how and technology that should be as progressive as possible, but already proven in practice. Therefore a wide consortium of industry representatives and experts must take part in the creation of the standard.
- Result of cooperation, so it reflects the combined results of all associated parties and is confirmed by an agreement of the consortium. It should represent all relevant interests: manufacturers, users, laboratories, government, consumers etc.
- Neither a compromise nor neutral. On the contrary, a standard expresses a strict and exact specification of a certain approach or process (production, technological, managerial, etc.).

Page 8: Properties of a technical standard (2)

- Consistent and coherent. It is created by technical committees coordinated by specialized parties, which ensure that the obstacles and differences between different areas and business activities are overcome.
- Reference document used specifically in relation to public contracts between business or industrial partners, in international trade contracts or for the creation of business agreements.
- Used by industrialists as a non-negotiable reference, which simplifies and unifies business relationships between economic partners.
- Although a standard is not necessarily legally binding, it is a generally accepted document that may be used in court litigation.
- Standards are widely available; they can be studied or traded with no restrictions. However, they cannot be republished or copied.

Page 9: Types of standards (1)

According to content:
- Basic standards: terminology, metrology, conventions, symbols etc. Wide range, general provisions for one particular area.
- Test methods and analysis standards: measurements of certain properties.
- Product and service standards: parameters of a certain type of product (product standards) or of a certain service. They describe the lowest acceptable levels of parameters a product or service has to achieve (e.g. health protection, safety, documentation, ...).
- Organizational standards: description of company functions and relationships, modelling of activities inside the company (e.g. quality management, value analysis, logistics, project and system management, production organization etc.).

Page 10: Types of standards (2)

According to geographical scope:
- National (STN in Slovakia, ANSI in the USA, DIN in Germany, BS in Great Britain, ÖNORM in Austria, NF in France, JISC in Japan)
- Regional (e.g. European: EN, ETS)
- International (e.g. ISO, IEC, IEEE, W3C and others)

Technical harmonization principle: at the European level, so-called harmonized standards (created by the European standardization organizations) are defined as common technical specifications. National standardization organizations take over these harmonized standards as their own, using a qualified translation of the original European standard, and harmonize all their other standards with respect to the European one. In Slovakia this is done according to Act No. 264/1999 Coll. (zákon č. 264/1999 Z. z.), resulting in harmonized Slovak technical norms.

Page 11: Designation form of STN standards

The sign STN and a 6-digit number:
- STN XX XX XX: original national standard; the three pairs of digits represent class, group and order in the catalog (approx. 40% of the total number of STN standards).
- STN EN XXXXX or STN ISO/IEC XXXXX: adopted European or international standard; the number (typically 5 digits) is the number of the original European or international standard (approx. 60% of standards).

The designation of an adopted standard is followed by an index sign giving the national STN number under which the standard was issued. For example, STN ISO/IEC 20000-1 (36 9788): after inclusion into STN this standard was given class 36 (Electrical engineering, information technologies), group 97, serial number 88.
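As an added example (not from the lecture), the following Python parser reads the two STN designation forms described on this slide and splits out the national class/group/serial index. The regular expressions, the StnDesignation record and all sample designations except STN ISO/IEC 20000-1 (36 9788) are the author's constructions, not anything published by SÚTN.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the lecture: the regexes below are an assumption
# about the designation format, derived only from the two forms on the slide.

# STN XX XX XX : original national standard, class / group / serial number
_ORIGINAL = re.compile(r"^STN (\d{2}) ?(\d{2}) ?(\d{2})$")

# STN EN NNNNN / STN ISO/IEC NNNNN-P[:YYYY] [(XX XXXX)] : adopted European or
# international standard, optionally followed by the national index in brackets
_ADOPTED = re.compile(
    r"^STN (?P<origin>EN(?: ISO(?:/IEC)?)?|ISO(?:/IEC)?|IEC) "
    r"(?P<number>\d+(?:-\d+)?)(?::(?P<year>\d{4}))?"
    r"(?: \((?P<cls>\d{2}) ?(?P<grp>\d{2})(?P<ser>\d{2})\))?$"
)


@dataclass(frozen=True)
class StnDesignation:
    kind: str                 # "original" (STN XX XX XX) or "adopted" (STN EN / STN ISO ...)
    origin: Optional[str]     # source body for adopted standards: "EN", "ISO/IEC", ...
    number: Optional[str]     # number of the source standard, e.g. "20000-1"
    year: Optional[str]       # edition year if given, e.g. "2005"
    cls: Optional[str]        # national index: class (36 = electrical engineering, IT)
    group: Optional[str]      #                 group (97)
    serial: Optional[str]     #                 serial number within the group (88)

    def catalog_number(self) -> Optional[str]:
        """Six-digit national catalog number, e.g. '369788'; None if no index was given."""
        if self.cls is None:
            return None
        return f"{self.cls}{self.group}{self.serial}"


def parse_stn(designation: str) -> StnDesignation:
    """Parse an STN designation; raises ValueError for anything else."""
    s = " ".join(designation.split())  # normalise whitespace
    m = _ORIGINAL.match(s)
    if m:
        c, g, o = m.groups()
        return StnDesignation("original", None, None, None, c, g, o)
    m = _ADOPTED.match(s)
    if m:
        return StnDesignation("adopted", m["origin"], m["number"], m["year"],
                              m["cls"], m["grp"], m["ser"])
    raise ValueError(f"not a recognised STN designation: {designation!r}")


if __name__ == "__main__":
    # Constructed sample designations; only the first one is taken from the slide.
    for text in ["STN ISO/IEC 20000-1 (36 9788)", "STN 36 9788",
                 "STN EN ISO 9001:2009 (01 0320)", "STN EN 60950-1"]:
        d = parse_stn(text)
        print(f"{text:32} -> {d.kind:8} origin={d.origin} number={d.number} "
              f"catalog={d.catalog_number()}")
```

The catalog number is what a national catalog is sorted by, so an adopted standard and an original one that share the same six digits (here STN ISO/IEC 20000-1 and the constructed STN 36 9788) refer to the same catalog slot; a designation without the bracketed index cannot be placed in the catalog from the string alone, which is why the method returns None instead of guessing.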

Page 12: Standardization and creation of standards

Standardization (or normalization):
- a targeted activity that creates standards (norms) and puts them into practice
- aims to achieve an optimum degree of order in a particular area with respect to the actual state of knowledge, to address known problems and expected future prospects

Activities associated with standardization:
- drafting of the standard
- official issue of the standard
- implementation

Contribution of technical standardization: improves the suitability of products, processes and services for their intended use, avoids obstacles and ensures technical cooperation.

Page 13: Standardization factors

- Production justifying factor. A standard allows the desired technical parameters to be achieved, satisfies the customer, confirms the production method, affects productivity growth, and provides a defined level of quality and safety.
- Transaction clarification factor. The existence of reference documents, standards and regulations makes it possible to evaluate an offer better and to reduce uncertainty in trade relations.
- Innovation and further development factor. Participation in standardization allows you to anticipate future development and continually upgrade your product or service, gaining an advantage through knowledge transfer.
- New technology transfer factor. Normalization facilitates and accelerates the transfer of technology in various important areas (new materials, information systems, biotechnologies, ITSM etc.).
- Factor influencing strategic decisions. Participation in standardization creates a significant need to implement new solutions, which makes the company more competitive. This highlights the need to actively participate in standardization and not just to take it as a necessary evil.

Page 14: Standardization stages (1)

1. First draft of the standard. From idea to working draft.
   - Identification of the market need for a new standard.
   - Definition of requirements (commercial, user, functional and technical) that represent the needs of the market and serve as a basis for standard development.
   - First working draft (draft specification) of the standard, which is a consensual result from all of the interested parties.

2. Development and official release. From design to final formulation.
   - Process of approving the proposal in a broader consortium of experts, usually coordinated by a relevant standardization organization.
   - Assessment of the wider impact of the standard on the area and beyond, as well as on the structure of already existing standards. Potential conflicts are addressed by recasting the draft and reassessing it.
   - Official release of the standard and its inclusion into the existing catalog of standards.

Page 15: Standardization stages (2)

3. Implementation. From formulation of the standard to implementation.
   - Specification of testing and certification, which is usually published as an amendment to the standard. It may also contain more or less detailed guides for implementation, including an example reference implementation. These amendments ensure interoperability, i.e. consistency between different implementations.
   - Process of continuous and periodic assessment of compliance with the standard, and regular assessment of the standard's application, particularly with regard to changing needs and market requirements.
   - This process may result in proposals to update or amend the standard (or a proposal to repeal the standard for not being up to date).

Page 16: Standard life-cycle (figure)

Page 17: Standardization organizations

Organizations dealing with standardization, management of standardization activities and publication of standards. Categorization based on territorial scope:
- international
- regional
- national

Coordination of work is ensured by common structures and cooperation agreements.

In Slovakia: SÚTN, Slovenský ústav technickej normalizácie (Slovak Institute of Technical Standardization), http://www.sutn.sk
- state-subsidized organization; founder: ÚNMS SR
- represents the Slovak Republic in international organizations
- creation, approval and publication of STN, harmonization with European standards

Page 18: International standardization (1)

ISO, International Organization for Standardization, http://www.iso.org
- World federation of national standardization organizations (163 members).
- Role: to support the development of standardization and related activities on a global scale, to facilitate the international exchange of goods and services and to develop cooperation in the intellectual, scientific, technical and economic areas.
- ISO activity covers all areas of standardization. The area of electrical engineering, electronics and IT is addressed in close collaboration with IEC.

IEC, International Electrotechnical Commission, http://www.iec.ch
- Prepares and publishes international standards for all electrical, electronic and related technologies.
- In the field of IT, based on an agreement with ISO, the joint technical committee ISO/IEC JTC 1 has been established, in which IEC participates in the development of the ISO/IEC 20000 standard.

Page 19: International standardization (2)

ITU, International Telecommunication Union, http://www.itu.int
- Specialized agency of the United Nations for telecommunications and radiocommunications.

IEEE, Institute of Electrical and Electronics Engineers, http://www.ieee.org
- International non-profit professional organization seeking to advance technology related to electrical engineering.

W3C, World Wide Web Consortium, http://www.w3.org
- International association of stakeholder organizations and individuals that develops standards for the web environment.

Page 20: Regional standardization in Europe

CEN, European Committee for Standardization, http://www.cen.eu
- The most important standardization body in Europe.
- Remit: creation and management of European EN standards in all areas where standardization is applied, except electrical engineering (CENELEC) and telecommunications (ETSI).

CENELEC, European Committee for Electrotechnical Standardization, http://www.cenelec.eu
- Non-profit organization, the main European standardization organization for the area of electrical engineering.

ETSI, European Telecommunications Standards Institute, http://www.etsi.org
- Non-profit organization that creates European ETS standards for the area of telecommunications.

Page 21: National standardization

ANSI, American National Standards Institute, http://www.ansi.org
- Administers about 20% of the technical committees, subcommittees and working groups of ISO and IEC.
- E.g. the ANSI character code table (ASA X3.4-1963, ASCII, adopted internationally as ISO/IEC 646), standardization of the C programming language (ANSI X3.159-1989), the ANSI initiative to publish ISO standards through an on-line library, etc.

BSI, British Standards Institution, http://www.bsigroup.com
- BSI standards are known as BS (British Standard).
- E.g. ISO/IEC 20000 (formerly BS 15000), the ISO 9000 group of quality management system standards (formerly BS 5750), the information security management standard ISO/IEC 27001 (formerly BS 7799), etc.

Page 22: Standardization legislation

General principle: standards are in principle not binding / obligatory and compliance is voluntary. This does not mean that there are no rules and that you can use them as you want.

The legislative framework provides:
- the definition of the standard and its types
- the basic principles of creation and compliance
- the rights, duties and responsibilities of subjects creating and applying standards

Broader aspects of the framework:
- legal specification of authorship
- definition of conformity assessment and certification

Page 23: Standards legislation in the Slovak Republic

Act No. 264/1999 Coll. on technical requirements for products and on conformity assessment (zákon č. 264/1999 Z. z. o technických požiadavkách na výrobky a o posudzovaní zhody), as amended. It defines:
- the method for setting technical requirements for products that could endanger the health, safety or property of people or the environment
- rights and obligations of SÚTN
- procedures for assessing the conformity of products with technical standards
- rights and obligations of subjects related to conformity assessment
- rights and obligations, resulting from the standards, of businesses that produce or import products onto the market
- the scope of state administration in the field of technical standardization and conformity assessment
- supervision of compliance with the law, including penalties
- the relation between Slovak and other standards, harmonization and standard acceptance

Page 24: Authorization, conformity assessment, certification

Definitions under Act No. 264/1999 Coll.:
- Authorization (§ 11): assignment of an operator or other legal entity to carry out conformity assessment. The mandate is issued by the competent state authority. The holder of the authorization (the "authorized person") may, according to the scope of the authorization, be entitled to provide certification, conformity assessment, inspection and product testing.
- Conformity assessment (§ 12): investigating whether the real properties of the product match the technical requirements. If they do, the manufacturer/importer issues a declaration of conformity (§ 13), which is necessary for the product to be placed on the national market.
- Certification (§ 14): activity of an authorized person, issuing a certificate proving that the properties of the product and/or activities related to its production are in accordance with the technical requirements.

Page 25: Standardization of IT environment/services

IT environment: the infrastructure comprising the IT/ICT of a given organization, used to achieve specific business objectives (income, long-term development, etc.).

The objectives of the organization are defined at the level of corporate strategy, namely its focus on the medium- and long-term horizon. The strategy defines:
- what the main objective of the business is
- which activities the business deals with
- how the organization is managed
- what the goals are in the areas of marketing, sales, production, etc.

Corporate strategy is then specified in detail and realized using appropriate business processes: sequences of actions, activities and tasks necessary for the creation of a particular product or service for the customer.

The particular form of the business processes is given by the adopted business strategy, while the criterion of their quality and adequacy is the level of compliance with the strategic goals of the organization.

Page 26: Progressive IT service management

For the meaningful and effective functioning of business processes we use IT services, which run on a particular IT/ICT infrastructure.

The role of IT service management is to align the individual components of the infrastructure so that they support the business processes of the company in the most appropriate, efficient and optimal way.

Page 27: Development of standards for ITSM (figure)

Page 28: Classification of IT management standards

ITIL framework: the basis from which the most important standard, ISO/IEC 20000, is derived.

Standards related to IT management (as a whole):
- quality management standards (ISO 9000)
- business process management and modelling standards
- IT service management standards, including ISO/IEC 20000
- information security management standards
- standards for some technologies suitable for the design and operation of IT service systems

Page 29: Quality management standards

ISO 9000 standards, defining the so-called quality management system (QMS). Comparison with ITIL:

| ISO 9000 | ITIL |
|---|---|
| Specifies the duty to describe, document, manage and continuously improve all existing processes; prescribes the form of documentation and the management methods. | Defines how to design ITSM in a way that leads to cost-effective provision of IT services; also introduces a continuous cycle of effectiveness and efficiency improvement. |
| Has a broader scope and covers all business processes in general. | Covers only those ITSM processes that are part of business activities. |
| A general standard that does not specify which specific processes should be described. | Exactly defines which processes should be developed and implemented. |

Other standards regarding QMS, e.g.:
- STN ISO 10006:2003. Quality management systems. Guidelines for quality management in projects.
- STN EN ISO 14001:2004. Environmental management systems. Requirements with guidance for use.
- ISO 26000:2010. Social responsibility of organizations.

Page 30: Business process management standards

Business process management:
- optimization of business processes
- setting the activities at the most appropriate level of quality and effectiveness in terms of time, resources and cost
- possible automation of business processes, with an adequate level of human interaction

BPM standards:
- Object Management Group, http://www.omg.org
  - BPMN (Business Process Modelling Notation), http://www.bpmn.org
  - BPDM (Business Process Definition Metamodel), http://www.omg.org/spec/BPDM/
  - UML (Unified Modeling Language), http://www.uml.org
- WfMC (Workflow Management Coalition), http://www.wfmc.org
  - XPDL (http://www.wfmc.org/xpdl.html): defines a format for storing and exchanging process representations.
  - BPAF (Business Process Analytics Format, http://www.wfmc.org/business-process-analytics-format.html): an XML schema for the assessment and evaluation of process efficiency.

Page 31: ISO 20000 standard for ITSM (1)

ISO/IEC 20000-1, main clauses:

1. Scope: defines the purpose, scope and application of the standard.

2. Terms and definitions: defines the basic terminology.

3. Requirements for a management system: defines the responsibilities of senior management in the area of service quality management, documentation requirements, assignment of responsibilities and required training of personnel.

4. Planning and implementing service management: defines the system of continuous improvement using the PDCA (Plan-Do-Check-Act) cycle.

5. Planning and implementing new or changed services: defines requirements for planning and assessing the cost, impacts and risks of changes.

Page 32: ISO 20000 standard for ITSM (2)

ISO/IEC 20000-1, main clauses (continued):

6. Service delivery processes: definition of the tactical service planning processes (service level management, service reporting, service continuity management, budgeting and accounting for IT services, information security management).

7. Relationship processes: defines the processes for managing relationships with customers, suppliers and third parties.

8. Resolution processes: defines the operational service management processes (incident management and problem management).

9. Control processes: defines the processes that keep the infrastructure and changes to it under control (configuration management and change management).

10. Release process: defines the requirements for the process that physically builds, implements and deploys changes into the live environment (release management).

Page 33: ISO 20000 - ITIL - In-house processes (figure)

Page 34: Structure of the ISO/IEC 20000 standard

- ISO/IEC 20000-1:2005. Part 1: Specification. Defines the basic requirements for ITSM within an organization and serves as the reference framework for the certification of IT service providers.
- ISO/IEC 20000-2:2005. Part 2: Code of practice. Serves as a supporting guide for ITSM implementation.
- ISO/IEC TR 20000-3:2009. Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1. Defines the scope and applicability of ITSM within an organization.
- ISO/IEC TR 20000-4:2010. Part 4: Process reference model. Defines a logical representation of the abstract ITSM processes and their parts, including their goals and required outputs.
- ISO/IEC TR 20000-5:2010. Part 5: Exemplar implementation plan for ISO/IEC 20000-1. A practical example of ITSM implementation.

Page 35: Structure of the STN ISO/IEC 20000 standard

The ISO/IEC 20000 standard was translated into Slovak in August 2008 and included into the STN system, where it consists of these documents:
- STN ISO/IEC 20000-1:2005. Information technology. Service management. Part 1: Specification.
- STN ISO/IEC 20000-2:2005. Information technology. Service management. Part 2: Code of practice.

Page 36: Other ITSM standards

- ISO/IEC 38500 (http://www.38500.org), the standard for IT governance. It covers a higher level than ITSM, including the management of company processes and the strategic goals of the company. It originates from the Australian standard AS 8015:2005 and is based on COBIT version 4.1.
- ISO/IEC 15504, also known as SPICE (Software Process Improvement and Capability dEtermination). The standard defines a reference model for organizational processes (creation, delivery, support and maintenance) in terms of process types and their capability.
- ISO/IEC 15288 describes the life-cycle processes of man-made systems. These processes are defined in four categories: technical, project, agreement (contract) and organizational project-enabling processes.

Page 37: Security standards for IT systems

The information security management system (ISMS) is defined by the ISO/IEC 27000 family (http://www.27000.org), which consists of these documents:
- ISO/IEC 27000:2009. Overview and vocabulary (definition of terms).
- ISO/IEC 27001:2005. Requirements. The main ISMS standard, based on the British standard BS 7799-2. Specifies the requirements for establishing, implementing, maintaining and improving an ISMS within an organization.
- ISO/IEC 27002:2005. Code of practice. A set of guidelines (security controls) for the ISMS.
- ISO/IEC 27003:2010. ISMS implementation guidance.
- ISO/IEC 27004:2009. Measurement. Guidance on the development and use of standardized metrics and on measuring ISMS effectiveness.
- ISO/IEC 27005:2008. Information security risk management. Recommendations and techniques for information security risk analysis and management.
- ISO/IEC 27006:2007. Requirements and guidance for bodies providing audit and certification of an ISMS.
- ISO/IEC 27011:2008. ISMS guidelines for telecommunications organizations.
- ISO 27799:2008. ISMS for health care organizations.

Of these, only ISO/IEC 27001 states requirements that an organization can be certified against; the other documents are guidance that supports its implementation and audit.

Page 38: Some technology standards for IT systems

- ISO/IEC 29361 to 29363:2008. Web Services Interoperability. These standards define web service profiles: communication via SOAP, description of parameters in WSDL, SOAP binding, etc.
- W3C specifications:
  - SOAP (Simple Object Access Protocol, http://www.w3.org/TR/soap12/). W3C Recommendation: SOAP Version 1.2.
  - WSDL (Web Services Description Language, http://www.w3.org/TR/wsdl20/). W3C Recommendation: Web Services Description Language Version 2.0.
  - SAWSDL (http://www.w3.org/TR/sawsdl/). W3C Recommendation: Semantic Annotations for WSDL and XML Schema.
- OASIS consortium specifications:
  - SOA (http://docs.oasis-open.org/soa-rm/v1.0/). OASIS standard: Reference Model for Service Oriented Architecture 1.0.

Page 39: Certification of compliance with ITSM norms

Certification and conformity assessment is usually carried out by various government and private bodies (not directly by the standardization organizations!) that are qualified and authorized for this kind of activity (authorized persons).

The framework rules are set by law; in Slovakia by Act No. 264/1999 Coll. on technical requirements for products and on conformity assessment (zákon č. 264/1999 Z. z. o technických požiadavkách na výrobky a o posudzovaní zhody).

The standardization framework for conformity assessment and certification is specified in ISO/IEC 17000:2004, as well as in STN ISO/IEC 17000.

Accreditation in Slovakia is granted by the Slovak National Accreditation Service (SNAS, http://www.snas.sk).

For certification in the field of quality management and IT service management in Slovakia, consult the following certification bodies:
- Bureau Veritas, http://www.bureauveritas.sk
- TÜV NORD Slovakia, http://www.tuvnord.sk

Page 40: Certification process for ISO/IEC 20000

Conclusion: a standard (ISO/IEC 20000 or any other) is not the goal but the path. Therefore it is not right to be guided solely by the effort to increase prestige by obtaining a certificate; instead, try to achieve the best possible results through understanding the company's processes and the customers' needs.

Page 41: Questions?

For more info:
- SÚTN: http://www.sutn.sk
- ITIL / ITSM: http://www.itsmf.sk or http://www.itsm.sk