Managing Information Technology
Service Delivery
Greg Charles, Ph.D., Principal Consultant, Computer Associates
June 2005
Today’s Objective
To provide information on the latest trends in service management as seen in government data centers around the country
Ever-Increasing Complexity
Approaches Currently In Use
Business As Usual - “Firefighting”
Legislation - “Forced”
Best Practice Focused
The Legislation Minefield
Privacy & Security
– Personal Information Protection and Electronic Documents Act (PIPEDA)
– US Patriot Act / Homeland Security (Critical Infrastructure)
– Personal Health Information Protection Act (PHIPA)
– Health Insurance Portability and Accountability Act (HIPAA)
– SEC Rules 17a-3 & 17a-4 re: securities transaction retention
– Gramm-Leach-Bliley Act (GLBA) privacy of financial information
– Children's Online Privacy Protection Act
– Clinger-Cohen Act (US Gov.)
– Federal Information Security Management Act (FISMA)
– Freedom of Information & Protection of Privacy (FOIPOP) BC Gov
– FDA Regulated IT Systems
– Freedom Of Information Act
– Americans with Disabilities Act; Section 508 of the Rehabilitation Act (website accessibility)
Finance
– Sarbanes-Oxley (US)
– FFIEC US Banking Standards
– Basel II (Basel Committee on Banking Supervision)
– Turnbull Report (UK)
– Canadian Bill 198 (MI 52-109 & 52-111)
Washington State Laws relating to IT
– Policy 403-R1, 400-P1, 401-S1, 402-G1; Executive Order 00-03; RCW 9A.52.110, 120, 130; RCW 9A.48.070, 080, 090; RCW 9A.105.041 and many more
Other International IT Models
– Corporate Governance for ICT DR 04198 (Australia)
– Intragob Quality Effort (Mexico)
– Medical Information System Development (Medis-DC) (Japan)
– Authority for IT in the Public Administration (AIPA) (Italy)
– Principles of accurate data processing supported accounting systems (GDPdu & GoBS) (Germany)
– European Privacy Directive (Safe Harbor Framework)
Best Practices
• What is not defined cannot be controlled
• What is not controlled cannot be measured
• What is not measured cannot be improved
Improvement cycle: Define – Measure – Control and Stabilize – Improve
Quality & Control Models
• ISO 900x
• COBIT
• TQM
• EFQM
• Six Sigma
• COSO
• Deming
• etc.
Process Frameworks
• IT Infrastructure Library
• Application Service Library
• Gartner CSD
• IBM Processes
• EDS Digital Workflow
• Microsoft MOF
• Telecom Ops Map
• etc.
What Is ITIL?
– ITIL (Information Technology Infrastructure Library) is a seven-book series that guides business users through the planning, delivery and management of quality IT services
The ITIL Books (spanning The Business to The Technology)
• Planning To Implement Service Management
• Service Management: Service Support and Service Delivery
• The Business Perspective
• Application Management
• ICT Infrastructure Management
• Security Management
Complete ITIL Process Model
ITIL Service Support Model (The Business, Customers or Users at the top; the Service Desk is the single point of contact)
• Service Desk: receives incidents, difficulties, queries and enquiries; returns communications, updates, work-arounds and customer survey reports
• Incident Management: incidents (also fed in by monitoring tools); outputs service reports, incident statistics, audit reports
• Problem Management: problems and known errors; outputs problem statistics, problem reports, problem reviews, diagnostic aids, audit reports
• Change Management: changes; outputs change schedule, CAB minutes, change statistics, change reviews, audit reports
• Release Management: releases; outputs release schedule, release statistics, release reviews, secure library, testing standards, audit reports
• Configuration Management: the CMDB holds CIs and their relationships to incidents, problems, known errors, changes and releases; outputs CMDB reports, CMDB statistics, policy standards, audit reports
ITIL Service Delivery Model (Business, Customers and Users send queries, enquiries, requirements and targets; they receive communications, updates, reports and achievements; management tools supply alerts, exceptions and changes)
• Service Level Management: SLAs, SLRs, OLAs, service reports, service catalogue, SIP, exception reports, audit reports
• Availability Management: availability plan, AMDB, design criteria, targets/thresholds, reports, audit reports
• Capacity Management: capacity plan, CDB, targets/thresholds, capacity reports, schedules, audit reports
• Financial Management for IT Services: financial plan, types and models, costs and charges, reports, budgets and forecasts, audit reports
• IT Service Continuity Management: IT continuity plans, BIA and risk analysis, requirements definition, control centres, DR contracts, reports, audit reports
What Is ITIL All About?
• Aligning IT services with business requirements
• A set of best practices, not a methodology
• Providing guidance, not a step-by-step, how-to manual; the implementation of ITIL processes will vary from organization to organization
• Providing optimal service provision at a justifiable cost
• A non-proprietary, vendor-neutral, technology-agnostic set of best practices
IT Governance Model
Audit models and quality systems & management frameworks mapped to IT operations areas: Service Mgmt., App. Dev. (SDLC), Project Mgmt., IT Planning, IT Security, Quality System
• Frameworks shown: CobiT, COSO, ISO 17799, PMI, ISO, Six Sigma, TSOIS, Strategy, ASL, CMM, Sarbanes-Oxley, US Securities & Exchange Commission, ITIL, BS 15000, AS 8018
CobiT is an open-standard control framework for IT governance with a focus on IT standards and audit
Based on over 40 international standards and supported by a network of 150 IT governance chapters operating in over 100 countries
CobiT describes standards, controls and maturity guidelines for four domains and 34 control processes
The CobiT Cube
4 Domains
34 Processes
318 Control Objectives (Business Requirements)
Process domains: Plan & Organize (PO), Acquire & Implement (AI), Deliver & Support (DS), Monitor (M)
CobiT Domains
Plan & Organize
• Define Strategic IT Plan
• Define Information Architecture
• Determine Technological Direction
• Define IT Organization & Relationships
• Manage IT Investment
• Communicate Aims & Direction
• Manage Human Resources
• Ensure Compliance With External Standards
• Assess Risks
• Manage Projects
• Manage Quality
Acquire & Implement
• Identify Automated Solutions
• Acquire & Maintain Application Software
• Acquire & Maintain Technology Infrastructure
• Develop & Maintain IT Procedures
• Install & Accredit Systems
• Manage Change
Deliver & Support
• Define & Manage Service Levels
• Manage Third-Party Services
• Manage Performance & Capacity
• Ensure Continuous Service
• Ensure System Security
• Identify & Allocate Costs
• Educate & Train Users
• Assist & Advise IT Customers
• Manage Configuration
• Manage Problems & Incidents
• Manage Data
• Manage Facilities
• Manage Operations
Monitor
• Monitor The Process
• Assess Internal Control Adequacy
• Obtain Independent Assurance
• Provide Independent Audit
COSO Components
Monitoring
• Assess control system performance over time
• Ongoing and separate evaluations
• Management and supervisory activities
Control Activities
• Policies that ensure management directives are carried out
• Approvals and authorizations, verifications, evaluations, safeguarding of assets, and segregation of duties
Control Environment
• Sets “tone at the top”
• Foundation for all other components of control
• Integrity, ethical values, competence, authority, responsibility
Information and Communication
• Relevant information identified, captured and communicated timely
• Access to internal and externally generated information
• Information flow allows for management action
Risk Assessment
• Identify and analyze relevant risks to achieving the entity’s objectives
COSO, CobiT & SOX Components
Putting COSO, CobiT, and ITIL together
COSO defines the high-level policies of a well-governed IT organization
CobiT defines the control structures for evaluating whether the organization conforms to COSO policies
ITIL defines the practices that will satisfy the CobiT controls
How to Make it a Reality? Key Success Factors
Theory – CobiT/ITIL/COSO
• Guidelines for best practices provide the theory but not the process
• Education is an important component
Technology – CA and others
• Provide the technology that enables and automates the process
• Repeatability, compliance and notifications
• Implementing the processes is impossible without technology
Process
• Convert theory to process that is applicable to the unique needs of the organization
• Training & education
• Tool configuration
Customer maturity isolates the appropriate transition point, blueprint & ROI
Vulnerability and Security Incident Management Flow
Level 1 – Discovery, scanning and remediation
• Define policy in network scanner; discover assets; define standard builds
• Network Scan Group runs scheduled scans; attack & penetration performed; ensure backup of critical assets
• New asset? YES: agent-based scanning initiated
• Patch needed? YES: patches sent to Vulnerability Management Group
• Config change needed? / Patch available? / Patch tested? YES: raise a Request for Change, initiate the change order and complete a Business Impact Analysis; NO: document problems with an incident ticket
• Systems configuration changed and rebooted; re-test notification sent to the user population; verification by rescan
Level 2 – New incidents
• Detect vulnerabilities; assess business impact; assign priority
• Fixed? YES: document post-scan results, audit asset, generate report, update CMDB; NO: software delivery or restore image, and document problems with an incident ticket
Level 3 – Security incidents
• IDS security incident; Computer Incident Response Team investigation in progress; security to incident resolution; vulnerability identified? YES/NO
• Incident categories: acceptable use violation, denial of service, information theft, probe, social engineering, unauthorized use, resource modification
Level 4 – Integrated security event prioritization
• Quantitative metrics; network scan and penetration test; manual process to remove vulnerabilities
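The Level 1 and Level 2 steps above (assess business impact, assign priority, decide between a change request, patch testing or an incident ticket, verify by rescan, update the CMDB) can be modelled as a small triage script. This is an added example, not code from the deck or from CA: the asset records, the scan findings, the VULN-000x identifiers, the severity-by-criticality scoring thresholds and the CMDB shape are all constructed assumptions.

```python
# Added example (not from the original deck): a runnable model of the
# Level 1/Level 2 vulnerability-management flow. Assets, findings, the
# VULN-000x identifiers and the scoring thresholds are constructed sample data.
from dataclasses import dataclass
from enum import Enum


class Action(str, Enum):
    RFC = "request for change + business impact analysis"
    PATCH_TEST = "send patch to Vulnerability Management Group for testing"
    INCIDENT = "document problem with incident ticket"


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (low) .. 3 (critical); assumed to come from the CMDB


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # scanner identifier (constructed, not a real CVE)
    severity: int             # 1 (low) .. 3 (high), as reported by the scanner
    patch_available: bool = False
    patch_tested: bool = False
    config_change: bool = False   # remediation is a config change, not a patch


def assign_priority(finding: Finding, asset: Asset) -> int:
    """Assess Business Impact + Assign Priority: scanner severity weighted by
    asset criticality, so a medium finding on a critical server outranks a
    high finding on a lab box. Returns 1 (highest) .. 3. Thresholds assumed."""
    score = finding.severity * asset.criticality      # 1 .. 9
    if score >= 6:
        return 1
    if score >= 3:
        return 2
    return 3


def decide(finding: Finding) -> Action:
    """Patch Needed? -> Patch Available? -> Patch Tested? decision chain.
    Only a tested patch or a config change enters change management; anything
    not yet remediable is tracked as an incident so it cannot silently drop
    between scan cycles."""
    if finding.config_change:
        return Action.RFC
    if not finding.patch_available:
        return Action.INCIDENT
    if not finding.patch_tested:
        return Action.PATCH_TEST
    return Action.RFC


def triage(findings, assets):
    """Return (priority, finding, action) tuples, highest priority first.
    A host missing from the CMDB is the 'New Asset? YES' branch: it is
    treated as critical rather than deprioritised because nothing is known."""
    rows = []
    for f in findings:
        asset = assets.get(f.asset, Asset(f.asset, criticality=3))
        rows.append((assign_priority(f, asset), f, decide(f)))
    return sorted(rows, key=lambda r: (r[0], r[1].asset, r[1].vuln_id))


def verify_rescan(before, after):
    """Verification - Rescan: a finding is fixed only when the same
    (asset, vuln_id) pair is absent from the post-change scan."""
    still = {(f.asset, f.vuln_id) for f in after}
    fixed = [f for f in before if (f.asset, f.vuln_id) not in still]
    open_ = [f for f in before if (f.asset, f.vuln_id) in still]
    return fixed, open_


def update_cmdb(cmdb, fixed, open_):
    """Update CMDB: map asset -> sorted list of open vuln ids; fixed findings
    are removed, open ones added. Returns a new mapping."""
    cmdb = {k: set(v) for k, v in cmdb.items()}
    for f in fixed:
        cmdb.get(f.asset, set()).discard(f.vuln_id)
    for f in open_:
        cmdb.setdefault(f.asset, set()).add(f.vuln_id)
    return {k: sorted(v) for k, v in cmdb.items()}


# Constructed sample data: two CMDB assets, one unknown host, three findings.
ASSETS = {"db01": Asset("db01", 3), "lab07": Asset("lab07", 1)}
SCAN_1 = [
    Finding("db01", "VULN-0001", 2, patch_available=True, patch_tested=True),
    Finding("lab07", "VULN-0002", 3, patch_available=True),
    Finding("newhost", "VULN-0003", 1),
]
SCAN_2 = [  # rescan after the db01 change: the other two are still open
    Finding("lab07", "VULN-0002", 3, patch_available=True),
    Finding("newhost", "VULN-0003", 1),
]

if __name__ == "__main__":
    for prio, f, action in triage(SCAN_1, ASSETS):
        print(f"P{prio} {f.asset:8} {f.vuln_id} -> {action.value}")
    fixed, open_ = verify_rescan(SCAN_1, SCAN_2)
    print("CMDB:", update_cmdb({}, fixed, open_))
```

The point a practitioner should take from this is the order of gates: a finding never reaches change management until a tested patch (or a config change) exists, the rescan rather than the ticket closure is what marks it fixed, and an asset the CMDB has never seen is scored as critical until it has been discovered and agent-scanned.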
Making IT Easier – maturity levels (ROI grows with each level)
• 1 – Active: ability to respond to problems and faults
• 2 – Efficient: ability to automate responses, streamline processes, consolidate resources
• 3 – Responsive: ability to manage service levels and provide the services that are important to the business
• 4 – Business-Driven: ability to share your IT resources throughout the supply chain and dynamically reallocate resources based upon changing business needs
Next Steps - Focus on Customer Needs
• Proven Best Practices
• High Quality
• Comprehensive
• People
• Process
• Technology
• Partners
• Enabling
• Evolutionary
• Efficient
• Complete
• Integrated
• Open
EIM
Solutions Business Flows
Typical survey section features:
• Proven practice "statements"
• Respondent scoring
• Comparison charts: 3 sets of scores (industry comparison, role comparison, overall comparison) against your score
Meeting Customer Needs – Best Practices
Best Practices: Industry and CA best practices are applied to all of our solutions to maximize standardization and quality
Best Practices